allow access to readonly volumes during sandboxed

2026-03-26 10:21:52 +00:00 · 2021-08-16 17:48:45 -06:00
parent 7dc53a4e85
commit 8b1daabb05
5 changed files with 40 additions and 14 deletions
--- a/appmgr/src/action/docker.rs
+++ b/appmgr/src/action/docker.rs
@@ -10,7 +10,7 @@ use serde_json::Value;
 use crate::id::{Id, ImageId};
 use crate::s9pk::manifest::{PackageId, SYSTEM_PACKAGE_ID};
 use crate::util::{IoFormat, Version};
-use crate::volume::{VolumeId, Volumes};
+use crate::volume::{Volume, VolumeId, Volumes};
 use crate::{Error, ResultExt, HOST_IP};

 pub const NET_TLD: &'static str = "embassy";
@@ -110,12 +110,13 @@ impl DockerAction {
        &self,
        pkg_id: &PackageId,
        pkg_version: &Version,
+        volumes: &Volumes,
        input: Option<I>,
    ) -> Result<Result<O, (i32, String)>, Error> {
        let mut cmd = tokio::process::Command::new("docker");
        cmd.arg("run").arg("--rm").arg("--network=none");
        cmd.args(
-            self.docker_args(pkg_id, pkg_version, &Volumes::default(), false)
+            self.docker_args(pkg_id, pkg_version, &volumes.to_readonly(), false)
                .await,
        );
        let input_buf = if let (Some(input), Some(format)) = (&input, &self.io_format) {
--- a/appmgr/src/action/mod.rs
+++ b/appmgr/src/action/mod.rs
@@ -140,11 +140,12 @@ impl ActionImplementation {
        &self,
        pkg_id: &PackageId,
        pkg_version: &Version,
+        volumes: &Volumes,
        input: Option<I>,
    ) -> Result<Result<O, (i32, String)>, Error> {
        match self {
            ActionImplementation::Docker(action) => {
-                action.sandboxed(pkg_id, pkg_version, input).await
+                action.sandboxed(pkg_id, pkg_version, volumes, input).await
            }
        }
    }
--- a/appmgr/src/config/mod.rs
+++ b/appmgr/src/config/mod.rs
@@ -509,13 +509,11 @@ pub fn configure<'a, Db: DbHandle>(
                .get(db, true)
                .await?
            {
-                let version = dependent_model
-                    .clone()
-                    .manifest()
-                    .version()
-                    .get(db, true)
-                    .await?;
-                if let Err(error) = cfg.check(dependent, &*version, &config).await? {
+                let manifest = dependent_model.clone().manifest().get(db, true).await?;
+                if let Err(error) = cfg
+                    .check(dependent, &manifest.version, &manifest.volumes, &config)
+                    .await?
+                {
                    let dep_err = DependencyError::ConfigUnsatisfied { error };
                    handle_broken_dependents(
                        db,
--- a/appmgr/src/dependencies.rs
+++ b/appmgr/src/dependencies.rs
@@ -13,6 +13,7 @@ use crate::s9pk::manifest::PackageId;
 use crate::status::health_check::{HealthCheckId, HealthCheckResult, HealthCheckResultVariant};
 use crate::status::{DependencyErrors, MainStatus, Status};
 use crate::util::Version;
+use crate::volume::Volumes;
 use crate::{Error, ResultExt as _};

 #[derive(Clone, Debug, thiserror::Error, Serialize, Deserialize)]
@@ -136,6 +137,7 @@ impl DepInfo {
        dependency_config: Option<Config>, // fetch if none
        dependent_id: &PackageId,
        dependent_version: &Version,
+        dependent_volumes: &Volumes,
    ) -> Result<Result<(), DependencyError>, Error> {
        let (manifest, info) = if let Some(dep_model) = crate::db::DatabaseModel::new()
            .package_data()
@@ -170,7 +172,12 @@ impl DepInfo {
        };
        if let Some(cfg_req) = &self.config {
            if let Err(e) = cfg_req
-                .check(dependent_id, dependent_version, &dependency_config)
+                .check(
+                    dependent_id,
+                    dependent_version,
+                    dependent_volumes,
+                    &dependency_config,
+                )
                .await
            {
                if e.kind == crate::ErrorKind::ConfigRulesViolation {
@@ -215,11 +222,17 @@ impl DependencyConfig {
        &self,
        dependent_id: &PackageId,
        dependent_version: &Version,
+        dependent_volumes: &Volumes,
        dependency_config: &Config,
    ) -> Result<Result<(), String>, Error> {
        Ok(self
            .check
-            .sandboxed(dependent_id, dependent_version, Some(dependency_config))
+            .sandboxed(
+                dependent_id,
+                dependent_version,
+                dependent_volumes,
+                Some(dependency_config),
+            )
            .await?
            .map_err(|(_, e)| e))
    }
@@ -227,10 +240,16 @@ impl DependencyConfig {
        &self,
        dependent_id: &PackageId,
        dependent_version: &Version,
+        dependent_volumes: &Volumes,
        old: &Config,
    ) -> Result<Config, Error> {
        self.auto_configure
-            .sandboxed(dependent_id, dependent_version, Some(old))
+            .sandboxed(
+                dependent_id,
+                dependent_version,
+                dependent_volumes,
+                Some(old),
+            )
            .await?
            .map_err(|e| Error::new(anyhow!("{}", e.1), crate::ErrorKind::AutoConfigure))
    }
--- a/appmgr/src/status/mod.rs
+++ b/appmgr/src/status/mod.rs
@@ -337,7 +337,14 @@ impl DependencyErrors {
                        crate::ErrorKind::Dependency,
                    )
                })?
-                .satisfied(db, dep_id, None, &manifest.id, &manifest.version)
+                .satisfied(
+                    db,
+                    dep_id,
+                    None,
+                    &manifest.id,
+                    &manifest.version,
+                    &manifest.volumes,
+                )
                .await?
            {
                res.insert(dep_id.clone(), e);