From 8b1daabb0508bafc34834366879244a25d11e5e3 Mon Sep 17 00:00:00 2001 From: Aiden McClelland Date: Mon, 16 Aug 2021 17:48:45 -0600 Subject: [PATCH] allow access to readonly volumes during sandboxed --- appmgr/src/action/docker.rs | 5 +++-- appmgr/src/action/mod.rs | 3 ++- appmgr/src/config/mod.rs | 12 +++++------- appmgr/src/dependencies.rs | 25 ++++++++++++++++++++++--- appmgr/src/status/mod.rs | 9 ++++++++- 5 files changed, 40 insertions(+), 14 deletions(-) diff --git a/appmgr/src/action/docker.rs b/appmgr/src/action/docker.rs index a3a1d06ad..977daf3f3 100644 --- a/appmgr/src/action/docker.rs +++ b/appmgr/src/action/docker.rs @@ -10,7 +10,7 @@ use serde_json::Value; use crate::id::{Id, ImageId}; use crate::s9pk::manifest::{PackageId, SYSTEM_PACKAGE_ID}; use crate::util::{IoFormat, Version}; -use crate::volume::{VolumeId, Volumes}; +use crate::volume::{Volume, VolumeId, Volumes}; use crate::{Error, ResultExt, HOST_IP}; pub const NET_TLD: &'static str = "embassy"; @@ -110,12 +110,13 @@ impl DockerAction { &self, pkg_id: &PackageId, pkg_version: &Version, + volumes: &Volumes, input: Option, ) -> Result, Error> { let mut cmd = tokio::process::Command::new("docker"); cmd.arg("run").arg("--rm").arg("--network=none"); cmd.args( - self.docker_args(pkg_id, pkg_version, &Volumes::default(), false) + self.docker_args(pkg_id, pkg_version, &volumes.to_readonly(), false) .await, ); let input_buf = if let (Some(input), Some(format)) = (&input, &self.io_format) { diff --git a/appmgr/src/action/mod.rs b/appmgr/src/action/mod.rs index db57a9b5a..6d5a7eacb 100644 --- a/appmgr/src/action/mod.rs +++ b/appmgr/src/action/mod.rs @@ -140,11 +140,12 @@ impl ActionImplementation { &self, pkg_id: &PackageId, pkg_version: &Version, + volumes: &Volumes, input: Option, ) -> Result, Error> { match self { ActionImplementation::Docker(action) => { - action.sandboxed(pkg_id, pkg_version, input).await + action.sandboxed(pkg_id, pkg_version, volumes, input).await } } } 
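Review bot: The widened import in appmgr/src/action/docker.rs adds `Volume`, but neither hunk of that file uses it, and the diffstat (5 changed lines) leaves no room for another use, so it appears unused and should trip the unused-import lint. Unless a follow-up needs it, keep the line as `use crate::volume::{VolumeId, Volumes};`.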
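Review bot: `DockerAction::sandboxed` previously passed `Volumes::default()` (presumably an empty set), so after this change the only thing keeping a sandboxed action from writing package data is `volumes.to_readonly()`, whose definition is outside this patch. It is worth confirming that it forces read-only on every volume kind a manifest can declare and that `docker_args` honours the flag for each, then pinning that with a unit test asserting the generated arguments contain no writable mount. A doc comment on the method would record the contract, e.g. `/// Runs with --network=none and mounts the given volumes read-only.` The same comment belongs on the pass-through `ActionImplementation::sandboxed` in action/mod.rs. The body of `sandboxed` continues past the hunk.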
diff --git a/appmgr/src/config/mod.rs b/appmgr/src/config/mod.rs index 93345c1f8..afe8fa7dd 100644 --- a/appmgr/src/config/mod.rs +++ b/appmgr/src/config/mod.rs @@ -509,13 +509,11 @@ pub fn configure<'a, Db: DbHandle>( .get(db, true) .await? { - let version = dependent_model - .clone() - .manifest() - .version() - .get(db, true) - .await?; - if let Err(error) = cfg.check(dependent, &*version, &config).await? { + let manifest = dependent_model.clone().manifest().get(db, true).await?; + if let Err(error) = cfg + .check(dependent, &manifest.version, &manifest.volumes, &config) + .await? + { let dep_err = DependencyError::ConfigUnsatisfied { error }; handle_broken_dependents( db, diff --git a/appmgr/src/dependencies.rs b/appmgr/src/dependencies.rs index 4c8a7c99f..e343707a0 100644 --- a/appmgr/src/dependencies.rs +++ b/appmgr/src/dependencies.rs @@ -13,6 +13,7 @@ use crate::s9pk::manifest::PackageId; use crate::status::health_check::{HealthCheckId, HealthCheckResult, HealthCheckResultVariant}; use crate::status::{DependencyErrors, MainStatus, Status}; use crate::util::Version; +use crate::volume::Volumes; use crate::{Error, ResultExt as _}; #[derive(Clone, Debug, thiserror::Error, Serialize, Deserialize)] @@ -136,6 +137,7 @@ impl DepInfo { dependency_config: Option, // fetch if none dependent_id: &PackageId, dependent_version: &Version, + dependent_volumes: &Volumes, ) -> Result, Error> { let (manifest, info) = if let Some(dep_model) = crate::db::DatabaseModel::new() .package_data() @@ -170,7 +172,12 @@ impl DepInfo { }; if let Some(cfg_req) = &self.config { if let Err(e) = cfg_req - .check(dependent_id, dependent_version, &dependency_config) + .check( + dependent_id, + dependent_version, + dependent_volumes, + &dependency_config, + ) .await { if e.kind == crate::ErrorKind::ConfigRulesViolation { 
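Review bot: The new `dependent_volumes` argument of `DepInfo::satisfied` is not tied by type to `dependent_id` and `dependent_version`, so nothing prevents a caller from passing another package's volume set, which would then be mounted read-only into the dependent's check container. The call sites visible in this patch take version and volumes from the same manifest, which is the right pairing, but the requirement is only implicit. A doc comment should state it, e.g. `/// dependent_volumes must come from the same manifest as dependent_id and dependent_version.` The same applies to `DependencyConfig::check` and `DependencyConfig::auto_configure` in the later hunks of this file. `satisfied` starts and ends outside the hunk.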
@@ -215,11 +222,17 @@ impl DependencyConfig { &self, dependent_id: &PackageId, dependent_version: &Version, + dependent_volumes: &Volumes, dependency_config: &Config, ) -> Result, Error> { Ok(self .check - .sandboxed(dependent_id, dependent_version, Some(dependency_config)) + .sandboxed( + dependent_id, + dependent_version, + dependent_volumes, + Some(dependency_config), + ) .await? .map_err(|(_, e)| e)) } @@ -227,10 +240,16 @@ impl DependencyConfig { &self, dependent_id: &PackageId, dependent_version: &Version, + dependent_volumes: &Volumes, old: &Config, ) -> Result { self.auto_configure - .sandboxed(dependent_id, dependent_version, Some(old)) + .sandboxed( + dependent_id, + dependent_version, + dependent_volumes, + Some(old), + ) .await? .map_err(|e| Error::new(anyhow!("{}", e.1), crate::ErrorKind::AutoConfigure)) } diff --git a/appmgr/src/status/mod.rs b/appmgr/src/status/mod.rs index 6f64a37a5..73c816854 100644 --- a/appmgr/src/status/mod.rs +++ b/appmgr/src/status/mod.rs @@ -337,7 +337,14 @@ impl DependencyErrors { crate::ErrorKind::Dependency, ) })? - .satisfied(db, dep_id, None, &manifest.id, &manifest.version) + .satisfied( + db, + dep_id, + None, + &manifest.id, + &manifest.version, + &manifest.volumes, + ) .await? { res.insert(dep_id.clone(), e);