client: unveil /etc/ssh/ssh_known_hosts for artifact downloads (#17122)

This PR fixes a bug where nodes configured with populated /etc/ssh/ssh_known_hosts files would be unable to read them during artifact downloading. Fixes #17086
2023-05-09 09:43:52 -05:00 · 2023-05-09 09:43:52 -05:00 · 6f4992ef29
parent 74714272cc
commit 6f4992ef29
2 changed files with 46 additions and 24 deletions
--- a/client/allocrunner/taskrunner/getter/util_linux.go
+++ b/client/allocrunner/taskrunner/getter/util_linux.go
@ -75,17 +75,19 @@ func lockdown(allocDir, taskDir string) error {

 func additionalFilesForVCS() []*landlock.Path {
 	const (
-		sshDir        = ".ssh"                  // git ssh
-		knownHosts    = ".ssh/known_hosts"      // git ssh
-		etcPasswd     = "/etc/passwd"           // git ssh
-		gitGlobalFile = "/etc/gitconfig"        // https://git-scm.com/docs/git-config#SCOPES
-		hgGlobalFile  = "/etc/mercurial/hgrc"   // https://www.mercurial-scm.org/doc/hgrc.5.html#files
-		hgGlobalDir   = "/etc/mercurial/hgrc.d" // https://www.mercurial-scm.org/doc/hgrc.5.html#files
+		homeSSHDir     = ".ssh"                     // git ssh
+		homeKnownHosts = ".ssh/known_hosts"         // git ssh
+		etcPasswd      = "/etc/passwd"              // git ssh
+		etcKnownHosts  = "/etc/ssh/ssh_known_hosts" // git ssh
+		gitGlobalFile  = "/etc/gitconfig"           // https://git-scm.com/docs/git-config#SCOPES
+		hgGlobalFile   = "/etc/mercurial/hgrc"      // https://www.mercurial-scm.org/doc/hgrc.5.html#files
+		hgGlobalDir    = "/etc/mercurial/hgrc.d"    // https://www.mercurial-scm.org/doc/hgrc.5.html#files
 	)
 	return filesForVCS(
-		sshDir,
-		knownHosts,
+		homeSSHDir,
+		homeKnownHosts,
 		etcPasswd,
+		etcKnownHosts,
 		gitGlobalFile,
 		hgGlobalFile,
 		hgGlobalDir,
@ -93,34 +95,38 @@ func additionalFilesForVCS() []*landlock.Path {
 }

 func filesForVCS(
-	sshDir,
-	knownHosts,
+	homeSSHDir,
+	homeKnownHosts,
 	etcPasswd,
+	etcKnownHosts,
 	gitGlobalFile,
 	hgGlobalFile,
 	hgGlobalDir string) []*landlock.Path {

 	// omit ssh if there is no home directory
 	home := findHomeDir()
-	sshDir = filepath.Join(home, sshDir)
-	knownHosts = filepath.Join(home, knownHosts)
+	homeSSHDir = filepath.Join(home, homeSSHDir)
+	homeKnownHosts = filepath.Join(home, homeKnownHosts)

-	// only add if a path exists
+	// detect if p exists
 	exists := func(p string) bool {
 		_, err := os.Stat(p)
 		return err == nil
 	}

 	result := make([]*landlock.Path, 0, 6)
-	if exists(sshDir) {
-		result = append(result, landlock.Dir(sshDir, "r"))
+	if exists(homeSSHDir) {
+		result = append(result, landlock.Dir(homeSSHDir, "r"))
 	}
-	if exists(knownHosts) {
-		result = append(result, landlock.File(knownHosts, "rw"))
+	if exists(homeKnownHosts) {
+		result = append(result, landlock.File(homeKnownHosts, "rw"))
 	}
 	if exists(etcPasswd) {
 		result = append(result, landlock.File(etcPasswd, "r"))
 	}
+	if exists(etcKnownHosts) {
+		result = append(result, landlock.File(etcKnownHosts, "r"))
+	}
 	if exists(gitGlobalFile) {
 		result = append(result, landlock.File(gitGlobalFile, "r"))
 	}
--- a/client/allocrunner/taskrunner/getter/util_linux_test.go
+++ b/client/allocrunner/taskrunner/getter/util_linux_test.go
@ -32,8 +32,8 @@ func TestUtil_loadVersionControlGlobalConfigs(t *testing.T) {
 	t.Setenv("HOME", fakeHome)

 	const (
-		ssh        = ".ssh"
-		knownHosts = ".ssh/known_hosts"
+		homeSSH        = ".ssh"
+		homeKnownHosts = ".ssh/known_hosts"
 	)

 	var (
@ -41,8 +41,9 @@ func TestUtil_loadVersionControlGlobalConfigs(t *testing.T) {
 		hgFile         = filepath.Join(fakeEtc, "hgrc")
 		hgDir          = filepath.Join(fakeEtc, "hgrc.d")
 		etcPasswd      = filepath.Join(fakeEtc, "passwd")
-		sshDir         = filepath.Join(fakeHome, ssh)
-		knownHostsFile = filepath.Join(fakeHome, knownHosts)
+		etcKnownHosts  = filepath.Join(fakeEtc, "ssh/ssh_known_hosts")
+		sshDir         = filepath.Join(fakeHome, homeSSH)
+		knownHostsFile = filepath.Join(fakeHome, homeKnownHosts)
 	)

 	err := os.WriteFile(gitConfig, []byte("git"), filePerm)
@ -54,20 +55,35 @@ func TestUtil_loadVersionControlGlobalConfigs(t *testing.T) {
 	err = os.Mkdir(hgDir, dirPerm)
 	must.NoError(t, err)

-	err = os.WriteFile(etcPasswd, []byte("x:y:z"), filePerm)
+	err = os.WriteFile(etcPasswd, []byte("etc passwd"), filePerm)
+	must.NoError(t, err)
+
+	err = os.Mkdir(filepath.Join(fakeEtc, "ssh"), dirPerm)
+	must.NoError(t, err)
+
+	err = os.WriteFile(etcKnownHosts, []byte("etc known hosts"), filePerm)
 	must.NoError(t, err)

 	err = os.Mkdir(sshDir, dirPerm)
 	must.NoError(t, err)

-	err = os.WriteFile(knownHostsFile, []byte("abc123"), filePerm)
+	err = os.WriteFile(knownHostsFile, []byte("home known hosts"), filePerm)
 	must.NoError(t, err)

-	paths := filesForVCS(ssh, knownHosts, etcPasswd, gitConfig, hgFile, hgDir)
+	paths := filesForVCS(
+		homeSSH,
+		homeKnownHosts,
+		etcPasswd,
+		etcKnownHosts,
+		gitConfig,
+		hgFile,
+		hgDir,
+	)
 	must.SliceEqual(t, []*landlock.Path{
 		landlock.Dir(sshDir, "r"),
 		landlock.File(knownHostsFile, "rw"),
 		landlock.File(etcPasswd, "r"),
+		landlock.File(etcKnownHosts, "r"),
 		landlock.File(gitConfig, "r"),
 		landlock.File(hgFile, "r"),
 		landlock.Dir(hgDir, "r"),