pezkuwichain/pezkuwi-subxt
1
0
Fork 0
mirror of https://github.com/pezkuwichain/pezkuwi-subxt.git synced 2026-06-18 17:41:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

PVF: fix detection of unshare-and-change-root security capability (#2304)

Browse Source
This commit is contained in:
Marcin S
2023-11-14 15:03:19 +01:00
committed by GitHub
parent 39cc95740a
commit 7cfc233cdc
8 changed files with 32 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
polkadot/node/core/pvf/src/security.rs
+18 -2
View File
@@ -27,14 +27,19 @@ const SECURE_MODE_ANNOUNCEMENT: &'static str =
\nMore information: https://wiki.polkadot.network/docs/maintain-guides-secure-validator#secure-validator-mode";
/// Run checks for supported security features.
///
/// # Return
///
/// Returns the set of security features that we were able to enable. If an error occurs while
/// enabling a security feature we set the corresponding status to `false`.
pub async fn check_security_status(config: &Config) -> SecurityStatus {
let Config { prepare_worker_program_path, .. } = config;
let Config { prepare_worker_program_path, cache_path, .. } = config;
// TODO: add check that syslog is available and that seccomp violations are logged?
let (landlock, seccomp, change_root) = join!(
check_landlock(prepare_worker_program_path),
check_seccomp(prepare_worker_program_path),
check_can_unshare_user_namespace_and_change_root(prepare_worker_program_path)
check_can_unshare_user_namespace_and_change_root(prepare_worker_program_path, cache_path)
);
let security_status = SecurityStatus {
@@ -149,11 +154,22 @@ fn print_secure_mode_message(errs: Vec<SecureModeError>) -> bool {
async fn check_can_unshare_user_namespace_and_change_root(
#[cfg_attr(not(target_os = "linux"), allow(unused_variables))]
prepare_worker_program_path: &Path,
#[cfg_attr(not(target_os = "linux"), allow(unused_variables))] cache_path: &Path,
) -> SecureModeResult {
cfg_if::cfg_if! {
if #[cfg(target_os = "linux")] {
let cache_dir_tempdir =
crate::worker_intf::tmppath_in("check-can-unshare", cache_path)
.await
.map_err(
|err|
SecureModeError::CannotUnshareUserNamespaceAndChangeRoot(
format!("could not create a temporary directory in {:?}: {}", cache_path, err)
)
)?;
match tokio::process::Command::new(prepare_worker_program_path)
.arg("--check-can-unshare-user-namespace-and-change-root")
.arg(cache_dir_tempdir)
.output()
.await
{