author | James E. Blair <jim@acmegating.com> | 2022-03-28 09:40:22 -0700 |
committer | James E. Blair <jim@acmegating.com> | 2022-03-28 15:44:19 -0700 |
commit | a190e35bb8039dad5336e658ac7947adebbb6da6 (patch) | |
tree | 5fbe9b753fb412a8340ff9f7c0f6e963b3be06aa | |
parent | 9bd930110955438ca4b6721c39b6e685e33e1fab (diff) | |
Add a note about bwrap and setsid
https://github.com/containers/bubblewrap/issues/142 is relevant to
us, however our use of start_new_session in popen effectively
avoids the issue. Add a note to that effect so that we don't
accidentally open a vulnerability later.
Also, clean up some py2-only code.
Change-Id: Icd4adee32f35c478661dc2d657cf6c9e55e1f7b5
-rw-r--r-- | zuul/driver/bubblewrap/__init__.py | 17 | ||||
-rw-r--r-- | zuul/executor/server.py | 2 |
2 files changed, 7 insertions, 12 deletions
diff --git a/zuul/driver/bubblewrap/__init__.py b/zuul/driver/bubblewrap/__init__.py
index 71919eb7b..69ade4748 100644
--- a/zuul/driver/bubblewrap/__init__.py
+++ b/zuul/driver/bubblewrap/__init__.py
@@ -22,7 +22,6 @@ import os
 import psutil
 import pwd
 import shlex
-import sys
 import threading
 import re
 import struct
@@ -41,17 +40,11 @@ class WrappedPopen(object):
     def __call__(self, args, *sub_args, **kwargs):
         try:
             args = self.command + args
-            if kwargs.get('close_fds') or sys.version_info.major >= 3:
-                # The default in py3 is close_fds=True, so we need to pass
-                # our open fds in. However, this can only work right in
-                # py3.2 or later due to the lack of 'pass_fds' in prior
-                # versions. So until we are py3 only we can only bwrap
-                # things that are close_fds=False
-                pass_fds = list(kwargs.get('pass_fds', []))
-                for fd in self.fds:
-                    if fd not in pass_fds:
-                        pass_fds.append(fd)
-                kwargs['pass_fds'] = pass_fds
+            pass_fds = list(kwargs.get('pass_fds', []))
+            for fd in self.fds:
+                if fd not in pass_fds:
+                    pass_fds.append(fd)
+            kwargs['pass_fds'] = pass_fds
             proc = psutil.Popen(args, *sub_args, **kwargs)
         finally:
             self.__del__()
diff --git a/zuul/executor/server.py b/zuul/executor/server.py
index 59bee9ddd..158042be4 100644
--- a/zuul/executor/server.py
+++ b/zuul/executor/server.py
@@ -2829,6 +2829,8 @@ class AnsibleJob(object):
             stdin=subprocess.DEVNULL,
             stdout=subprocess.PIPE,
             stderr=subprocess.STDOUT,
+            # Either this must be present, or we need the
+            # --new-session argument for bwrap.
             start_new_session=True,
             env=env_copy,
         )
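Review bot: Dropping the py2 guard in WrappedPopen.__call__ also drops the only comment that explained why self.fds are merged into pass_fds, so the new block reads as an unmotivated kwargs tweak. The removed comment's still-valid half is worth keeping above the new `pass_fds = list(...)` line, for example `# Popen defaults to close_fds=True, so the fds bwrap must read have to be passed through explicitly.` The method body continues into the hunk's trailing `finally: self.__del__()`, whose relation to these fds is not visible here, so a reader has no way to see that the fds stay open long enough for the child without that note.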
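Review bot: The new comment in AnsibleJob says start_new_session=True and bwrap's --new-session are interchangeable but not why, so the security rationale the commit message gives lives only in git history. Suggest carrying the reference into the code, e.g. `# Keeps the child out of the executor's controlling terminal/session (setsid); see https://github.com/containers/bubblewrap/issues/142. Removing this requires passing --new-session to bwrap instead.` If the project has unit coverage of this Popen call, an assertion that the kwargs include `start_new_session=True` would protect the invariant better than a comment alone; I cannot see from the hunk whether such a test exists. The enclosing Popen call and method begin outside the hunk.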