diff options
| author | Tobias Henkel <tobias.henkel@bmw.de> | 2020-07-20 18:12:07 +0200 |
|---|---|---|
| committer | Tobias Henkel <tobias.henkel@bmw.de> | 2020-07-21 19:20:24 +0200 |
| commit | 49fe527edb2c27f67c074be72e3fb6d665400de7 (patch) | |
| tree | 2e851a40b29cbe15ca9a36b92f6cfe728d0eb3d8 /zuul/executor/server.py | |
| parent | 6161ad75a83cd8e8c3bd347ea7f40b0e2d6b5c33 (diff) | |
| download | zuul-49fe527edb2c27f67c074be72e3fb6d665400de7.tar.gz | |
Block localhost shell tasks in untrusted playbooks
Zuul was designed to block local code execution in untrusted
environments to not only rely on bwrap to contain a job. This got
broken since the creation of a command plugin that injects the
zuul_job_id which is required for log streaming. However this plugin
doesn't do a check if the task is a localhost task. Further it is
required in trusted and untrusted environments due to log
streaming. Thus we need to fork this plugin and restrict the variant
that is used in untrusted environments.
We do this by moving actiongeneral/command.py back to action/*. We
further introduce a new catecory actiontrusted which gets the
unrestricted version of this plugin.
Change-Id: If81cc46bcae466f4c071badf09a8a88469ae6779
Story: 2007935
Task: 40391
Diffstat (limited to 'zuul/executor/server.py')
| -rw-r--r-- | zuul/executor/server.py | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/zuul/executor/server.py b/zuul/executor/server.py index 2b08d5bc7..4e909491a 100644 --- a/zuul/executor/server.py +++ b/zuul/executor/server.py @@ -859,6 +859,7 @@ class AnsibleJob(object): self.library_dir = os.path.join(plugin_dir, 'library') self.action_dir = os.path.join(plugin_dir, 'action') self.action_dir_general = os.path.join(plugin_dir, 'actiongeneral') + self.action_dir_trusted = os.path.join(plugin_dir, 'actiontrusted') self.callback_dir = os.path.join(plugin_dir, 'callback') self.lookup_dir = os.path.join(plugin_dir, 'lookup') self.filter_dir = os.path.join(plugin_dir, 'filter') @@ -2049,13 +2050,22 @@ class AnsibleJob(object): # 10s to respond config.write('timeout = 30\n') - # We need at least the general action dir as this overwrites the - # command action plugin for log streaming. + # We need the general action dir to make the zuul_return plugin + # available to every job. action_dirs = [self.action_dir_general] if not trusted: + # Untrusted jobs add the action dir which makes sure localhost + # modules are restricted where needed. Further the command + # plugin needs to be restricted and also inject zuul_log_id + # to make log streaming work. action_dirs.append(self.action_dir) config.write('lookup_plugins = %s\n' % self.lookup_dir) + else: + # Trusted jobs add the actiontrusted dir which adds the + # unrestricted command plugin to inject zuul_log_id to make + # log streaming work. + action_dirs.append(self.action_dir_trusted) config.write('action_plugins = %s\n' % ':'.join(action_dirs)) |