Accommodate multiple networks in --network request

apptainer · Apr 8, 2021 · 34d5cf7 · 34d5cf7
1 parent e66004d
commit 34d5cf7
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 4 deletions.
diff --git a/e2e/config/config.go b/e2e/config/config.go
@@ -538,6 +538,49 @@ func (c configTests) configGlobalCombination(t *testing.T) {
 			},
 			exit: 0,
 		},
+		{
+			name: "AllowNetNetworksMultiMulti",
+			// Two networks allowed, asking for both
+			argv:    []string{"--net", "--network", "bridge,ptp", c.env.ImagePath, "true"},
+			profile: e2e.UserProfile,
+			directives: map[string]string{
+				"allow net users":    u.Name,
+				"allow net networks": "bridge,ptp",
+			},
+			exit: 0,
+		},
+		{
+			// Two networks allowed, asking for one
+			name:    "AllowNetNetworksMultiOne",
+			argv:    []string{"--net", "--network", "ptp", c.env.ImagePath, "true"},
+			profile: e2e.UserProfile,
+			directives: map[string]string{
+				"allow net users":    u.Name,
+				"allow net networks": "bridge,ptp",
+			},
+			exit: 0,
+		},
+		{
+			// One network allowed, but asking for two
+			name:    "AllowNetNetworksOneMulti",
+			argv:    []string{"--net", "--network", "bridge,ptp", c.env.ImagePath, "true"},
+			profile: e2e.UserProfile,
+			directives: map[string]string{
+				"allow net users":    u.Name,
+				"allow net networks": "bridge",
+			},
+			exit: 255,
+		},
+		{
+			// No networks allowed, asking for two
+			name:    "AllowNetNetworksNoneMulti",
+			argv:    []string{"--net", "--network", "bridge,ptp", c.env.ImagePath, "true"},
+			profile: e2e.UserProfile,
+			directives: map[string]string{
+				"allow net users": u.Name,
+			},
+			exit: 255,
+		},
 	}
 
 	for _, tt := range tests {

diff --git a/internal/pkg/runtime/engine/singularity/container_linux.go b/internal/pkg/runtime/engine/singularity/container_linux.go
@@ -2257,8 +2257,16 @@ func (c *container) prepareNetworkSetup(system *mount.System, pid int) (func(con
 		if err != nil {
 			return nil, err
 		}
-		// Is the requested network in the list of networks allowed for unpriv CNI?
-		allowedNetNetwork := slice.ContainsString(c.engine.EngineConfig.File.AllowNetNetworks, net)
+		// Is/are the requested network(s) in the list of networks allowed for unpriv CNI?
+		allowedNetNetwork := false
+		for _, n := range strings.Split(net, ",") {
+			allowedNetNetwork = slice.ContainsString(c.engine.EngineConfig.File.AllowNetNetworks, n)
+			// If any one requested network is not allowed, disallow the whole config
+			if !allowedNetNetwork {
+				sylog.Errorf("Network %s is not permitted for unprivileged users.", n)
+				break
+			}
+		}
 		// User is in the user / groups allowed, and requesting an allowed network?
 		allowedNetUnpriv = (allowedNetUser || allowedNetGroup) && allowedNetNetwork
 	}
@@ -2313,8 +2321,10 @@ func (c *container) prepareNetworkSetup(system *mount.System, pid int) (func(con
 	return func(ctx context.Context) error {
 		if fakeroot || allowedNetUnpriv {
 			// prevent port hijacking between user processes
-			if err := networkSetup.SetPortProtection(net, 0); err != nil {
-				return err
+			for _, n := range strings.Split(net, ",") {
+				if err := networkSetup.SetPortProtection(n, 0); err != nil {
+					return err
+				}
 			}
 			if euid != 0 {
 				priv.Escalate()