Merge pull request #802 from stgraber/main

Various bugfixes
lxc · Apr 29, 2024 · 008d418 · 008d418
2 parents e2842dd + c50747f
commit 008d418
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 7 deletions.
diff --git a/cmd/incus/storage.go b/cmd/incus/storage.go
@@ -123,6 +123,12 @@ func (c *cmdStorageCreate) Run(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	// Require a proper driver name.
+	if strings.Contains(args[1], "=") {
+		_ = cmd.Help()
+		return fmt.Errorf(i18n.G("Invalid number of arguments"))
+	}
+
 	// If stdin isn't a terminal, read text from it
 	if !termios.IsTerminal(getStdinFd()) {
 		contents, err := io.ReadAll(os.Stdin)

diff --git a/cmd/incusd/api_internal.go b/cmd/incusd/api_internal.go
@@ -732,7 +732,7 @@ func internalImportFromBackup(ctx context.Context, s *state.State, projectName s
 		return err
 	})
 	if err != nil {
-		return fmt.Errorf("Failed loading profiles for instance: %w", err)
+		return fmt.Errorf("Failed loading profiles (%v) for instance: %w", strings.Join(backupConf.Container.Profiles, ", "), err)
 	}
 
 	// Add root device if needed.
@@ -844,7 +844,7 @@ func internalImportFromBackup(ctx context.Context, s *state.State, projectName s
 			return err
 		})
 		if err != nil {
-			return fmt.Errorf("Failed loading profiles for instance snapshot %q: %w", snapInstName, err)
+			return fmt.Errorf("Failed loading profiles (%v) for instance snapshot %q: %w", strings.Join(snap.Profiles, ", "), snapInstName, err)
 		}
 
 		// Add root device if needed.

diff --git a/internal/server/apparmor/instance_lxc.go b/internal/server/apparmor/instance_lxc.go
@@ -73,7 +73,6 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
   deny /proc/kcore rwklx,
   deny /proc/sysrq-trigger rwklx,
   deny /proc/acpi/** rwklx,
-  deny /proc/sys/fs/** wklx,
 
   # Handle securityfs (access handled separately)
   mount fstype=securityfs -> /sys/kernel/security/,
@@ -322,7 +321,21 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
   mount options=(rw,move) /sys?*{,/**},
 
   # Block dangerous paths under /proc/sys
-  deny /proc/sys/[^kn]*{,/**} wklx,
+  deny /proc/sys/[^fkn]*{,/**} wklx,
+  deny /proc/sys/f[^s]*{,/**} wklx,
+  deny /proc/sys/fs/[^b]*{,/**} wklx,
+  deny /proc/sys/fs/b[^i]*{,/**} wklx,
+  deny /proc/sys/fs/bi[^n]*{,/**} wklx,
+  deny /proc/sys/fs/bin[^f]*{,/**} wklx,
+  deny /proc/sys/fs/binf[^m]*{,/**} wklx,
+  deny /proc/sys/fs/binfm[^t]*{,/**} wklx,
+  deny /proc/sys/fs/binfmt[^_]*{,/**} wklx,
+  deny /proc/sys/fs/binfmt_[^m]*{,/**} wklx,
+  deny /proc/sys/fs/binfmt_m[^i]*{,/**} wklx,
+  deny /proc/sys/fs/binfmt_mi[^s]*{,/**} wklx,
+  deny /proc/sys/fs/binfmt_mis[^c]*{,/**} wklx,
+  deny /proc/sys/fs/binfmt_misc?*{,/**} wklx,
+  deny /proc/sys/fs?*{,/**} wklx,
   deny /proc/sys/k[^e]*{,/**} wklx,
   deny /proc/sys/ke[^r]*{,/**} wklx,
   deny /proc/sys/ker[^n]*{,/**} wklx,
@@ -361,7 +374,7 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
   deny /proc/sys/net?*{,/**} wklx,
 
   # Block dangerous paths under /sys
-  deny /sys/[^fdck]*{,/**} wklx,
+  deny /sys/[^fdc]*{,/**} wklx,
   deny /sys/c[^l]*{,/**} wklx,
   deny /sys/cl[^a]*{,/**} wklx,
   deny /sys/cla[^s]*{,/**} wklx,
@@ -391,7 +404,7 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
   deny /sys/devices/virtual?*{,/**} wklx,
   deny /sys/devices?*{,/**} wklx,
   deny /sys/f[^s]*{,/**} wklx,
-  deny /sys/fs/[^cb]*{,/**} wklx,
+  deny /sys/fs/[^bc]*{,/**} wklx,
   deny /sys/fs/b[^p]*{,/**} wklx,
   deny /sys/fs/bp[^f]*{,/**} wklx,
   deny /sys/fs/bpf?*{,/**} wklx,

diff --git a/internal/server/storage/backend.go b/internal/server/storage/backend.go
@@ -760,6 +760,18 @@ func (b *backend) CreateInstanceFromBackup(srcBackup backup.Info, srcData io.Rea
 		volumeConfig = srcBackup.Config.Volume.Config
 	}
 
+	// Get instance root size information.
+	if srcBackup.Config != nil && srcBackup.Config.Container != nil {
+		_, rootConfig, err := internalInstance.GetRootDiskDevice(srcBackup.Config.Container.ExpandedDevices)
+		if err == nil && rootConfig["size"] != "" {
+			if volumeConfig == nil {
+				volumeConfig = map[string]string{}
+			}
+
+			volumeConfig["size"] = rootConfig["size"]
+		}
+	}
+
 	vol := b.GetVolume(volType, contentType, volStorageName, volumeConfig)
 
 	importRevert := revert.New()
@@ -795,6 +807,11 @@ func (b *backend) CreateInstanceFromBackup(srcBackup backup.Info, srcData io.Rea
 		})
 	}
 
+	// Make sure the size isn't part of the instance volume after initial creation.
+	if volumeConfig != nil {
+		delete(volumeConfig, "size")
+	}
+
 	// Update information in the backup.yaml file.
 	err = vol.MountTask(func(mountPath string, op *operations.Operation) error {
 		return backup.UpdateInstanceConfig(b.state.DB.Cluster, srcBackup, mountPath)

diff --git a/internal/server/storage/drivers/driver_dir.go b/internal/server/storage/drivers/driver_dir.go
@@ -77,7 +77,8 @@ func (d *dir) Create() error {
 
 	// Check that if within INCUS_DIR, we're at our expected spot.
 	cleanSource := filepath.Clean(sourcePath)
-	if strings.HasPrefix(cleanSource, internalUtil.VarPath()) && cleanSource != GetPoolMountPath(d.name) {
+	varPath := strings.TrimRight(internalUtil.VarPath(), "/") + "/"
+	if (cleanSource == internalUtil.VarPath() || strings.HasPrefix(cleanSource, varPath)) && cleanSource != GetPoolMountPath(d.name) {
 		return fmt.Errorf("Source path '%s' is within the Incus directory", cleanSource)
 	}