Skip to content

fix symlink resolution for noble #200

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dudejas wants to merge 2 commits into
base: master
Choose a base branch
from
Open

fix symlink resolution for noble #200

dudejas wants to merge 2 commits into from

Conversation

@dudejas
Copy link

@dudejas dudejas commented Jan 9, 2026

Fixes #199

aramprice
aramprice reviewed Jan 17, 2026
View reviewed changes
src/bpm/runc/adapter/mount_symlink_test.go
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"

. "bpm/runc/adapter"
Copy link
Member

@aramprice aramprice Jan 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: generally try to avoid dot-imports (ginkgo / gomega being an exception)

aramprice
aramprice reviewed Jan 17, 2026
View reviewed changes
src/bpm/runc/adapter/mount_symlink_test.go
Copy link
Member

@aramprice aramprice Jan 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: this can probably be src/bpm/runc/adapter/mount_test.go since there are unlikely to be more mount_{xyz}_test.go files.

aramprice
aramprice reviewed Jan 17, 2026
View reviewed changes
Copy link
Member

@aramprice aramprice left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the changes, this look good code wise. I would appreciate some other folks looking at it as well, especially to think over any potential security changes from this.

Before this change we allowed an inside-container-mount of an outside-the-container-symlink to resolve at container runtime, from inside the container to the outside-container-symlink-target.

With this change bpm will pre-resolve, not at container runtime, an outside-the-container-symlink to its outside-the-container-symlink-target (not mediated by the container subsystem), and then an inside-the-container-mount will be created which points directly to the outside-the-container-symlink-target

I think this change introduces a difference in the time at which a symlink is resolved (container-creation vs. ad hoc during container runtime)... and I'm curious if this is consequential to the security posture of bpm. I don't think this is the case for the issue mentioned in #199...

I'm wondering if this could have implications in arbitrary cases?

src/bpm/runc/adapter/mount_symlink_test.go
var (
tempDir string
realDir string
symlinkPath string
Copy link
Member

@aramprice aramprice Jan 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: to better reveal intention perhaps this var could be symlinkToRealDir?

src/bpm/runc/adapter/mount_symlink_test.go
err = os.Mkdir(realDir, 0755)
Expect(err).NotTo(HaveOccurred())

symlinkPath = filepath.Join(tempDir, "symlink")
Copy link
Member

@aramprice aramprice Jan 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: similar to the var naming, this value could be "symlink-to-real-directory"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aramprice aramprice aramprice left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

Foundational Infrastructure Working Group
Status: Inbox

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Fix Symlink Resolution in Bind Mounts for Noble Stemcell Compatibility

2 participants

@dudejas @aramprice