Alleged fix for docker-compose

Refs #47
noobient · Apr 1, 2020 · 2cbfc58 · 2cbfc58
1 parent 07c6634
commit 2cbfc58
Showing 1 changed file with 26 additions and 4 deletions.
diff --git a/ansible/roles/docker/files/authz.rego b/ansible/roles/docker/files/authz.rego
@@ -20,16 +20,35 @@ unconfined
 # prohibit access to the host file system outside /home
 # which would essentially grant root privileges to the user
 
-valid_host_path_prefixes = {"home/", "proc/", "tmp/.X11-unix", "dev/shm"}
+valid_host_path_prefixes = {"/home/", "/proc/", "/tmp/.X11-unix", "/dev/shm"}
 
 # binds
 # `docker run -v /:/host-root`
 
 host_bind_paths[trimmed]
 {
+    # run example:
+    # /:/host-root
+    #
+    # compose example:
+    # dockertest_shared_vol:/:rw
+
     input.Body.HostConfig.Binds[_] = bind
-    split(bind, ":", parts)
-    trim(parts[0], "/", trimmed)
+
+    # find the first / occurence, it is guaranteed to exist
+    slashindex := indexof(bind, "/")
+
+    # take the remainder, '/:/host-root' or '/:rw'
+    afterslash := substring(bind, slashindex, -1)
+
+    # split into array via ':' delimiter
+    parts := split(afterslash, ":")
+
+    # '/' in both cases, magic!
+    trimmed := parts[0]
+
+    # TODO why did they trim leading slashes?
+    #trim(parts[0], "/", trimmed)
 }
 
 valid_host_bind_paths[host_path]
@@ -50,7 +69,10 @@ valid_bind_mapping_whitelist
 host_mount_paths[trimmed]
 {
     input.Body.HostConfig.Mounts[_] = mount
-    trim(mount.Source, "/", trimmed)
+    trimmed := mount.Source
+
+    # TODO why did they trim leading slashes?
+    #trim(mount.Source, "/", trimmed)
 }
 
 valid_host_mount_paths[host_path]