File: commands_runsecurity.go

singularity-container 4.1.5%2Bds4-1
//go:build dfrunsecurity
// +build dfrunsecurity

package instructions

import (
	"github.com/pkg/errors"
)

// Values accepted for the "security" flag of a RUN instruction.
const (
	// SecurityInsecure is the literal "insecure".
	// NOTE(review): presumably this asks for the step to run without the
	// sandbox. This file only validates the spelling; any authorization of
	// an insecure step must be enforced by whatever consumes GetSecurity.
	// Confirm that gate exists.
	SecurityInsecure = "insecure"
	// SecuritySandbox is the literal "sandbox". It is also the default the
	// pre-hook registers for the flag.
	SecuritySandbox = "sandbox"
)

// allowedSecurity is the allowlist of security modes. A value missing from
// this set is rejected by isValidSecurity.
var allowedSecurity = map[string]struct{}{
	SecurityInsecure: {},
	SecuritySandbox:  {},
}

// isValidSecurity reports whether value is one of the allowlisted security
// modes. The match is an exact, case-sensitive map lookup, so the empty
// string, different casing and padded input are all rejected.
func isValidSecurity(value string) bool {
	_, known := allowedSecurity[value]
	return known
}

// securityKey is the key under which a RunCommand stores its
// *securityState as an external value.
var securityKey = "dockerfile/run/security"

// init hooks the security flag handling into RUN parsing. The file carries
// the dfrunsecurity build constraint, so this registration only exists in
// builds made with that tag.
func init() {
	// The two appends touch different slices, so their order is irrelevant.
	parseRunPostHooks = append(parseRunPostHooks, runSecurityPostHook)
	parseRunPreHooks = append(parseRunPreHooks, runSecurityPreHook)
}

// runSecurityPreHook declares the "security" string flag on the request,
// with SecuritySandbox as its default, and stores the resulting state on
// cmd under securityKey so the post-hook can validate it. It always
// returns nil.
func runSecurityPreHook(cmd *RunCommand, req parseRequest) error {
	state := &securityState{
		// Defaulting to the sandbox means an omitted flag never selects
		// the insecure mode.
		flag: req.flags.AddString("security", SecuritySandbox),
	}
	cmd.setExternalValue(securityKey, state)
	return nil
}

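// runSecurityPostHook validates the value of the "security" flag and, when
// it is allowlisted, records it on the command's security state.
//
// It returns an error when no usable security state is attached to cmd, or
// when the flag value is not one of the modes accepted by isValidSecurity.
// The validated value is only written to the state after that check passes.
//
// NOTE(review): this is a syntactic check only. Accepting "insecure" here
// does not authorize it; the consumer of GetSecurity must still decide
// whether an insecure step is permitted.
func runSecurityPostHook(cmd *RunCommand, req parseRequest) error {
	// Use the checked form of the type assertion. The unchecked form panics
	// when the stored value is missing or has another type, so the nil
	// check below was never reached in the "no state" case it reports.
	st, ok := cmd.getExternalValue(securityKey).(*securityState)
	if !ok || st == nil || st.flag == nil {
		return errors.Errorf("no security state")
	}

	value := st.flag.Value
	if !isValidSecurity(value) {
		return errors.Errorf("security %q is not valid", value)
	}

	st.security = value

	return nil
}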

// GetSecurity returns the security mode recorded on cmd by the RUN
// post-hook.
//
// The type assertion is unchecked: it panics if cmd has no *securityState
// stored under securityKey. The result is the empty string if the state
// exists but the post-hook has not stored a validated value yet. Callers
// making an isolation decision should compare against SecurityInsecure or
// SecuritySandbox explicitly rather than treating "not sandbox" as one case.
func GetSecurity(cmd *RunCommand) string {
	st := cmd.getExternalValue(securityKey).(*securityState)
	return st.security
}

// securityState is the per-RUN-command record of the "security" flag. It is
// created by runSecurityPreHook and completed by runSecurityPostHook.
type securityState struct {
	// flag is the flag handle returned by AddString in the pre-hook. Its
	// Value is read in the post-hook.
	flag     *Flag
	// security is the allowlist-validated mode. It is assigned only in the
	// post-hook and stays empty until then.
	security string
}