docker/buildx
1
0
Fork 0
mirror of https://gitea.com/Lydanne/buildx.git synced 2025-05-18 00:47:48 +08:00
Code Issues Packages Projects Releases 1 Wiki Activity

bake: make FS entitlements error by default

Browse Source 
Change FS entitlements checks from warning to error
by default as expressed in initial PR. Users can still
opt-out with environment variable if the choose to.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
This commit is contained in:
Tonis Tiigi 2024-12-19 16:45:30 -08:00
parent 5c5bc510ac
commit 72c3d4a237
No known key found for this signature in database
GPG Key ID: AFA9DE5F8AB7AF39
2 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
bake/entitlements.go
View File

@ -257,7 +257,7 @@ func (c EntitlementConf) Prompt(ctx context.Context, isRemote bool, out io.Write
fmt.Fprintf(out, "%s %s %s\n\n", strings.Join(args[:idx+1], " "), strings.Join(slices.Concat(flags, flagsFS), " "), strings.Join(args[idx+1:], " ")) fmt.Fprintf(out, "%s %s %s\n\n", strings.Join(args[:idx+1], " "), strings.Join(slices.Concat(flags, flagsFS), " "), strings.Join(args[idx+1:], " "))
} }
fsEntitlementsEnabled := false fsEntitlementsEnabled := true
if isRemote { if isRemote {
if v, ok := os.LookupEnv("BAKE_ALLOW_REMOTE_FS_ACCESS"); ok { if v, ok := os.LookupEnv("BAKE_ALLOW_REMOTE_FS_ACCESS"); ok {
vv, err := strconv.ParseBool(v) vv, err := strconv.ParseBool(v)
@ -265,8 +265,6 @@ func (c EntitlementConf) Prompt(ctx context.Context, isRemote bool, out io.Write
return errors.Wrapf(err, "failed to parse BAKE_ALLOW_REMOTE_FS_ACCESS value %q", v) return errors.Wrapf(err, "failed to parse BAKE_ALLOW_REMOTE_FS_ACCESS value %q", v)
} }
fsEntitlementsEnabled = !vv fsEntitlementsEnabled = !vv
} else {
fsEntitlementsEnabled = true
} }
} }
v, fsEntitlementsSet := os.LookupEnv("BUILDX_BAKE_ENTITLEMENTS_FS") v, fsEntitlementsSet := os.LookupEnv("BUILDX_BAKE_ENTITLEMENTS_FS")
@ -279,11 +277,11 @@ func (c EntitlementConf) Prompt(ctx context.Context, isRemote bool, out io.Write
} }
if !fsEntitlementsEnabled && len(msgs) == 0 { if !fsEntitlementsEnabled && len(msgs) == 0 {
if !fsEntitlementsSet {
fmt.Fprintf(out, "This warning will become an error in a future release. To enable filesystem entitlements checks at the moment, set BUILDX_BAKE_ENTITLEMENTS_FS=1 .\n\n")
}
return nil return nil
} }
if fsEntitlementsEnabled && !fsEntitlementsSet && len(msgsFS) != 0 {
fmt.Fprintf(out, "To disable filesystem entitlements checks, you can set BUILDX_BAKE_ENTITLEMENTS_FS=0 .\n\n")
}
if term { if term {
fmt.Fprintf(out, "Do you want to grant requested privileges and continue? [y/N] ") fmt.Fprintf(out, "Do you want to grant requested privileges and continue? [y/N] ")

4
hack/test-driver
View File

@ -167,7 +167,8 @@ buildxCmd bake ${bakePlatformFlag} \
--file="${bakedef}" \ --file="${bakedef}" \
--builder="${builderName}" \ --builder="${builderName}" \
--set "*.context=${context}" \ --set "*.context=${context}" \
--metadata-file="${context}/metadata-bake-def.json" --metadata-file="${context}/metadata-bake-def.json" \
--allow fs="${context}"
cat "${context}/metadata-bake-def.json" cat "${context}/metadata-bake-def.json"
# bake all target # bake all target
@ -175,6 +176,7 @@ buildxCmd bake ${bakePlatformFlag} \
--file="${bakedef}" \ --file="${bakedef}" \
--builder="${builderName}" \ --builder="${builderName}" \
--set "*.context=${context}" \ --set "*.context=${context}" \
--allow fs="${context}" \
--metadata-file="${context}/metadata-bake-all.json" \ --metadata-file="${context}/metadata-bake-all.json" \
all all
cat "${context}/metadata-bake-all.json" cat "${context}/metadata-bake-all.json"