Compare path-parts instead of path-strings when filtering mounts

nader-ziada · aramprice · commit 1e53ee597dd5 · 2024-07-09T14:17:30.000-07:00
Check to see whether the "directory parts" of the volume are a sub-set
of and existing BPM-default directory (that will already be mounted) so
that we do not accidentally filter out mounts which have a name that is
a sub-string of the existing job. For example the job `service-metrics`
should be able to have an unrestricted volume mount of the
`service-metrics-adapter` job directory.

Specifically a job located at `/var/vcap/jobs/service-metrics` was
unable to access an "unrestricted volume" located at
`/var/vcap/jobs/service-metrics-adapter` because the job being
instantiated alreay had default mount which was a (string) prefix of the
job directory it was attempting to mount.

Signed-off-by: Rajath Agasthya &lt;rajath.agasthya@broadcom.com&gt;
Signed-off-by: aram price &lt;aram.price@broadcom.com&gt;
diff --git a/src/bpm/runc/adapter/adapter.go b/src/bpm/runc/adapter/adapter.go
@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"
 
 	"code.cloudfoundry.org/bytefmt"
@@ -293,8 +294,18 @@ func filterVolumesUnderBoshMounts(boshMounts []specs.Mount, unrestrictedVolumes
 	for _, v := range unrestrictedVolumes {
 		keep := true
 		for _, m := range boshMounts {
-			if strings.HasPrefix(v.Path, m.Destination) {
-				keep = false
+			// Check to see whether the "directory parts" of the volume are a sub-set of and existing BPM-default
+			// directory (that will already be mounted) so that we do not accidentally filter out mounts which
+			// have a name that is a sub-string of the existing job. For example the job `service-metrics` should be
+			// able to have an unrestricted volume mount of the `service-metrics-adapter` job directory.
+			boshMountDirParts := strings.Split(m.Destination, fmt.Sprintf("%c", filepath.Separator))
+			volumeDirParts := strings.Split(v.Path, fmt.Sprintf("%c", filepath.Separator))
+
+			if len(boshMountDirParts) <= len(volumeDirParts) {
+				volumeDirPartsPrefix := volumeDirParts[:len(boshMountDirParts)]
+				if slices.Compare(boshMountDirParts, volumeDirPartsPrefix) == 0 {
+					keep = false
+				}
 			}
 		}
 
diff --git a/src/bpm/runc/adapter/adapter_test.go b/src/bpm/runc/adapter/adapter_test.go
@@ -869,7 +869,8 @@ var _ = Describe("RuncAdapter", func() {
 						{Path: "/this/is/an/unrestricted/path"},
 						{Path: "/writable/executable/path", Writable: true, AllowExecutions: true},
 						{Path: "/var/vcap/jobs/example/config/config.yml", MountOnly: true},
-						{Path: "/var/vcap/jobs/other/config/config.yml", MountOnly: true},
+						{Path: "/var/vcap/jobs/other/config/config.yml", MountOnly: true, AllowExecutions: true},
+						{Path: "/var/vcap/jobs/example-two/config/config.yml", MountOnly: true, AllowExecutions: true},
 					},
 				}
 			})
@@ -894,7 +895,13 @@ var _ = Describe("RuncAdapter", func() {
 					Destination: "/var/vcap/jobs/other/config/config.yml",
 					Type:        "bind",
 					Source:      "/var/vcap/jobs/other/config/config.yml",
-					Options:     []string{"nodev", "nosuid", "noexec", "rbind", "ro"},
+					Options:     []string{"nodev", "nosuid", "rbind", "exec", "ro"},
+				}))
+				Expect(spec.Mounts).To(HaveMount(specs.Mount{
+					Destination: "/var/vcap/jobs/example-two/config/config.yml",
+					Type:        "bind",
+					Source:      "/var/vcap/jobs/example-two/config/config.yml",
+					Options:     []string{"nodev", "nosuid", "rbind", "exec", "ro"},
 				}))
 			})
 
