linux: add src-nofollow & dest-nofollow options

Introduce `src-nofollow` and `dest-nofollow` bind mount options
for more precise control over symbolic link handling.

The `src-nofollow` option enables mounting the source symbolic link
itself, rather than its target.

The `dest-nofollow` option ensures that if the destination path is
a symbolic link, the mount operation replaces the symbolic link
itself, instead of dereferencing it and mounting to its target.

Closes: containers#1761

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Author: giuseppe

crun.1

@@ -661,6 +661,16 @@ destination instead of attempting a mount that would resolve the
 symlink itself.  If the destination already exists and it is not a
 symlink with the expected content, crun will return an error.
 
+.SH dest-nofollow
+When this option is specified for a bind mount, and the destination of
+the bind mount is a symbolic link, \fBcrun\fR will mount the symbolic link
+itself at the target destination.
+
+.SH src-nofollow
+When this option is specified for a bind mount, and the source of the
+bind mount is a symbolic link, \fBcrun\fR will use the symlink itself
+rather than the file or directory the symbolic link points to.
+
 .SH r$FLAG mount options
 If a \fBr$FLAG\fR mount option is specified then the flag \fB$FLAG\fR is set
 recursively for each children mount.

crun.1.md

@@ -571,6 +571,16 @@ destination instead of attempting a mount that would resolve the
 symlink itself.  If the destination already exists and it is not a
 symlink with the expected content, crun will return an error.
 
+## dest-nofollow
+When this option is specified for a bind mount, and the destination of
+the bind mount is a symbolic link, `crun` will mount the symbolic link
+itself at the target destination.
+
+## src-nofollow
+When this option is specified for a bind mount, and the source of the
+bind mount is a symbolic link, `crun` will use the symlink itself
+rather than the file or directory the symbolic link points to.
+
 ## r$FLAG mount options
 
 If a `r$FLAG` mount option is specified then the flag `$FLAG` is set

src/libcrun/linux.c

@@ -2130,14 +2130,27 @@ do_mounts (libcrun_container_t *container, const char *rootfs, libcrun_error_t *
               path = proc_buf;
             }
 
-          ret = get_file_type (&src_mode, (extra_flags & OPTION_COPY_SYMLINK) ? true : false, path);
+          if ((extra_flags & OPTION_COPY_SYMLINK) && (extra_flags & (OPTION_SRC_NOFOLLOW | OPTION_DEST_NOFOLLOW)))
+            return crun_make_error (err, 0, "`copy-symlink` is mutually exclusive with `src-nofollow` and `dest-nofollow`");
+
+          /* Do not resolve the symlink only when src-nofollow and copy-symlink are used.  */
+          ret = get_file_type (&src_mode, (extra_flags & (OPTION_SRC_NOFOLLOW | OPTION_COPY_SYMLINK)) ? true : false, path);
           if (UNLIKELY (ret < 0))
             return crun_make_error (err, errno, "cannot stat `%s`", path);
 
+          if (S_ISLNK (src_mode) && (extra_flags & OPTION_DEST_NOFOLLOW) && source_mountfd < 0)
+            {
+              ret = get_bind_mount (AT_FDCWD, def->mounts[i]->source, true, true, extra_flags & OPTION_SRC_NOFOLLOW, err);
+              if (UNLIKELY (ret < 0))
+                return ret;
+
+              source_mountfd = ret;
+            }
+
           data = append_mode_if_missing (data, "mode=1755");
         }
 
-      if (S_ISLNK (src_mode))
+      if (S_ISLNK (src_mode) && (extra_flags & OPTION_COPY_SYMLINK))
         {
           cleanup_free char *target = NULL;
           ssize_t len;
@@ -2185,12 +2198,22 @@ do_mounts (libcrun_container_t *container, const char *rootfs, libcrun_error_t *
         {
           bool is_dir = S_ISDIR (src_mode);
 
-          /* Make sure any other directory/file is created and take a O_PATH reference to it.  */
-          ret = crun_safe_create_and_open_ref_at (is_dir, get_private_data (container)->rootfsfd, rootfs, target, is_dir ? 01755 : 0755, err);
-          if (UNLIKELY (ret < 0))
-            return ret;
-
-          targetfd = ret;
+          if (extra_flags & OPTION_DEST_NOFOLLOW)
+            {
+              /* If dest-nofollow is specified, expect the target to exist.  */
+              ret = safe_openat (get_private_data (container)->rootfsfd, rootfs, target, O_PATH | O_NOFOLLOW | O_CLOEXEC, 0, err);
+              if (UNLIKELY (ret < 0))
+                return ret;
+              targetfd = ret;
+            }
+          else
+            {
+              /* Make sure any other directory/file is created and take a O_PATH reference to it.  */
+              ret = crun_safe_create_and_open_ref_at (is_dir, get_private_data (container)->rootfsfd, rootfs, target, is_dir ? 01755 : 0755, err);
+              if (UNLIKELY (ret < 0))
+                return ret;
+              targetfd = ret;
+            }
         }
 
       if (extra_flags & OPTION_TMPCOPYUP)

tests/test_mounts.py

@@ -703,6 +703,106 @@ def test_mount_help():
 
     return 0
 
+def test_bind_mount_symlink_nofollow():
+    root = get_tests_root()
+    file_target = os.path.join(root, "a-file")
+    symlink = os.path.join(root, "a-symlink")
+    target_content = file_target
+    file_target_content = "inside-the-file"
+
+    with open(file_target, "w+") as f:
+        f.write(file_target_content)
+
+    os.symlink(target_content, symlink)
+
+    def prepare_rootfs(rootfs):
+        path = os.path.join(rootfs, "target")
+        os.symlink("point-to-nowhere", path)
+
+    for userns in [True, False]:
+        for src_nofollow in [True, False]:
+            conf = base_config()
+            add_all_namespaces(conf, userns=userns)
+
+            if userns:
+                getMapping = lambda x : [
+                    {
+                        "containerID": 0,
+                        "hostID": x,
+                        "size": 1
+                    }
+                ]
+                conf['linux']['uidMappings'] = getMapping(os.geteuid())
+                conf['linux']['gidMappings'] = getMapping(os.getegid())
+
+            if src_nofollow:
+                options = ["bind", "dest-nofollow", "src-nofollow"]
+                conf['process']['args'] = ['/init', 'readlink', '/target']
+                expected = target_content
+            else:
+                options = ["bind", "dest-nofollow"]
+                conf['process']['args'] = ['/init', 'cat', '/target']
+                expected = file_target_content
+
+            mount_opt = {"destination": "/target", "type": "bind", "source": symlink, "options": options}
+            conf['mounts'].append(mount_opt)
+
+            try:
+                out, _ = run_and_get_output(conf, hide_stderr=True,callback_prepare_rootfs=prepare_rootfs)
+                sys.stderr.write("got output %s with configuration userns=%s, src-nofollow=%s\n" % (out, userns, src_nofollow))
+                if expected not in out:
+                    return -1
+            except Exception as e:
+                sys.stderr.write("error %s\n" % e)
+                return -1
+
+    return 0
+
+def test_bind_mount_file_nofollow():
+    root = get_tests_root()
+    target = os.path.join(root, "a-file")
+    target_content = "content-of-file"
+
+    with open(target, "w+") as f:
+        f.write(target_content)
+
+    def prepare_rootfs(rootfs):
+        path = os.path.join(rootfs, "symlink")
+        os.symlink("point-to-nowhere", path)
+
+    for userns in [True, False]:
+        for src_nofollow in [True, False]:
+            conf = base_config()
+            conf['process']['args'] = ['/init', 'cat', '/symlink']
+            add_all_namespaces(conf, userns=userns)
+
+            if userns:
+                getMapping = lambda x : [
+                    {
+                        "containerID": 0,
+                        "hostID": x,
+                        "size": 1
+                    }
+                ]
+                conf['linux']['uidMappings'] = getMapping(os.geteuid())
+                conf['linux']['gidMappings'] = getMapping(os.getegid())
+
+            if src_nofollow:
+                options = ["bind", "dest-nofollow", "src-nofollow"]
+            else:
+                options = ["bind", "dest-nofollow"]
+            mount_opt = {"destination": "/symlink", "type": "bind", "source": target, "options": options}
+            conf['mounts'].append(mount_opt)
+
+            try:
+                out, _ = run_and_get_output(conf, hide_stderr=True,callback_prepare_rootfs=prepare_rootfs)
+                sys.stderr.write("got output %s with configuration userns=%s, src-nofollow=%s\n" % (out, userns, src_nofollow))
+                if target_content not in out:
+                    return 1
+            except Exception as e:
+                sys.stderr.write("error %s\n" % e)
+    return 0
+
 all_tests = {
     "mount-ro" : test_mount_ro,
     "mount-rro" : test_mount_rro,
@@ -732,6 +832,8 @@ def test_mount_help():
     "mount-ro-cgroup": test_ro_cgroup,
     "mount-cgroup-without-netns": test_cgroup_mount_without_netns,
     "mount-copy-symlink": test_copy_symlink,
+    "mount-bind-mount-symlink-nofollow": test_bind_mount_symlink_nofollow,
+    "mount-bind-mount-file-nofollow": test_bind_mount_file_nofollow,
     "mount-tmpfs-permissions": test_mount_tmpfs_permissions,
     "mount-add-remove-mounts": test_add_remove_mounts,
     "mount-help": test_mount_help,

tests/test_oci_features.py

@@ -106,6 +106,8 @@ def test_crun_features():
                 "defaults",
                 "async",
                 "rasync",
+                "dest-nofollow",
+                "src-nofollow",
                 "private",
                 "tmpcopyup",
                 "rexec",