Validate container system stop --prefix to prevent accidental logout #1717
Open
mvanhorn wants to merge 1 commit into
Conversation
The --prefix option was interpolated unvalidated into launchd label and domain-target strings passed to launchctl bootout. A path value such as /usr/local/container produced a malformed bootout target, which can tear down the entire GUI login session and log the user out. Add a validate() guard that rejects any prefix that is empty or contains characters outside [A-Za-z0-9._-] (including '/'), with a clear error. All valid usage, including the default com.apple.container., is unchanged. Fixes apple#1672
Type of Change
Motivation and Context
container system stop accepts a --prefix/-p option (default com.apple.container.). A user reported in #1672 that container system stop -p /usr/local/container logs them out of macOS. The value is interpolated unvalidated into launchd label and domain-target strings that are handed to launchctl bootout (SystemStop.swift builds "\(launchdDomainString)/\(prefix)apiserver" and re-maps enumerated labels, then ServiceManager.deregister runs launchctl bootout <label>). A path value produces a malformed bootout target, and launchctl bootout of a malformed or bare domain target tears down the entire GUI session (gui/<uid>), which ends the user's login.

This adds a validate() guard that rejects any --prefix that is empty or contains characters outside [A-Za-z0-9._-] (including /), with a clear error naming the bad value and the expected form. All valid usage, including the default and any real reverse-DNS prefix, is unchanged. Scope is limited to system stop; system status declares the same option but only uses it for read-only launchctl list/isRegistered calls, so it cannot log the user out.

Fixes #1672
Testing
Added Tests/ContainerCommandsTests/SystemStopValidationTests.swift (swift-testing): rejects /usr/local/container and foo bar, accepts the default com.apple.container. and a custom com.example.svc..

swift format lint --strict --configuration .swift-format-nolint on the changed files reports no findings.

AI was used for assistance.
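As an added illustration, not code from this PR or from the apple/container project, here is a Swift sketch of the guard the description calls for: the unvalidated target construction beside a version that validates first. The names validatePrefix, bootoutTarget, unvalidatedBootoutTarget, PrefixError and the domain string "gui/501" are assumptions.

```swift
// Added example, not code from the PR or from the apple/container project.
// validatePrefix, bootoutTarget, PrefixError and the "gui/501" domain are assumed names/values.

enum PrefixError: Error, CustomStringConvertible {
    case empty
    case invalidCharacters(String)

    var description: String {
        switch self {
        case .empty:
            return "--prefix must not be empty"
        case .invalidCharacters(let value):
            return "--prefix \"\(value)\" contains characters outside [A-Za-z0-9._-]; "
                + "expected a reverse-DNS label such as com.apple.container."
        }
    }
}

// The original construction: the prefix is spliced into the domain target as-is.
// With "/usr/local/container" it yields "gui/501//usr/local/containerapiserver",
// a malformed target for launchctl bootout.
func unvalidatedBootoutTarget(domain: String, prefix: String) -> String {
    return "\(domain)/\(prefix)apiserver"
}

// Guard: the prefix must be a non-empty run of [A-Za-z0-9._-] only.
func validatePrefix(_ prefix: String) throws {
    guard !prefix.isEmpty else { throw PrefixError.empty }
    let allowed: Set<Character> =
        Set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")
    guard prefix.allSatisfy({ allowed.contains($0) }) else {
        throw PrefixError.invalidCharacters(prefix)
    }
}

// Hardened construction: validate before the value reaches any launchctl argument.
func bootoutTarget(domain: String, prefix: String) throws -> String {
    try validatePrefix(prefix)
    return unvalidatedBootoutTarget(domain: domain, prefix: prefix)
}

// Constructed inputs mirroring the cases listed in the PR's Testing section.
for candidate in ["com.apple.container.", "com.example.svc.", "/usr/local/container", "foo bar", ""] {
    do {
        let target = try bootoutTarget(domain: "gui/501", prefix: candidate)
        print("ok:       \(target)")
    } catch {
        print("rejected: \(error)")
    }
}
```

The two valid prefixes produce gui/501/com.apple.container.apiserver and gui/501/com.example.svc.apiserver; the path, the space-containing value and the empty string are rejected before any target string is built.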