From 2272ca9167fbf75a5ebcebcbe583a5e1f01fed08 Mon Sep 17 00:00:00 2001
From: Seth Hoenig
Date: Tue, 9 May 2023 09:43:52 -0500
Subject: [PATCH] client: unveil /etc/ssh/ssh_known_hosts for artifact downloads (#17122)

This PR fixes a bug where nodes configured with populated /etc/ssh/ssh_known_hosts files would be unable to read them during artifact downloading.

Fixes #17086
---
 .../taskrunner/getter/util_linux.go | 40 +++++++++++--------
 .../taskrunner/getter/util_linux_test.go | 30 ++++++++++----
 2 files changed, 46 insertions(+), 24 deletions(-)
diff --git a/client/allocrunner/taskrunner/getter/util_linux.go b/client/allocrunner/taskrunner/getter/util_linux.go
index af7d63caf..be4a3fc12 100644
--- a/client/allocrunner/taskrunner/getter/util_linux.go
+++ b/client/allocrunner/taskrunner/getter/util_linux.go
@@ -75,17 +75,19 @@ func lockdown(allocDir, taskDir string) error {
 func additionalFilesForVCS() []*landlock.Path {
 const (
- sshDir = ".ssh" // git ssh
- knownHosts = ".ssh/known_hosts" // git ssh
- etcPasswd = "/etc/passwd" // git ssh
- gitGlobalFile = "/etc/gitconfig" // https://git-scm.com/docs/git-config#SCOPES
- hgGlobalFile = "/etc/mercurial/hgrc" // https://www.mercurial-scm.org/doc/hgrc.5.html#files
- hgGlobalDir = "/etc/mercurial/hgrc.d" // https://www.mercurial-scm.org/doc/hgrc.5.html#files
+ homeSSHDir = ".ssh" // git ssh
+ homeKnownHosts = ".ssh/known_hosts" // git ssh
+ etcPasswd = "/etc/passwd" // git ssh
+ etcKnownHosts = "/etc/ssh/ssh_known_hosts" // git ssh
+ gitGlobalFile = "/etc/gitconfig" // https://git-scm.com/docs/git-config#SCOPES
+ hgGlobalFile = "/etc/mercurial/hgrc" // https://www.mercurial-scm.org/doc/hgrc.5.html#files
+ hgGlobalDir = "/etc/mercurial/hgrc.d" // https://www.mercurial-scm.org/doc/hgrc.5.html#files
 )
 
 return filesForVCS(
- sshDir,
- knownHosts,
+ homeSSHDir,
+ homeKnownHosts,
 etcPasswd,
+ etcKnownHosts,
 gitGlobalFile,
 hgGlobalFile,
 hgGlobalDir,
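Review bot: `etcKnownHosts = "/etc/ssh/ssh_known_hosts"` in the new const block unveils only the first of OpenSSH's two default `GlobalKnownHostsFile` entries; ssh_config(5) documents `/etc/ssh/ssh_known_hosts2` alongside it, so a node that keeps its host keys there still hits the failure this PR fixes. A sibling constant `etcKnownHosts2 = "/etc/ssh/ssh_known_hosts2" // git ssh` wired through `filesForVCS` with the same read-only rule as `etcKnownHosts` would cover the documented default. Separately, `/etc/ssh/ssh_config` is not in this list, so a site-wide `GlobalKnownHostsFile` override there is presumably ignored inside the sandbox (ssh treats an unopenable config as absent rather than failing); even if that stays out of scope it deserves a note on the constant, e.g. `// /etc/ssh/ssh_config is not unveiled, so site overrides of GlobalKnownHostsFile are not honored`. `additionalFilesForVCS` ends outside the hunk.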
@@ -93,34 +95,38 @@ func additionalFilesForVCS() []*landlock.Path {
 }
 
 func filesForVCS(
- sshDir,
- knownHosts,
+ homeSSHDir,
+ homeKnownHosts,
 etcPasswd,
+ etcKnownHosts,
 gitGlobalFile,
 hgGlobalFile,
 hgGlobalDir string) []*landlock.Path {
 
 // omit ssh if there is no home directory
 home := findHomeDir()
- sshDir = filepath.Join(home, sshDir)
- knownHosts = filepath.Join(home, knownHosts)
+ homeSSHDir = filepath.Join(home, homeSSHDir)
+ homeKnownHosts = filepath.Join(home, homeKnownHosts)
 
- // only add if a path exists
+ // detect if p exists
 exists := func(p string) bool {
 _, err := os.Stat(p)
 return err == nil
 }
 
 result := make([]*landlock.Path, 0, 6)
- if exists(sshDir) {
- result = append(result, landlock.Dir(sshDir, "r"))
+ if exists(homeSSHDir) {
+ result = append(result, landlock.Dir(homeSSHDir, "r"))
 }
- if exists(knownHosts) {
- result = append(result, landlock.File(knownHosts, "rw"))
+ if exists(homeKnownHosts) {
+ result = append(result, landlock.File(homeKnownHosts, "rw"))
 }
 if exists(etcPasswd) {
 result = append(result, landlock.File(etcPasswd, "r"))
 }
+ if exists(etcKnownHosts) {
+ result = append(result, landlock.File(etcKnownHosts, "r"))
+ }
 if exists(gitGlobalFile) {
 result = append(result, landlock.File(gitGlobalFile, "r"))
 }
diff --git a/client/allocrunner/taskrunner/getter/util_linux_test.go b/client/allocrunner/taskrunner/getter/util_linux_test.go
index d3d0e5171..c32e0b447 100644
--- a/client/allocrunner/taskrunner/getter/util_linux_test.go
+++ b/client/allocrunner/taskrunner/getter/util_linux_test.go
@@ -32,8 +32,8 @@ func TestUtil_loadVersionControlGlobalConfigs(t *testing.T) {
 t.Setenv("HOME", fakeHome)
 
 const (
- ssh = ".ssh"
- knownHosts = ".ssh/known_hosts"
+ homeSSH = ".ssh"
+ homeKnownHosts = ".ssh/known_hosts"
 )
 
 var (
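Review bot: `result := make([]*landlock.Path, 0, 6)` is now one short of the seven paths this function can emit once `etcKnownHosts` is appended; the hint should read `result := make([]*landlock.Path, 0, 7)` so it does not look forgotten the next time an entry is added. The new `landlock.File(etcKnownHosts, "r")` beside the existing `landlock.File(homeKnownHosts, "rw")` is the right asymmetry — the per-user file is where ssh records newly accepted host keys, the system file is operator-managed — but that reasoning is not visible in the code and deserves a why-comment such as `// ssh only ever writes to the user known_hosts; the system file is read-only by design`. Note also that `exists` treats every `os.Stat` error, including EACCES, as "absent", so an unreadable `/etc/ssh/ssh_known_hosts` is silently dropped from the sandbox and git then fails host verification with no hint why; that predates this change, but a debug log in that branch would have shortened the investigation behind the linked issue. `filesForVCS` continues past the end of the hunk.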
@@ -41,8 +41,9 @@ func TestUtil_loadVersionControlGlobalConfigs(t *testing.T) {
 hgFile = filepath.Join(fakeEtc, "hgrc")
 hgDir = filepath.Join(fakeEtc, "hgrc.d")
 etcPasswd = filepath.Join(fakeEtc, "passwd")
- sshDir = filepath.Join(fakeHome, ssh)
- knownHostsFile = filepath.Join(fakeHome, knownHosts)
+ etcKnownHosts = filepath.Join(fakeEtc, "ssh/ssh_known_hosts")
+ sshDir = filepath.Join(fakeHome, homeSSH)
+ knownHostsFile = filepath.Join(fakeHome, homeKnownHosts)
 )
 
 err := os.WriteFile(gitConfig, []byte("git"), filePerm)
@@ -54,20 +55,35 @@ func TestUtil_loadVersionControlGlobalConfigs(t *testing.T) {
 err = os.Mkdir(hgDir, dirPerm)
 must.NoError(t, err)
 
- err = os.WriteFile(etcPasswd, []byte("x:y:z"), filePerm)
+ err = os.WriteFile(etcPasswd, []byte("etc passwd"), filePerm)
+ must.NoError(t, err)
+
+ err = os.Mkdir(filepath.Join(fakeEtc, "ssh"), dirPerm)
+ must.NoError(t, err)
+
+ err = os.WriteFile(etcKnownHosts, []byte("etc known hosts"), filePerm)
 must.NoError(t, err)
 
 err = os.Mkdir(sshDir, dirPerm)
 must.NoError(t, err)
 
- err = os.WriteFile(knownHostsFile, []byte("abc123"), filePerm)
+ err = os.WriteFile(knownHostsFile, []byte("home known hosts"), filePerm)
 must.NoError(t, err)
 
- paths := filesForVCS(ssh, knownHosts, etcPasswd, gitConfig, hgFile, hgDir)
+ paths := filesForVCS(
+ homeSSH,
+ homeKnownHosts,
+ etcPasswd,
+ etcKnownHosts,
+ gitConfig,
+ hgFile,
+ hgDir,
+ )
 must.SliceEqual(t, []*landlock.Path{
 landlock.Dir(sshDir, "r"),
 landlock.File(knownHostsFile, "rw"),
 landlock.File(etcPasswd, "r"),
+ landlock.File(etcKnownHosts, "r"),
 landlock.File(gitConfig, "r"),
 landlock.File(hgFile, "r"),
 landlock.Dir(hgDir, "r"),
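Review bot: the new `landlock.File(etcKnownHosts, "r")` expectation only exercises the all-present branch; nothing checks that a node without `/etc/ssh/ssh_known_hosts` — the common case, and the one the `exists` guard in `filesForVCS` is there for — produces a list without that entry rather than a rule for a missing file. A second call after removing the fixture file pins that and costs little, since every other fixture is already set up in this test. `TestUtil_loadVersionControlGlobalConfigs` begins and ends outside the hunk.

```go
	// … unchanged: fixture setup and the all-present assertion …

	// a node with no system-wide known_hosts must not get a rule for it
	must.NoError(t, os.Remove(etcKnownHosts))
	paths = filesForVCS(homeSSH, homeKnownHosts, etcPasswd, etcKnownHosts, gitConfig, hgFile, hgDir)
	must.SliceEqual(t, []*landlock.Path{
		landlock.Dir(sshDir, "r"),
		landlock.File(knownHostsFile, "rw"),
		landlock.File(etcPasswd, "r"),
		landlock.File(gitConfig, "r"),
		landlock.File(hgFile, "r"),
		landlock.Dir(hgDir, "r"),
	}, paths)
```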