Add ValidVolumes config (#226)

Follow https://gitea.com/gitea/act/pulls/60, https://gitea.com/gitea/act/pulls/64

This PR adds the `valid_volumes` configuration. `valid_volumes` is a sequence containing the volumes (including bind mounts) that can be mounted to the container. By default, `valid_volumes` is empty, which means that no volumes can be mounted. Users can specify multiple valid volumes and [glob](https://github.com/gobwas/glob) is supported.

All volumes will be allowed when using `exec` to run workflows locally.

Reviewed-on: https://gitea.com/gitea/act_runner/pulls/226
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-by: Jason Song <i@wolfogre.com>
Co-authored-by: Zettat123 <zettat123@gmail.com>
Co-committed-by: Zettat123 <zettat123@gmail.com>

internal/app/cmd/exec.go

@@ -410,6 +410,7 @@ func runExec(ctx context.Context, execArgs *executeArgs) func(cmd *cobra.Command
 			PlatformPicker: func(_ []string) string {
 				return execArgs.image
 			},
+			ValidVolumes: []string{"**"}, // All volumes are allowed for `exec` command
 		}
 
 		if !execArgs.debug {

internal/app/run/runner.go

@@ -198,6 +198,7 @@ func (r *Runner) run(ctx context.Context, task *runnerv1.Task, reporter *report.
 		DefaultActionsURLs:   parseDefaultActionsURLs(taskContext["gitea_default_actions_url"].GetStringValue()),
 		PlatformPicker:       r.labels.PickPlatform,
 		Vars:                 task.Vars,
+		ValidVolumes:         r.cfg.Container.ValidVolumes,
 	}
 
 	rr, err := runner.New(runnerConfig)

internal/pkg/config/config.example.yaml

@@ -58,3 +58,13 @@ container:
   # The parent directory of a job's working directory.
   # If it's empty, /workspace will be used.
   workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []

internal/pkg/config/config.go

@@ -42,11 +42,12 @@ type Cache struct {
 
 // Container represents the configuration for the container.
 type Container struct {
-	Network       string `yaml:"network"`        // Network specifies the network for the container.
-	NetworkMode   string `yaml:"network_mode"`   // Deprecated: use Network instead. Could be removed after Gitea 1.20
-	Privileged    bool   `yaml:"privileged"`     // Privileged indicates whether the container runs in privileged mode.
-	Options       string `yaml:"options"`        // Options specifies additional options for the container.
-	WorkdirParent string `yaml:"workdir_parent"` // WorkdirParent specifies the parent directory for the container's working directory.
+	Network       string   `yaml:"network"`        // Network specifies the network for the container.
+	NetworkMode   string   `yaml:"network_mode"`   // Deprecated: use Network instead. Could be removed after Gitea 1.20
+	Privileged    bool     `yaml:"privileged"`     // Privileged indicates whether the container runs in privileged mode.
+	Options       string   `yaml:"options"`        // Options specifies additional options for the container.
+	WorkdirParent string   `yaml:"workdir_parent"` // WorkdirParent specifies the parent directory for the container's working directory.
+	ValidVolumes  []string `yaml:"valid_volumes"`  // ValidVolumes specifies the volumes (including bind mounts) can be mounted to containers.
 }
 
 // Config represents the overall configuration.