|
|
@@ -58,6 +58,7 @@ import (
|
|
|
"syscall"
|
|
|
"time"
|
|
|
|
|
|
+ "github.com/Microsoft/go-winio/pkg/security"
|
|
|
"github.com/Microsoft/hcsshim"
|
|
|
"github.com/Microsoft/hcsshim/ext4/tar2ext4"
|
|
|
"github.com/Microsoft/opengcs/client"
|
|
|
@@ -67,7 +68,6 @@ import (
|
|
|
"github.com/docker/docker/pkg/idtools"
|
|
|
"github.com/docker/docker/pkg/ioutils"
|
|
|
"github.com/docker/docker/pkg/reexec"
|
|
|
- "github.com/docker/docker/pkg/system"
|
|
|
"github.com/sirupsen/logrus"
|
|
|
)
|
|
|
|
|
|
@@ -608,10 +608,11 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
|
|
|
}
|
|
|
layerChain = append(layerChain, parentChain...)
|
|
|
|
|
|
- // Make sure layers are created with the correct ACL so that VMs can access them.
|
|
|
layerPath := d.dir(id)
|
|
|
logrus.Debugf("lcowdriver: create: id %s: creating %s", id, layerPath)
|
|
|
- if err := system.MkdirAllWithACL(layerPath, 755, system.SddlNtvmAdministratorsLocalSystem); err != nil {
|
|
|
+ // Standard mkdir here, not with SDDL as the dataroot was created with
|
|
|
+ // inheritance to just local system and administrators.
|
|
|
+ if err := os.MkdirAll(layerPath, 0700); err != nil {
|
|
|
return err
|
|
|
}
|
|
|
|
|
|
@@ -868,14 +869,30 @@ func (d *Driver) ApplyDiff(id, parent string, diff io.Reader) (int64, error) {
|
|
|
logrus.Warnf("lcowdriver: applydiff: id %s failed %s", id, err)
|
|
|
return 0, fmt.Errorf("re-exec error: %v: stderr: %s", err, stderr)
|
|
|
}
|
|
|
- return strconv.ParseInt(stdout.String(), 10, 64)
|
|
|
+
|
|
|
+ size, err := strconv.ParseInt(stdout.String(), 10, 64)
|
|
|
+ if err != nil {
|
|
|
+ logrus.Warnf("lcowdriver: applydiff: id %s failed to parse output %s", id, err)
|
|
|
+ return 0, fmt.Errorf("re-exec error: %v: stdout: %s", err, stdout)
|
|
|
+ }
|
|
|
+ return applySID(id, size, dest)
|
|
|
+
|
|
|
}
|
|
|
// The inline case
|
|
|
size, err := tar2ext4Actual(dest, diff)
|
|
|
if err != nil {
|
|
|
logrus.Warnf("lcowdriver: applydiff: id %s failed %s", id, err)
|
|
|
}
|
|
|
- return size, err
|
|
|
+ return applySID(id, size, dest)
|
|
|
+}
|
|
|
+
|
|
|
+// applySID adds the VM Group SID read-only access.
|
|
|
+func applySID(id string, size int64, dest string) (int64, error) {
|
|
|
+ if err := security.GrantVmGroupAccess(dest); err != nil {
|
|
|
+ logrus.Warnf("lcowdriver: applySIDs: id %s failed %s", id, err)
|
|
|
+ return 0, err
|
|
|
+ }
|
|
|
+ return size, nil
|
|
|
}
|
|
|
|
|
|
// tar2ext4Reexec is the re-exec entry point for writing a layer from a tar file
|
John Howard