
daemon: container: ensure cp cannot traverse outside container rootfs

This patch fixes the bug that allowed cp to copy files outside of
the container's rootfs, by passing a relative path (such as
../../../../../../../../etc/shadow). This is fixed by first converting
the path to an absolute path (relative to /) and then appending it
to the container's rootfs before continuing.

Docker-DCO-1.1-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
cyphar před 11 roky
rodič
revize
bfc3a4192a
2 změnil soubory, kde provedl 6 přidání a 0 odebrání
  1. 1 0
      AUTHORS
  2. 5 0
      daemon/container.go

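--- a/AUTHORS
+++ b/AUTHORS
@@ -6,6 +6,7 @@
 Aanand Prasad <aanand.prasad@gmail.com>
 Aaron Feng <aaron.feng@gmail.com>
 Abel Muiño <amuino@gmail.com>
+Aleksa Sarai <cyphar@cyphar.com>
 Alexander Larsson <alexl@redhat.com>
 Alexey Shamrin <shamrin@gmail.com>
 Alex Gaynor <alex.gaynor@gmail.com>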

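--- a/daemon/container.go
+++ b/daemon/container.go
@@ -745,8 +745,13 @@ func (container *Container) Copy(resource string) (io.ReadCloser, error) {
 	if err := container.Mount(); err != nil {
 		return nil, err
 	}
+
 	var filter []string
+
+	// Ensure path is local to container basefs
+	resource = path.Join("/", resource)
 	basePath := path.Join(container.basefs, resource)
+
 	stat, err := os.Stat(basePath)
 	if err != nil {
 		container.Unmount()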
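Review bot: The added `resource = path.Join("/", resource)` only cleans `..` components lexically and does nothing about symlinks, so a link inside the rootfs whose target is absolute or parent-relative is still followed by the host kernel when `os.Stat(basePath)` and the later archiving run, and the result can again lie outside `container.basefs`. The lexical clean is necessary but not sufficient; after building `basePath`, resolve it (for example with `filepath.EvalSymlinks`) and refuse the request, unmounting as the existing error path does, unless the resolved path still lies under an equally resolved `container.basefs`. The sketch below assumes `fmt`, `path/filepath` and `strings` are imported in this file, which cannot be confirmed from the hunk. `Copy` continues past the end of this hunk, so the later uses of `basePath` should be checked against the same assumption.
```go
	// Ensure path is local to container basefs
	resource = path.Join("/", resource)
	basePath := path.Join(container.basefs, resource)

	// A lexical clean does not cover symlinks inside the rootfs; resolve
	// them and refuse anything that lands outside basefs.
	root, err := filepath.EvalSymlinks(container.basefs)
	if err != nil {
		container.Unmount()
		return nil, err
	}
	resolved, err := filepath.EvalSymlinks(basePath)
	if err != nil {
		container.Unmount()
		return nil, err
	}
	if resolved != root && !strings.HasPrefix(resolved, root+string(filepath.Separator)) {
		container.Unmount()
		return nil, fmt.Errorf("path %q is outside the container rootfs", resource)
	}
	basePath = resolved
	// … unchanged: os.Stat(basePath) and its error handling …
```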