moby/pkg/chrootarchive/archive_unix.go

//go:build !windows

package chrootarchive // import "github.com/docker/docker/pkg/chrootarchive"

import (
	"io"
	"net"
	"os/user"
	"path/filepath"
	"strings"

	"github.com/docker/docker/pkg/archive"
	"github.com/pkg/errors"
)

func init() {
	// initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
	// environment not in the chroot from untrusted files.
	_, _ = user.Lookup("docker")
	_, _ = net.LookupHost("localhost")
}

func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.TarOptions, root string) error {
	relDest, err := resolvePathInChroot(root, dest)
	if err != nil {
		return err
	}

	return doUnpack(decompressedArchive, relDest, root, options)
}

func invokePack(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) {
	relSrc, err := resolvePathInChroot(root, srcPath)
	if err != nil {
		return nil, err
	}

	// make sure we didn't trim a trailing slash with the call to `resolvePathInChroot`
	if strings.HasSuffix(srcPath, "/") && !strings.HasSuffix(relSrc, "/") {
		relSrc += "/"
	}

	return doPack(relSrc, root, options)
}

// resolvePathInChroot returns the equivalent to path inside a chroot rooted at root.
// The returned path always begins with '/'.
//
//   - resolvePathInChroot("/a/b", "/a/b/c/d") -> "/c/d"
//   - resolvePathInChroot("/a/b", "/a/b")     -> "/"
//
// The implementation is buggy, and some bugs may be load-bearing.
// Here be dragons.
func resolvePathInChroot(root, path string) (string, error) {
	if root == "" {
		return "", errors.New("root path must not be empty")
	}
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return "", err
	}
	if rel == "." {
		rel = "/"
	}
	if rel[0] != '/' {
		rel = "/" + rel
	}
	return rel, nil
}
Update to Go 1.17.0, and gofmt with Go 1.17 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-08-23 13:14:53 +00:00			`//go:build !windows`
Windows: chrootarchive refactor Signed-off-by: John Howard <jhoward@microsoft.com> 2015-05-14 22:08:00 +00:00
Add canonical import comment Signed-off-by: Daniel Nephin <dnephin@docker.com> 2018-02-05 21:05:59 +00:00			`package chrootarchive // import "github.com/docker/docker/pkg/chrootarchive"`
Windows: chrootarchive refactor Signed-off-by: John Howard <jhoward@microsoft.com> 2015-05-14 22:08:00 +00:00
			`import (`
Windows: Docker build starting to work Signed-off-by: John Howard <jhoward@microsoft.com> 2015-06-01 23:42:27 +00:00			`"io"`
Disable chrootarchive.init() on Windows Disables user.Lookup() and net.LookupHost() in the init() function on Windows. Any package that simply imports pkg/chrootarchive will panic on Windows Nano Server, due to missing netapi32.dll. While docker itself is not meant to run on Nano Server, binaries that may import this package and run on Nano server, will fail even if they don't really use any of the functionality in this package while running on Nano. Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2023-01-18 13:59:46 +00:00			`"net"`
			`"os/user"`
Pass root to chroot to for chroot Untar This is useful for preventing CVE-2018-15664 where a malicious container process can take advantage of a race on symlink resolution/sanitization. Before this change chrootarchive would chroot to the destination directory which is attacker controlled. With this patch we always chroot to the container's root which is not attacker controlled. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2019-05-30 18:15:09 +00:00			`"path/filepath"`
Add chroot for tar packing operations Previously only unpack operations were supported with chroot. This adds chroot support for packing operations. This prevents potential breakouts when copying data from a container. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2019-05-30 21:55:52 +00:00			`"strings"`
Windows: Docker build starting to work Signed-off-by: John Howard <jhoward@microsoft.com> 2015-06-01 23:42:27 +00:00
			`"github.com/docker/docker/pkg/archive"`
Add chroot for tar packing operations Previously only unpack operations were supported with chroot. This adds chroot support for packing operations. This prevents potential breakouts when copying data from a container. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2019-05-30 21:55:52 +00:00			`"github.com/pkg/errors"`
Windows: chrootarchive refactor Signed-off-by: John Howard <jhoward@microsoft.com> 2015-05-14 22:08:00 +00:00			`)`

Disable chrootarchive.init() on Windows Disables user.Lookup() and net.LookupHost() in the init() function on Windows. Any package that simply imports pkg/chrootarchive will panic on Windows Nano Server, due to missing netapi32.dll. While docker itself is not meant to run on Nano Server, binaries that may import this package and run on Nano server, will fail even if they don't really use any of the functionality in this package while running on Nano. Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2023-01-18 13:59:46 +00:00			`func init() {`
			`// initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host`
			`// environment not in the chroot from untrusted files.`
			`_, _ = user.Lookup("docker")`
			`_, _ = net.LookupHost("localhost")`
			`}`

Pass root to chroot to for chroot Untar This is useful for preventing CVE-2018-15664 where a malicious container process can take advantage of a race on symlink resolution/sanitization. Before this change chrootarchive would chroot to the destination directory which is attacker controlled. With this patch we always chroot to the container's root which is not attacker controlled. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2019-05-30 18:15:09 +00:00			`func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.TarOptions, root string) error {`
pkg/chrootarchive: stop reexec'ing before chroot Unshare the thread's file system attributes and, if applicable, mount namespace so that the chroot operation does not affect the rest of the process. Signed-off-by: Cory Snider <csnider@mirantis.com> 2022-09-27 22:39:26 +00:00			`relDest, err := resolvePathInChroot(root, dest)`
Windows: Docker build starting to work Signed-off-by: John Howard <jhoward@microsoft.com> 2015-06-01 23:42:27 +00:00			`if err != nil {`
pkg/chrootarchive: stop reexec'ing before chroot Unshare the thread's file system attributes and, if applicable, mount namespace so that the chroot operation does not affect the rest of the process. Signed-off-by: Cory Snider <csnider@mirantis.com> 2022-09-27 22:39:26 +00:00			`return err`
Pass root to chroot to for chroot Untar This is useful for preventing CVE-2018-15664 where a malicious container process can take advantage of a race on symlink resolution/sanitization. Before this change chrootarchive would chroot to the destination directory which is attacker controlled. With this patch we always chroot to the container's root which is not attacker controlled. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2019-05-30 18:15:09 +00:00			`}`

pkg/chrootarchive: fix FreeBSD build For unix targets, `goInChroot()` is only implemented for `Linux`, hence FreeBSD build fails. This change - Adds FreeBSD-specific chrooted tar/untar implementation - Fixes statUnix() to accomodate to FreeBSD devminor/devmajor - quirk. See also: https://github.com/containerd/containerd/pull/5991 Signed-off-by: Artem Khramov <akhramov@pm.me> Co-authored-by: Cory Snider <corhere@gmail.com> 2023-07-13 01:17:02 +00:00			`return doUnpack(decompressedArchive, relDest, root, options)`
Add chroot for tar packing operations Previously only unpack operations were supported with chroot. This adds chroot support for packing operations. This prevents potential breakouts when copying data from a container. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2019-05-30 21:55:52 +00:00			`}`

			`func invokePack(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) {`
pkg/chrootarchive: stop reexec'ing before chroot Unshare the thread's file system attributes and, if applicable, mount namespace so that the chroot operation does not affect the rest of the process. Signed-off-by: Cory Snider <csnider@mirantis.com> 2022-09-27 22:39:26 +00:00			`relSrc, err := resolvePathInChroot(root, srcPath)`
Add chroot for tar packing operations Previously only unpack operations were supported with chroot. This adds chroot support for packing operations. This prevents potential breakouts when copying data from a container. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2019-05-30 21:55:52 +00:00			`if err != nil {`
			`return nil, err`
			`}`

pkg/chrootarchive: stop reexec'ing before chroot Unshare the thread's file system attributes and, if applicable, mount namespace so that the chroot operation does not affect the rest of the process. Signed-off-by: Cory Snider <csnider@mirantis.com> 2022-09-27 22:39:26 +00:00			// make sure we didn't trim a trailing slash with the call to `resolvePathInChroot`
Add chroot for tar packing operations Previously only unpack operations were supported with chroot. This adds chroot support for packing operations. This prevents potential breakouts when copying data from a container. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2019-05-30 21:55:52 +00:00			`if strings.HasSuffix(srcPath, "/") && !strings.HasSuffix(relSrc, "/") {`
			`relSrc += "/"`
			`}`

pkg/chrootarchive: fix FreeBSD build For unix targets, `goInChroot()` is only implemented for `Linux`, hence FreeBSD build fails. This change - Adds FreeBSD-specific chrooted tar/untar implementation - Fixes statUnix() to accomodate to FreeBSD devminor/devmajor - quirk. See also: https://github.com/containerd/containerd/pull/5991 Signed-off-by: Artem Khramov <akhramov@pm.me> Co-authored-by: Cory Snider <corhere@gmail.com> 2023-07-13 01:17:02 +00:00			`return doPack(relSrc, root, options)`
pkg/chrootarchive: stop reexec'ing before chroot Unshare the thread's file system attributes and, if applicable, mount namespace so that the chroot operation does not affect the rest of the process. Signed-off-by: Cory Snider <csnider@mirantis.com> 2022-09-27 22:39:26 +00:00			`}`
Add chroot for tar packing operations Previously only unpack operations were supported with chroot. This adds chroot support for packing operations. This prevents potential breakouts when copying data from a container. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2019-05-30 21:55:52 +00:00
pkg/chrootarchive: stop reexec'ing before chroot Unshare the thread's file system attributes and, if applicable, mount namespace so that the chroot operation does not affect the rest of the process. Signed-off-by: Cory Snider <csnider@mirantis.com> 2022-09-27 22:39:26 +00:00			`// resolvePathInChroot returns the equivalent to path inside a chroot rooted at root.`
			`// The returned path always begins with '/'.`
			`//`
			`// - resolvePathInChroot("/a/b", "/a/b/c/d") -> "/c/d"`
			`// - resolvePathInChroot("/a/b", "/a/b") -> "/"`
			`//`
			`// The implementation is buggy, and some bugs may be load-bearing.`
			`// Here be dragons.`
			`func resolvePathInChroot(root, path string) (string, error) {`
			`if root == "" {`
			`return "", errors.New("root path must not be empty")`
Add chroot for tar packing operations Previously only unpack operations were supported with chroot. This adds chroot support for packing operations. This prevents potential breakouts when copying data from a container. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2019-05-30 21:55:52 +00:00			`}`
pkg/chrootarchive: stop reexec'ing before chroot Unshare the thread's file system attributes and, if applicable, mount namespace so that the chroot operation does not affect the rest of the process. Signed-off-by: Cory Snider <csnider@mirantis.com> 2022-09-27 22:39:26 +00:00			`rel, err := filepath.Rel(root, path)`
			`if err != nil {`
			`return "", err`
			`}`
			`if rel == "." {`
			`rel = "/"`
			`}`
			`if rel[0] != '/' {`
			`rel = "/" + rel`
			`}`
			`return rel, nil`
Add chroot for tar packing operations Previously only unpack operations were supported with chroot. This adds chroot support for packing operations. This prevents potential breakouts when copying data from a container. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2019-05-30 21:55:52 +00:00			`}`