From cfdc075b1c08d0d1939a1a0847fd7b8e80ae2a6f Mon Sep 17 00:00:00 2001
From: Illo Abdulrahim
Date: Tue, 16 Nov 2021 13:10:45 +0100
Subject: [PATCH] Fix file capabilities droping in Dockerfile doCopyXattrs() never reached due to copyXattrs boolean being false, as a result file capabilities not being copied. moved copyXattr() out of doCopyXattrs()
Signed-off-by: Illo Abdulrahim
Signed-off-by: Sebastiaan van Stijn
(cherry picked from commit 31f654a704f61768828d5950a13f30bb493d1239)
Signed-off-by: Sebastiaan van Stijn
---
 daemon/graphdriver/copy/copy.go | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/daemon/graphdriver/copy/copy.go b/daemon/graphdriver/copy/copy.go
index 7bca046e5e..0f036c8187 100644
--- a/daemon/graphdriver/copy/copy.go
+++ b/daemon/graphdriver/copy/copy.go
@@ -110,11 +110,13 @@ type dirMtimeInfo struct {
 stat *syscall.Stat_t
 }
 
-// DirCopy copies or hardlinks the contents of one directory to another,
-// properly handling xattrs, and soft links
+// DirCopy copies or hardlinks the contents of one directory to another, properly
+// handling soft links, "security.capability" and (optionally) "trusted.overlay.opaque"
+// xattrs.
 //
-// Copying xattrs can be opted out of by passing false for copyXattrs.
-func DirCopy(srcDir, dstDir string, copyMode Mode, copyXattrs bool) error {
+// The copyOpaqueXattrs controls if "trusted.overlay.opaque" xattrs are copied.
+// Passing false disables copying "trusted.overlay.opaque" xattrs.
+func DirCopy(srcDir, dstDir string, copyMode Mode, copyOpaqueXattrs bool) error {
 copyWithFileRange := true
 copyWithFileClone := true
 
@@ -207,7 +209,11 @@ func DirCopy(srcDir, dstDir string, copyMode Mode, copyXattrs bool) error {
 return err
 }
 
- if copyXattrs {
+ if err := copyXattr(srcPath, dstPath, "security.capability"); err != nil {
+ return err
+ }
+
+ if copyOpaqueXattrs {
 if err := doCopyXattrs(srcPath, dstPath); err != nil {
 return err
 }
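Review bot: The new doc comment on DirCopy reads awkwardly at `The copyOpaqueXattrs controls if ...` and then repeats the same fact in the following line. A single sentence such as `// copyOpaqueXattrs controls whether "trusted.overlay.opaque" xattrs are copied; "security.capability" is always copied.` states the contract directly and makes it explicit that callers can no longer opt out of carrying file capabilities to the destination. The helper doCopyXattrs, called in the next hunk, keeps its general name although the last hunk removes its capability copy; a name that mentions the opaque attribute would match the renamed parameter. DirCopy's body continues outside this hunk.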
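Review bot: The `copyXattr(srcPath, dstPath, "security.capability")` call added ahead of the `if copyOpaqueXattrs` guard now runs for callers that pass false, so an error from it on a filesystem without xattr support would abort a copy that previously skipped xattr handling entirely. copyXattr is not shown in this patch; confirm that it treats an unsupported-xattr error as nothing to copy, and record that beside the call, e.g. `// always preserve file capabilities; copyXattr must tolerate filesystems without xattr support`. The diffstat lists only copy.go, so a regression test that copies a file carrying `security.capability` with copyOpaqueXattrs set to false and checks the attribute on the destination would keep the fix from silently regressing. The enclosing DirCopy starts and ends outside the hunk.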
@@ -256,10 +262,6 @@ func DirCopy(srcDir, dstDir string, copyMode Mode, copyXattrs bool) error {
 }
 
 func doCopyXattrs(srcPath, dstPath string) error {
- if err := copyXattr(srcPath, dstPath, "security.capability"); err != nil {
- return err
- }
-
 // We need to copy this attribute if it appears in an overlay upper layer, as
 // this function is used to copy those. It is set by overlay if a directory
 // is removed and then re-created and should not inherit anything from the