Older versions of Go don't format comments, so committing this as
a separate commit, so that we can already make these changes before
we upgrade to Go 1.19.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 52c1a2fae8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Finish the refactor which was partially completed with commit
34536c498d, passing around IdentityMapping structs instead of pairs of
[]IDMap slices.
Existing code which uses []IDMap relies on zero-valued fields to be
valid, empty mappings. So in order to successfully finish the
refactoring without introducing bugs, their replacement therefore also
needs to have a useful zero value which represents an empty mapping.
Change IdentityMapping to be a pass-by-value type so that there are no
nil pointers to worry about.
The functionality provided by the deprecated NewIDMappingsFromMaps
function is required by unit tests to to construct arbitrary
IdentityMapping values. And the daemon will always need to access the
mappings to pass them to the Linux kernel. Accommodate these use cases
by exporting the struct fields instead. BuildKit currently depends on
the UIDs and GIDs methods so we cannot get rid of them yet.
Signed-off-by: Cory Snider <csnider@mirantis.com>
If chroot is used with a special root directory then create
destination directory within chroot. This works automatically
already due to extractor creating parent paths and is only
used currently with cp where parent paths are actually required
and error will be shown to user before reaching this point.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 52d285184068998c22632bfb869f6294b5613a58)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 80f1169eca)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The io/ioutil package has been deprecated in Go 1.16. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
These tests fail when run by a non-root user
=== RUN TestUntarWithMaliciousSymlinks
archive_unix_test.go:63: assertion failed: expected error to contain "open /safe/host-file: no such file or directory", got "Error processing tar file(exit status 1): Error creating mount namespace before pivot: operation not permitted"
--- FAIL: TestUntarWithMaliciousSymlinks (0.00s)
=== RUN TestTarWithMaliciousSymlinks
archive_unix_test.go:90: /tmp/TestTarWithMaliciousSymlinks400408188
=== RUN TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks400408188/root/safe_host-file
archive_unix_test.go:155: assertion failed: error is not nil: error processing tar file: Error after fallback to chroot: operation not permitted: exit status 1
=== RUN TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks400408188/root/safe/_host-file
archive_unix_test.go:155: assertion failed: error is not nil: error processing tar file: Error after fallback to chroot: operation not permitted: exit status 1
=== RUN TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks400408188/root/safe_
archive_unix_test.go:155: assertion failed: error is not nil: error processing tar file: Error after fallback to chroot: operation not permitted: exit status 1
=== RUN TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks400408188/root/safe/_
archive_unix_test.go:155: assertion failed: error is not nil: error processing tar file: Error after fallback to chroot: operation not permitted: exit status 1
=== RUN TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks400408188/root_safe/host-file
archive_unix_test.go:155: assertion failed: error is not nil: error processing tar file: Error after fallback to chroot: operation not permitted: exit status 1
=== RUN TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks400408188/root_/safe/host-file
archive_unix_test.go:155: assertion failed: error is not nil: error processing tar file: Error after fallback to chroot: operation not permitted: exit status 1
=== RUN TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks400408188/root_
archive_unix_test.go:155: assertion failed: error is not nil: error processing tar file: Error after fallback to chroot: operation not permitted: exit status 1
--- FAIL: TestTarWithMaliciousSymlinks (0.02s)
--- FAIL: TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks400408188/root/safe_host-file (0.00s)
--- FAIL: TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks400408188/root/safe/_host-file (0.00s)
--- FAIL: TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks400408188/root/safe_ (0.00s)
--- FAIL: TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks400408188/root/safe/_ (0.00s)
--- FAIL: TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks400408188/root_safe/host-file (0.00s)
--- FAIL: TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks400408188/root_/safe/host-file (0.00s)
--- FAIL: TestTarWithMaliciousSymlinks//tmp/TestTarWithMaliciousSymlinks400408188/root_ (0.00s)
FAIL
FAIL github.com/docker/docker/pkg/chrootarchive 0.042s
Signed-off-by: Arnaud Rebillout <elboulangero@gmail.com>
update test to fix go 1.15 linting failure:
pkg/chrootarchive/archive_test.go:103:32: conversion from int to string yields a string of one rune
relates to golang/go 32479
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The implementation in libcontainer/system is quite complicated,
and we only use it to detect if user-namespaces are enabled.
In addition, the implementation in containerd uses a sync.Once,
so that detection (and reading/parsing `/proc/self/uid_map`) is
only performed once.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Switch to moby/sys/mount and mountinfo. Keep the pkg/mount for potential
outside users.
This commit was generated by the following bash script:
```
set -e -u -o pipefail
for file in $(git grep -l 'docker/docker/pkg/mount"' | grep -v ^pkg/mount); do
sed -i -e 's#/docker/docker/pkg/mount"#/moby/sys/mount"#' \
-e 's#mount\.\(GetMounts\|Mounted\|Info\|[A-Za-z]*Filter\)#mountinfo.\1#g' \
$file
goimports -w $file
done
```
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
also renamed the non-windows variant of this file to be
consistent with other files in this package
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
environment not in the chroot from untrusted files.
See also OpenVZ a3f732ef75/src/enter.c (L227-L234)
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
Signed-off-by: Tibor Vass <tibor@docker.com>
Previously only unpack operations were supported with chroot.
This adds chroot support for packing operations.
This prevents potential breakouts when copying data from a container.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This is useful for preventing CVE-2018-15664 where a malicious container
process can take advantage of a race on symlink resolution/sanitization.
Before this change chrootarchive would chroot to the destination
directory which is attacker controlled. With this patch we always chroot
to the container's root which is not attacker controlled.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This implements chown support on Windows. Built-in accounts as well
as accounts included in the SAM database of the container are supported.
NOTE: IDPair is now named Identity and IDMappings is now named
IdentityMapping.
The following are valid examples:
ADD --chown=Guest . <some directory>
COPY --chown=Administrator . <some directory>
COPY --chown=Guests . <some directory>
COPY --chown=ContainerUser . <some directory>
On Windows an owner is only granted the permission to read the security
descriptor and read/write the discretionary access control list. This
fix also grants read/write and execute permissions to the owner.
Signed-off-by: Salahuddin Khan <salah@docker.com>
With `rprivate` there exists a race where a reference to a mount has
propagated to the new namespace, when `rprivate` is set the parent
namespace is not able to remove the mount due to that reference.
With `rslave` unmounts will propagate correctly into the namespace and
prevent the sort of transient errors that are possible with `rprivate`.
This is a similar fix to 117c92745b
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This enables docker cp and ADD/COPY docker build support for LCOW.
Originally, the graphdriver.Get() interface returned a local path
to the container root filesystem. This does not work for LCOW, so
the Get() method now returns an interface that LCOW implements to
support copying to and from the container.
Signed-off-by: Akash Gupta <akagup@microsoft.com>
Changes most references of syscall to golang.org/x/sys/
Ones aren't changes include, Errno, Signal and SysProcAttr
as they haven't been implemented in /x/sys/.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
[s390x] switch utsname from unsigned to signed
per 33267e036f
char in s390x in the /x/sys/unix package is now signed, so
change the buildtags
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
There is no case which would resolve in this error. The root user always exists, and if the id maps are empty, the default value of 0 is correct.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
This patch fixed below 4 types of code line
1. Remove unnecessary variable assignment
2. Use variables declaration instead of explicit initial zero value
3. Change variable name to underbar when variable not used
4. Add erro check and return for ignored error
Signed-off-by: Daehyeok Mun <daehyeok@gmail.com>
In some cases, attempting to `docker cp` to a container's volume dir
would fail due to the volume mounts not existing after performing a
bind-mount on the container path prior to doing a pivot_root.
This does not seem to be effecting all systems, but was found to be a
problem on centos.
The solution is to use an `rbind` rather than `bind` so that any
existing mounts are carried over.
The `MakePrivate` on `path` is no longer neccessary since we are already
doing `MakeRPrivate` on `/`.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The `archive` package defines aliases for `io.ReadCloser` and
`io.Reader`. These don't seem to provide an benefit other than type
decoration. Per this change, several unnecessary type cases were
removed.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
If parent of the destination path is shared, this
path will be unmounted from the parent ns even if
the path itself is private.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
The namespace unshare+pivot root is not possible when running inside a
user namespace, so fallback to the original "real" chroot code.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
If we are running in a user namespace, don't try to mknod as
it won't be allowed. libcontainer will bind-mount the host's
devices over files in the container anyway, so it's not needed.
The chrootarchive package does a chroot (without mounting /proc) before
its work, so we cannot check /proc/self/uid_map when we need to. So
compute it in advance and pass it along with the tar options.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
When pivot_root fails we need to unmount the bind mounted path we
previously mounted in preparation for pivot_root.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
For me when I run the test I see:
```
Downloading from http://nourl/bad
Importing 283 B
Untar re-exec error: exit status 1: output: unexpected EOF
```
and nothing about "dial tcp" so it appears that the output is
system dependent and therefore we can't really check it. I think
checking for non-zero exit code is sufficient so I'm removing this
string check.
Signed-off-by: Doug Davis <dug@us.ibm.com>
The path we're trying to remove doesn't exist after a successful
chroot+chdir because a / is only appended after pivot_root is
successful and so we can't cleanup anymore with the old path.
Also fix leaking .pivot_root dirs under /var/lib/docker/tmp/docker-builder*
on error.
Fix https://github.com/docker/docker/issues/22587
Introduced by https://github.com/docker/docker/pull/22506
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This fixes one issue with Docker running under a grsec kernel, which
denies chmod and mknod under chroot.
Note, if pivot_root fails it will still fallback to chroot.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
pkg/chrootarchive/diff_unix.go erroneously calls flush on stdout, which tries to read from stdout returning an error.
This has been fixed by removing the call and by modifying flush to return errors and checking for these errors on calls to flush.
Signed-off-by: Amit Krishnan <krish.amit@gmail.com>
