moby/hack
Cory Snider e9bbc41dd1 Remove local fork of archive/tar package
A copy of Go's archive/tar package was vendored with a patch applied to
mitigate CVE-2019-14271. Vendoring standard library packages is not
supported by Go in module-aware mode, which is getting in the way of
maintenance. A different approach to mitigate the vulnerability is
needed which does not involve vendoring parts of the standard library.

glibc implements name service lookups such as users, groups and DNS
using a scheme known as Name Service Switch. The services are
implemented as modules, shared libraries which glibc dynamically links
into the process the first time a function requiring the module is
called. This is the crux of the vulnerability: if a process linked
against glibc chroots, then calls one of the functions implemented with
NSS for the first time, glibc may load NSS modules out of the chrooted
filesystem.

The API underlying the `docker cp` command is implemented by forking a
new process which chroots into the container's rootfs and writes a tar
stream of files from the container over standard output. It utilizes the
Go standard library's archive/tar package to write the tar stream. It
makes use of the tar.FileInfoHeader function to construct a tar.Header
value from an fs.FileInfo value. In modern versions of Go on *nix
platforms, FileInfoHeader will attempt to resolve the file's UID and GID
to their respective user and group names by calling the os/user
functions LookupId and LookupGroupId. The cgo implementation of os/user
on *nix performs lookups by calling the corresponding libc functions. So
when linked against glibc, calls to tar.FileInfoHeader after the
process has chrooted into the container's rootfs can have the side
effect of loading NSS modules from the container! Without any
mitigations, a malicious container image author can trivially get
arbitrary code execution by leveraging this vulnerability and escape the
chroot (which is not a sandbox) into the host.

Mitigate the vulnerability without patching or forking archive/tar by
hiding the OS-dependent file info from tar.FileInfoHeader which it needs
to perform the lookups. Without that information available it falls back
to populating the tar.Header with only the information obtainable
directly from the FileInfo value without making any calls into os/user.

Fixes #42402

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-02-18 13:40:19 -05:00
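The mitigation the commit describes, wrapping the FileInfo so that Sys() returns nil before it reaches tar.FileInfoHeader, as an added example written for this page (not the project's own code). It assumes a Unix host (it reads syscall.Stat_t); the names nosysFileInfo and fileInfoHeaderNoLookups are hypothetical, and copying the numeric UID/GID back into the header is an addition beyond what the commit message states.

```go
package main

import (
	"archive/tar"
	"fmt"
	"io/fs"
	"os"
	"syscall"
)

// nosysFileInfo wraps an fs.FileInfo and hides the OS-dependent stat
// data: Sys() returns nil, so archive/tar's platform stat helper has no
// *syscall.Stat_t to work from and never calls os/user.LookupId or
// os/user.LookupGroupId (the calls that can load NSS modules after a
// chroot). Hypothetical type name, not from the project.
type nosysFileInfo struct {
	fs.FileInfo
}

func (fi nosysFileInfo) Sys() interface{} { return nil }

// fileInfoHeaderNoLookups (hypothetical name) builds a tar.Header with
// no name-service lookups. Unix-only addition beyond the commit text:
// copy the numeric UID/GID back from the raw stat so ownership survives;
// Uname and Gname are deliberately left empty.
func fileInfoHeaderNoLookups(fi fs.FileInfo, link string) (*tar.Header, error) {
	hdr, err := tar.FileInfoHeader(nosysFileInfo{fi}, link)
	if err != nil {
		return nil, err
	}
	if st, ok := fi.Sys().(*syscall.Stat_t); ok {
		hdr.Uid = int(st.Uid)
		hdr.Gid = int(st.Gid)
	}
	return hdr, nil
}

func main() {
	// Stand-alone demo: build a lookup-free header for this binary.
	fi, err := os.Lstat(os.Args[0])
	if err != nil {
		panic(err)
	}
	hdr, err := fileInfoHeaderNoLookups(fi, "")
	if err != nil {
		panic(err)
	}
	fmt.Printf("uid=%d gid=%d uname=%q gname=%q\n", hdr.Uid, hdr.Gid, hdr.Uname, hdr.Gname)
}
```

Uname and Gname stay empty by design; a reader of the resulting archive sees only numeric ownership, which is the trade-off the commit accepts to avoid os/user calls after the chroot.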
ci hack/ci: remove unused entrypoint scripts 2022-01-12 00:38:02 +01:00
dockerfile/install update runc binary to v1.1.0 2022-02-06 16:23:38 +09:00
make docker-py: skip CreateContainerTest::test_create_with_device_cgroup_rules 2022-01-20 11:11:22 +01:00
test hack/test/unit: run libnetwork tests sequentially 2021-08-03 12:19:49 +02:00
validate Dockerfile: update golangci-lint v1.44.0 2022-02-08 09:43:30 +01:00
dind hack/dind: fix cgroup v2 evacuation with docker run --init 2021-04-28 13:30:10 +09:00
generate-authors.sh run shfmt 2020-03-03 12:27:49 +09:00
generate-swagger-api.sh hack: fix mixed tabs/spaces for indentation 2019-08-02 15:58:33 +02:00
generate-test-certs.sh hack: add script to regenerate certificates 2021-05-18 09:43:18 +02:00
go-mod-prepare.sh vendor: replace vndr with go mod vendor 2022-01-18 15:46:00 +01:00
make.ps1 Add TestBuildWCOWSandboxSize integration test 2020-11-10 19:51:46 +11:00
make.sh hack/make.sh: remove extra empty lines 2020-03-03 12:36:06 +09:00
README.md vendor: replace vndr with go mod vendor 2022-01-18 15:46:00 +01:00
vendor.sh Remove local fork of archive/tar package 2022-02-18 13:40:19 -05:00

About

This directory contains a collection of scripts used to build and manage this repository. If there are any issues regarding the intention of a particular script (or even part of a certain script), please reach out to us. It may help us either refine our current scripts, or add on new ones that are appropriate for a given use case.

DinD (dind.sh)

DinD is a wrapper script which allows Docker to be run inside a Docker container. DinD requires the container to be run with privileged mode enabled.

Generate Authors (generate-authors.sh)

Generates AUTHORS, a file listing the names and corresponding emails of individual contributors. AUTHORS can be found in the root directory of this repository.

Make

There are two make scripts, each with a different extension. Neither is supposed to be called directly; only invoke make. Both scripts run inside a Docker container.

make.ps1

  • The Windows native build script, written in PowerShell. It is more limited than hack\make.sh, as it does not support the full set of operations provided by its Linux counterpart, make.sh. However, make.ps1 does support local Windows development and Windows-to-Windows CI. More information is found within make.ps1, written by the author, @jhowardmsft.

make.sh

  • Referenced via make test when running tests on a local machine, or directly referenced when running tests inside a Docker development container.
  • When running on a local machine, make test runs all tests found in test, test-unit, test-integration, and test-docker-py. The default timeout is set in make.sh to 60 minutes (${TIMEOUT:=60m}), since it currently takes up to an hour to run all of the tests.
  • When running inside a Docker development container, hack/make.sh does not have a single target that runs all the tests. You need to provide a single command line with multiple targets that does the same thing. An example referenced from Run targets inside a development container: root@5f8630b873fe:/go/src/github.com/moby/moby# hack/make.sh dynbinary binary cross test-unit test-integration test-docker-py
  • For more information related to testing outside the scope of this README, refer to Run tests and test documentation

Vendor (vendor.sh)

A shell script that is a wrapper around go mod vendor.