Fix chroot Tar when copying from container root #39351
Conversation
|
Looks like this test is a bit flaky recently; https://jenkins.dockerproject.org/job/Docker-PRs-WoW-RS5-Process/2722/console opened #39352 |
|
Linting failure; |
438d8db to
df4fc6d
Compare
|
Updated and this is all green. |
|
I was hoping to not add more special cases (this part of the code is FULL of that) but if this is fine for others I don't want to block it. Would be great to have the test run on Windows too. |
df4fc6d to
47a9c89
Compare
|
On second thought, this corner case is basically never even a thing on Windows because of how base images are on Windows. So I'm fine with skipping the test on windows, as long as other windows tests don't fail because of this PR. |
When the requested container path is the root, the path that is requested to be tared up is the parent directory of the container rootfs. Really this isn't any different than other cases, however in this case we end up chrooting to the container rootfs and the requsted tar path goes out of scope. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
47a9c89 to
55d38d7
Compare
Codecov Report
@@ Coverage Diff @@
## master #39351 +/- ##
=========================================
Coverage ? 36.97%
=========================================
Files ? 612
Lines ? 45643
Branches ? 0
=========================================
Hits ? 16875
Misses ? 26482
Partials ? 2286 |
|
Pushed an update thinking maybe it would be simple to support Windows but after discussing with Tibor on Slack, yeah agreed it's probably not so simple, and we have other tests which are covered on Windows... so pushed again to add the skip back in for the new test. |
| // handle a case where the source path that was passed in is actually the parent of `root` | ||
| // this would happen when the requested archive path *is* the root. | ||
| if filepath.Dir(root) == src { | ||
| root = src |
There was a problem hiding this comment.
this is not good because it only works for overlay2. For vfs, since the layout is different (no merged directory), src will be equal to /var/lib/docker/vfs/dir while root will be /var/lib/docker/vfs/dir/$ID. You don't want to tar all of . The chroot will happen one level above what's desired./var/lib/docker/vfs/dir
There was a problem hiding this comment.
I debugged root and src when running -e DOCKER_GRAPHDRIVER=vfs
There was a problem hiding this comment.
This is the chroot path, not changing the source path.
I'm running my new test against vfs and it seems to be ok.
There was a problem hiding this comment.
And CI is running vfs as well.
There was a problem hiding this comment.
I edited the first comment of this thread, I incorrectly said it would tar all the vfs dirs, when in fact the problem is that the chroot would not happen at the correct directory.
There was a problem hiding this comment.
@cpuguy83 sorry i didn't see your comments here (got github cached). I wasn't expecting the tests to fail under vfs.
|
This opens us back up to the same attack for |
When the requested container path is the root, the path that is
requested to be tared up is the parent directory of the container
rootfs.
Really this isn't any different than other cases, however in this case
we end up chrooting to the container rootfs and the requsted tar path
goes out of scope.
Fixes #39348 "Regression due to CVE mitigation from 39292"
relates to #39292 "Pass root to chroot to for chroot Tar/Untar (CVE-2018-15664)"