github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #8254 from gabriel-samfira/fix-access-denied-on-vhdx-mount

Browse Source 
Fix access denied on mounted vhdx root
This commit is contained in:
Derek McGowan 2023-05-10 08:39:36 -07:00 committed by GitHub
commit 14d22efccc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
archive/tar_opts_windows.go
View File

@ -20,13 +20,22 @@ import (
"context" "context"
"io" "io"
"github.com/Microsoft/go-winio"
"github.com/Microsoft/hcsshim/pkg/ociwclayer" "github.com/Microsoft/hcsshim/pkg/ociwclayer"
) )
// applyWindowsLayer applies a tar stream of an OCI style diff tar of a Windows layer // applyWindowsLayer applies a tar stream of an OCI style diff tar of a Windows layer
// See https://github.com/opencontainers/image-spec/blob/main/layer.md#applying-changesets // See https://github.com/opencontainers/image-spec/blob/main/layer.md#applying-changesets
func applyWindowsLayer(ctx context.Context, root string, r io.Reader, options ApplyOptions) (size int64, err error) { func applyWindowsLayer(ctx context.Context, root string, r io.Reader, options ApplyOptions) (size int64, err error) {
return ociwclayer.ImportLayerFromTar(ctx, r, root, options.Parents) // It seems that in certain situations, like having the containerd root and state on a file system hosted on a
// mounted VHDX, we need SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY. This happens
// in the base layer writer in hcsshim when adding a new file.
err = winio.RunWithPrivileges([]string{winio.SeSecurityPrivilege}, func() error {
var innerErr error
size, innerErr = ociwclayer.ImportLayerFromTar(ctx, r, root, options.Parents)
return innerErr
})
return
} }
// AsWindowsContainerLayer indicates that the tar stream to apply is that of // AsWindowsContainerLayer indicates that the tar stream to apply is that of

8
snapshots/windows/windows.go
View File

@ -478,7 +478,13 @@ func (s *snapshotter) convertScratchToReadOnlyLayer(ctx context.Context, snapsho
writer.CloseWithError(err) writer.CloseWithError(err)
}() }()
if _, err := ociwclayer.ImportLayerFromTar(ctx, reader, path, parentLayerPaths); err != nil { // It seems that in certain situations, like having the containerd root and state on a file system hosted on a
// mounted VHDX, we need SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY. This happens
// in the base layer writer in hcsshim when adding a new file.
if err := winio.RunWithPrivileges([]string{winio.SeSecurityPrivilege}, func() error {
_, err := ociwclayer.ImportLayerFromTar(ctx, reader, path, parentLayerPaths)
return err
}); err != nil {
return fmt.Errorf("failed to reimport snapshot: %w", err) return fmt.Errorf("failed to reimport snapshot: %w", err)
} }