Use lchown when remapping rootfs
Use lchown when remapping the container's rootfs so that the symlink itself receives the correct ownership while the file it points to is left untouched. Remapping on the host can otherwise modify files outside the rootfs when a symlink is dereferenced. Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
parent
ef344c14ba
commit
1f6b10b699
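--- a/spec_unix.go
+++ b/spec_unix.go
@@ -6,12 +6,10 @@ import (
 "io/ioutil"
 "os"
 "path/filepath"
-"strings"
 "syscall"
 
 "golang.org/x/sys/unix"
 
-"github.com/containerd/containerd/fs"
 "github.com/containerd/containerd/mount"
 specs "github.com/opencontainers/runtime-spec/specs-go"
 )
@@ -179,15 +177,8 @@ func incrementFS(root string, uidInc, gidInc uint32) filepath.WalkFunc {
 var (
 stat = info.Sys().(*syscall.Stat_t)
 u, g = int(stat.Uid + uidInc), int(stat.Gid + gidInc)
-symlink = info.Mode()&os.ModeSymlink != 0
 )
-// make sure we resolve links inside the root for symlinks
-if path, err = fs.RootPath(root, strings.TrimPrefix(path, root)); err != nil {
-return err
-}
-if err := os.Chown(path, u, g); err != nil && !symlink {
-return err
-}
-return nil
+// be sure the lchown the path as to not de-reference the symlink to a host file
+return os.Lchown(path, u, g)
 }
 }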
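Review bot: `os.Lchown(path, u, g)` on the new line keeps the kernel from following only the final component of `path`; any intermediate directory component that is a symlink is still resolved, so the guarantee in the description that host files are never touched holds only while no directory under `root` is swapped for a symlink between `filepath.Walk` listing it and this call (Walk uses Lstat and does not descend into symlinked directories, so a symlink that already exists at walk time is not traversed). If the rootfs can be modified concurrently, for example by a running container, a dirfd-relative `unix.Fchownat(dirfd, name, u, g, unix.AT_SYMLINK_NOFOLLOW)` walk would close that window, and the `golang.org/x/sys/unix` import this file already carries makes that available. Otherwise the assumption deserves stating next to the call, e.g. `// Lchown protects only the leaf; directories under root are assumed not to change into symlinks during the walk`. The closure's signature and the `err` check that precedes the `var` block lie outside this hunk.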
|