github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Use RunWithPrivileges

Browse Source 
RunWithPrivileges() will enable privileges will lock a thread, change
privileges, and run the function passed in, within that thread. This
allows us to limit the scope in which we enable privileges and avoids
accidentally enabling privileges in threads that should never have them.

Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
This commit is contained in:
Gabriel Adrian Samfira 2023-03-15 05:30:46 -07:00
parent b41ca11598
commit 6f0714efcb
2 changed files with 10 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
archive/tar_opts_windows.go
View File

@ -18,7 +18,6 @@ package archive
import ( import (
"context" "context"
"fmt"
"io" "io"
"github.com/Microsoft/go-winio" "github.com/Microsoft/go-winio"
@ -31,12 +30,12 @@ func applyWindowsLayer(ctx context.Context, root string, r io.Reader, options Ap
// It seems that in certain situations, like having the containerd root and state on a file system hosted on a // It seems that in certain situations, like having the containerd root and state on a file system hosted on a
// mounted VHDX, we need SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY. This happens // mounted VHDX, we need SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY. This happens
// in the base layer writer in hcsshim when adding a new file. // in the base layer writer in hcsshim when adding a new file.
if err := winio.EnableProcessPrivileges([]string{winio.SeSecurityPrivilege}); err != nil { err = winio.RunWithPrivileges([]string{winio.SeSecurityPrivilege}, func() error {
return 0, fmt.Errorf("enabling privileges: %w", err) var innerErr error
} size, innerErr = ociwclayer.ImportLayerFromTar(ctx, r, root, options.Parents)
defer winio.DisableProcessPrivileges([]string{winio.SeSecurityPrivilege}) return innerErr
})
return ociwclayer.ImportLayerFromTar(ctx, r, root, options.Parents) return
} }
// AsWindowsContainerLayer indicates that the tar stream to apply is that of // AsWindowsContainerLayer indicates that the tar stream to apply is that of

10
snapshots/windows/windows.go
View File

@ -481,12 +481,10 @@ func (s *snapshotter) convertScratchToReadOnlyLayer(ctx context.Context, snapsho
// It seems that in certain situations, like having the containerd root and state on a file system hosted on a // It seems that in certain situations, like having the containerd root and state on a file system hosted on a
// mounted VHDX, we need SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY. This happens // mounted VHDX, we need SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY. This happens
// in the base layer writer in hcsshim when adding a new file. // in the base layer writer in hcsshim when adding a new file.
if err := winio.EnableProcessPrivileges([]string{winio.SeSecurityPrivilege}); err != nil { if err := winio.RunWithPrivileges([]string{winio.SeSecurityPrivilege}, func() error {
return fmt.Errorf("enabling privileges: %w", err) _, err := ociwclayer.ImportLayerFromTar(ctx, reader, path, parentLayerPaths)
} return err
defer winio.DisableProcessPrivileges([]string{winio.SeSecurityPrivilege}) }); err != nil {
if _, err := ociwclayer.ImportLayerFromTar(ctx, reader, path, parentLayerPaths); err != nil {
return fmt.Errorf("failed to reimport snapshot: %w", err) return fmt.Errorf("failed to reimport snapshot: %w", err)
} }