Fix access denied on mounted vhdx root
It seems that in certain situations, like having the containerd root and state on a file system hosted on a mounted VHDX, we need SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY. This happens in the base layer writer in hcsshim when adding a new file. Enabling SeSecurityPrivilege allows the containerd root to be hosted on a vhdx. Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
This commit is contained in:
parent
7cd72cce99
commit
b41ca11598
@ -18,14 +18,24 @@ package archive
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"io"
|
||||
|
||||
"github.com/Microsoft/go-winio"
|
||||
"github.com/Microsoft/hcsshim/pkg/ociwclayer"
|
||||
)
|
||||
|
||||
// applyWindowsLayer applies a tar stream of an OCI style diff tar of a Windows layer
|
||||
// See https://github.com/opencontainers/image-spec/blob/main/layer.md#applying-changesets
|
||||
func applyWindowsLayer(ctx context.Context, root string, r io.Reader, options ApplyOptions) (size int64, err error) {
|
||||
// It seems that in certain situations, like having the containerd root and state on a file system hosted on a
|
||||
// mounted VHDX, we need SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY. This happens
|
||||
// in the base layer writer in hcsshim when adding a new file.
|
||||
if err := winio.EnableProcessPrivileges([]string{winio.SeSecurityPrivilege}); err != nil {
|
||||
return 0, fmt.Errorf("enabling privileges: %w", err)
|
||||
}
|
||||
defer winio.DisableProcessPrivileges([]string{winio.SeSecurityPrivilege})
|
||||
|
||||
return ociwclayer.ImportLayerFromTar(ctx, r, root, options.Parents)
|
||||
}
|
||||
|
||||
|
@ -478,6 +478,14 @@ func (s *snapshotter) convertScratchToReadOnlyLayer(ctx context.Context, snapsho
|
||||
writer.CloseWithError(err)
|
||||
}()
|
||||
|
||||
// It seems that in certain situations, like having the containerd root and state on a file system hosted on a
|
||||
// mounted VHDX, we need SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY. This happens
|
||||
// in the base layer writer in hcsshim when adding a new file.
|
||||
if err := winio.EnableProcessPrivileges([]string{winio.SeSecurityPrivilege}); err != nil {
|
||||
return fmt.Errorf("enabling privileges: %w", err)
|
||||
}
|
||||
defer winio.DisableProcessPrivileges([]string{winio.SeSecurityPrivilege})
|
||||
|
||||
if _, err := ociwclayer.ImportLayerFromTar(ctx, reader, path, parentLayerPaths); err != nil {
|
||||
return fmt.Errorf("failed to reimport snapshot: %w", err)
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user