Fix access denied on mounted vhdx root

It seems that in certain situations, like having the containerd root
and state on a file system hosted on a mounted VHDX, we need
SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY.
This happens in the base layer writer in hcsshim when adding a new file.

Enabling SeSecurityPrivilege allows the containerd root to be hosted on
a vhdx.

Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
Gabriel Adrian Samfira 2023-03-13 01:52:03 -07:00
parent 7cd72cce99
commit b41ca11598
2 changed files with 18 additions and 0 deletions


@ -18,14 +18,24 @@ package archive
import (
"context"
"fmt"
"io"
"github.com/Microsoft/go-winio"
"github.com/Microsoft/hcsshim/pkg/ociwclayer"
)
// applyWindowsLayer applies a tar stream of an OCI style diff tar of a Windows layer
// See https://github.com/opencontainers/image-spec/blob/main/layer.md#applying-changesets
func applyWindowsLayer(ctx context.Context, root string, r io.Reader, options ApplyOptions) (size int64, err error) {
// It seems that in certain situations, like having the containerd root and state on a file system hosted on a
// mounted VHDX, we need SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY. This happens
// in the base layer writer in hcsshim when adding a new file.
if err := winio.EnableProcessPrivileges([]string{winio.SeSecurityPrivilege}); err != nil {
return 0, fmt.Errorf("enabling privileges: %w", err)
}
defer winio.DisableProcessPrivileges([]string{winio.SeSecurityPrivilege})
return ociwclayer.ImportLayerFromTar(ctx, r, root, options.Parents)
}
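Review bot: The `defer winio.DisableProcessPrivileges(...)` right after the enable is not scoped to this call, because EnableProcessPrivileges/DisableProcessPrivileges adjust the process token rather than a thread token: if two layer imports overlap — two calls of applyWindowsLayer, or one of them alongside convertScratchToReadOnlyLayer in the second hunk, which adds the same enable/defer pair — the first to return strips SeSecurityPrivilege from the whole process while the other is still opening files with ACCESS_SYSTEM_SECURITY, and the access-denied failure this commit fixes would come back intermittently. Keeping the privilege enabled only while it is needed is the right least-privilege intent, but it needs a package-level reference count around enable/disable (disable only when the last concurrent user leaves); the simpler alternative, if dropping it between imports is not required, is to enable it once for the process, e.g. `var privOnce sync.Once` / `var privErr error` at package level and `privOnce.Do(func() { privErr = winio.EnableProcessPrivileges([]string{winio.SeSecurityPrivilege}) })` followed by `if privErr != nil { return 0, fmt.Errorf("enabling privileges: %w", privErr) }`. Whichever shape is chosen, apply it to both call sites so they do not fight over the same token. The deferred call also discards the error DisableProcessPrivileges returns; if it stays, mark that as deliberate with a short comment such as `// best effort: a failed disable leaves the privilege on, which the next enable tolerates`.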


@ -478,6 +478,14 @@ func (s *snapshotter) convertScratchToReadOnlyLayer(ctx context.Context, snapsho
writer.CloseWithError(err)
}()
// It seems that in certain situations, like having the containerd root and state on a file system hosted on a
// mounted VHDX, we need SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY. This happens
// in the base layer writer in hcsshim when adding a new file.
if err := winio.EnableProcessPrivileges([]string{winio.SeSecurityPrivilege}); err != nil {
return fmt.Errorf("enabling privileges: %w", err)
}
defer winio.DisableProcessPrivileges([]string{winio.SeSecurityPrivilege})
if _, err := ociwclayer.ImportLayerFromTar(ctx, reader, path, parentLayerPaths); err != nil {
return fmt.Errorf("failed to reimport snapshot: %w", err)
}