
Commit a0e436e

committed
use chrootarchive over plain archive package
Just as additional hardening. Note chrootarchive does not work on macos/windows, in that case it still falls back to the regular pkg/archive. Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit 25aee24) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
1 parent d0ded9d commit a0e436e

8 files changed

Lines changed: 28 additions & 28 deletions


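--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -54,6 +54,7 @@ import (
 "go.podman.io/common/pkg/umask"
 is "go.podman.io/image/v5/storage"
 "go.podman.io/storage/pkg/archive"
+"go.podman.io/storage/pkg/chrootarchive"
 "go.podman.io/storage/pkg/fileutils"
 "go.podman.io/storage/pkg/idtools"
 "go.podman.io/storage/pkg/lockfile"
@@ -1207,11 +1208,10 @@ func (c *Container) exportCheckpoint(options ContainerCheckpointOptions) error {
 if mp == "" {
 return fmt.Errorf("volume %s is not mounted, cannot export: %w", volume.Name(), define.ErrInternal)
 }
-
-input, err := archive.TarWithOptions(mp, &archive.TarOptions{
+input, err := chrootarchive.Tar(mp, &archive.TarOptions{
 Compression: archive.Uncompressed,
 IncludeSourceDir: true,
-})
+}, mp)
 if err != nil {
 return fmt.Errorf("reading volume directory %q: %w", v.Dest, err)
 }
@@ -1226,12 +1226,12 @@ func (c *Container) exportCheckpoint(options ContainerCheckpointOptions) error {
 }
 }
 
-input, err := archive.TarWithOptions(c.bundlePath(), &archive.TarOptions{
+bundle := c.bundlePath()
+input, err := chrootarchive.Tar(bundle, &archive.TarOptions{
 Compression: options.Compression,
 IncludeSourceDir: true,
 IncludeFiles: includeFiles,
-})
-
+}, bundle)
 if err != nil {
 return fmt.Errorf("reading checkpoint directory %q: %w", c.ID(), err)
 }
@@ -1312,10 +1312,10 @@ func (c *Container) checkpoint(ctx context.Context, options ContainerCheckpointO
 }
 defer shmDirTarFile.Close()
 
-input, err := archive.TarWithOptions(c.config.ShmDir, &archive.TarOptions{
+input, err := chrootarchive.Tar(c.config.ShmDir, &archive.TarOptions{
 Compression: archive.Uncompressed,
 IncludeSourceDir: true,
-})
+}, c.config.ShmDir)
 if err != nil {
 return nil, 0, err
 }
@@ -1488,7 +1488,7 @@ func (c *Container) importPreCheckpoint(input string) error {
 
 defer archiveFile.Close()
 
-err = archive.Untar(archiveFile, c.bundlePath(), nil)
+err = chrootarchive.Untar(archiveFile, c.bundlePath(), nil)
 if err != nil {
 return fmt.Errorf("unpacking of pre-checkpoint archive %s failed: %w", input, err)
 }
@@ -1751,7 +1751,7 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti
 }
 defer shmDirTarFile.Close()
 
-if err := archive.UntarUncompressed(shmDirTarFile, c.config.ShmDir, nil); err != nil {
+if err := chrootarchive.UntarUncompressed(shmDirTarFile, c.config.ShmDir, nil); err != nil {
 return nil, 0, err
 }
 }
@@ -1791,7 +1791,7 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti
 if mountPoint == "" {
 return nil, 0, fmt.Errorf("unable to import volume %s as it is not mounted: %w", volume.Name(), err)
 }
-if err := archive.UntarUncompressed(volumeFile, mountPoint, nil); err != nil {
+if err := chrootarchive.UntarUncompressed(volumeFile, mountPoint, nil); err != nil {
 return nil, 0, fmt.Errorf("failed to extract volume %s to %s: %w", volumeFilePath, mountPoint, err)
 }
 }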

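--- a/libpod/volume.go
+++ b/libpod/volume.go
@@ -13,7 +13,7 @@ import (
 "github.com/containers/podman/v5/libpod/plugin"
 "github.com/containers/podman/v5/utils"
 "github.com/sirupsen/logrus"
-"go.podman.io/storage/pkg/archive"
+"go.podman.io/storage/pkg/chrootarchive"
 "go.podman.io/storage/pkg/directory"
 )
 
@@ -342,7 +342,7 @@ func (v *Volume) Import(r io.Reader) error {
 }
 }()
 
-if err := archive.Untar(r, mountPoint, nil); err != nil {
+if err := chrootarchive.Untar(r, mountPoint, nil); err != nil {
 return fmt.Errorf("extracting into volume %s: %w", v.Name(), err)
 }
 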
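--- a/pkg/api/handlers/compat/images_build.go
+++ b/pkg/api/handlers/compat/images_build.go
@@ -1237,6 +1237,6 @@ func extractTarFile(anchorDir string, r io.ReadCloser) (string, error) {
 return "", err
 }
 
-err = archive.Untar(r, buildDir, nil)
+err = chrootarchive.Untar(r, buildDir, nil)
 return buildDir, err
 }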

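--- a/pkg/api/handlers/libpod/kube.go
+++ b/pkg/api/handlers/libpod/kube.go
@@ -12,8 +12,6 @@ import (
 "os"
 "path/filepath"
 
-"go.podman.io/storage/pkg/archive"
-
 "github.com/containers/podman/v5/libpod"
 "github.com/containers/podman/v5/pkg/api/handlers/utils"
 api "github.com/containers/podman/v5/pkg/api/types"
@@ -23,6 +21,7 @@ import (
 "github.com/gorilla/schema"
 "github.com/sirupsen/logrus"
 "go.podman.io/image/v5/types"
+"go.podman.io/storage/pkg/chrootarchive"
 )
 
 // ExtractPlayReader provide an io.Reader given a http.Request object
@@ -52,7 +51,7 @@ func extractPlayReader(anchorDir string, r *http.Request) (io.Reader, error) {
 reader = r.Body
 case "application/x-tar":
 // un-tar the content
-err := archive.Untar(r.Body, anchorDir, nil)
+err := chrootarchive.Untar(r.Body, anchorDir, nil)
 if err != nil {
 return nil, err
 }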
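Review bot: `extractPlayReader` still extracts `r.Body` with `nil` options, so apart from the chroot there is no ownership handling for a tar that arrives straight from the API client; if the service can run as root, consider `err := chrootarchive.Untar(r.Body, anchorDir, &archive.TarOptions{NoLchown: true})`, which is what the tunnel `Save` path in this same commit passes (this would re-add the `archive` import the first hunk removes). The same applies to `extractQuadletFiles` in pkg/api/handlers/libpod/quadlets.go and `extractTarFile` in pkg/api/handlers/compat/images_build.go, which also pass `nil`. Whether anything downstream depends on ownership from these archives I cannot tell from the hunks, so please confirm before changing it. extractPlayReader starts and ends outside the hunk.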

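--- a/pkg/api/handlers/libpod/quadlets.go
+++ b/pkg/api/handlers/libpod/quadlets.go
@@ -11,8 +11,6 @@ import (
 "path/filepath"
 "strings"
 
-"go.podman.io/storage/pkg/archive"
-
 "github.com/containers/podman/v5/libpod"
 "github.com/containers/podman/v5/libpod/define"
 "github.com/containers/podman/v5/pkg/api/handlers/utils"
@@ -23,6 +21,7 @@ import (
 "github.com/containers/podman/v5/pkg/util"
 "github.com/gorilla/schema"
 "github.com/sirupsen/logrus"
+"go.podman.io/storage/pkg/chrootarchive"
 )
 
 func ListQuadlets(w http.ResponseWriter, r *http.Request) {
@@ -94,7 +93,7 @@ func extractQuadletFiles(tempDir string, r io.ReadCloser) ([]string, error) {
 return nil, err
 }
 
-err = archive.Untar(r, quadletDir, nil)
+err = chrootarchive.Untar(r, quadletDir, nil)
 if err != nil {
 return nil, err
 }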

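--- a/pkg/checkpoint/crutils/checkpoint_restore_utils.go
+++ b/pkg/checkpoint/crutils/checkpoint_restore_utils.go
@@ -14,6 +14,7 @@ import (
 securejoin "github.com/cyphar/filepath-securejoin"
 "github.com/opencontainers/selinux/go-selinux/label"
 "go.podman.io/storage/pkg/archive"
+"go.podman.io/storage/pkg/chrootarchive"
 )
 
 // This file mainly exists to make the checkpoint/restore functions
@@ -35,7 +36,7 @@ func CRImportCheckpointWithoutConfig(destination, input string) error {
 metadata.SpecDumpFile,
 },
 }
-if err = archive.Untar(archiveFile, destination, options); err != nil {
+if err = chrootarchive.Untar(archiveFile, destination, options); err != nil {
 return fmt.Errorf("unpacking of checkpoint archive %s failed: %w", input, err)
 }
 
@@ -65,7 +66,7 @@ func CRImportCheckpointConfigOnly(destination, input string) error {
 metadata.CheckpointVolumesDirectory,
 },
 }
-if err = archive.Untar(archiveFile, destination, options); err != nil {
+if err = chrootarchive.Untar(archiveFile, destination, options); err != nil {
 return fmt.Errorf("unpacking of checkpoint archive %s failed: %w", input, err)
 }
 
@@ -114,7 +115,7 @@ func CRApplyRootFsDiffTar(baseDirectory, containerRootDirectory string) error {
 }
 defer rootfsDiffFile.Close()
 
-if err := archive.Untar(rootfsDiffFile, containerRootDirectory, nil); err != nil {
+if err := chrootarchive.Untar(rootfsDiffFile, containerRootDirectory, nil); err != nil {
 return fmt.Errorf("failed to apply root file-system diff file %s: %w", rootfsDiffPath, err)
 }
 
@@ -157,11 +158,11 @@ func CRCreateRootFsDiffTar(changes *[]archive.Change, mountPoint, destination st
 }
 
 if len(rootfsIncludeFiles) > 0 {
-rootfsTar, err := archive.TarWithOptions(mountPoint, &archive.TarOptions{
+rootfsTar, err := chrootarchive.Tar(mountPoint, &archive.TarOptions{
 Compression: archive.Uncompressed,
 IncludeSourceDir: true,
 IncludeFiles: rootfsIncludeFiles,
-})
+}, mountPoint)
 if err != nil {
 return includeFiles, fmt.Errorf("exporting root file-system diff to %q: %w", rootfsDiffPath, err)
 }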

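--- a/pkg/domain/infra/abi/play.go
+++ b/pkg/domain/infra/abi/play.go
@@ -43,7 +43,7 @@ import (
 "go.podman.io/common/pkg/secrets"
 "go.podman.io/image/v5/docker/reference"
 "go.podman.io/image/v5/types"
-"go.podman.io/storage/pkg/archive"
+"go.podman.io/storage/pkg/chrootarchive"
 "go.podman.io/storage/pkg/fileutils"
 yamlv3 "gopkg.in/yaml.v3"
 "sigs.k8s.io/yaml"
@@ -1503,7 +1503,7 @@ func (ic *ContainerEngine) importVolume(ctx context.Context, vol *libpod.Volume,
 }
 
 // dont care if volume is mounted or not we are gonna import everything to mountPoint
-return archive.Untar(tarFile, mountPoint, nil)
+return chrootarchive.Untar(tarFile, mountPoint, nil)
 }
 
 // readConfigMapFromFile returns a kubernetes configMap obtained from --configmap flag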

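--- a/pkg/domain/infra/tunnel/images.go
+++ b/pkg/domain/infra/tunnel/images.go
@@ -24,6 +24,7 @@ import (
 "go.podman.io/image/v5/docker/reference"
 "go.podman.io/image/v5/types"
 "go.podman.io/storage/pkg/archive"
+"go.podman.io/storage/pkg/chrootarchive"
 )
 
 func (ir *ImageEngine) Exists(_ context.Context, nameOrID string) (*entities.BoolReport, error) {
@@ -371,7 +372,7 @@ func (ir *ImageEngine) Save(_ context.Context, nameOrID string, tags []string, o
 return err
 }
 
-return archive.Untar(f, opts.Output, &archive.TarOptions{NoLchown: true})
+return chrootarchive.Untar(f, opts.Output, &archive.TarOptions{NoLchown: true})
 }
 
 func (ir *ImageEngine) Search(_ context.Context, term string, opts entities.ImageSearchOptions) ([]entities.ImageSearchReport, error) {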
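Review bot: If I read the package layout right, `Save` in the tunnel engine runs on the remote client, which is exactly the macOS/Windows case where, per the commit message, chrootarchive falls back to plain `archive`; a short comment on the new line would keep readers from assuming the chroot hardening applies here, e.g. `// chrootarchive is a plain-archive fallback on non-Linux clients; NoLchown keeps ownership out of the user's output dir.` Keeping `NoLchown: true` is the right choice for a client-side extraction into a user-chosen `opts.Output`. Save starts outside the hunk.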
