moby--moby/pkg/chrootarchive/archive.go

package chrootarchive // import "github.com/docker/docker/pkg/chrootarchive"

import (
	"fmt"
	"io"
	"io/ioutil"
	"net"
	"os"
	"os/user"
	"path/filepath"

	"github.com/docker/docker/pkg/archive"
	"github.com/docker/docker/pkg/idtools"
)

func init() {
	// initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
	// environment not in the chroot from untrusted files.
	_, _ = user.Lookup("docker")
	_, _ = net.LookupHost("localhost")
}

// NewArchiver returns a new Archiver which uses chrootarchive.Untar
func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver {
	if idMapping == nil {
		idMapping = &idtools.IdentityMapping{}
	}
	return &archive.Archiver{
		Untar:     Untar,
		IDMapping: idMapping,
	}
}

// Untar reads a stream of bytes from `archive`, parses it as a tar archive,
// and unpacks it into the directory at `dest`.
// The archive may be compressed with one of the following algorithms:
//  identity (uncompressed), gzip, bzip2, xz.
func Untar(tarArchive io.Reader, dest string, options *archive.TarOptions) error {
	return untarHandler(tarArchive, dest, options, true, dest)
}

// UntarWithRoot is the same as `Untar`, but allows you to pass in a root directory
// The root directory is the directory that will be chrooted to.
// `dest` must be a path within `root`, if it is not an error will be returned.
//
// `root` should set to a directory which is not controlled by any potentially
// malicious process.
//
// This should be used to prevent a potential attacker from manipulating `dest`
// such that it would provide access to files outside of `dest` through things
// like symlinks. Normally `ResolveSymlinksInScope` would handle this, however
// sanitizing symlinks in this manner is inherrently racey:
// ref: CVE-2018-15664
func UntarWithRoot(tarArchive io.Reader, dest string, options *archive.TarOptions, root string) error {
	return untarHandler(tarArchive, dest, options, true, root)
}

// UntarUncompressed reads a stream of bytes from `archive`, parses it as a tar archive,
// and unpacks it into the directory at `dest`.
// The archive must be an uncompressed stream.
func UntarUncompressed(tarArchive io.Reader, dest string, options *archive.TarOptions) error {
	return untarHandler(tarArchive, dest, options, false, dest)
}

// Handler for teasing out the automatic decompression
func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions, decompress bool, root string) error {
	if tarArchive == nil {
		return fmt.Errorf("Empty archive")
	}
	if options == nil {
		options = &archive.TarOptions{}
	}
	if options.ExcludePatterns == nil {
		options.ExcludePatterns = []string{}
	}

	idMapping := idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps)
	rootIDs := idMapping.RootPair()

	dest = filepath.Clean(dest)
	if _, err := os.Stat(dest); os.IsNotExist(err) {
		if err := idtools.MkdirAllAndChownNew(dest, 0755, rootIDs); err != nil {
			return err
		}
	}

	r := ioutil.NopCloser(tarArchive)
	if decompress {
		decompressedArchive, err := archive.DecompressStream(tarArchive)
		if err != nil {
			return err
		}
		defer decompressedArchive.Close()
		r = decompressedArchive
	}

	return invokeUnpack(r, dest, options, root)
}

// Tar tars the requested path while chrooted to the specified root.
func Tar(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) {
	if options == nil {
		options = &archive.TarOptions{}
	}
	return invokePack(srcPath, options, root)
}
Add canonical import comment Signed-off-by: Daniel Nephin <dnephin@docker.com> 2018-02-05 16:05:59 -05:00			`package chrootarchive // import "github.com/docker/docker/pkg/chrootarchive"`
add pkg/chrootarchive and use it on the daemon Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack) Conflicts: builder/internals.go daemon/graphdriver/aufs/aufs.go daemon/volumes.go fixed conflicts in imports 2014-10-29 15:06:51 -04:00
			`import (`
			`"fmt"`
			`"io"`
archive, chrootarchive: split out decompression In `ApplyLayer` and `Untar`, the stream is magically decompressed. Since this is not able to be toggled, rather than break this ./pkg/ API, add an `ApplyUncompressedLayer` and `UntarUncompressed` that does not magically decompress the layer stream. Signed-off-by: Vincent Batts <vbatts@redhat.com> 2015-07-27 09:46:20 -04:00			`"io/ioutil"`
Initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host environment not in the chroot from untrusted files. See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234 Signed-off-by: Justin Cormack <justin.cormack@docker.com> (cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b) Signed-off-by: Tibor Vass <tibor@docker.com> 2019-07-25 10:24:39 -04:00			`"net"`
add pkg/chrootarchive and use it on the daemon Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack) Conflicts: builder/internals.go daemon/graphdriver/aufs/aufs.go daemon/volumes.go fixed conflicts in imports 2014-10-29 15:06:51 -04:00			`"os"`
Initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host environment not in the chroot from untrusted files. See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234 Signed-off-by: Justin Cormack <justin.cormack@docker.com> (cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b) Signed-off-by: Tibor Vass <tibor@docker.com> 2019-07-25 10:24:39 -04:00			`"os/user"`
Decompress archive before streaming the unpack in a chroot Signed-off-by: Michael Crosby <crosbymichael@gmail.com> Conflicts: pkg/archive/archive.go pkg/chrootarchive/archive.go Conflicts: pkg/archive/archive.go 2014-12-08 16:19:24 -05:00			`"path/filepath"`
add pkg/chrootarchive and use it on the daemon Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack) Conflicts: builder/internals.go daemon/graphdriver/aufs/aufs.go daemon/volumes.go fixed conflicts in imports 2014-10-29 15:06:51 -04:00
			`"github.com/docker/docker/pkg/archive"`
Correct build-time directory creation with user namespaced daemon This fixes errors in ownership on directory creation during build that can cause inaccessible files depending on the paths in the Dockerfile and non-existing directories in the starting image. Add tests for the mkdir variants in pkg/idtools Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp) 2015-10-14 14:35:48 -04:00			`"github.com/docker/docker/pkg/idtools"`
add pkg/chrootarchive and use it on the daemon Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack) Conflicts: builder/internals.go daemon/graphdriver/aufs/aufs.go daemon/volumes.go fixed conflicts in imports 2014-10-29 15:06:51 -04:00			`)`

Initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host environment not in the chroot from untrusted files. See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234 Signed-off-by: Justin Cormack <justin.cormack@docker.com> (cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b) Signed-off-by: Tibor Vass <tibor@docker.com> 2019-07-25 10:24:39 -04:00			`func init() {`
			`// initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host`
			`// environment not in the chroot from untrusted files.`
			`_, _ = user.Lookup("docker")`
			`_, _ = net.LookupHost("localhost")`
			`}`

Remove unused functions from archive. Signed-off-by: Daniel Nephin <dnephin@docker.com> 2017-05-24 11:53:41 -04:00			`// NewArchiver returns a new Archiver which uses chrootarchive.Untar`
Add ADD/COPY --chown flag support to Windows This implements chown support on Windows. Built-in accounts as well as accounts included in the SAM database of the container are supported. NOTE: IDPair is now named Identity and IDMappings is now named IdentityMapping. The following are valid examples: ADD --chown=Guest . <some directory> COPY --chown=Administrator . <some directory> COPY --chown=Guests . <some directory> COPY --chown=ContainerUser . <some directory> On Windows an owner is only granted the permission to read the security descriptor and read/write the discretionary access control list. This fix also grants read/write and execute permissions to the owner. Signed-off-by: Salahuddin Khan <salah@docker.com> 2017-11-16 01:20:33 -05:00			`func NewArchiver(idMapping idtools.IdentityMapping) archive.Archiver {`
			`if idMapping == nil {`
			`idMapping = &idtools.IdentityMapping{}`
Remove unused functions from archive. Signed-off-by: Daniel Nephin <dnephin@docker.com> 2017-05-24 11:53:41 -04:00			`}`
LCOW: Implemented support for docker cp + build This enables docker cp and ADD/COPY docker build support for LCOW. Originally, the graphdriver.Get() interface returned a local path to the container root filesystem. This does not work for LCOW, so the Get() method now returns an interface that LCOW implements to support copying to and from the container. Signed-off-by: Akash Gupta <akagup@microsoft.com> 2017-08-03 20:22:00 -04:00			`return &archive.Archiver{`
Add ADD/COPY --chown flag support to Windows This implements chown support on Windows. Built-in accounts as well as accounts included in the SAM database of the container are supported. NOTE: IDPair is now named Identity and IDMappings is now named IdentityMapping. The following are valid examples: ADD --chown=Guest . <some directory> COPY --chown=Administrator . <some directory> COPY --chown=Guests . <some directory> COPY --chown=ContainerUser . <some directory> On Windows an owner is only granted the permission to read the security descriptor and read/write the discretionary access control list. This fix also grants read/write and execute permissions to the owner. Signed-off-by: Salahuddin Khan <salah@docker.com> 2017-11-16 01:20:33 -05:00			`Untar: Untar,`
			`IDMapping: idMapping,`
LCOW: Implemented support for docker cp + build This enables docker cp and ADD/COPY docker build support for LCOW. Originally, the graphdriver.Get() interface returned a local path to the container root filesystem. This does not work for LCOW, so the Get() method now returns an interface that LCOW implements to support copying to and from the container. Signed-off-by: Akash Gupta <akagup@microsoft.com> 2017-08-03 20:22:00 -04:00			`}`
Remove unused functions from archive. Signed-off-by: Daniel Nephin <dnephin@docker.com> 2017-05-24 11:53:41 -04:00			`}`
Update chroot apply layer to handle decompression outside chroot Signed-off-by: Michael Crosby <crosbymichael@gmail.com> Conflicts: pkg/archive/diff.go pkg/chrootarchive/archive.go Conflicts: pkg/archive/diff.go pkg/chrootarchive/diff.go 2014-12-08 16:14:56 -05:00
linting changes Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> 2015-06-16 05:51:27 -04:00			// Untar reads a stream of bytes from `archive`, parses it as a tar archive,
			// and unpacks it into the directory at `dest`.
			`// The archive may be compressed with one of the following algorithms:`
			`// identity (uncompressed), gzip, bzip2, xz.`
Update chroot apply layer to handle decompression outside chroot Signed-off-by: Michael Crosby <crosbymichael@gmail.com> Conflicts: pkg/archive/diff.go pkg/chrootarchive/archive.go Conflicts: pkg/archive/diff.go pkg/chrootarchive/diff.go 2014-12-08 16:14:56 -05:00			`func Untar(tarArchive io.Reader, dest string, options *archive.TarOptions) error {`
Pass root to chroot to for chroot Untar This is useful for preventing CVE-2018-15664 where a malicious container process can take advantage of a race on symlink resolution/sanitization. Before this change chrootarchive would chroot to the destination directory which is attacker controlled. With this patch we always chroot to the container's root which is not attacker controlled. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2019-05-30 14:15:09 -04:00			`return untarHandler(tarArchive, dest, options, true, dest)`
			`}`

			// UntarWithRoot is the same as `Untar`, but allows you to pass in a root directory
			`// The root directory is the directory that will be chrooted to.`
			// `dest` must be a path within `root`, if it is not an error will be returned.
			`//`
			// `root` should set to a directory which is not controlled by any potentially
			`// malicious process.`
			`//`
			// This should be used to prevent a potential attacker from manipulating `dest`
			// such that it would provide access to files outside of `dest` through things
			// like symlinks. Normally `ResolveSymlinksInScope` would handle this, however
			`// sanitizing symlinks in this manner is inherrently racey:`
			`// ref: CVE-2018-15664`
			`func UntarWithRoot(tarArchive io.Reader, dest string, options *archive.TarOptions, root string) error {`
			`return untarHandler(tarArchive, dest, options, true, root)`
archive, chrootarchive: split out decompression In `ApplyLayer` and `Untar`, the stream is magically decompressed. Since this is not able to be toggled, rather than break this ./pkg/ API, add an `ApplyUncompressedLayer` and `UntarUncompressed` that does not magically decompress the layer stream. Signed-off-by: Vincent Batts <vbatts@redhat.com> 2015-07-27 09:46:20 -04:00			`}`

			// UntarUncompressed reads a stream of bytes from `archive`, parses it as a tar archive,
			// and unpacks it into the directory at `dest`.
			`// The archive must be an uncompressed stream.`
			`func UntarUncompressed(tarArchive io.Reader, dest string, options *archive.TarOptions) error {`
Pass root to chroot to for chroot Untar This is useful for preventing CVE-2018-15664 where a malicious container process can take advantage of a race on symlink resolution/sanitization. Before this change chrootarchive would chroot to the destination directory which is attacker controlled. With this patch we always chroot to the container's root which is not attacker controlled. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2019-05-30 14:15:09 -04:00			`return untarHandler(tarArchive, dest, options, false, dest)`
archive, chrootarchive: split out decompression In `ApplyLayer` and `Untar`, the stream is magically decompressed. Since this is not able to be toggled, rather than break this ./pkg/ API, add an `ApplyUncompressedLayer` and `UntarUncompressed` that does not magically decompress the layer stream. Signed-off-by: Vincent Batts <vbatts@redhat.com> 2015-07-27 09:46:20 -04:00			`}`

			`// Handler for teasing out the automatic decompression`
Pass root to chroot to for chroot Untar This is useful for preventing CVE-2018-15664 where a malicious container process can take advantage of a race on symlink resolution/sanitization. Before this change chrootarchive would chroot to the destination directory which is attacker controlled. With this patch we always chroot to the container's root which is not attacker controlled. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2019-05-30 14:15:09 -04:00			`func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions, decompress bool, root string) error {`
Update chroot apply layer to handle decompression outside chroot Signed-off-by: Michael Crosby <crosbymichael@gmail.com> Conflicts: pkg/archive/diff.go pkg/chrootarchive/archive.go Conflicts: pkg/archive/diff.go pkg/chrootarchive/diff.go 2014-12-08 16:14:56 -05:00			`if tarArchive == nil {`
			`return fmt.Errorf("Empty archive")`
			`}`
			`if options == nil {`
			`options = &archive.TarOptions{}`
			`}`
Have .dockerignore support Dockerfile/.dockerignore If .dockerignore mentions either then the client will send them to the daemon but the daemon will erase them after the Dockerfile has been parsed to simulate them never being sent in the first place. an events test kept failing for me so I tried to fix that too Closes #8330 Signed-off-by: Doug Davis <dug@us.ibm.com> 2014-10-23 17:30:11 -04:00			`if options.ExcludePatterns == nil {`
			`options.ExcludePatterns = []string{}`
Update chroot apply layer to handle decompression outside chroot Signed-off-by: Michael Crosby <crosbymichael@gmail.com> Conflicts: pkg/archive/diff.go pkg/chrootarchive/archive.go Conflicts: pkg/archive/diff.go pkg/chrootarchive/diff.go 2014-12-08 16:14:56 -05:00			`}`
add pkg/chrootarchive and use it on the daemon Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack) Conflicts: builder/internals.go daemon/graphdriver/aufs/aufs.go daemon/volumes.go fixed conflicts in imports 2014-10-29 15:06:51 -04:00
Add ADD/COPY --chown flag support to Windows This implements chown support on Windows. Built-in accounts as well as accounts included in the SAM database of the container are supported. NOTE: IDPair is now named Identity and IDMappings is now named IdentityMapping. The following are valid examples: ADD --chown=Guest . <some directory> COPY --chown=Administrator . <some directory> COPY --chown=Guests . <some directory> COPY --chown=ContainerUser . <some directory> On Windows an owner is only granted the permission to read the security descriptor and read/write the discretionary access control list. This fix also grants read/write and execute permissions to the owner. Signed-off-by: Salahuddin Khan <salah@docker.com> 2017-11-16 01:20:33 -05:00			`idMapping := idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps)`
			`rootIDs := idMapping.RootPair()`
Correct build-time directory creation with user namespaced daemon This fixes errors in ownership on directory creation during build that can cause inaccessible files depending on the paths in the Dockerfile and non-existing directories in the starting image. Add tests for the mkdir variants in pkg/idtools Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp) 2015-10-14 14:35:48 -04:00
Pass excludes/options to tar unarchiver via environment Fixes #10426 Because of the ability to easily overload the shell max argument list length once the image count is several hundred, `docker load` will start to fail because of this as it passes an excludes list of all images in the graph. This patch uses an environment variable with the json marshalled through it to get around the arg length limitation. Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp) 2015-01-29 10:28:44 -05:00			`dest = filepath.Clean(dest)`
add pkg/chrootarchive and use it on the daemon Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack) Conflicts: builder/internals.go daemon/graphdriver/aufs/aufs.go daemon/volumes.go fixed conflicts in imports 2014-10-29 15:06:51 -04:00			`if _, err := os.Stat(dest); os.IsNotExist(err) {`
Remove MkdirAllNewAs and update tests. Signed-off-by: Daniel Nephin <dnephin@docker.com> 2017-05-31 17:36:48 -04:00			`if err := idtools.MkdirAllAndChownNew(dest, 0755, rootIDs); err != nil {`
add pkg/chrootarchive and use it on the daemon Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack) Conflicts: builder/internals.go daemon/graphdriver/aufs/aufs.go daemon/volumes.go fixed conflicts in imports 2014-10-29 15:06:51 -04:00			`return err`
			`}`
			`}`
Pass excludes/options to tar unarchiver via environment Fixes #10426 Because of the ability to easily overload the shell max argument list length once the image count is several hundred, `docker load` will start to fail because of this as it passes an excludes list of all images in the graph. This patch uses an environment variable with the json marshalled through it to get around the arg length limitation. Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp) 2015-01-29 10:28:44 -05:00
archive, chrootarchive: split out decompression In `ApplyLayer` and `Untar`, the stream is magically decompressed. Since this is not able to be toggled, rather than break this ./pkg/ API, add an `ApplyUncompressedLayer` and `UntarUncompressed` that does not magically decompress the layer stream. Signed-off-by: Vincent Batts <vbatts@redhat.com> 2015-07-27 09:46:20 -04:00			`r := ioutil.NopCloser(tarArchive)`
			`if decompress {`
			`decompressedArchive, err := archive.DecompressStream(tarArchive)`
			`if err != nil {`
			`return err`
			`}`
			`defer decompressedArchive.Close()`
			`r = decompressedArchive`
Decompress archive before streaming the unpack in a chroot Signed-off-by: Michael Crosby <crosbymichael@gmail.com> Conflicts: pkg/archive/archive.go pkg/chrootarchive/archive.go Conflicts: pkg/archive/archive.go 2014-12-08 16:19:24 -05:00			`}`
pkg/chrootarchive: pass TarOptions via CLI arg Signed-off-by: Tibor Vass <teabee89@gmail.com> Conflicts: graph/load.go fixed conflict in imports 2014-11-08 10:38:42 -05:00
Pass root to chroot to for chroot Untar This is useful for preventing CVE-2018-15664 where a malicious container process can take advantage of a race on symlink resolution/sanitization. Before this change chrootarchive would chroot to the destination directory which is attacker controlled. With this patch we always chroot to the container's root which is not attacker controlled. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2019-05-30 14:15:09 -04:00			`return invokeUnpack(r, dest, options, root)`
add pkg/chrootarchive and use it on the daemon Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack) Conflicts: builder/internals.go daemon/graphdriver/aufs/aufs.go daemon/volumes.go fixed conflicts in imports 2014-10-29 15:06:51 -04:00			`}`
Add chroot for tar packing operations Previously only unpack operations were supported with chroot. This adds chroot support for packing operations. This prevents potential breakouts when copying data from a container. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2019-05-30 17:55:52 -04:00
			`// Tar tars the requested path while chrooted to the specified root.`
			`func Tar(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) {`
			`if options == nil {`
			`options = &archive.TarOptions{}`
			`}`
			`return invokePack(srcPath, options, root)`
			`}`