diff --git a/daemon/archive.go b/daemon/archive.go index 109376b4b5..9f56ca7503 100644 --- a/daemon/archive.go +++ b/daemon/archive.go @@ -39,11 +39,11 @@ func extractArchive(i interface{}, src io.Reader, dst string, opts *archive.TarO return chrootarchive.UntarWithRoot(src, dst, opts, root) } -func archivePath(i interface{}, src string, opts *archive.TarOptions, root string) (io.ReadCloser, error) { +func archivePath(i interface{}, src string, opts *archive.TarOptions) (io.ReadCloser, error) { if ap, ok := i.(archiver); ok { return ap.ArchivePath(src, opts) } - return chrootarchive.Tar(src, opts, root) + return archive.TarWithOptions(src, opts) } // ContainerCopy performs a deprecated operation of archiving the resource at @@ -239,7 +239,7 @@ func (daemon *Daemon) containerArchivePath(container *container.Container, path sourceDir, sourceBase := driver.Dir(resolvedPath), driver.Base(resolvedPath) opts := archive.TarResourceRebaseOpts(sourceBase, driver.Base(absPath)) - data, err := archivePath(driver, sourceDir, opts, container.BaseFS.Path()) + data, err := archivePath(driver, sourceDir, opts) if err != nil { return nil, nil, err } @@ -433,7 +433,7 @@ func (daemon *Daemon) containerCopy(container *container.Container, resource str archive, err := archivePath(driver, basePath, &archive.TarOptions{ Compression: archive.Uncompressed, IncludeFiles: filter, - }, container.BaseFS.Path()) + }) if err != nil { return nil, err } diff --git a/daemon/export.go b/daemon/export.go index 01593f4e8a..27bc35967d 100644 --- a/daemon/export.go +++ b/daemon/export.go @@ -70,7 +70,7 @@ func (daemon *Daemon) containerExport(container *container.Container) (arch io.R Compression: archive.Uncompressed, UIDMaps: daemon.idMapping.UIDs(), GIDMaps: daemon.idMapping.GIDs(), - }, basefs.Path()) + }) if err != nil { rwlayer.Unmount() return nil, err diff --git a/pkg/chrootarchive/archive.go b/pkg/chrootarchive/archive.go index 6ff61e6a76..7ebca3774c 100644 --- a/pkg/chrootarchive/archive.go +++ b/pkg/chrootarchive/archive.go @@ -87,11 +87,3 @@ func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions return invokeUnpack(r, dest, options, root) } - -// Tar tars the requested path while chrooted to the specified root. -func Tar(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) { - if options == nil { - options = &archive.TarOptions{} - } - return invokePack(srcPath, options, root) -} diff --git a/pkg/chrootarchive/archive_unix.go b/pkg/chrootarchive/archive_unix.go index ea2879dc00..96f07c4bb4 100644 --- a/pkg/chrootarchive/archive_unix.go +++ b/pkg/chrootarchive/archive_unix.go @@ -12,11 +12,9 @@ import ( "os" "path/filepath" "runtime" - "strings" "github.com/docker/docker/pkg/archive" "github.com/docker/docker/pkg/reexec" - "github.com/pkg/errors" ) // untar is the entry-point for docker-untar on re-exec. This is not used on @@ -26,7 +24,7 @@ func untar() { runtime.LockOSThread() flag.Parse() - var options archive.TarOptions + var options *archive.TarOptions //read the options from the pipe "ExtraFiles" if err := json.NewDecoder(os.NewFile(3, "options")).Decode(&options); err != nil { @@ -47,7 +45,7 @@ func untar() { fatal(err) } - if err := archive.Unpack(os.Stdin, dst, &options); err != nil { + if err := archive.Unpack(os.Stdin, dst, options); err != nil { fatal(err) } // fully consume stdin in case it is zero padded @@ -59,9 +57,6 @@ func untar() { } func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.TarOptions, root string) error { - if root == "" { - return errors.New("must specify a root to chroot to") - } // We can't pass a potentially large exclude list directly via cmd line // because we easily overrun the kernel's max argument/environment size @@ -117,92 +112,3 @@ func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.T } return nil } - -func tar() { - runtime.LockOSThread() - flag.Parse() - - src := flag.Arg(0) - var root string - if len(flag.Args()) > 1 { - root = flag.Arg(1) - } - - if root == "" { - root = src - } - - if err := realChroot(root); err != nil { - fatal(err) - } - - var options archive.TarOptions - if err := json.NewDecoder(os.Stdin).Decode(&options); err != nil { - fatal(err) - } - - rdr, err := archive.TarWithOptions(src, &options) - if err != nil { - fatal(err) - } - defer rdr.Close() - - if _, err := io.Copy(os.Stdout, rdr); err != nil { - fatal(err) - } - - os.Exit(0) -} - -func invokePack(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) { - if root == "" { - return nil, errors.New("root path must not be empty") - } - - relSrc, err := filepath.Rel(root, srcPath) - if err != nil { - return nil, err - } - if relSrc == "." { - relSrc = "/" - } - if relSrc[0] != '/' { - relSrc = "/" + relSrc - } - - // make sure we didn't trim a trailing slash with the call to `Rel` - if strings.HasSuffix(srcPath, "/") && !strings.HasSuffix(relSrc, "/") { - relSrc += "/" - } - - cmd := reexec.Command("docker-tar", relSrc, root) - - errBuff := bytes.NewBuffer(nil) - cmd.Stderr = errBuff - - tarR, tarW := io.Pipe() - cmd.Stdout = tarW - - stdin, err := cmd.StdinPipe() - if err != nil { - return nil, errors.Wrap(err, "error getting options pipe for tar process") - } - - if err := cmd.Start(); err != nil { - return nil, errors.Wrap(err, "tar error on re-exec cmd") - } - - go func() { - err := cmd.Wait() - err = errors.Wrapf(err, "error processing tar file: %s", errBuff) - tarW.CloseWithError(err) - }() - - if err := json.NewEncoder(stdin).Encode(options); err != nil { - stdin.Close() - return nil, errors.Wrap(err, "tar json encode to pipe failed") - } - stdin.Close() - - return tarR, nil -} diff --git a/pkg/chrootarchive/archive_unix_test.go b/pkg/chrootarchive/archive_unix_test.go index f39a88ad38..d81c190481 100644 --- a/pkg/chrootarchive/archive_unix_test.go +++ b/pkg/chrootarchive/archive_unix_test.go @@ -3,14 +3,11 @@ package chrootarchive import ( - gotar "archive/tar" "bytes" "io" "io/ioutil" "os" - "path" "path/filepath" - "strings" "testing" "github.com/docker/docker/pkg/archive" @@ -78,94 +75,3 @@ func TestUntarWithMaliciousSymlinks(t *testing.T) { assert.NilError(t, err) assert.Equal(t, string(hostData), "pwn3d") } - -// Test for CVE-2018-15664 -// Assures that in the case where an "attacker" controlled path is a symlink to -// some path outside of a container's rootfs that we do not unwittingly leak -// host data into the archive. -func TestTarWithMaliciousSymlinks(t *testing.T) { - dir, err := ioutil.TempDir("", t.Name()) - assert.NilError(t, err) - // defer os.RemoveAll(dir) - t.Log(dir) - - root := filepath.Join(dir, "root") - - err = os.MkdirAll(root, 0755) - assert.NilError(t, err) - - hostFileData := []byte("I am a host file") - - // Add a file into a directory above root - // Ensure that we can't access this file while tarring. - err = ioutil.WriteFile(filepath.Join(dir, "host-file"), hostFileData, 0644) - assert.NilError(t, err) - - safe := filepath.Join(root, "safe") - err = unix.Symlink(dir, safe) - assert.NilError(t, err) - - data := filepath.Join(dir, "data") - err = os.MkdirAll(data, 0755) - assert.NilError(t, err) - - type testCase struct { - p string - includes []string - } - - cases := []testCase{ - {p: safe, includes: []string{"host-file"}}, - {p: safe + "/", includes: []string{"host-file"}}, - {p: safe, includes: nil}, - {p: safe + "/", includes: nil}, - {p: root, includes: []string{"safe/host-file"}}, - {p: root, includes: []string{"/safe/host-file"}}, - {p: root, includes: nil}, - } - - maxBytes := len(hostFileData) - - for _, tc := range cases { - t.Run(path.Join(tc.p+"_"+strings.Join(tc.includes, "_")), func(t *testing.T) { - // Here if we use archive.TarWithOptions directly or change the "root" parameter - // to be the same as "safe", data from the host will be leaked into the archive - var opts *archive.TarOptions - if tc.includes != nil { - opts = &archive.TarOptions{ - IncludeFiles: tc.includes, - } - } - rdr, err := Tar(tc.p, opts, root) - assert.NilError(t, err) - defer rdr.Close() - - tr := gotar.NewReader(rdr) - assert.Assert(t, !isDataInTar(t, tr, hostFileData, int64(maxBytes)), "host data leaked to archive") - }) - } -} - -func isDataInTar(t *testing.T, tr *gotar.Reader, compare []byte, maxBytes int64) bool { - for { - h, err := tr.Next() - if err == io.EOF { - break - } - assert.NilError(t, err) - - if h.Size == 0 { - continue - } - assert.Assert(t, h.Size <= maxBytes, "%s: file size exceeds max expected size %d: %d", h.Name, maxBytes, h.Size) - - data := make([]byte, int(h.Size)) - _, err = io.ReadFull(tr, data) - assert.NilError(t, err) - if bytes.Contains(data, compare) { - return true - } - } - - return false -} diff --git a/pkg/chrootarchive/archive_windows.go b/pkg/chrootarchive/archive_windows.go index de87113e95..bd5712c5c0 100644 --- a/pkg/chrootarchive/archive_windows.go +++ b/pkg/chrootarchive/archive_windows.go @@ -20,10 +20,3 @@ func invokeUnpack(decompressedArchive io.ReadCloser, // do the unpack. We call inline instead within the daemon process. return archive.Unpack(decompressedArchive, longpath.AddPrefix(dest), options) } - -func invokePack(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) { - // Windows is different to Linux here because Windows does not support - // chroot. Hence there is no point sandboxing a chrooted process to - // do the pack. We call inline instead within the daemon process. - return archive.TarWithOptions(srcPath, options) -} diff --git a/pkg/chrootarchive/init_unix.go b/pkg/chrootarchive/init_unix.go index c24fea7d9c..a15e4bb83c 100644 --- a/pkg/chrootarchive/init_unix.go +++ b/pkg/chrootarchive/init_unix.go @@ -14,7 +14,6 @@ import ( func init() { reexec.Register("docker-applyLayer", applyLayer) reexec.Register("docker-untar", untar) - reexec.Register("docker-tar", tar) } func fatal(err error) {