Revert "Add chroot for tar packing operations"

This reverts commit 3e057d527d. Signed-off-by: Tibor Vass <tibor@docker.com>
2022-11-09 12:21:53 -05:00 · 2019-06-12 04:06:14 +00:00 · 2019-06-12 04:06:14 +00:00 · 96df6d4d0b
commit 96df6d4d0b
parent a33a82b42f
7 changed files with 7 additions and 211 deletions
--- a/daemon/archive.go
+++ b/daemon/archive.go
@ -39,11 +39,11 @@ func extractArchive(i interface{}, src io.Reader, dst string, opts *archive.TarO
 	return chrootarchive.UntarWithRoot(src, dst, opts, root)
 }
-func archivePath(i interface{}, src string, opts *archive.TarOptions, root string) (io.ReadCloser, error) {
+func archivePath(i interface{}, src string, opts *archive.TarOptions) (io.ReadCloser, error) {
 	if ap, ok := i.(archiver); ok {
 		return ap.ArchivePath(src, opts)
 	}
-	return chrootarchive.Tar(src, opts, root)
+	return archive.TarWithOptions(src, opts)
 }
 // ContainerCopy performs a deprecated operation of archiving the resource at
@ -239,7 +239,7 @@ func (daemon *Daemon) containerArchivePath(container *container.Container, path
 	sourceDir, sourceBase := driver.Dir(resolvedPath), driver.Base(resolvedPath)
 	opts := archive.TarResourceRebaseOpts(sourceBase, driver.Base(absPath))
-	data, err := archivePath(driver, sourceDir, opts, container.BaseFS.Path())
+	data, err := archivePath(driver, sourceDir, opts)
 	if err != nil {
 		return nil, nil, err
 	}
@ -433,7 +433,7 @@ func (daemon *Daemon) containerCopy(container *container.Container, resource str
 	archive, err := archivePath(driver, basePath, &archive.TarOptions{
 		Compression:  archive.Uncompressed,
 		IncludeFiles: filter,
-	}, container.BaseFS.Path())
+	})
 	if err != nil {
 		return nil, err
 	}
--- a/daemon/export.go
+++ b/daemon/export.go
@ -70,7 +70,7 @@ func (daemon *Daemon) containerExport(container *container.Container) (arch io.R
 		Compression: archive.Uncompressed,
 		UIDMaps:     daemon.idMapping.UIDs(),
 		GIDMaps:     daemon.idMapping.GIDs(),
-	}, basefs.Path())
+	})
 	if err != nil {
 		rwlayer.Unmount()
 		return nil, err
--- a/pkg/chrootarchive/archive.go
+++ b/pkg/chrootarchive/archive.go
@ -87,11 +87,3 @@ func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions
 	return invokeUnpack(r, dest, options, root)
 }
 // Tar tars the requested path while chrooted to the specified root.
 func Tar(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) {
 	if options == nil {
 		options = &archive.TarOptions{}
 	}
 	return invokePack(srcPath, options, root)
 }
--- a/pkg/chrootarchive/archive_unix.go
+++ b/pkg/chrootarchive/archive_unix.go
@ -12,11 +12,9 @@ import (
 	"os"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/reexec"
 	"github.com/pkg/errors"
 )
 // untar is the entry-point for docker-untar on re-exec. This is not used on
@ -26,7 +24,7 @@ func untar() {
 	runtime.LockOSThread()
 	flag.Parse()
-	var options archive.TarOptions
+	var options *archive.TarOptions
 	//read the options from the pipe "ExtraFiles"
 	if err := json.NewDecoder(os.NewFile(3, "options")).Decode(&options); err != nil {
@ -47,7 +45,7 @@ func untar() {
 		fatal(err)
 	}
-	if err := archive.Unpack(os.Stdin, dst, &options); err != nil {
+	if err := archive.Unpack(os.Stdin, dst, options); err != nil {
 		fatal(err)
 	}
 	// fully consume stdin in case it is zero padded
@ -59,9 +57,6 @@ func untar() {
 }
 func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.TarOptions, root string) error {
 	if root == "" {
 		return errors.New("must specify a root to chroot to")
 	}
 	// We can't pass a potentially large exclude list directly via cmd line
 	// because we easily overrun the kernel's max argument/environment size
@ -117,92 +112,3 @@ func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.T
 	}
 	return nil
 }
 func tar() {
 	runtime.LockOSThread()
 	flag.Parse()
 	src := flag.Arg(0)
 	var root string
 	if len(flag.Args()) > 1 {
 		root = flag.Arg(1)
 	}
 	if root == "" {
 		root = src
 	}
 	if err := realChroot(root); err != nil {
 		fatal(err)
 	}
 	var options archive.TarOptions
 	if err := json.NewDecoder(os.Stdin).Decode(&options); err != nil {
 		fatal(err)
 	}
 	rdr, err := archive.TarWithOptions(src, &options)
 	if err != nil {
 		fatal(err)
 	}
 	defer rdr.Close()
 	if _, err := io.Copy(os.Stdout, rdr); err != nil {
 		fatal(err)
 	}
 	os.Exit(0)
 }
 func invokePack(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) {
 	if root == "" {
 		return nil, errors.New("root path must not be empty")
 	}
 	relSrc, err := filepath.Rel(root, srcPath)
 	if err != nil {
 		return nil, err
 	}
 	if relSrc == "." {
 		relSrc = "/"
 	}
 	if relSrc[0] != '/' {
 		relSrc = "/" + relSrc
 	}
 	// make sure we didn't trim a trailing slash with the call to `Rel`
 	if strings.HasSuffix(srcPath, "/") && !strings.HasSuffix(relSrc, "/") {
 		relSrc += "/"
 	}
 	cmd := reexec.Command("docker-tar", relSrc, root)
 	errBuff := bytes.NewBuffer(nil)
 	cmd.Stderr = errBuff
 	tarR, tarW := io.Pipe()
 	cmd.Stdout = tarW
 	stdin, err := cmd.StdinPipe()
 	if err != nil {
 		return nil, errors.Wrap(err, "error getting options pipe for tar process")
 	}
 	if err := cmd.Start(); err != nil {
 		return nil, errors.Wrap(err, "tar error on re-exec cmd")
 	}
 	go func() {
 		err := cmd.Wait()
 		err = errors.Wrapf(err, "error processing tar file: %s", errBuff)
 		tarW.CloseWithError(err)
 	}()
 	if err := json.NewEncoder(stdin).Encode(options); err != nil {
 		stdin.Close()
 		return nil, errors.Wrap(err, "tar json encode to pipe failed")
 	}
 	stdin.Close()
 	return tarR, nil
 }
--- a/pkg/chrootarchive/archive_unix_test.go
+++ b/pkg/chrootarchive/archive_unix_test.go
@ -3,14 +3,11 @@
 package chrootarchive
 import (
 	gotar "archive/tar"
 	"bytes"
 	"io"
 	"io/ioutil"
 	"os"
 	"path"
 	"path/filepath"
 	"strings"
 	"testing"
 	"github.com/docker/docker/pkg/archive"
@ -78,94 +75,3 @@ func TestUntarWithMaliciousSymlinks(t *testing.T) {
 	assert.NilError(t, err)
 	assert.Equal(t, string(hostData), "pwn3d")
 }
 // Test for CVE-2018-15664
 // Assures that in the case where an "attacker" controlled path is a symlink to
 // some path outside of a container's rootfs that we do not unwittingly leak
 // host data into the archive.
 func TestTarWithMaliciousSymlinks(t *testing.T) {
 	dir, err := ioutil.TempDir("", t.Name())
 	assert.NilError(t, err)
 	// defer os.RemoveAll(dir)
 	t.Log(dir)
 	root := filepath.Join(dir, "root")
 	err = os.MkdirAll(root, 0755)
 	assert.NilError(t, err)
 	hostFileData := []byte("I am a host file")
 	// Add a file into a directory above root
 	// Ensure that we can't access this file while tarring.
 	err = ioutil.WriteFile(filepath.Join(dir, "host-file"), hostFileData, 0644)
 	assert.NilError(t, err)
 	safe := filepath.Join(root, "safe")
 	err = unix.Symlink(dir, safe)
 	assert.NilError(t, err)
 	data := filepath.Join(dir, "data")
 	err = os.MkdirAll(data, 0755)
 	assert.NilError(t, err)
 	type testCase struct {
 		p        string
 		includes []string
 	}
 	cases := []testCase{
 		{p: safe, includes: []string{"host-file"}},
 		{p: safe + "/", includes: []string{"host-file"}},
 		{p: safe, includes: nil},
 		{p: safe + "/", includes: nil},
 		{p: root, includes: []string{"safe/host-file"}},
 		{p: root, includes: []string{"/safe/host-file"}},
 		{p: root, includes: nil},
 	}
 	maxBytes := len(hostFileData)
 	for _, tc := range cases {
 		t.Run(path.Join(tc.p+"_"+strings.Join(tc.includes, "_")), func(t *testing.T) {
 			// Here if we use archive.TarWithOptions directly or change the "root" parameter
 			// to be the same as "safe", data from the host will be leaked into the archive
 			var opts *archive.TarOptions
 			if tc.includes != nil {
 				opts = &archive.TarOptions{
 					IncludeFiles: tc.includes,
 				}
 			}
 			rdr, err := Tar(tc.p, opts, root)
 			assert.NilError(t, err)
 			defer rdr.Close()
 			tr := gotar.NewReader(rdr)
 			assert.Assert(t, !isDataInTar(t, tr, hostFileData, int64(maxBytes)), "host data leaked to archive")
 		})
 	}
 }
 func isDataInTar(t *testing.T, tr *gotar.Reader, compare []byte, maxBytes int64) bool {
 	for {
 		h, err := tr.Next()
 		if err == io.EOF {
 			break
 		}
 		assert.NilError(t, err)
 		if h.Size == 0 {
 			continue
 		}
 		assert.Assert(t, h.Size <= maxBytes, "%s: file size exceeds max expected size %d: %d", h.Name, maxBytes, h.Size)
 		data := make([]byte, int(h.Size))
 		_, err = io.ReadFull(tr, data)
 		assert.NilError(t, err)
 		if bytes.Contains(data, compare) {
 			return true
 		}
 	}
 	return false
 }
--- a/pkg/chrootarchive/archive_windows.go
+++ b/pkg/chrootarchive/archive_windows.go
@ -20,10 +20,3 @@ func invokeUnpack(decompressedArchive io.ReadCloser,
 	// do the unpack. We call inline instead within the daemon process.
 	return archive.Unpack(decompressedArchive, longpath.AddPrefix(dest), options)
 }
 func invokePack(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) {
 	// Windows is different to Linux here because Windows does not support
 	// chroot. Hence there is no point sandboxing a chrooted process to
 	// do the pack. We call inline instead within the daemon process.
 	return archive.TarWithOptions(srcPath, options)
 }
--- a/pkg/chrootarchive/init_unix.go
+++ b/pkg/chrootarchive/init_unix.go
@ -14,7 +14,6 @@ import (
 func init() {
 	reexec.Register("docker-applyLayer", applyLayer)
 	reexec.Register("docker-untar", untar)
 	reexec.Register("docker-tar", tar)
 }
 func fatal(err error) {