mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
763d839261
This implements chown support on Windows. Built-in accounts as well as accounts included in the SAM database of the container are supported. NOTE: IDPair is now named Identity and IDMappings is now named IdentityMapping. The following are valid examples: ADD --chown=Guest . <some directory> COPY --chown=Administrator . <some directory> COPY --chown=Guests . <some directory> COPY --chown=ContainerUser . <some directory> On Windows an owner is only granted the permission to read the security descriptor and read/write the discretionary access control list. This fix also grants read/write and execute permissions to the owner. Signed-off-by: Salahuddin Khan <salah@docker.com>
193 lines
6.3 KiB
Go
193 lines
6.3 KiB
Go
package system // import "github.com/docker/docker/pkg/system"
|
|
|
|
import (
|
|
"fmt"
|
|
"syscall"
|
|
"unsafe"
|
|
|
|
"github.com/sirupsen/logrus"
|
|
"golang.org/x/sys/windows"
|
|
)
|
|
|
|
const (
|
|
OWNER_SECURITY_INFORMATION = 0x00000001
|
|
GROUP_SECURITY_INFORMATION = 0x00000002
|
|
DACL_SECURITY_INFORMATION = 0x00000004
|
|
SACL_SECURITY_INFORMATION = 0x00000008
|
|
LABEL_SECURITY_INFORMATION = 0x00000010
|
|
ATTRIBUTE_SECURITY_INFORMATION = 0x00000020
|
|
SCOPE_SECURITY_INFORMATION = 0x00000040
|
|
PROCESS_TRUST_LABEL_SECURITY_INFORMATION = 0x00000080
|
|
ACCESS_FILTER_SECURITY_INFORMATION = 0x00000100
|
|
BACKUP_SECURITY_INFORMATION = 0x00010000
|
|
PROTECTED_DACL_SECURITY_INFORMATION = 0x80000000
|
|
PROTECTED_SACL_SECURITY_INFORMATION = 0x40000000
|
|
UNPROTECTED_DACL_SECURITY_INFORMATION = 0x20000000
|
|
UNPROTECTED_SACL_SECURITY_INFORMATION = 0x10000000
|
|
)
|
|
|
|
const (
|
|
SE_UNKNOWN_OBJECT_TYPE = iota
|
|
SE_FILE_OBJECT
|
|
SE_SERVICE
|
|
SE_PRINTER
|
|
SE_REGISTRY_KEY
|
|
SE_LMSHARE
|
|
SE_KERNEL_OBJECT
|
|
SE_WINDOW_OBJECT
|
|
SE_DS_OBJECT
|
|
SE_DS_OBJECT_ALL
|
|
SE_PROVIDER_DEFINED_OBJECT
|
|
SE_WMIGUID_OBJECT
|
|
SE_REGISTRY_WOW64_32KEY
|
|
)
|
|
|
|
const (
|
|
SeTakeOwnershipPrivilege = "SeTakeOwnershipPrivilege"
|
|
)
|
|
|
|
const (
|
|
ContainerAdministratorSidString = "S-1-5-93-2-1"
|
|
ContainerUserSidString = "S-1-5-93-2-2"
|
|
)
|
|
|
|
var (
|
|
ntuserApiset = windows.NewLazyDLL("ext-ms-win-ntuser-window-l1-1-0")
|
|
modadvapi32 = windows.NewLazySystemDLL("advapi32.dll")
|
|
procGetVersionExW = modkernel32.NewProc("GetVersionExW")
|
|
procGetProductInfo = modkernel32.NewProc("GetProductInfo")
|
|
procSetNamedSecurityInfo = modadvapi32.NewProc("SetNamedSecurityInfoW")
|
|
procGetSecurityDescriptorDacl = modadvapi32.NewProc("GetSecurityDescriptorDacl")
|
|
)
|
|
|
|
// OSVersion is a wrapper for Windows version information
|
|
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724439(v=vs.85).aspx
|
|
type OSVersion struct {
|
|
Version uint32
|
|
MajorVersion uint8
|
|
MinorVersion uint8
|
|
Build uint16
|
|
}
|
|
|
|
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724833(v=vs.85).aspx
|
|
type osVersionInfoEx struct {
|
|
OSVersionInfoSize uint32
|
|
MajorVersion uint32
|
|
MinorVersion uint32
|
|
BuildNumber uint32
|
|
PlatformID uint32
|
|
CSDVersion [128]uint16
|
|
ServicePackMajor uint16
|
|
ServicePackMinor uint16
|
|
SuiteMask uint16
|
|
ProductType byte
|
|
Reserve byte
|
|
}
|
|
|
|
// GetOSVersion gets the operating system version on Windows. Note that
|
|
// docker.exe must be manifested to get the correct version information.
|
|
func GetOSVersion() OSVersion {
|
|
var err error
|
|
osv := OSVersion{}
|
|
osv.Version, err = windows.GetVersion()
|
|
if err != nil {
|
|
// GetVersion never fails.
|
|
panic(err)
|
|
}
|
|
osv.MajorVersion = uint8(osv.Version & 0xFF)
|
|
osv.MinorVersion = uint8(osv.Version >> 8 & 0xFF)
|
|
osv.Build = uint16(osv.Version >> 16)
|
|
return osv
|
|
}
|
|
|
|
func (osv OSVersion) ToString() string {
|
|
return fmt.Sprintf("%d.%d.%d", osv.MajorVersion, osv.MinorVersion, osv.Build)
|
|
}
|
|
|
|
// IsWindowsClient returns true if the SKU is client
|
|
// @engine maintainers - this function should not be removed or modified as it
|
|
// is used to enforce licensing restrictions on Windows.
|
|
func IsWindowsClient() bool {
|
|
osviex := &osVersionInfoEx{OSVersionInfoSize: 284}
|
|
r1, _, err := procGetVersionExW.Call(uintptr(unsafe.Pointer(osviex)))
|
|
if r1 == 0 {
|
|
logrus.Warnf("GetVersionExW failed - assuming server SKU: %v", err)
|
|
return false
|
|
}
|
|
const verNTWorkstation = 0x00000001
|
|
return osviex.ProductType == verNTWorkstation
|
|
}
|
|
|
|
// IsIoTCore returns true if the currently running image is based off of
|
|
// Windows 10 IoT Core.
|
|
// @engine maintainers - this function should not be removed or modified as it
|
|
// is used to enforce licensing restrictions on Windows.
|
|
func IsIoTCore() bool {
|
|
var returnedProductType uint32
|
|
r1, _, err := procGetProductInfo.Call(6, 1, 0, 0, uintptr(unsafe.Pointer(&returnedProductType)))
|
|
if r1 == 0 {
|
|
logrus.Warnf("GetProductInfo failed - assuming this is not IoT: %v", err)
|
|
return false
|
|
}
|
|
const productIoTUAP = 0x0000007B
|
|
const productIoTUAPCommercial = 0x00000083
|
|
return returnedProductType == productIoTUAP || returnedProductType == productIoTUAPCommercial
|
|
}
|
|
|
|
// Unmount is a platform-specific helper function to call
|
|
// the unmount syscall. Not supported on Windows
|
|
func Unmount(dest string) error {
|
|
return nil
|
|
}
|
|
|
|
// CommandLineToArgv wraps the Windows syscall to turn a commandline into an argument array.
|
|
func CommandLineToArgv(commandLine string) ([]string, error) {
|
|
var argc int32
|
|
|
|
argsPtr, err := windows.UTF16PtrFromString(commandLine)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
argv, err := windows.CommandLineToArgv(argsPtr, &argc)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer windows.LocalFree(windows.Handle(uintptr(unsafe.Pointer(argv))))
|
|
|
|
newArgs := make([]string, argc)
|
|
for i, v := range (*argv)[:argc] {
|
|
newArgs[i] = string(windows.UTF16ToString((*v)[:]))
|
|
}
|
|
|
|
return newArgs, nil
|
|
}
|
|
|
|
// HasWin32KSupport determines whether containers that depend on win32k can
|
|
// run on this machine. Win32k is the driver used to implement windowing.
|
|
func HasWin32KSupport() bool {
|
|
// For now, check for ntuser API support on the host. In the future, a host
|
|
// may support win32k in containers even if the host does not support ntuser
|
|
// APIs.
|
|
return ntuserApiset.Load() == nil
|
|
}
|
|
|
|
func SetNamedSecurityInfo(objectName *uint16, objectType uint32, securityInformation uint32, sidOwner *windows.SID, sidGroup *windows.SID, dacl *byte, sacl *byte) (result error) {
|
|
r0, _, _ := syscall.Syscall9(procSetNamedSecurityInfo.Addr(), 7, uintptr(unsafe.Pointer(objectName)), uintptr(objectType), uintptr(securityInformation), uintptr(unsafe.Pointer(sidOwner)), uintptr(unsafe.Pointer(sidGroup)), uintptr(unsafe.Pointer(dacl)), uintptr(unsafe.Pointer(sacl)), 0, 0)
|
|
if r0 != 0 {
|
|
result = syscall.Errno(r0)
|
|
}
|
|
return
|
|
}
|
|
|
|
func GetSecurityDescriptorDacl(securityDescriptor *byte, daclPresent *uint32, dacl **byte, daclDefaulted *uint32) (result error) {
|
|
r1, _, e1 := syscall.Syscall6(procGetSecurityDescriptorDacl.Addr(), 4, uintptr(unsafe.Pointer(securityDescriptor)), uintptr(unsafe.Pointer(daclPresent)), uintptr(unsafe.Pointer(dacl)), uintptr(unsafe.Pointer(daclDefaulted)), 0, 0)
|
|
if r1 == 0 {
|
|
if e1 != 0 {
|
|
result = syscall.Errno(e1)
|
|
} else {
|
|
result = syscall.EINVAL
|
|
}
|
|
}
|
|
return
|
|
}
|