archive: fix mode for root dir with ForceMask

if force_mask is in use, we need to store the root directory permission after we read it from the tar archive. We were incorrectly reading it from the directory on the filesystem. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
containers · Oct 29, 2023 · ff5851d · ff5851d
1 parent 8254d6f
commit ff5851d
Showing 1 changed file with 12 additions and 7 deletions.
diff --git a/pkg/archive/archive.go b/pkg/archive/archive.go
@@ -955,14 +955,8 @@ func Unpack(decompressedArchive io.Reader, dest string, options *TarOptions) err
 	if options.ForceMask != nil {
 		// if ForceMask is in place, make sure lchown is disabled.
 		doChown = false
-		uid, gid, mode, err := GetFileOwner(dest)
-		if err == nil {
-			value := fmt.Sprintf("%d:%d:0%o", uid, gid, mode)
-			if err := system.Lsetxattr(dest, idtools.ContainersOverrideXattr, []byte(value), 0); err != nil {
-				return err
-			}
-		}
 	}
+	var rootHdr *tar.Header
 
 	// Iterate through the files in the archive.
 loop:
@@ -1007,6 +1001,9 @@ loop:
 		if err != nil {
 			return err
 		}
+		if rel == "." {
+			rootHdr = hdr
+		}
 		if strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
 			return breakoutError(fmt.Errorf("%q is outside of %q", hdr.Name, dest))
 		}
@@ -1080,6 +1077,14 @@ loop:
 			return err
 		}
 	}
+
+	if options.ForceMask != nil && rootHdr != nil {
+		value := fmt.Sprintf("%d:%d:0%o", rootHdr.Uid, rootHdr.Gid, rootHdr.Mode)
+		if err := system.Lsetxattr(dest, idtools.ContainersOverrideXattr, []byte(value), 0); err != nil {
+			return err
+		}
+	}
+
 	return nil
 }