Merge pull request #678 from njhale/release-4.6/fix/xattrs
[release-4.6] Bug 1968681: fix(containerd): drop xattrs during unpack
openshift-merge-robot committed Jun 24, 2021
2 parents d0b4914 + 01e242d commit d13e51c
Showing 1 changed file with 33 additions and 1 deletion.
34 changes: 33 additions & 1 deletion pkg/image/containerdregistry/registry.go
@@ -8,6 +8,7 @@ import (
"fmt"
"io"
"os"
"strings"

"github.com/containerd/containerd/archive"
"github.com/containerd/containerd/archive/compression"
@@ -183,7 +184,9 @@ func (r *Registry) unpackLayer(ctx context.Context, layer ocispec.Descriptor, di
if err != nil {
return err
}
_, err = archive.Apply(ctx, dir, decompressed, archive.WithFilter(adjustPerms))

filters := filterList{adjustPerms, dropXattrs}
_, err = archive.Apply(ctx, dir, decompressed, archive.WithFilter(filters.and))

return err
}
@@ -195,6 +198,19 @@ func ensureNamespace(ctx context.Context) context.Context {
return ctx
}

type filterList []archive.Filter

func (f filterList) and(h *tar.Header) (bool, error) {
for _, filter := range f {
ok, err := filter(h)
if !ok || err != nil {
return ok, err
}
}

return true, nil
}

func adjustPerms(h *tar.Header) (bool, error) {
h.Uid = os.Getuid()
h.Gid = os.Getgid()
@@ -207,3 +223,19 @@ func adjustPerms(h *tar.Header) (bool, error) {

return true, nil
}

// paxSchilyXattr contains the key prefix for xattrs stored in PAXRecords (see https://golang.org/src/archive/tar/common.go for more details).
const paxSchilyXattr = "SCHILY.xattr."

// dropXattrs removes all xattrs from a Header.
// This is useful for unpacking on systems where writing certain xattrs is a restricted operation; e.g. "security.capability" on SELinux.
func dropXattrs(h *tar.Header) (bool, error) {
h.Xattrs = nil // Deprecated, but still in use, clear anyway.
for key := range h.PAXRecords {
if strings.HasPrefix(key, paxSchilyXattr) { // Xattrs are stored under keys with the "Schilly.xattr." prefix.
delete(h.PAXRecords, key)
}
}

return true, nil
}
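Review bot: The inline comment in dropXattrs spells the prefix "Schilly.xattr.", which does not match the constant `paxSchilyXattr = "SCHILY.xattr."` that the case-sensitive `strings.HasPrefix` check actually uses; I would change it to `// Xattrs are stored under keys with the "SCHILY.xattr." prefix.`. The doc comment could also state that the filter is unconditional, so every xattr carried in `Xattrs` or in `SCHILY.xattr.` PAX records (file capabilities included) is discarded on unpack, and that it mutates the header and its PAXRecords map in place. The page shows only registry.go changed, so neither dropXattrs nor filterList.and appears to gain a unit test in this commit; a table test over a header with mixed PAXRecords keys would pin the behaviour. In filterList.and, a short comment that evaluation stops at the first filter returning false or an error would help, since later filters then never see the header.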
