Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix docker cp issues BZ1723491 & BZ1717087 #348

Closed
wants to merge 2 commits into from
Closed

Fix docker cp issues BZ1723491 & BZ1717087 #348

wants to merge 2 commits into from

Conversation

TomSweeneyRedHat
Copy link
Member

Signed-off-by: TomSweeneyRedHat tsweeney@redhat.com

- What I did
There are two BZs https://bugzilla.redhat.com/show_bug.cgi?id=1723491 and https://bugzilla.redhat.com/show_bug.cgi?id=1717087 reporting an issue using docker cp to a container. Upon testing, further issues were discovered if the target in the container was a symlink. This code finds the target directory on the host's local container storage (/var/lib/docker/overlay2), resolves any symlinks and ensures the file gets copied to/from the container without any potential cve leakage.

- How I did it
VI and lots of blood, sweat and tears for this one.

- How to verify it

# docker run -t -i --name testctr --rm fedora bash

//Inside the container:
# ln -s /tmp /test

//Outside the container:
# touch testfile; docker cp testfile testctr:/test

//In the container,
# ls /tmp

// Outside the container,
# ls /tmp

//The file "testfile" should be shown in the ls within the container, but NOT with the ls outside the container.

# docker cp testctr:/test/testfile.txt  /tmp/newtestfile.txt
// /tmp on the host should have the file newtestfile.txt

- Description for the changelog
Addresses docker cp issue noted in BZ1717087 and BZ1723491

- A picture of a cute animal (not mandatory but encouraged)

@TomSweeneyRedHat
Fix docker cp issues BZ1723491i & BZ1717087
22bf936 
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
@TomSweeneyRedHat
Copy link
Member Author

This is a WIP until I can have @edsantiago run tests on it. Please review prior, I believe it's gtg.

@TomSweeneyRedHat
Copy link
Member Author

Follow on PR for #341 #342 and completes #347

giuseppe
giuseppe reviewed Jun 30, 2019
View reviewed changes
daemon/archive.go
// to the container.Basefs to get the full container target directory
// on the host.
if fileInfo.Mode()&os.ModeSymlink != 0 {
resolvedCtrDir = filepath.Join(container.BaseFS, resolvedCtrDir)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we ensure that after the Join the path is still under container.BaseFS?

Could happen that resolvedCtrDir has .. components, so it can potentially point outside of the basefs once we do the join?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I played with it tonight, and excellent spot. I think I've a solution for that, testing now.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, I played more and add a symlink in the container like: ln -s /tmp ../../../../../../testy and that just resolved to the root directory of the container. However I did come up with a quick check that will make it completely safe, so I've added it.

@TomSweeneyRedHat
WIP - Fix docker cp issues BZ1723491i & BZ1717087
cec24f5 
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
@TomSweeneyRedHat TomSweeneyRedHat changed the title WIP - Fix docker cp issues BZ1723491i & BZ1717087 Fix docker cp issues BZ1723491i & BZ1717087 Jul 2, 2019
@TomSweeneyRedHat TomSweeneyRedHat changed the title Fix docker cp issues BZ1723491i & BZ1717087 Fix docker cp issues BZ1723491 & BZ1717087 Jul 2, 2019
@rhatdan
Copy link
Member

rhatdan commented Jul 3, 2019

@TomSweeneyRedHat I am confused by this, is this ready Now?

@TomSweeneyRedHat
Copy link
Member Author

@rhatdan yes, ready to go given LGTM's which I don't have any atm.

@TomSweeneyRedHat TomSweeneyRedHat mentioned this pull request Jul 3, 2019
Merged
@giuseppe
Copy link
Member

giuseppe commented Jul 3, 2019

LGTM

vrothberg
vrothberg reviewed Jul 8, 2019
View reviewed changes
Copy link

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
Commit cec24f5 is still marked as WIP though.

@giuseppe
Copy link
Member

this was fixed by another PR. Let's close it

@rhatdan
Copy link
Member

rhatdan commented Jul 11, 2019

@giuseppe So should we close this PR?

@TomSweeneyRedHat
Copy link
Member Author

I think #353 by @giuseppe takes care of this. @giuseppe can you confirm?

@TomSweeneyRedHat
Copy link
Member Author

I've looked through #353 from @giuseppe and have tested with it. It does appear to replace this one and solves a wart that this PR had in a specific pull sequence. I'm going to close this and we can resurrect it if we find out it's not necessary.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@giuseppe giuseppe giuseppe left review comments

@vrothberg vrothberg vrothberg left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@TomSweeneyRedHat @rhatdan @giuseppe @vrothberg