containers
/
automation-tests
mirror of https://github.com/containers/automation-tests.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #17528 from flouthoc/volume-security-patch 

volume,container: `chroot` to source before exporting content
This commit is contained in:
OpenShift Merge Robot 2023-02-16 11:20:03 -05:00 committed by GitHub
parent 5d78547ec2 6ca857feb0
commit e7616b457d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 26 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libpod/container_internal.go
View File

@ -34,7 +34,7 @@ import (
"github.com/containers/podman/v4/pkg/systemd/notifyproxy" "github.com/containers/podman/v4/pkg/systemd/notifyproxy"
"github.com/containers/podman/v4/pkg/util" "github.com/containers/podman/v4/pkg/util"
"github.com/containers/storage" "github.com/containers/storage"
"github.com/containers/storage/pkg/archive" "github.com/containers/storage/pkg/chrootarchive"
"github.com/containers/storage/pkg/idmap" "github.com/containers/storage/pkg/idmap"
"github.com/containers/storage/pkg/idtools" "github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/lockfile" "github.com/containers/storage/pkg/lockfile"
@ -761,7 +761,7 @@ func (c *Container) export(out io.Writer) error {
}() }()
} }
input, err := archive.Tar(mountPoint, archive.Uncompressed) input, err := chrootarchive.Tar(mountPoint, nil, mountPoint)
if err != nil { if err != nil {
return fmt.Errorf("reading container directory %q: %w", c.ID(), err) return fmt.Errorf("reading container directory %q: %w", c.ID(), err)
} }

25
utils/utils.go
View File

@ -13,6 +13,7 @@ import (
"github.com/containers/common/pkg/cgroups" "github.com/containers/common/pkg/cgroups"
"github.com/containers/storage/pkg/archive" "github.com/containers/storage/pkg/archive"
"github.com/containers/storage/pkg/chrootarchive"
"github.com/godbus/dbus/v5" "github.com/godbus/dbus/v5"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
) )
@ -63,7 +64,7 @@ func CreateTarFromSrc(source string, dest string) error {
return fmt.Errorf("could not create tarball file '%s': %w", dest, err) return fmt.Errorf("could not create tarball file '%s': %w", dest, err)
} }
defer file.Close() defer file.Close()
return TarToFilesystem(source, file) return TarChrootToFilesystem(source, file)
} }
// TarToFilesystem creates a tarball from source and writes to an os.file // TarToFilesystem creates a tarball from source and writes to an os.file
@ -87,6 +88,28 @@ func Tar(source string) (io.ReadCloser, error) {
return archive.Tar(source, archive.Uncompressed) return archive.Tar(source, archive.Uncompressed)
} }
// TarChrootToFilesystem creates a tarball from source and writes to an os.file
// provided while chrooted to the source.
func TarChrootToFilesystem(source string, tarball *os.File) error {
tb, err := TarWithChroot(source)
if err != nil {
return err
}
_, err = io.Copy(tarball, tb)
if err != nil {
return err
}
logrus.Debugf("wrote tarball file %s", tarball.Name())
return nil
}
// TarWithChroot creates a tarball from source and returns a readcloser of it
// while chrooted to the source.
func TarWithChroot(source string) (io.ReadCloser, error) {
logrus.Debugf("creating tarball of %s", source)
return chrootarchive.Tar(source, nil, source)
}
// RemoveScientificNotationFromFloat returns a float without any // RemoveScientificNotationFromFloat returns a float without any
// scientific notation if the number has any. // scientific notation if the number has any.
// golang does not handle conversion of float64s that have scientific // golang does not handle conversion of float64s that have scientific