We need to read /etc/passwd and /etc/group in the container to
get an idea of how many UIDs and GIDs we need to allocate for a
user namespace when `--userns=auto` is specified. We were forming
paths for these using filepath.Join, which is not safe for paths
within a container, resulting in this CVE allowing crafted
symlinks in the container to access paths on the host instead.
Addresses CVE-2024-9676
Signed-off-by: Matt Heon <mheon@redhat.com>
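The path-handling problem this commit message describes, as an added example that is not code from containers/storage: `filepath.Join` only concatenates, so a symlink planted at `/etc/passwd` inside the container root is followed by the host kernel to whatever it points at. The `resolveInRoot` and `demo` helpers below are hypothetical names for a standard-library-only sketch of scoped resolution, run against a constructed temporary rootfs.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveInRoot resolves unsafePath as if root were "/" (path-based; assumes a static tree).
func resolveInRoot(root, unsafePath string) (string, error) {
	cur, part, rest := "/", "", strings.Split(unsafePath, "/")
	for links := 0; len(rest) > 0; {
		part, rest = rest[0], rest[1:]
		next := filepath.Join(cur, part) // cleaned, so ".." stops at "/"
		target, err := os.Readlink(filepath.Join(root, next))
		if part == ".." || next == cur || err != nil {
			cur = next // "..", ".", "" or not a symlink
			continue
		}
		if links++; links > 255 {
			return "", errors.New("too many levels of symbolic links")
		}
		if filepath.IsAbs(target) {
			cur = "/" // absolute target restarts at the container root
		}
		rest = append(strings.Split(target, "/"), rest...)
	}
	return filepath.Join(root, cur), nil
}

// demo builds a constructed rootfs in dir with /etc/passwd linked outside it.
func demo(dir string) (naive, scoped string, err error) {
	root, host := filepath.Join(dir, "rootfs"), filepath.Join(dir, "host-file")
	if err = errors.Join(os.MkdirAll(filepath.Join(root, "etc"), 0o755), os.WriteFile(host, nil, 0o600),
		os.Symlink(host, filepath.Join(root, "etc/passwd"))); err != nil {
		return
	}
	if naive, err = filepath.EvalSymlinks(filepath.Join(root, "/etc/passwd")); err == nil {
		scoped, err = resolveInRoot(root, "/etc/passwd")
	}
	return
}

func main() {
	dir, _ := os.MkdirTemp("", "rootfs-demo")
	defer os.RemoveAll(dir)
	fmt.Println(demo(dir))
}
```

The first returned path is where a plain join ends up (the file outside the rootfs); the second stays under the rootfs because the link target is re-rooted there.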
Basically, PROJINHERIT causes all lower-level directories to get
the same project ID. This is a good thing for the directories
that are supposed to have quotas. It is not a nice thing for the
top-level directory. We set a project ID on that directory so we
know what the base ID is for our subdirectories to use, but we do
not want that ID propagated to subdirectories else everything
will end up using that single quota ID. Stripping the flag from
the top-level directory (if it is present) resolves this.
Partial fix for https://issues.redhat.com/browse/RHEL-18038
Full fix also requires Podman changes as we were setting quotas
on the incorrect directory.
Signed-off-by: Matt Heon <mheon@redhat.com>
This reverts commit f4c8d96190.
We do actually require the PROJINHERIT flag for proper operation.
The trick is that we have to remove it on the top-level directory
(which requires having the flag defined). Revert this commit as
such.
Signed-off-by: Matt Heon <mheon@redhat.com>
because it does not return nil when the slice length is 0.
This behavior caused the slices.Clone function to allocate
an unnecessary amount of memory when the slice length is 0,
and the c/common tests failed.
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
Just performing an audit and cleanup of the OWNERS file. Cleaned out
duplicate reviewer entries as well. Made judgement calls on the names
based on the last 24 months of contributions, etc.
Signed-off-by: Brent Baude <bbaude@redhat.com>
define a new error type so that the caller can determine whether it is
safe to ignore the error and retrieve the resource fully.
Closes: https://github.com/containers/storage/issues/2115
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Avoid handling cases where the server doesn't support at least 64
ranges in a request, in order to prevent falling back to the
traditional pull mechanism.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
ignore the error if the layer is being deleted while we are processing
it without a lock on the store.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
... instead of our version which makes assumptions on the
internal decisions of the tar-split project, and needs heuristics
to guess where file padding ends.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
if the overlay data only layers feature is not available, then use a
regular overlay lower layer.
The same functionality is already present in the mount helper for
composefs.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Currently *Driver.get doesn't check existence of additional layers.
This results in an unclear error.
This commit fixes that function to check the existence of additional layers
before using and return a clear error.
Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
simplify the implementation of getStagingDir() to just create a new
staging directory and drop the check whether the correct staging base
directory as anyway the rename operation would fail later.
Closes: https://github.com/containers/storage/issues/2092
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
the alpine image defines a "nogroup":
$ podman run --rm alpine grep nogroup /etc/group
nogroup:x:65533:
ignore it as we are already doing for the "nobody" user.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>