[lxc-devel] [lxd/master] tar: fix ACL preservation

brauner on Github lxc-bot at linuxcontainers.org
Mon Sep 14 21:59:07 UTC 2020


A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 364 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20200914/dc2ab38a/attachment.bin>
-------------- next part --------------
From 0fb2a6e6fd2ce991d002d3296195566d1aafe200 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 14 Sep 2020 22:43:38 +0200
Subject: [PATCH 1/2] shift_linux: tweak ACL handling

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 shared/idmap/shift_linux.go | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/shared/idmap/shift_linux.go b/shared/idmap/shift_linux.go
index b5e56f33ed..13742123d2 100644
--- a/shared/idmap/shift_linux.go
+++ b/shared/idmap/shift_linux.go
@@ -262,7 +262,12 @@ func shiftAclType(path string, aclType int, shiftIds func(uid int64, gid int64)
 		}
 
 		// Shift the value
-		newId, _ := shiftIds((int64)(*idp), -1)
+		newId := int64(-1)
+		if tag == C.ACL_USER {
+			newId, _ = shiftIds((int64)(*idp), -1)
+		} else {
+			_, newId = shiftIds(-1, (int64)(*idp))
+		}
 
 		// Update the new entry with the shifted value
 		ret = C.acl_set_qualifier(ent, unsafe.Pointer(&newId))
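Review bot: `newId` starts at -1 and is handed to `acl_set_qualifier` without a check, so if `shiftIds` signals an unmapped id by returning -1 (its body is not visible here) the entry is rewritten with qualifier -1 instead of the shift failing. A guard before the set call, e.g. `if newId < 0 { return fmt.Errorf("Failed to shift ACL qualifier on %s", path) }`, would keep an unmappable ACL entry from silently getting an invalid owner. The `else` branch also treats every tag other than `C.ACL_USER` as a group id, which relies on a filter earlier in the loop, outside this hunk, that lets through only user and group entries; an explicit `C.ACL_GROUP` case would make that visible. `shiftAclType` starts and ends outside the hunk, so an early return needs to follow whatever cleanup its other error paths do.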
@@ -275,9 +280,9 @@ func shiftAclType(path string, aclType int, shiftIds func(uid int64, gid int64)
 
 	// Update the on-disk ACLs to match
 	if update {
-		ret := C.acl_set_file(cpath, C.uint(aclType), acl)
-		if ret == -1 {
-			return fmt.Errorf("Failed to change ACLs on %s", path)
+		ret, err := C.acl_set_file(cpath, C.uint(aclType), acl)
+		if ret < 0 {
+			return fmt.Errorf("%s - Failed to change ACLs on %s", err, path)
 		}
 	}
 
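Review bot: The errno from `acl_set_file` is flattened into the message with `%s` and placed ahead of the description, so callers cannot test it with `errors.Is` and the text reads backwards compared with a normal Go error chain. `return fmt.Errorf("Failed to change ACLs on %s: %w", path, err)` keeps the cause inspectable, for example to tell a permission failure from a filesystem without ACL support. The function body extends beyond the hunk.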

From 2a7aef537e32e39074552b9ccceeb2e0a67a9ccd Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 14 Sep 2020 23:11:24 +0200
Subject: [PATCH 2/2] tar_write: switch to PAXRecords to preserve ACLs too

Link: https://discuss.linuxcontainers.org/t/security-idmap-isolated-true-common-start-logic-failed-to-change-acls
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 shared/instancewriter/instance_tar_writer.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/shared/instancewriter/instance_tar_writer.go b/shared/instancewriter/instance_tar_writer.go
index d8f3950243..2714429cd0 100644
--- a/shared/instancewriter/instance_tar_writer.go
+++ b/shared/instancewriter/instance_tar_writer.go
@@ -100,10 +100,21 @@ func (ctw *InstanceTarWriter) WriteFile(name string, srcPath string, fi os.FileI
 
 	// Handle xattrs (for real files only).
 	if link == "" {
-		hdr.Xattrs, err = shared.GetAllXattr(srcPath)
+		xattrs, err := shared.GetAllXattr(srcPath)
 		if err != nil {
 			return errors.Wrapf(err, "Failed to read xattr for %q", srcPath)
 		}
+
+		hdr.PAXRecords = make(map[string]string, len(xattrs))
+		for key, val := range xattrs {
+			if key == "system.posix_acl_access" {
+				hdr.PAXRecords["SCHILY.acl.access"] = val
+			} else if key == "system.posix_acl_default" {
+				hdr.PAXRecords["SCHILY.acl.default"] = val
+			} else {
+				hdr.PAXRecords["SCHILY.xattr."+key] = val
+			}
+		}
 	}
 
 	err = ctw.tarWriter.WriteHeader(hdr)
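Review bot: The values stored under `SCHILY.acl.access` and `SCHILY.acl.default` appear to be the raw `system.posix_acl_*` xattr contents as returned by `shared.GetAllXattr` (not visible here), whereas tar implementations that understand the `SCHILY.acl.*` records expect the textual ACL form, so an extractor may reject or misread them. Unless the value is converted first, storing them like every other attribute, `hdr.PAXRecords["SCHILY.xattr."+key] = val`, round-trips the bytes unchanged. Either way the uid/gid qualifiers embedded in the ACL are written as found on disk; if this writer maps header ownership through an idmap elsewhere in `WriteFile`, the ACL ids would need the same treatment to avoid exporting host-side ids. `hdr.PAXRecords = make(...)` also replaces any records set earlier in the function, which lies outside the hunk.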

