[lxc-devel] [lxd/master] Container: Fix export crash when shiftfs is in use
tomponline on Github
lxc-bot at linuxcontainers.org
Wed Sep 16 16:59:13 UTC 2020
From 2012aab0046ad5367f521626647819c0ff0b3ef9 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Wed, 16 Sep 2020 17:57:11 +0100
Subject: [PATCH 1/2] shared/idmap/shift/linux: Handle nil IdmapSet in
UnshiftACL and UnshiftCaps
Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
shared/idmap/shift_linux.go | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/shared/idmap/shift_linux.go b/shared/idmap/shift_linux.go
index f0d7393fb8..05fdd6cd6f 100644
--- a/shared/idmap/shift_linux.go
+++ b/shared/idmap/shift_linux.go
@@ -440,6 +440,10 @@ func SupportsVFS3Fscaps(prefix string) bool {
}
func UnshiftACL(value string, set *IdmapSet) (string, error) {
+ if set == nil {
+ return "", fmt.Errorf("Invalid IdmapSet supplied")
+ }
+
buf := []byte(value)
cBuf := C.CBytes(buf)
defer C.free(cBuf)
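Review bot: The nil guard added at the top of UnshiftACL, and the identical one in UnshiftCaps in the next hunk, changes the contract of an exported function without documenting it; neither function has a doc comment in the visible lines. I would add one above each, e.g. `// UnshiftACL returns an error when set is nil; callers with no idmap must skip the call.` The message could also follow the usual Go convention of lowercase error strings, `return "", fmt.Errorf("invalid IdmapSet supplied")`, unless the project deliberately capitalises them. Both function bodies continue outside their hunks.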
@@ -502,6 +506,10 @@ func UnshiftACL(value string, set *IdmapSet) (string, error) {
}
func UnshiftCaps(value string, set *IdmapSet) (string, error) {
+ if set == nil {
+ return "", fmt.Errorf("Invalid IdmapSet supplied")
+ }
+
buf := []byte(value)
cBuf := C.CBytes(buf)
defer C.free(cBuf)
From b66d417b088ec9149fed0ca1d1818d69ef77f28c Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Wed, 16 Sep 2020 17:57:46 +0100
Subject: [PATCH 2/2] shared/instancewriter/instance/tar/writer: Handle nil
idmapSet and log shifting errors in WriteFile
Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
shared/instancewriter/instance_tar_writer.go | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/shared/instancewriter/instance_tar_writer.go b/shared/instancewriter/instance_tar_writer.go
index 9d842664f6..3a1599ad36 100644
--- a/shared/instancewriter/instance_tar_writer.go
+++ b/shared/instancewriter/instance_tar_writer.go
@@ -108,24 +108,24 @@ func (ctw *InstanceTarWriter) WriteFile(name string, srcPath string, fi os.FileI
hdr.PAXRecords = make(map[string]string, len(xattrs))
for key, val := range xattrs {
- if key == "system.posix_acl_access" {
+ if key == "system.posix_acl_access" && ctw.idmapSet != nil {
aclAccess, err := idmap.UnshiftACL(val, ctw.idmapSet)
if err != nil {
- logger.Debugf("%s - Failed to unshift ACL access permissions", err)
+ logger.Debugf("Failed to unshift ACL access permissions of %q: %v", srcPath, err)
continue
}
hdr.PAXRecords["SCHILY.acl.access"] = aclAccess
- } else if key == "system.posix_acl_default" {
+ } else if key == "system.posix_acl_default" && ctw.idmapSet != nil {
aclDefault, err := idmap.UnshiftACL(val, ctw.idmapSet)
if err != nil {
- logger.Debugf("%s - Failed to unshift ACL default permissions", err)
+ logger.Debugf("Failed to unshift ACL default permissions of %q: %v", srcPath, err)
continue
}
hdr.PAXRecords["SCHILY.acl.default"] = aclDefault
- } else if key == "security.capability" {
+ } else if key == "security.capability" && ctw.idmapSet != nil {
vfsCaps, err := idmap.UnshiftCaps(val, ctw.idmapSet)
if err != nil {
- logger.Debugf("%s - Failed to unshift vfs capabilities", err)
+ logger.Debugf("Failed to unshift VFS capabilities of %q: %v", srcPath, err)
continue
}
hdr.PAXRecords["SCHILY.xattr."+key] = vfsCaps
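Review bot: With the nil test folded into each `else if` condition, an ACL or capability xattr on an instance without an idmapSet no longer matches any of these three branches and is handled by whatever follows in the chain, which is outside this hunk. If that is a generic branch storing the raw value, the ACL entries would end up under a different PAX key than `SCHILY.acl.access` / `SCHILY.acl.default`, so the import side should be checked for reading them back. If pass-through is the intent, a comment above the loop would say so, e.g. `// No idmapSet: values are stored unshifted by the generic xattr branch below.` Separately, a failed unshift still drops the ACL or file capability from the archive with only a debug-level message; `logger.Warnf` would make that loss of permission metadata visible to whoever runs the export.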