Merge pull request #667 from njhale/fix/ignore-xattrs
fix(containerd): drop xattrs during unpack
openshift-merge-robot authored May 25, 2021
2 parents 42d8e42 + 3bd849f commit 92e5523
Showing 1 changed file with 33 additions and 1 deletion.
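--- a/pkg/image/containerdregistry/registry.go
+++ b/pkg/image/containerdregistry/registry.go
@@ -9,6 +9,7 @@ import (
 "io"
 "os"
 "regexp"
+"strings"
 "time"
 
 "github.com/containerd/containerd/archive"
@@ -205,7 +206,9 @@ func (r *Registry) unpackLayer(ctx context.Context, layer ocispec.Descriptor, di
 if err != nil {
 return err
 }
-_, err = archive.Apply(ctx, dir, decompressed, archive.WithFilter(adjustPerms))
+
+filters := filterList{adjustPerms, dropXattrs}
+_, err = archive.Apply(ctx, dir, decompressed, archive.WithFilter(filters.and))
 
 return err
 }
@@ -217,6 +220,19 @@ func ensureNamespace(ctx context.Context) context.Context {
 return ctx
 }
 
+type filterList []archive.Filter
+
+func (f filterList) and(h *tar.Header) (bool, error) {
+for _, filter := range f {
+ok, err := filter(h)
+if !ok || err != nil {
+return ok, err
+}
+}
+
+return true, nil
+}
+
 func adjustPerms(h *tar.Header) (bool, error) {
 h.Uid = os.Getuid()
 h.Gid = os.Getgid()
@@ -229,3 +245,19 @@ func adjustPerms(h *tar.Header) (bool, error) {
 
 return true, nil
 }
+
+// paxSchilyXattr contains the key prefix for xattrs stored in PAXRecords (see https://golang.org/src/archive/tar/common.go for more details).
+const paxSchilyXattr = "SCHILY.xattr."
+
+// dropXattrs removes all xattrs from a Header.
+// This is useful for unpacking on systems where writing certain xattrs is a restricted operation; e.g. "security.capability" on SELinux.
+func dropXattrs(h *tar.Header) (bool, error) {
+h.Xattrs = nil // Deprecated, but still in use, clear anyway.
+for key := range h.PAXRecords {
+if strings.HasPrefix(key, paxSchilyXattr) { // Xattrs are stored under keys with the "Schilly.xattr." prefix.
+delete(h.PAXRecords, key)
+}
+}
+
+return true, nil
+}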
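Review bot: The doc comment on dropXattrs explains why the filter exists but not what the unpacked tree loses: every extended attribute in the layer is discarded on every unpack, including file capabilities such as the `security.capability` the comment mentions, not only attributes that would have failed to write. That is the safer outcome for image content that is not fully trusted, but it should be written down for callers, e.g. `// dropXattrs strips every extended attribute (legacy Xattrs and SCHILY.xattr.* PAX records) from h, so none of them are applied to the unpacked files.` The inline comment on the HasPrefix line spells the prefix "Schilly.xattr." while the constant is `SCHILY.xattr.`; naming `paxSchilyXattr` in the comment avoids the mismatch. This commit changes only this file, so nothing pins the behaviour; a small table test over a header with mixed PAX records would cover both dropXattrs and the short-circuit in filterList.and.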
