The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7862
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
From 0fb2a6e6fd2ce991d002d3296195566d1aafe200 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Mon, 14 Sep 2020 22:43:38 +0200
Subject: [PATCH 1/2] shift_linux: tweak ACL handling
Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 shared/idmap/shift_linux.go | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/shared/idmap/shift_linux.go b/shared/idmap/shift_linux.go
index b5e56f33ed..13742123d2 100644
--- a/shared/idmap/shift_linux.go
+++ b/shared/idmap/shift_linux.go
@@ -262,7 +262,12 @@ func shiftAclType(path string, aclType int, shiftIds func(uid int64, gid int64)
 }
 // Shift the value
- newId, _ := shiftIds((int64)(*idp), -1)
+ newId := int64(-1)
+ if tag == C.ACL_USER {
+ newId, _ = shiftIds((int64)(*idp), -1)
+ } else {
+ _, newId = shiftIds(-1, (int64)(*idp))
+ }
 // Update the new entry with the shifted value
 ret = C.acl_set_qualifier(ent, unsafe.Pointer(&newId))
@@ -275,9 +280,9 @@ func shiftAclType(path string, aclType int, shiftIds func(uid int64, gid int64)
 // Update the on-disk ACLs to match
 if update {
- ret := C.acl_set_file(cpath, C.uint(aclType), acl)
- if ret == -1 {
- return fmt.Errorf("Failed to change ACLs on %s", path)
+ ret, err := C.acl_set_file(cpath, C.uint(aclType), acl)
+ if ret < 0 {
+ return fmt.Errorf("%s - Failed to change ACLs on %s", err, path)
 }
 }
From 2a7aef537e32e39074552b9ccceeb2e0a67a9ccd Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Mon, 14 Sep 2020 23:11:24 +0200
Subject: [PATCH 2/2] tar_write: switch to PAXRecords to preserve ACLs too
Link: https://discuss.linuxcontainers.org/t/security-idmap-isolated-true-common-start-logic-failed-to-change-acls
Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 shared/instancewriter/instance_tar_writer.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
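Review bot: The new else branch at `_, newId = shiftIds(-1, (int64)(*idp))` treats every tag other than `C.ACL_USER` as a group entry, so it silently depends on the code before the hunk having already skipped ACL_USER_OBJ, ACL_GROUP_OBJ, ACL_MASK and ACL_OTHER, whose qualifier is not an id; I would make that explicit with `} else if tag == C.ACL_GROUP {` so a later change to the filtering above cannot feed a non-id entry into the gid shift. Related, `unsafe.Pointer(&newId)` on the following context line hands acl_set_qualifier an int64 while libacl copies a uid_t/gid_t-sized value from that pointer, which picks up the intended half only on little-endian hosts; copying into a `C.uid_t`/`C.gid_t` local before the call would remove that dependency. The initial `int64(-1)` is never observed because both branches assign before use. shiftAclType begins and ends outside the hunk.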
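Review bot: In `fmt.Errorf("%s - Failed to change ACLs on %s", err, path)` the errno returned by acl_set_file is flattened into text, so callers can no longer tell an unsupported filesystem from a permission problem with errors.Is; if the module's Go version allows `%w`, `return fmt.Errorf("Failed to change ACLs on %s: %w", path, err)` keeps both the message and the cause. `ret, err :=` also declares a new `ret` that shadows the one assigned earlier in the function (the `ret = C.acl_set_qualifier(...)` context of the previous hunk); harmless here, but shadow linters will flag it. Note that cgo yields a nil err when errno is zero, so a negative ret without errno would print `%!s(<nil>)`; libacl sets errno on its failure paths, so this is cosmetic. The enclosing function continues outside the hunk.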
diff --git a/shared/instancewriter/instance_tar_writer.go b/shared/instancewriter/instance_tar_writer.go
index d8f3950243..2714429cd0 100644
--- a/shared/instancewriter/instance_tar_writer.go
+++ b/shared/instancewriter/instance_tar_writer.go
@@ -100,10 +100,21 @@ func (ctw *InstanceTarWriter) WriteFile(name string, srcPath string, fi os.FileI
 // Handle xattrs (for real files only).
 if link == "" {
- hdr.Xattrs, err = shared.GetAllXattr(srcPath)
+ xattrs, err := shared.GetAllXattr(srcPath)
 if err != nil {
 return errors.Wrapf(err, "Failed to read xattr for %q", srcPath)
 }
+
+ hdr.PAXRecords = make(map[string]string, len(xattrs))
+ for key, val := range xattrs {
+ if key == "system.posix_acl_access" {
+ hdr.PAXRecords["SCHILY.acl.access"] = val
+ } else if key == "system.posix_acl_default" {
+ hdr.PAXRecords["SCHILY.acl.default"] = val
+ } else {
+ hdr.PAXRecords["SCHILY.xattr."+key] = val
+ }
+ }
 }
 err = ctw.tarWriter.WriteHeader(hdr)
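Review bot: The values written under `SCHILY.acl.access` and `SCHILY.acl.default` are the raw bytes of the `system.posix_acl_*` xattrs as returned by shared.GetAllXattr (presumably the kernel's binary layout), whereas star and GNU tar, which define those record names, store the ACL in its short text form; Go's archive/tar passes the bytes through unchanged, but other tar tools reading an exported archive may reject or misparse the record. If this is intended as an LXD-internal convention, a comment above the loop should say so, e.g. `// ACL xattrs are stored as SCHILY.acl.* records carrying the raw xattr payload; only LXD's reader, which maps them back to system.posix_acl_*, is expected to consume them.` The matching reader-side change is not part of this PR, and if it does not translate `SCHILY.acl.*` back, ACLs are silently dropped on import rather than restored. The three-way `if`/`else if` on key reads more naturally as a `switch key { case ... }`. WriteFile starts before and continues after the hunk.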