wip: tar and local exporter running with privileges

TODO: need to cross-check that there is no way the SeBackupPrivilege can be abused/exploited. WIP: how best to handle the files to be exclused without touching `fsutil`. Signed-off-by: Anthony Nandaa <profnandaa@gmail.com>
moby · Jun 10, 2024 · 2a25c5b · 2a25c5b
1 parent 3d789eb
commit 2a25c5b
Show file tree

Hide file tree

Showing 10 changed files with 112 additions and 5 deletions.
diff --git a/exporter/tar/export.go b/exporter/tar/export.go
@@ -166,7 +166,7 @@ func (e *localExporterInstance) Export(ctx context.Context, inp *exporter.Source
 		return nil, nil, err
 	}
 	report := progress.OneOff(ctx, "sending tarball")
-	if err := fsutil.WriteTar(ctx, fs, w); err != nil {
+	if err := writeTar(ctx, fs, w); err != nil {
 		w.Close()
 		return nil, nil, report(err)
 	}

diff --git a/exporter/tar/export_unix.go b/exporter/tar/export_unix.go
@@ -0,0 +1,15 @@
+//go:build !windows
+// +build !windows
+
+package local
+
+import (
+	"context"
+	"io"
+
+	"github.com/tonistiigi/fsutil"
+)
+
+func writeTar(ctx context.Context, fs fsutil.FS, w io.WriteCloser) error {
+	return fsutil.WriteTar(ctx, fs, w)
+}
diff --git a/exporter/tar/export_windows.go b/exporter/tar/export_windows.go
@@ -0,0 +1,18 @@
+package local
+
+import (
+	"context"
+	"io"
+
+	"github.com/Microsoft/go-winio"
+	"github.com/tonistiigi/fsutil"
+)
+
+func writeTar(ctx context.Context, fs fsutil.FS, w io.WriteCloser) error {
+	// Windows rootfs has a few special metadata files that
+	// require extra privileges to be accessed.
+	privileges := []string{winio.SeBackupPrivilege}
+	return winio.RunWithPrivileges(privileges, func() error {
+		return fsutil.WriteTar(ctx, fs, w)
+	})
+}
diff --git a/session/filesync/diffcopy.go b/session/filesync/diffcopy.go
@@ -21,10 +21,6 @@ type Stream interface {
 	RecvMsg(m interface{}) error
 }
 
-func sendDiffCopy(stream Stream, fs fsutil.FS, progress progressCb) error {
-	return errors.WithStack(fsutil.Send(stream.Context(), stream, fs, progress))
-}
-
 func newStreamWriter(stream grpc.ClientStream) io.WriteCloser {
 	wc := &streamWriterCloser{ClientStream: stream}
 	return &bufferedWriteCloser{Writer: bufio.NewWriter(wc), Closer: wc}

diff --git a/session/filesync/diffcopy_unix.go b/session/filesync/diffcopy_unix.go
@@ -0,0 +1,13 @@
+//go:build !windows
+// +build !windows
+
+package filesync
+
+import (
+	"github.com/pkg/errors"
+	"github.com/tonistiigi/fsutil"
+)
+
+func sendDiffCopy(stream Stream, fs fsutil.FS, progress progressCb) error {
+	return errors.WithStack(fsutil.Send(stream.Context(), stream, fs, progress))
+}
diff --git a/session/filesync/diffcopy_windows.go b/session/filesync/diffcopy_windows.go
@@ -0,0 +1,21 @@
+//go:build windows
+// +build windows
+
+package filesync
+
+import (
+	"github.com/Microsoft/go-winio"
+	"github.com/pkg/errors"
+	"github.com/tonistiigi/fsutil"
+)
+
+func sendDiffCopy(stream Stream, fs fsutil.FS, progress progressCb) error {
+	// adding one SeBackupPrivilege to the process so as to be able
+	// to run the subsequent goroutines in fsutil.Send that need
+	// to copy over special Windows metadata files.
+	// TODO(profnandaa): need to cross-check that this cannot be
+	// exploited in any way.
+	winio.EnableProcessPrivileges([]string{winio.SeBackupPrivilege})
+	defer winio.DisableProcessPrivileges([]string{winio.SeBackupPrivilege})
+	return errors.WithStack(fsutil.Send(stream.Context(), stream, fs, progress))
+}
diff --git a/vendor/github.com/tonistiigi/fsutil/metadata_unix.go b/vendor/github.com/tonistiigi/fsutil/metadata_unix.go
diff --git a/vendor/github.com/tonistiigi/fsutil/metadata_windows.go b/vendor/github.com/tonistiigi/fsutil/metadata_windows.go
diff --git a/vendor/github.com/tonistiigi/fsutil/send.go b/vendor/github.com/tonistiigi/fsutil/send.go
diff --git a/vendor/github.com/tonistiigi/fsutil/tarwriter.go b/vendor/github.com/tonistiigi/fsutil/tarwriter.go