
Commit 3c37a1b

authored
Merge pull request #40 from stacklok/rootfs-root-xattr
Fix rootfs root directory permissions and xattr
2 parents 2e9a5e9 + 206fa10 commit 3c37a1b


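--- a/image/pull.go
+++ b/image/pull.go
@@ -130,6 +130,15 @@ func PullWithFetcher(ctx context.Context, imageRef string, cache *Cache, fetcher
 }
 }
 
+// Ensure the rootfs root directory itself is world-accessible and has
+// the override_stat xattr. The root dir is created by os.MkdirTemp
+// (mode 0700) and no tar entry covers it, so without this fix the
+// guest's uid 1000 user cannot traverse /.
+if err := os.Chmod(tmpDir, 0o755); err != nil {
+slog.Warn("chmod rootfs root dir failed", "err", err)
+}
+xattr.SetOverrideStat(tmpDir, 0, 0, os.ModeDir|0o755)
+
 // Move into cache if available. The extraction is fresh and this is
 // the only reference, so FromCache stays false — callers may safely
 // modify the rootfs in place without a COW clone.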
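Review bot: The result of `xattr.SetOverrideStat(tmpDir, 0, 0, os.ModeDir|0o755)` is discarded, while the `os.Chmod` failure just above it is at least logged; if that helper returns an error (its signature is not in the hunk), a failed xattr write leaves the root dir without the override stat and the uid 1000 traversal problem the comment describes persists silently. Handle it the same way as the chmod: `if err := xattr.SetOverrideStat(tmpDir, 0, 0, os.ModeDir|0o755); err != nil { slog.Warn("set override_stat on rootfs root dir failed", "err", err) }`. The comment could also state that 0o755 is applied to a MkdirTemp directory on the host, so the extracted rootfs is host-world-readable from this point on, which is presumably intended but worth making explicit. PullWithFetcher starts and ends outside the hunk.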

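--- a/rootfs/clone.go
+++ b/rootfs/clone.go
@@ -115,6 +115,10 @@ func CloneDir(srcDir, dstDir string) error {
 _ = os.Chmod(dirsToRestore[i].path, dirsToRestore[i].perm)
 }
 
+// Copy the override_stat xattr on the root directory itself.
+// The walk skips "." so the root dir's xattr is not covered above.
+xattr.CopyOverrideStat(srcDir, dstDir)
+
 return nil
 }
 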
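Review bot: `xattr.CopyOverrideStat(srcDir, dstDir)` drops whatever it returns, unlike the `_ = os.Chmod(...)` line above that makes the best-effort intent explicit; if the helper returns an error (its signature is not in the hunk), the clone can come back with a root directory whose override_stat differs from the source while CloneDir still reports `nil`. If that is acceptable, write it as `_ = xattr.CopyOverrideStat(srcDir, dstDir) // best-effort, matches the chmod restore above` so readers and linters see it is deliberate; if not, return the error wrapped with context so the caller can decide, e.g. `return fmt.Errorf("copying root override_stat xattr: %w", err)` (assuming fmt is already imported in this file). CloneDir starts outside the hunk.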
