archive, rootless: use user.* instead of trusted.*

unprivileged users cannot use the trusted.* xattrs. Since for rootless we always mount overlay with userxattr, we can just check if running in rootless mode and use user.* instead of trusted.*. Closes: containers/podman#9936 Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe · Apr 6, 2021 · ba36642 · ba36642
1 parent 7282e5e
commit ba36642
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 7 deletions.
diff --git a/pkg/archive/archive_linux.go b/pkg/archive/archive_linux.go
@@ -9,9 +9,14 @@ import (
 
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/system"
+	"github.com/containers/storage/drivers/overlay"
 	"golang.org/x/sys/unix"
 )
 
+func getWhiteoutXattrName() string {
+	return overlay.GetXattrName("opaque")
+}
+
 func GetWhiteoutConverter(format WhiteoutFormat, data interface{}) TarWhiteoutConverter {
 	if format == OverlayWhiteoutFormat {
 		if rolayers, ok := data.([]string); ok && len(rolayers) > 0 {
@@ -39,13 +44,13 @@ func (o overlayWhiteoutConverter) ConvertWrite(hdr *tar.Header, path string, fi
 
 	if fi.Mode()&os.ModeDir != 0 {
 		// convert opaque dirs to AUFS format by writing an empty file with the whiteout prefix
-		opaque, err := system.Lgetxattr(path, "trusted.overlay.opaque")
+		opaque, err := system.Lgetxattr(path, getWhiteoutXattrName())
 		if err != nil {
 			return nil, err
 		}
 		if len(opaque) == 1 && opaque[0] == 'y' {
 			if hdr.Xattrs != nil {
-				delete(hdr.Xattrs, "trusted.overlay.opaque")
+				delete(hdr.Xattrs, getWhiteoutXattrName())
 			}
 			// If there are no lower layers, then it can't have been deleted in this layer.
 			if len(o.rolayers) == 0 {
@@ -114,7 +119,7 @@ func (overlayWhiteoutConverter) ConvertReadWithHandler(hdr *tar.Header, path str
 
 	// if a directory is marked as opaque by the AUFS special file, we need to translate that to overlay
 	if base == WhiteoutOpaqueDir {
-		err := handler.Setxattr(dir, "trusted.overlay.opaque", []byte{'y'})
+		err := handler.Setxattr(dir, getWhiteoutXattrName(), []byte{'y'})
 		// don't write the file itself
 		return false, err
 	}

diff --git a/pkg/archive/archive_linux_test.go b/pkg/archive/archive_linux_test.go
@@ -26,7 +26,7 @@ func setupOverlayTestDir(t *testing.T, src string) {
 	err := os.Mkdir(filepath.Join(src, "d1"), 0700)
 	require.NoError(t, err)
 
-	err = system.Lsetxattr(filepath.Join(src, "d1"), "trusted.overlay.opaque", []byte("y"), 0)
+	err = system.Lsetxattr(filepath.Join(src, "d1"), getWhiteoutXattrName(), []byte("y"), 0)
 	require.NoError(t, err)
 
 	err = ioutil.WriteFile(filepath.Join(src, "d1", "f1"), []byte{}, 0600)
@@ -36,7 +36,7 @@ func setupOverlayTestDir(t *testing.T, src string) {
 	err = os.Mkdir(filepath.Join(src, "d2"), 0750)
 	require.NoError(t, err)
 
-	err = system.Lsetxattr(filepath.Join(src, "d2"), "trusted.overlay.opaque", []byte("y"), 0)
+	err = system.Lsetxattr(filepath.Join(src, "d2"), getWhiteoutXattrName(), []byte("y"), 0)
 	require.NoError(t, err)
 
 	err = ioutil.WriteFile(filepath.Join(src, "d2", "f1"), []byte{}, 0660)
@@ -60,7 +60,7 @@ func setupOverlayLowerDir(t *testing.T, lower string) {
 }
 
 func checkOpaqueness(t *testing.T, path string, opaque string) {
-	xattrOpaque, err := system.Lgetxattr(path, "trusted.overlay.opaque")
+	xattrOpaque, err := system.Lgetxattr(path, getWhiteoutXattrName())
 	require.NoError(t, err)
 
 	if string(xattrOpaque) != opaque {

diff --git a/pkg/archive/changes_linux.go b/pkg/archive/changes_linux.go
@@ -349,7 +349,7 @@ func overlayDeletedFile(layers []string, root, path string, fi os.FileInfo) (str
 		return "", nil
 	}
 	// If the directory isn't marked as opaque, then it's just a normal directory.
-	opaque, err := system.Lgetxattr(filepath.Join(root, path), "trusted.overlay.opaque")
+	opaque, err := system.Lgetxattr(filepath.Join(root, path), getWhiteoutXattrName())
 	if err != nil {
 		return "", err
 	}