Distinguish --mount=type=cache locations by ownership, too

Normally, we select and distinguish --mount=type=cache directories that we create by either the "id" or "target" value used when mounting them, but we should also be distinguishing them by the "uid" and "gid" flags, or lack thereof. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2026-02-05 09:45:38 +01:00 · 2025-02-07 12:00:41 -05:00
parent a3701cb97d
commit 24826435f8
2 changed files with 28 additions and 4 deletions
--- a/internal/volumes/volumes.go
+++ b/internal/volumes/volumes.go
@@ -557,14 +557,19 @@ func GetCacheMount(sys *types.SystemContext, args []string, store storage.Store,
 			return newMount, "", "", "", nil, fmt.Errorf("unable to create build cache directory: %w", err)
 		}

+		ownerInfo := fmt.Sprintf(":%d:%d", uid, gid)
 		if id != "" {
-			// Don't let the user control where we place the directory.
-			dirID := digest.FromString(id).Encoded()[:16]
+			// Don't let the user try to inject pathname components by directly using
+			// the ID when constructing the cache directory location; distinguish
+			// between caches by ID and ownership
+			dirID := digest.FromString(id + ownerInfo).Encoded()[:16]
 			thisCacheRoot = filepath.Join(cacheParent, dirID)
 			buildahLockFilesDir = filepath.Join(cacheParent, BuildahCacheLockfileDir, dirID)
 		} else {
-			// Don't let the user control where we place the directory.
-			dirID := digest.FromString(newMount.Destination).Encoded()[:16]
+			// Don't let the user try to inject pathname components by directly using
+			// the target path when constructing the cache directory location;
+			// distinguish between caches by mount target location and ownership
+			dirID := digest.FromString(newMount.Destination + ownerInfo).Encoded()[:16]
 			thisCacheRoot = filepath.Join(cacheParent, dirID)
 			buildahLockFilesDir = filepath.Join(cacheParent, BuildahCacheLockfileDir, dirID)
 		}
--- a/tests/conformance/conformance_test.go
+++ b/tests/conformance/conformance_test.go
@@ -3455,6 +3455,25 @@ var internalTestCases = []testCase{
 		dockerUseBuildKit: true,
 		buildArgs:         map[string]string{"SOURCE": "e/**/**/*sub/*.txt"},
 	},
+	{
+		name:              "mount-cache-by-ownership",
+		dockerUseBuildKit: true,
+		dockerfileContents: strings.Join([]string{
+			"FROM mirror.gcr.io/busybox",
+			"USER 10",
+			"RUN --mount=type=cache,uid=10,target=/cache touch /cache/10.txt",
+			"USER 0",
+			"RUN --mount=type=cache,target=/cache touch /cache/0.txt",
+			"RUN mkdir -m 770 /results /results/0 /results/10 /results/0+10",
+			"RUN chown -R 10 /results",
+			"RUN --mount=type=cache,target=/cache cp -a /cache/* /results/0",
+			"USER 10",
+			"RUN --mount=type=cache,uid=10,target=/cache cp -a /cache/* /results/10",
+			"USER 0",
+			"RUN --mount=type=cache,uid=10,target=/cache cp -a /cache/* /results/0+10",
+			"RUN touch -r /bin `find /results -print`",
+		}, "\n"),
+	},
 }

 func TestCommit(t *testing.T) {