Use the Go toolchain to cross-compile the "This image is designed to be
run as a confidential workload using libkrun." entrypoint that we add to
confidential workload images. It's bigger than it was before, but
easier to port and can be built from source every time when desired.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Try to limit which image transports we accept in stages, and scope the
ones that use path names to the context directory. At some point
anything that isn't an image ID or pullable spec should start being
rejected.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Mount a read-write overlay directory over the build context directory to
restore the ability to use it as a covert cache of sorts during the
lifetime of each platform's build, but in a way that still ensures that
we don't modify the real build context directory.
N.B.: builds where FROM in one stage referenced a relative path which
had been written to a bind-mounted default build context directory by an
earlier stage broke when we started making those bind mounts into
overlays to prevent/discard modifications to that directory, and while
this extends the lifetime of that overlay so that it's consistent
throughout the build, those relative path names are still going to point
to the wrong location.
Since we need to determine SELinux labeling before mounting the overlay,
go ahead and calculate the labels to use before creating the first
builder, and remove the logic that had whichever stage thought it was
the first one set them in its parent object for use by other stages, in
what was probably a racy way.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a MetadataFile field to BuildOptions, to which we write a dictionary
of information about a just-committed image.
Pay more attention to sourceDateEpoch than to timestamp when we're
tagging an existing image with the intended destination name.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Drop the "omitempty" tag from the "json" tag on struct members that are
themselves structs, since the JSON encoder doesn't actually do that, per
golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
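As an added illustration of the encoder behaviour this change responds to (this is not buildah's code; the `Inner`, `WithValue` and `WithPointer` types are hypothetical), a struct-typed member tagged `omitempty` is still emitted as `{}` when zero, whereas a pointer-typed member is dropped:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Inner stands in for a nested struct member (hypothetical type).
type Inner struct {
	Name string `json:"name,omitempty"`
}

// WithValue embeds Inner by value. The "omitempty" here is a no-op:
// encoding/json only omits false, 0, nil pointers/interfaces and empty
// arrays, slices, maps and strings; a struct value is never "empty".
type WithValue struct {
	Inner Inner `json:"inner,omitempty"`
}

// WithPointer embeds Inner by pointer, which is the form that really
// disappears from the output when unset.
type WithPointer struct {
	Inner *Inner `json:"inner,omitempty"`
}

// EncodeByValue returns the JSON for a zero WithValue.
func EncodeByValue() string {
	b, err := json.Marshal(WithValue{})
	if err != nil {
		panic(err)
	}
	return string(b)
}

// EncodeByPointer returns the JSON for a zero WithPointer.
func EncodeByPointer() string {
	b, err := json.Marshal(WithPointer{})
	if err != nil {
		panic(err)
	}
	return string(b)
}

func main() {
	fmt.Println(EncodeByValue())   // {"inner":{}}
	fmt.Println(EncodeByPointer()) // {}
}
```

Since Go 1.24, encoding/json also understands an `omitzero` tag option that does drop a zero-valued struct; on older toolchains the pointer form is the way to get that effect, and the misleading `omitempty` is best removed, as this commit does.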
Use maps.Copy() instead of iterating over a map's keys and values to
copy the keys and values to a new map. Overdue from
golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use the CutPrefix(), SplitSeq(), and FieldsSeq() functions from the
strings package when chopping up or iterating over parts of strings, per
golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use $SOURCE_DATE_EPOCH as the default for the --source-date-epoch flag
to the "build" CLI.
When a source-date-epoch is set, we'll use it when writing new history
entries, force timestamps in data written for --output to the specified
timestamp, and populate a "SOURCE_DATE_EPOCH" ARG that we treat as
always being set, and which we don't complain about being left unused.
By default, this will not affect timestamps in newly-added layers.
Add a --rewrite-timestamp flag, which "clamps" timestamps in newly-added
layers to not be later than the --source-date-epoch value if the
--source-date-epoch flag is set, but has no effect otherwise.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a --source-date-epoch flag, defaulting to $SOURCE_DATE_EPOCH if set,
which sets the created-on date and the timestamp for the new history
entries, but does not default to modifying the timestamps on contents in
new layers.
Add a --rewrite-timestamp flag, which "clamps" timestamps in the new
layers to not be later than the --source-date-epoch value if both
the --rewrite-timestamp and --source-date-epoch flags were set.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
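The clamping rule described in the two commits above (--source-date-epoch alone sets history and creation dates; --rewrite-timestamp additionally caps timestamps in new layers at that epoch), as an added example that is not buildah's own implementation. `ClampTime` and `RewriteLayerTimestamps` are hypothetical names; the layer tarball is constructed inline and stands in for $SOURCE_DATE_EPOCH with a fixed value:

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"time"
)

// ClampTime returns t unchanged when no epoch is set (no --source-date-epoch)
// or when t is not later than the epoch; otherwise it returns the epoch.
func ClampTime(t time.Time, epoch *time.Time) time.Time {
	if epoch == nil || !t.After(*epoch) {
		return t
	}
	return *epoch
}

// RewriteLayerTimestamps copies a layer tar stream from in to out, clamping
// each entry's timestamps to epoch. It returns how many entries were changed.
func RewriteLayerTimestamps(in io.Reader, out io.Writer, epoch *time.Time) (int, error) {
	tr := tar.NewReader(in)
	tw := tar.NewWriter(out)
	changed := 0
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return changed, err
		}
		before := hdr.ModTime
		hdr.ModTime = ClampTime(hdr.ModTime, epoch)
		hdr.AccessTime = ClampTime(hdr.AccessTime, epoch)
		hdr.ChangeTime = ClampTime(hdr.ChangeTime, epoch)
		if !hdr.ModTime.Equal(before) {
			changed++
		}
		if err := tw.WriteHeader(hdr); err != nil {
			return changed, err
		}
		if _, err := io.Copy(tw, tr); err != nil {
			return changed, err
		}
	}
	return changed, tw.Close()
}

// BuildSampleLayer constructs a two-file layer (constructed test data, not a
// real image layer): one file older than the epoch and one newer.
func BuildSampleLayer(epoch time.Time) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	files := []struct {
		name  string
		mtime time.Time
		body  string
	}{
		{"etc/old.conf", epoch.Add(-24 * time.Hour), "old\n"},
		{"usr/bin/new", epoch.Add(24 * time.Hour), "new\n"},
	}
	for _, f := range files {
		hdr := &tar.Header{Name: f.name, Mode: 0o644, Size: int64(len(f.body)), ModTime: f.mtime, Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(f.body)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// LayerModTimes reads back every entry's ModTime so results can be checked.
func LayerModTimes(layer []byte) ([]time.Time, error) {
	tr := tar.NewReader(bytes.NewReader(layer))
	var times []time.Time
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return times, nil
		}
		if err != nil {
			return nil, err
		}
		times = append(times, hdr.ModTime)
	}
}

func main() {
	epoch := time.Unix(1700000000, 0).UTC() // stands in for $SOURCE_DATE_EPOCH
	var out bytes.Buffer
	n, err := RewriteLayerTimestamps(bytes.NewReader(BuildSampleLayer(epoch)), &out, &epoch)
	if err != nil {
		panic(err)
	}
	times, _ := LayerModTimes(out.Bytes())
	fmt.Println("entries clamped:", n, "mtimes:", times)
}
```

Only the entry dated after the epoch is touched; older timestamps are left alone, which is what "clamp" means here and why the result is reproducible without flattening every file to the same date. Passing a nil epoch models the default where --rewrite-timestamp has no effect.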
Add a dummy "runtime" that just dumps its runtime config, either the
entirety of it, or a section of it corresponding to each command line
argument. Tests can use it to ensure that we set the right thing in the
configuration without also depending on the runtime to do as it's asked,
which isn't always something we have control over.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Make SetHas() a generic function for checking if a map holds a value of
whatever kind for a key of some comparable kind.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Refactor NewImageSource to add a manifest type abstraction
Currently, NewImageSource creates a Docker schema2 manifest and an OCI
manifest at the same time. This precludes functionality that isn't
supported by both manifest types, for example zstd compression.
Refactoring this to create only the desired manifest type solves this
and also cleans up the code by separating manifest-type-specific code
into distinct implementations of a "manifest builder".
See discussion in https://github.com/containers/buildah/pull/5452.
Signed-off-by: Aaron Lehmann <alehmann@netflix.com>
* Review feedback
Signed-off-by: Aaron Lehmann <alehmann@netflix.com>
* Review feedback, round 2
Signed-off-by: Aaron Lehmann <alehmann@netflix.com>
---------
Signed-off-by: Aaron Lehmann <alehmann@netflix.com>
Co-authored-by: flouthoc <flouthoc@users.noreply.github.com>
Disable warnings like this one:
> internal/mkcw/workload.go:34:2: ST1003: should not use ALL_CAPS in Go names; use CamelCase instead (staticcheck)
> SEV_NO_ES = types.SEV_NO_ES //revive:disable-line:var-naming
> ^
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Use the AtomicWriteFile() from github.com/containers/storage/pkg/ioutils
instead of the one from github.com/docker/docker/pkg/ioutils.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
... to validate that the manifests match expected digests, if any.
In some cases, using an UnparsedInstance can also avoid redundant I/O.
Do this everywhere, even where we read local storage which is
mostly trusted, because it is cheap enough and being consistent
makes it less likely for the code to be copied into other
contexts where the sources are not trusted.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Normally, we select and distinguish --mount=type=cache directories that
we create by either the "id" or "target" value used when mounting them,
but we should also be distinguishing them by the "uid" and "gid" flags,
or lack thereof.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Allow the "from" option for cache mounts to refer to an image, which, if
we attempt to mount read-write, is mounted using an overlay to avoid
getting errors if the process we're running with the cache mount
attempts to write to it.
Add logic to clean up the bind mount in Builder.getBindMount() that's
triggered if Builder.runSetupVolumeMounts() returns an error.
When creating cache directories for cache mounts, process the
container's ID mappings.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Make volumes.GetBindMount(), volumes.GetCacheMount(), and
volumes.GetTmpfsMount() return errors when flags which expect
arguments are given empty arguments, when flags which don't expect
arguments are given arguments, and when the "relabel" flag, which
expects an argument, doesn't get one.
* Make volumes.GetCacheMount() not treat the "U" flag as affecting bind
propagation.
* Drop the special-case error message when a caller attempts to use
"src" or "source" options in volumes.GetTmpfsMount(), which would
already be covered by the general-purpose "unrecognized option"
default.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Fix a time-of-check/time-of-use error when mounting type=bind and
type=cache directories that use a "src" flag. A hostile writer could
use a concurrently-running stage or build to replace that "src" location
between the point when we had resolved possible symbolic links and when
runc/crun/whatever actually went to create the bind mount
(CVE-2024-11218).
Stop ignoring the "src" option for cache mounts when there's no "from"
option.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When handling RUN --mount=type=bind, where the mount is read-write,
instead of a simple bind mount, create an overlay mount with an upper
directory that will be discarded after the overlay mount is unmounted.
This brings us in line with the expected behavior, wherein writes to
bind mounts should be discarded.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a helper that uses the new internal/open package to bind mount a
location inside of a chroot direct to a new temporary location, for
ensuring that the latter is not bind-mounted from outside of the chroot.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a package that lets us open a directory in a chroot, pass its
descriptor up, and then bind mount that directory to a specified
location.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Allow cache mounts (RUN --mount=type=cache) to refer to other stages or
additional build contexts.
Update the build-check-cve-2024-9675 integration test to use different
directories for its main build context and the additional build context
that it uses for its final run.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When the target location of a RUN --mount is specified as a relative
path, we normally try to convert it to an absolute path by combining it
with the currently-configured working directory. If there is no such
value, though, the result is still not an absolute path. Work around
this by using "/" when the configured working directory is "".
Set this field in the `runMountInfo` struct on FreeBSD, as we already
did on Linux.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
The `--mount type=cache` argument to the `RUN` instruction in
Dockerfiles was using `filepath.Join` on user input, allowing
crafted paths to be used to gain access to paths on the host,
when the command should normally be limited only to Buildah's own
cache and context directories. Switch to `filepath.SecureJoin` to
resolve the issue.
Fixes CVE-2024-9675
Signed-off-by: Matt Heon <mheon@redhat.com>
CVE-2024-9407: validate that the value for the "bind-propagation" flag
when handling "bind" and "cache" mounts in `buildah run` or in RUN
instructions is one of the values that we would accept without the
"bind-propagation=" prefix.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
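The validation rules from the CVE-2024-9407 commit (bind-propagation restricted to the values that would be accepted on their own) and from the earlier volumes.GetBindMount()/GetCacheMount()/GetTmpfsMount() commit (value-taking options given empty values, bare flags given values, "relabel" without a value, and options such as "src" rejected for tmpfs as unrecognized) combined in one parser, as an added example. This is not buildah's parser: `ParseMountSpec`, `MountSpec` and the per-type option tables are hypothetical and cover only the option names these commit messages mention.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// optionTable lists which options a mount type accepts (hypothetical subset).
type optionTable struct {
	withArg    map[string]bool // must be given as name=value with a non-empty value
	withoutArg map[string]bool // bare flags that must not carry a value
}

func set(names ...string) map[string]bool {
	m := make(map[string]bool, len(names))
	for _, n := range names {
		m[n] = true
	}
	return m
}

var (
	bindOptions  = optionTable{set("src", "source", "target", "dst", "destination", "bind-propagation", "relabel"), set("ro", "rw", "z", "Z", "U")}
	cacheOptions = optionTable{set("src", "source", "target", "dst", "destination", "id", "from", "uid", "gid", "bind-propagation", "relabel"), set("ro", "rw", "z", "Z", "U")}
	tmpfsOptions = optionTable{set("target", "dst", "destination"), set("ro", "rw")}
	mountTypes   = map[string]optionTable{"bind": bindOptions, "cache": cacheOptions, "tmpfs": tmpfsOptions}
	// The only bind-propagation values accepted; anything else is rejected
	// instead of being handed through to the runtime.
	propagationModes = set("shared", "rshared", "slave", "rslave", "private", "rprivate", "unbindable", "runbindable")
)

// MountSpec is the validated result of parsing one --mount argument.
type MountSpec struct {
	Type    string
	Options map[string]string // name=value options
	Flags   map[string]bool   // bare flags
}

// ParseMountSpec validates a RUN --mount=... option string and returns an
// error for any option that is malformed, unknown for the type, or, in the
// case of bind-propagation, outside the allowed set.
func ParseMountSpec(spec string) (*MountSpec, error) {
	parts := strings.Split(spec, ",")
	m := &MountSpec{Options: map[string]string{}, Flags: map[string]bool{}}
	// The type decides which table applies, so find it before anything else.
	for _, part := range parts {
		if name, value, ok := strings.Cut(part, "="); ok && name == "type" {
			m.Type = value
		}
	}
	table, known := mountTypes[m.Type]
	if !known {
		return nil, fmt.Errorf("unsupported or missing mount type %q", m.Type)
	}
	for _, part := range parts {
		name, value, hasValue := strings.Cut(part, "=")
		switch {
		case name == "type":
			// already consumed above
		case table.withArg[name]:
			if !hasValue || value == "" {
				return nil, fmt.Errorf("option %q requires a value", name)
			}
			m.Options[name] = value
		case table.withoutArg[name]:
			if hasValue {
				return nil, fmt.Errorf("option %q does not take a value", name)
			}
			m.Flags[name] = true
		default:
			return nil, fmt.Errorf("unrecognized option %q for mount type %q", name, m.Type)
		}
	}
	if p, ok := m.Options["bind-propagation"]; ok && !propagationModes[p] {
		return nil, fmt.Errorf("invalid bind-propagation value %q", p)
	}
	if m.Flags["ro"] && m.Flags["rw"] {
		return nil, errors.New("ro and rw are mutually exclusive")
	}
	return m, nil
}

func main() {
	for _, spec := range []string{
		"type=cache,id=gocache,target=/root/.cache/go-build,uid=1000,bind-propagation=rslave,U",
		"type=bind,src=.,target=/src,bind-propagation=/etc",
		"type=bind,src=.,target=/src,relabel",
		"type=tmpfs,target=/scratch,src=/x",
	} {
		m, err := ParseMountSpec(spec)
		fmt.Printf("%s\n  -> %+v err=%v\n", spec, m, err)
	}
}
```

Resolving the type first and then validating every other option against that type's table is what makes "src" on a tmpfs mount fall into the generic unrecognized-option case, as the earlier commit intended, without a dedicated error message.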
Update some godocs, and update an octal value in a godoc to start with
0o instead of just 0, to match the literal on the next line.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use slices.Clone() and maps.Clone() instead of our own non-generic
functions. We have to be more careful in a couple of places where we
set items in maps which aren't unconditionally initialized.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>