Merge pull request #1243 from tonistiigi/1903-update

AkihiroSuda · web-flow · commit ff93519eefb7 · 2019-11-02T12:07:39.000+09:00
[19.03] bugfixes cherry-pick
diff --git a/frontend/dockerfile/dockerfile2llb/convert.go b/frontend/dockerfile/dockerfile2llb/convert.go
@@ -1202,31 +1202,13 @@ func normalizeContextPaths(paths map[string]struct{}) []string {
 		if p == "/" {
 			return nil
 		}
-		pathSlice = append(pathSlice, p)
+		pathSlice = append(pathSlice, path.Join(".", p))
 	}
 
-	toDelete := map[string]struct{}{}
-	for i := range pathSlice {
-		for j := range pathSlice {
-			if i == j {
-				continue
-			}
-			if strings.HasPrefix(pathSlice[j], pathSlice[i]+"/") {
-				delete(paths, pathSlice[j])
-			}
-		}
-	}
-
-	toSort := make([]string, 0, len(paths))
-	for p := range paths {
-		if _, ok := toDelete[p]; !ok {
-			toSort = append(toSort, path.Join(".", p))
-		}
-	}
-	sort.Slice(toSort, func(i, j int) bool {
-		return toSort[i] < toSort[j]
+	sort.Slice(pathSlice, func(i, j int) bool {
+		return pathSlice[i] < pathSlice[j]
 	})
-	return toSort
+	return pathSlice
 }
 
 func proxyEnvFromBuildArgs(args map[string]string) *llb.ProxyEnv {
diff --git a/frontend/dockerfile/dockerfile_test.go b/frontend/dockerfile/dockerfile_test.go
@@ -113,6 +113,7 @@ var fileOpTests = []integration.Test{
 	testWorkdirUser,
 	testWorkdirExists,
 	testWorkdirCopyIgnoreRelative,
+	testCopyFollowAllSymlinks,
 }
 
 var securityTests = []integration.Test{}
@@ -1392,6 +1393,46 @@ COPY foo /
 	require.Equal(t, len(du), len(du2))
 }
 
+// #1197
+func testCopyFollowAllSymlinks(t *testing.T, sb integration.Sandbox) {
+	f := getFrontend(t, sb)
+	isFileOp := getFileOp(t, sb)
+
+	dockerfile := []byte(`
+FROM scratch
+COPY foo /
+COPY foo/sub bar
+`)
+
+	dir, err := tmpdir(
+		fstest.CreateFile("Dockerfile", dockerfile, 0600),
+		fstest.CreateFile("bar", []byte(`bar-contents`), 0600),
+		fstest.CreateDir("foo", 0700),
+		fstest.Symlink("../bar", "foo/sub"),
+	)
+	require.NoError(t, err)
+	defer os.RemoveAll(dir)
+
+	c, err := client.New(context.TODO(), sb.Address())
+	require.NoError(t, err)
+	defer c.Close()
+
+	destDir, err := ioutil.TempDir("", "buildkit")
+	require.NoError(t, err)
+	defer os.RemoveAll(destDir)
+
+	_, err = f.Solve(context.TODO(), c, client.SolveOpt{
+		FrontendAttrs: map[string]string{
+			"build-arg:BUILDKIT_DISABLE_FILEOP": strconv.FormatBool(!isFileOp),
+		},
+		LocalDirs: map[string]string{
+			builder.DefaultLocalNameDockerfile: dir,
+			builder.DefaultLocalNameContext:    dir,
+		},
+	}, nil)
+	require.NoError(t, err)
+}
+
 func testCopySymlinks(t *testing.T, sb integration.Sandbox) {
 	f := getFrontend(t, sb)
 	isFileOp := getFileOp(t, sb)
diff --git a/session/sshforward/ssh.go b/session/sshforward/ssh.go
@@ -75,6 +75,10 @@ func MountSSHSocket(ctx context.Context, c session.Caller, opt SocketOpt) (sockP
 		}
 	}()
 
+	if err := os.Chmod(dir, 0711); err != nil {
+		return "", nil, errors.WithStack(err)
+	}
+
 	sockPath = filepath.Join(dir, "ssh_auth_sock")
 
 	l, err := net.Listen("unix", sockPath)
diff --git a/solver/llbsolver/ops/exec.go b/solver/llbsolver/ops/exec.go
@@ -525,7 +525,7 @@ func (sm *secretMountInstance) Mount() ([]mount.Mount, func() error, error) {
 	return []mount.Mount{{
 		Type:    "bind",
 		Source:  fp,
-		Options: []string{"ro", "rbind"},
+		Options: []string{"ro", "rbind", "nodev", "nosuid", "noexec"},
 	}}, cleanup, nil
 }
 

Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,10 @@ func MountSSHSocket(ctx context.Context, c session.Caller, opt SocketOpt) (sockP`
`75`	`75`	`}`
`76`	`76`	`}()`
`77`	`77`
	`78`	`+ if err := os.Chmod(dir, 0711); err != nil {`
	`79`	`+ return "", nil, errors.WithStack(err)`
	`80`	`+ }`
	`81`	`+`
`78`	`82`	`sockPath = filepath.Join(dir, "ssh_auth_sock")`
`79`	`83`
`80`	`84`	`l, err := net.Listen("unix", sockPath)`
Original file line number	Diff line number	Diff line change
`@@ -525,7 +525,7 @@ func (sm *secretMountInstance) Mount() ([]mount.Mount, func() error, error) {`
`525`	`525`	`return []mount.Mount{{`
`526`	`526`	`Type: "bind",`
`527`	`527`	`Source: fp,`
`528`		`- Options: []string{"ro", "rbind"},`
	`528`	`+ Options: []string{"ro", "rbind", "nodev", "nosuid", "noexec"},`
`529`	`529`	`}}, cleanup, nil`
`530`	`530`	`}`
`531`	`531`