chunked: fix linkat for rootless

Using unix.AT_EMPTY_PATH requires CAP_DAC_READ_SEARCH. Use an equivalent variant that uses /proc/self/fd that can be used with rootless. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
containers · Sep 6, 2021 · 980f24e · 980f24e
1 parent 4ef5ee0
commit 980f24e
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/pkg/chunked/storage_linux.go b/pkg/chunked/storage_linux.go
@@ -84,7 +84,10 @@ func copyFileContent(srcFd int, destFile string, dirfd int, mode os.FileMode, us
 			defer destDir.Close()
 
 			doLink := func() error {
-				return unix.Linkat(srcFd, "", int(destDir.Fd()), destBase, unix.AT_EMPTY_PATH)
+				// Using unix.AT_EMPTY_PATH requires CAP_DAC_READ_SEARCH while this variant that uses
+				// /proc/self/fd doesn't and can be used with rootless.
+				srcPath := fmt.Sprintf("/proc/self/fd/%d", srcFd)
+				return unix.Linkat(unix.AT_FDCWD, srcPath, int(destDir.Fd()), destBase, unix.AT_SYMLINK_FOLLOW)
 			}
 
 			err := doLink()