Add functionality to deserialize a tar archive to rootfs upper layer.

milantracy · gvisor-bot · commit 3eb1b76e083f · 2025-09-09T23:58:30.000-07:00
This is only supported for single-container sandboxes for now. It is meant to
be used when rootfs is an overlayfs mount.

PiperOrigin-RevId: 805223689
diff --git a/pkg/sentry/fsimpl/tmpfs/tar.go b/pkg/sentry/fsimpl/tmpfs/tar.go
@@ -16,18 +16,251 @@ package tmpfs
 
 import (
 	"archive/tar"
+	"bytes"
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
+	"strings"
 	"time"
 
 	"gvisor.dev/gvisor/pkg/abi/linux"
 	"gvisor.dev/gvisor/pkg/context"
 	"gvisor.dev/gvisor/pkg/log"
+	"gvisor.dev/gvisor/pkg/sentry/kernel/auth"
 	"gvisor.dev/gvisor/pkg/sentry/vfs"
 	"gvisor.dev/gvisor/pkg/usermem"
 )
 
+// UntarUpperLayer creates the corresponding dentry and its children from the
+// given snapshot tar file.
+func (fs *filesystem) UntarUpperLayer(ctx context.Context, inFile *os.File) error {
+	tr := tar.NewReader(inFile)
+
+	fs.mu.Lock()
+	defer fs.mu.Unlock()
+
+	return fs.readFromTar(ctx, tr)
+}
+
+// readFromTar creates the corresponding dentry and its children from the given
+// tar reader.
+//
+// Preconditions:
+//   - filesystem.mu must be locked.
+func (fs *filesystem) readFromTar(ctx context.Context, tr *tar.Reader) error {
+	pathToInode := map[string]*inode{}
+	pathToInode["./"] = fs.root.inode
+	directoryToHeader := map[string]*tar.Header{}
+	fileToHeader := map[string]*tar.Header{}
+	symlinkToHeader := map[string]*tar.Header{}
+	linkToHeader := map[string]*tar.Header{}
+	fileToContent := map[string]*bytes.Buffer{}
+	for {
+		header, err := tr.Next()
+		if err != nil {
+			if err == io.EOF {
+				break
+			}
+			return fmt.Errorf("failed to read tar header: %w", err)
+		}
+
+		switch header.Typeflag {
+		case tar.TypeDir:
+			directoryToHeader[header.Name] = header
+		case tar.TypeReg:
+			var buffer bytes.Buffer
+			n, err := io.Copy(&buffer, tr)
+			if err != nil {
+				return fmt.Errorf("failed to read file content: %w", err)
+			}
+			if n != header.Size {
+				return fmt.Errorf("failed to read all file content, got %d bytes, want %d", n, header.Size)
+			}
+			fileToHeader[header.Name] = header
+			fileToContent[header.Name] = &buffer
+		case tar.TypeFifo, tar.TypeBlock, tar.TypeChar:
+			fileToHeader[header.Name] = header
+		case tar.TypeSymlink:
+			symlinkToHeader[header.Name] = header
+		case tar.TypeLink:
+			linkToHeader[header.Name] = header
+		default:
+			return fmt.Errorf("readfrom unsupported file type %v for %v", header.Typeflag, header.Name)
+		}
+	}
+	// Re-create all directories.
+	for path, hdr := range directoryToHeader {
+		if _, err := fs.mkdirFromTar(hdr, pathToInode, directoryToHeader); err != nil {
+			return fmt.Errorf("failed to make directory %v: %w", path, err)
+		}
+	}
+	// Re-create all regular files, FIFOs, block devices, and character devices.
+	for path, hdr := range fileToHeader {
+		if err := fs.mknodFromTar(ctx, hdr, pathToInode, fileToContent); err != nil {
+			return fmt.Errorf("failed to make file %v: %w", path, err)
+		}
+	}
+	// Re-create all symlinks.
+	for path, hdr := range symlinkToHeader {
+		if err := fs.symlinkFromTar(hdr, pathToInode); err != nil {
+			return fmt.Errorf("failed to make symlink %v: %w", path, err)
+		}
+	}
+	// Re-create all hard links.
+	// Note that hard links are created after the rest of the supported file types
+	// since they need to link to existing inodes.
+	for path, hdr := range linkToHeader {
+		if err := fs.linkFromTar(hdr, pathToInode); err != nil {
+			return fmt.Errorf("failed to make hard link %v: %w", path, err)
+		}
+	}
+	return nil
+}
+
+// mkdirFromTar recursively creates a directory and its parent directories
+// using the provided headers.
+func (fs *filesystem) mkdirFromTar(hdr *tar.Header, pathToInode map[string]*inode, pathToHeader map[string]*tar.Header) (*inode, error) {
+	path := hdr.Name
+	if ino, ok := pathToInode[hdr.Name]; ok {
+		return ino, nil
+	}
+	dir, name := filepath.Split(strings.TrimSuffix(path, "/"))
+	parentInode, ok := pathToInode[dir]
+	if !ok {
+		parentHdr, ok := pathToHeader[dir]
+		if !ok {
+			return nil, fmt.Errorf("failed to find header for %v", dir)
+		}
+		var err error
+		// Recursively create the parent directories.
+		if parentInode, err = fs.mkdirFromTar(parentHdr, pathToInode, pathToHeader); err != nil {
+			return nil, err
+		}
+	}
+	if parentInode.nlink.Load() == maxLinks {
+		return nil, fmt.Errorf("maximum number of links reached for %v", dir)
+	}
+	parentDir, ok := parentInode.impl.(*directory)
+	if !ok {
+		return nil, fmt.Errorf("parent inode at %v is not a directory", dir)
+	}
+	parentDir.inode.incLinksLocked()
+	childDir := fs.newDirectory(auth.KUID(hdr.Uid), auth.KGID(hdr.Gid), linux.FileMode(hdr.Mode), parentDir)
+	childDir.inode.mtime.Store(hdr.ModTime.UnixNano())
+	parentDir.insertChildLocked(&childDir.dentry, name)
+	pathToInode[path] = childDir.dentry.inode
+	return childDir.dentry.inode, nil
+}
+
+// mknodFromTar creates a regular file,FIFO, block device, or character device file using
+// the provided header. It also writes the file content to the corresponding regular file if it
+// exists.
+func (fs *filesystem) mknodFromTar(ctx context.Context, hdr *tar.Header, pathToInode map[string]*inode, pathToContent map[string]*bytes.Buffer) error {
+	dir, name := filepath.Split(hdr.Name)
+	parentInode, ok := pathToInode[dir]
+	if !ok {
+		return fmt.Errorf("parent directory %v does not exist", dir)
+	}
+	parentDir, ok := parentInode.impl.(*directory)
+	if !ok {
+		return fmt.Errorf("%v is not a directory", dir)
+	}
+	var childInode *inode
+	switch hdr.Typeflag {
+	case tar.TypeReg:
+		childInode = fs.newRegularFile(auth.KUID(hdr.Uid), auth.KGID(hdr.Gid), linux.FileMode(hdr.Mode), parentDir)
+	case tar.TypeFifo:
+		childInode = fs.newNamedPipe(auth.KUID(hdr.Uid), auth.KGID(hdr.Gid), linux.FileMode(hdr.Mode), parentDir)
+	case tar.TypeBlock:
+		childInode = fs.newDeviceFileLocked(auth.KUID(hdr.Uid), auth.KGID(hdr.Gid), linux.FileMode(hdr.Mode|linux.S_IFBLK), uint32(hdr.Devmajor), uint32(hdr.Devminor), parentDir)
+	case tar.TypeChar:
+		childInode = fs.newDeviceFileLocked(auth.KUID(hdr.Uid), auth.KGID(hdr.Gid), linux.FileMode(hdr.Mode|linux.S_IFCHR), uint32(hdr.Devmajor), uint32(hdr.Devminor), parentDir)
+	default:
+		return fmt.Errorf("mknod unsupported file type %v for %v", hdr.Typeflag, hdr.Name)
+	}
+	childInode.mtime.Store(hdr.ModTime.UnixNano())
+	child := fs.newDentry(childInode)
+	parentDir.insertChildLocked(child, name)
+	pathToInode[hdr.Name] = childInode
+
+	// Write file contents to the corresponding regular files if they exist.
+	if buf, ok := pathToContent[hdr.Name]; ok {
+		if err := fs.writeTo(ctx, hdr.Name, pathToInode, int64(len(buf.Bytes())), buf); err != nil {
+			return fmt.Errorf("failed to write file content for %v: %w", hdr.Name, err)
+		}
+	}
+
+	return nil
+}
+
+// linkFromTar creates a hard link from the given tar header.
+func (fs *filesystem) linkFromTar(hdr *tar.Header, pathToInode map[string]*inode) error {
+	dir, name := filepath.Split(hdr.Name)
+	parentInode, ok := pathToInode[dir]
+	if !ok {
+		return fmt.Errorf("parent directory %v does not exist", dir)
+	}
+	parentDir, ok := parentInode.impl.(*directory)
+	if !ok {
+		return fmt.Errorf("%v is not a directory", dir)
+	}
+	childInode, ok := pathToInode[hdr.Linkname]
+	if !ok {
+		return fmt.Errorf("child inode %v does not exist", hdr.Linkname)
+	}
+	if childInode.nlink.Load() == maxLinks {
+		return fmt.Errorf("maximum number of links reached for %s", hdr.Linkname)
+	}
+	childInode.incLinksLocked()
+	child := fs.newDentry(childInode)
+	parentDir.insertChildLocked(child, name)
+	pathToInode[hdr.Name] = child.inode
+	return nil
+}
+
+// symlinkFromTar creates a symlink from the given tar header.
+func (fs *filesystem) symlinkFromTar(hdr *tar.Header, pathToInode map[string]*inode) error {
+	dir, name := filepath.Split(hdr.Name)
+	parentInode, ok := pathToInode[dir]
+	if !ok {
+		return fmt.Errorf("parent directory %v does not exist", dir)
+	}
+	if len(hdr.Linkname) >= shortSymlinkLen {
+		return fmt.Errorf("symlink %v is too long", hdr.Linkname)
+	}
+	parentDir, ok := parentInode.impl.(*directory)
+	if !ok {
+		return fmt.Errorf("%v is not a directory", dir)
+	}
+	child := fs.newDentry(fs.newSymlink(auth.KUID(hdr.Uid), auth.KGID(hdr.Gid), 0777, hdr.Linkname, parentDir))
+	child.inode.mtime.Store(hdr.ModTime.UnixNano())
+	parentDir.insertChildLocked(child, name)
+	pathToInode[hdr.Name] = child.inode
+	return nil
+}
+
+func (fs *filesystem) writeTo(ctx context.Context, path string, pathToInode map[string]*inode, size int64, buf *bytes.Buffer) error {
+	i, ok := pathToInode[path]
+	if !ok {
+		return fmt.Errorf("failed to find inode for %v", path)
+	}
+	rf := i.impl.(*regularFile)
+	rf.inode.mu.Lock()
+	defer rf.inode.mu.Unlock()
+	src := usermem.BytesIOSequence(buf.Bytes())
+	rw := getRegularFileReadWriter(rf, 0, 0)
+	n, err := src.CopyInTo(ctx, rw)
+	if err != nil {
+		return fmt.Errorf("failed to write file content: %w", err)
+	}
+	if n != size {
+		return fmt.Errorf("failed to write all file content to %v, got %d bytes, want %d", path, n, size)
+	}
+	putRegularFileReadWriter(rw)
+	return nil
+}
+
 // TarUpperLayer implements vfs.TarSerializer.TarUpperLayer.
 func (fs *filesystem) TarUpperLayer(ctx context.Context, outFD *os.File) error {
 	tw := tar.NewWriter(outFD)
@@ -125,6 +358,8 @@ func (d *dentry) createTarHeader(path string, inoToPath map[uint64]string) (*tar
 		} else {
 			header.Typeflag = tar.TypeChar
 		}
+		header.Devmajor = int64(impl.major)
+		header.Devminor = int64(impl.minor)
 	case *socketFile:
 		// This is consistent with the behavior of tar(1).
 		log.Warningf("Skipping socket file %q while generating tar archive", path)
diff --git a/pkg/sentry/fsimpl/tmpfs/tmpfs.go b/pkg/sentry/fsimpl/tmpfs/tmpfs.go
@@ -32,6 +32,7 @@ package tmpfs
 import (
 	"fmt"
 	"math"
+	"os"
 	"strconv"
 	"strings"
 	"sync/atomic"
@@ -279,6 +280,16 @@ func (fstype FilesystemType) GetFilesystem(ctx context.Context, vfsObj *vfs.Virt
 		}
 	}
 
+	sourceTarFD := -1
+	if sourceTar, ok := mopts["source_tar_fd"]; ok {
+		delete(mopts, "source_tar_fd")
+		var err error
+		sourceTarFD, err = strconv.Atoi(sourceTar)
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to parse source_tar option: %w", err)
+		}
+	}
+
 	if len(mopts) != 0 {
 		ctx.Warningf("tmpfs.FilesystemType.GetFilesystem: unknown options: %v", mopts)
 		return nil, nil, linuxerr.EINVAL
@@ -321,6 +332,21 @@ func (fstype FilesystemType) GetFilesystem(ctx context.Context, vfsObj *vfs.Virt
 		return nil, nil, fmt.Errorf("invalid tmpfs root file type: %#o", rootFileType)
 	}
 	fs.root = root
+
+	if sourceTarFD != -1 {
+		sourceTar := os.NewFile(uintptr(sourceTarFD), "source_tar")
+		if sourceTar == nil {
+			fs.vfsfs.DecRef(ctx)
+			return nil, nil, fmt.Errorf("source_tar_fd: %d is an invalid file descriptor", sourceTarFD)
+		}
+		defer sourceTar.Close()
+
+		if err := fs.UntarUpperLayer(ctx, sourceTar); err != nil {
+			fs.vfsfs.DecRef(ctx)
+			return nil, nil, err
+		}
+	}
+
 	return &fs.vfsfs, &root.vfsd, nil
 }
 
