Stream processor for image layer unpack

Created binary stream processors to extract tar layers and then convert
to a VHD for LCOW or WCOW (via tar2ext4.Convert or
ociwclayer.ImportLayerFromTar, respectively).

Currently, binary re-execs itself using a restricted token with limited
privileges and reduced access.

Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>

Author: helsaawy

cmd/differ/app.go

@@ -0,0 +1,233 @@
+package main
+
+import (
+	"context"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"syscall"
+
+	"github.com/Microsoft/go-winio/pkg/etw"
+	"github.com/Microsoft/go-winio/pkg/etwlogrus"
+	"github.com/Microsoft/go-winio/pkg/guid"
+	"github.com/sirupsen/logrus"
+	cli "github.com/urfave/cli/v2"
+	"go.opencensus.io/trace"
+	"go.opencensus.io/trace/propagation"
+	"golang.org/x/sys/windows"
+
+	"github.com/Microsoft/hcsshim/internal/log"
+	"github.com/Microsoft/hcsshim/internal/logfields"
+	"github.com/Microsoft/hcsshim/internal/oc"
+	"github.com/Microsoft/hcsshim/internal/winapi"
+)
+
+/*
+todo:
+restricted token
+run on not default-desktop
+ https://docs.microsoft.com/en-us/windows/win32/secauthz/restricted-tokens
+*/
+
+var appCommands = []*cli.Command{
+	decompressCommand,
+	convertCommand,
+	wclayerCommand,
+}
+
+func app() *cli.App {
+	app := &cli.App{
+		Name:           "hcsshim-differ",
+		Usage:          "Containerd stream processors for applying for Windows container (WCOW and LCOW) diffs and layers",
+		Commands:       appCommands,
+		ExitErrHandler: errHandler,
+		Before:         beforeApp,
+		Flags: []cli.Flag{
+			&cli.BoolFlag{
+				Name:   reExecFlagName,
+				Usage:  "set after re-execing into this command with proper permissions and environment variables",
+				Hidden: true,
+			},
+		},
+	}
+	return app
+}
+
+func beforeApp(c *cli.Context) (err error) {
+	if err := setupLogging(); err != nil {
+		return fmt.Errorf("logging setup: %w", err)
+	}
+	return nil
+}
+
+func errHandler(c *cli.Context, err error) {
+	if err == nil {
+		return
+	}
+	// reexec will return an exit code, so check for that edge case and
+	if ee := (&exec.ExitError{}); errors.As(err, &ee) {
+		err = cli.Exit("", ee.ExitCode())
+	} else {
+		n := c.App.Name
+		if nn := c.Command.FullName(); nn != "" {
+			n += " " + nn
+		}
+		err = cli.Exit(fmt.Errorf("%s: %w", n, err), 1)
+	}
+	cli.HandleExitCoder(err)
+}
+
+// actionReExecWrapper returns a cli.ActionFunc that first checks if the re-exec flag
+// is set, and if not, re-execs the command, with the flag set, and a stripped
+// set of permissions. If r != nil, it will be run after creating the cmd to re-exec
+func actionReExecWrapper(f cli.ActionFunc, opts ...reExecOpts) cli.ActionFunc {
+	conf := reExecConfig{}
+	var confErr error // cant return an error here, so punt error checking till action
+	opts = append(opts, defaultPrivileges)
+	for _, o := range opts {
+		if confErr := o(&conf); confErr != nil {
+			break
+		}
+	}
+	return func(c *cli.Context) (err error) {
+		if confErr != nil {
+			return fmt.Errorf("could not properly initialize re-exec config: %w", confErr)
+		}
+
+		if c.Bool(reExecFlagName) {
+			if sc, ok := spanContextFromEnv(); ok {
+				// rather than starting a new span, fake it by adding span and trace ID to all logs
+				c.Context, _ = log.S(c.Context, logrus.Fields{
+					logfields.TraceID: sc.TraceID.String(),
+					logfields.SpanID:  sc.SpanID.String(),
+				})
+			}
+			return f(c)
+		}
+
+		span := startSpan(c, c.App.Name+"::"+c.Command.FullName())
+		defer span.End()
+		defer func() { oc.SetSpanStatus(span, err) }()
+
+		cmd := exec.CommandContext(c.Context, os.Args[0], append([]string{"-" + reExecFlagName}, os.Args[1:]...)...)
+		cmd.Stdin = os.Stdin
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+
+		cmd.Env = []string{}
+		for _, k := range []string{
+			mediaTypeEnvVar,
+			payloadPineEnvVar,
+			logLevelEnvVar,
+			logETWProviderEnvVar,
+		} {
+			if v, ok := os.LookupEnv(k); ok {
+				cmd.Env = append(cmd.Env, k+"="+v)
+			}
+		}
+		if sc, ok := spanContextToString(c.Context); ok {
+			cmd.Env = append(cmd.Env, spanContextEnvVar+"="+sc)
+		}
+
+		var etoken windows.Token
+		if err := windows.OpenProcessToken(windows.CurrentProcess(),
+			windows.TOKEN_DUPLICATE|windows.TOKEN_ASSIGN_PRIMARY|windows.TOKEN_QUERY|windows.TOKEN_WRITE,
+			&etoken,
+		); err != nil {
+			return fmt.Errorf("could not open process token: %w", err)
+		}
+
+		log.G(c.Context).WithField("privileges", conf.keepPrivleges).Debug("needed privileges")
+		deleteLUIDs, err := privilegesToDelete(etoken, conf.keepPrivleges)
+		if err != nil {
+			return fmt.Errorf("could not get privileges to delete: %w", err)
+		}
+
+		var token windows.Token
+		if err := winapi.CreateRestrictedToken(
+			etoken,
+			0,   // flags
+			nil, // SIDs to disable
+			deleteLUIDs,
+			nil, // SIDs to restrict
+			&token,
+		); err != nil {
+			return fmt.Errorf("could not create restricted token: %w", err)
+		}
+		defer token.Close()
+		cmd.SysProcAttr = &syscall.SysProcAttr{
+			HideWindow: true,
+			Token:      syscall.Token(token),
+		}
+
+		if err := cmd.Start(); err != nil {
+			return fmt.Errorf("could not start command: %w", err)
+		}
+		return cmd.Wait()
+	}
+}
+
+func setupLogging() error {
+	logrus.SetOutput(ioutil.Discard)
+	logrus.AddHook(log.NewHook())
+	if lvl, err := logrus.ParseLevel(os.Getenv(logLevelEnvVar)); err == nil {
+		logrus.SetLevel(lvl)
+	}
+
+	f := func(guid.GUID, etw.ProviderState, etw.Level, uint64, uint64, uintptr) {}
+	prov := "Containerd"
+	if p, ok := os.LookupEnv(logETWProviderEnvVar); ok {
+		prov = p
+	}
+	provider, err := etw.NewProvider(prov, f)
+	if err != nil {
+		return err
+	}
+
+	hook, err := etwlogrus.NewHookFromProvider(provider)
+	if err != nil {
+		return err
+	}
+	logrus.AddHook(hook)
+
+	trace.ApplyConfig(trace.Config{DefaultSampler: oc.DefaultSampler})
+	trace.RegisterExporter(&oc.LogrusExporter{})
+	return nil
+}
+
+func startSpan(c *cli.Context, n string, o ...trace.StartOption) (s *trace.Span) {
+	if sc, ok := spanContextFromEnv(); ok {
+		c.Context, s = oc.StartSpanWithRemoteParent(c.Context, n, sc, o...)
+	} else {
+		c.Context, s = oc.StartSpan(c.Context, n, o...)
+	}
+	return s
+}
+
+func spanContextFromEnv() (sc trace.SpanContext, ok bool) {
+	s, ok := os.LookupEnv(spanContextEnvVar)
+	if !ok {
+		return sc, ok
+	}
+	// b := make([]byte, base64.StdEncoding.DecodedLen(len(s)))
+	// if _, err := base64.StdEncoding.Decode(b, []byte(s)); err != nil {
+	// 	return sc, false
+	// }
+	b, err := base64.StdEncoding.DecodeString(s)
+	if err != nil {
+		return sc, false
+	}
+	return propagation.FromBinary(b)
+}
+
+func spanContextToString(ctx context.Context) (string, bool) {
+	span := trace.FromContext(ctx)
+	if span == nil {
+		return "", false
+	}
+	b := propagation.Binary(span.SpanContext())
+	return base64.StdEncoding.EncodeToString(b), true
+}

cmd/differ/app_opts.go

@@ -0,0 +1,17 @@
+package main
+
+type reExecOpts func(*reExecConfig) error
+
+// reExecOpts are options to change how a subcommand is re-execed
+type reExecConfig struct {
+	keepPrivleges []string
+}
+
+var defaultPrivileges = withPrivileges([]string{"SeChangeNotifyPrivilege"})
+
+func withPrivileges(keep []string) reExecOpts {
+	return func(o *reExecConfig) error {
+		o.keepPrivleges = append(o.keepPrivleges, keep...)
+		return nil
+	}
+}

cmd/differ/decompress.go

@@ -0,0 +1,32 @@
+//go:build windows
+
+package main
+
+import (
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/containerd/containerd/archive/compression"
+	"github.com/containerd/containerd/images"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/urfave/cli/v2"
+)
+
+var decompressCommand = &cli.Command{
+	Name:    "decompress",
+	Aliases: []string{"decomp", "d"},
+	Usage:   fmt.Sprintf("Decompress a %q stream into a %q", images.MediaTypeDockerSchema2LayerGzip, ocispec.MediaTypeImageLayer),
+	Action:  actionReExecWrapper(decompress),
+}
+
+func decompress(c *cli.Context) error {
+	dc, err := compression.DecompressStream(os.Stdin)
+	if err != nil {
+		return fmt.Errorf("decompress stream creation: %w", err)
+	}
+	if _, err = io.Copy(os.Stdout, dc); err != nil {
+		return fmt.Errorf("io copy to std out: %w", err)
+	}
+	return nil
+}

cmd/differ/main.go

@@ -0,0 +1,64 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+
+	"github.com/Microsoft/go-winio"
+	"github.com/gogo/protobuf/proto"
+	"github.com/gogo/protobuf/types"
+
+	"github.com/Microsoft/hcsshim/cmd/differ/payload"
+)
+
+const reExecFlagName = "reexec"
+
+const (
+	mediaTypeEnvVar      = "STREAM_PROCESSOR_MEDIATYPE"
+	payloadPineEnvVar    = "STREAM_PROCESSOR_PIPE"
+	logLevelEnvVar       = "STREAM_PROCESSOR_LOG_LEVEL"
+	logETWProviderEnvVar = "STREAM_PROCESSOR_LOG_ETW_PROVIDER"
+	spanContextEnvVar    = "STREAM_PROCESSOR_SPAN_CONTEXT"
+)
+
+func main() {
+	// Run() should not return an error because of ExitErrHandler, but just in case ...
+	if err := app().Run(os.Args); err != nil {
+		log.New(os.Stderr, "", 0).Fatal(err)
+	}
+}
+
+func getMediaType() string {
+	return os.Getenv(mediaTypeEnvVar)
+}
+
+func getPayload(ctx context.Context, p payload.FromAny) error {
+	b, err := readAllEnvPipe(ctx, payloadPineEnvVar)
+	if err != nil || b == nil {
+		return err
+	}
+
+	a := &types.Any{}
+	if err := proto.Unmarshal(b, a); err != nil {
+		return fmt.Errorf("proto.Unmarshal(): %w", err)
+	}
+	return p.FromAny(a)
+}
+
+func readAllEnvPipe(ctx context.Context, env string) ([]byte, error) {
+	n := os.Getenv(env)
+	if n == "" {
+		return nil, nil
+	}
+
+	p, err := winio.DialPipeContext(ctx, n)
+	if err != nil {
+		return nil, fmt.Errorf("dial pipe %s from env var %v: %w", n, env, err)
+	}
+	defer p.Close()
+
+	return ioutil.ReadAll(p)
+}

cmd/differ/mediatype/mediatype.go

@@ -0,0 +1,13 @@
+// This package deals with media types and extensions specific to Windows containers (LCOW and WCOW).
+package mediatype
+
+const (
+	ExtensionIsolated = "isolated"
+	ExtensionLCOW     = "lcow"
+	ExtensionWCOW     = "wcow"
+
+	MediaTypeMicrosoftBase              = "application/vnd.microsoft"
+	MediaTypeMicrosoftImageLayerVHD     = "application/vnd.microsoft.image.layer.v1.vhd"
+	MediaTypeMicrosoftImageLayerExt4    = "application/vnd.microsoft.image.layer.v1.vhd+ext4"
+	MediaTypeMicrosoftImageLayerWCLayer = "application/vnd.microsoft.image.layer.v1.vhd+wclayer"
+)

cmd/differ/payload/payload.go

@@ -0,0 +1,7 @@
+package payload
+
+import "github.com/gogo/protobuf/types"
+
+type FromAny interface {
+	FromAny(a *types.Any) error
+}