23dc194c079c60a00d079efc73dbb590bc220a6b
This is useful for preventing CVE-2018-15664 where a malicious container process can take advantage of a race on symlink resolution/sanitization.

Before this change chrootarchive would chroot to the destination directory which is attacker controlled. With this patch we always chroot to the container's root which is not attacker controlled.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit d089b639372a8f9301747ea56eaf0a42df24016a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 155939994f453559676656bc4b05635e83ebef56
Component: engine
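The check-then-use gap the commit message describes, replayed step by step in temporary directories as an added Go example (not code from this commit or from Docker); `resolveInScope`, `checkThenUse` and the `rootfs`/`host` layout are hypothetical names. It shows only why user-space validation of a tree someone else controls does not hold; the chroot itself needs root privileges and is not reproduced here.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveInScope is a hypothetical user-space sanitizer: it resolves symlinks
// and accepts the result only if it is under root at the time of the check.
func resolveInScope(root, unsafePath string) (string, error) {
	resolved, err := filepath.EvalSymlinks(filepath.Join(root, unsafePath))
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(resolved, root+string(filepath.Separator)) {
		return "", fmt.Errorf("%q escapes %q", resolved, root)
	}
	return resolved, nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// checkThenUse runs check, swap and use in order on a constructed layout.
// escaped: the write landed outside root. recheckRejects: a fresh check refuses.
func checkThenUse() (escaped, recheckRejects bool) {
	tmp, err := os.MkdirTemp("", "scope-demo")
	must(err)
	defer os.RemoveAll(tmp)
	base, err := filepath.EvalSymlinks(tmp) // the temp dir may itself be a symlink
	must(err)
	root, outside := filepath.Join(base, "rootfs"), filepath.Join(base, "host")
	must(os.MkdirAll(filepath.Join(root, "data"), 0o755))
	must(os.Mkdir(outside, 0o755))
	dest, err := resolveInScope(root, "data") // check: passes, data is a real directory
	must(err)
	must(os.Remove(dest)) // gap: the tree's owner swaps the directory for a symlink
	must(os.Symlink(outside, dest))
	must(os.WriteFile(filepath.Join(dest, "f"), []byte("x"), 0o644)) // use: path is resolved again
	_, statErr := os.Stat(filepath.Join(outside, "f"))
	_, recheckErr := resolveInScope(root, "data")
	return statErr == nil, recheckErr != nil
}

func main() { fmt.Println(checkThenUse()) }
```

Both results are true: the path that passed validation ends up writing into `host`, and only a second check notices. Chrooting to a root the container process cannot rearrange makes the kernel resolve every symlink inside that root, so the result no longer depends on when the check ran.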