From 49dc18552a13ee76dc012c35ff073ed07aaeb05b Mon Sep 17 00:00:00 2001
From: Matthew Heon <matthew.heon@pm.me>
Date: Tue, 28 May 2019 13:11:55 -0400
Subject: Pause containers while copying into them

Should fix CVE-2018-15664 for Podman.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
---
 cmd/podman/cliconfig/create.go |  1 +
 cmd/podman/cp.go               | 18 +++++++++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)


diff --git a/cmd/podman/cliconfig/create.go b/cmd/podman/cliconfig/create.go
index 49ab3d827..5fb2eed10 100644
--- a/cmd/podman/cliconfig/create.go
+++ b/cmd/podman/cliconfig/create.go
@@ -24,4 +24,5 @@ type BuildValues struct {
 type CpValues struct {
 	PodmanCommand
 	Extract bool
+	Pause   bool
 }
diff --git a/cmd/podman/cp.go b/cmd/podman/cp.go
index 5addf88d3..7092da5e7 100644
--- a/cmd/podman/cp.go
+++ b/cmd/podman/cp.go
@@ -50,6 +50,7 @@ func init() {
 	cpCommand.Command = _cpCommand
 	flags := cpCommand.Flags()
 	flags.BoolVar(&cpCommand.Extract, "extract", false, "Extract the tar file into the destination directory.")
+	flags.BoolVar(&cpCommand.Pause, "pause", true, "Pause the container while copying")
 	cpCommand.SetHelpTemplate(HelpTemplate())
 	cpCommand.SetUsageTemplate(UsageTemplate())
 	rootCmd.AddCommand(cpCommand.Command)
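Review bot: The help text on the new `--pause` flag (line 34) does not say that pausing is a security mitigation, so a user who turns it off for speed has no way to know what they are giving up. The commit message ties the change to CVE-2018-15664, and that reasoning belongs where the user actually sees it: `flags.BoolVar(&cpCommand.Pause, "pause", true, "Pause the container while copying (prevents the container from changing paths mid-copy; disabling is unsafe on a running container)")`. The enclosing init() starts outside the hunk.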
@@ -67,11 +68,10 @@ func cpCmd(c *cliconfig.CpValues) error {
 	}
 	defer runtime.Shutdown(false)
 
-	extract := c.Flag("extract").Changed
-	return copyBetweenHostAndContainer(runtime, args[0], args[1], extract)
+	return copyBetweenHostAndContainer(runtime, args[0], args[1], c.Extract, c.Pause)
 }
 
-func copyBetweenHostAndContainer(runtime *libpod.Runtime, src string, dest string, extract bool) error {
+func copyBetweenHostAndContainer(runtime *libpod.Runtime, src string, dest string, extract bool, pause bool) error {
 
 	srcCtr, srcPath := parsePath(runtime, src)
 	destCtr, destPath := parsePath(runtime, dest)
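Review bot: `copyBetweenHostAndContainer` gains a fifth parameter on line 48 but still carries no doc comment, and two adjacent booleans (`extract bool, pause bool`) are easy to transpose at a call site without the compiler noticing. Add a comment above the signature such as `// copyBetweenHostAndContainer copies src to dest, either of which may name a container path. When pause is set, the container is paused for the duration of the copy so its filesystem cannot change underneath the copy.` The function body continues past the end of the hunk.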
@@ -94,6 +94,18 @@ func copyBetweenHostAndContainer(runtime *libpod.Runtime, src string, dest strin
 		return err
 	}
 	defer ctr.Unmount(false)
+
+	if pause {
+		if err := ctr.Pause(); err != nil {
+			return err
+		}
+		defer func() {
+			if err := ctr.Unpause(); err != nil {
+				logrus.Errorf("Error unpausing container after copying: %v", err)
+			}
+		}()
+	}
+
 	user, err := getUser(mountPoint, ctr.User())
 	if err != nil {
 		return err
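Review bot: `ctr.Pause()` on line 58 is called whenever the flag is set, and since the flag defaults to true this presumably makes `podman cp` fail outright on a container that is not running (created, stopped or exited), where pausing is not meaningful and libpod, as far as I recall, rejects it as an invalid state; the same applies where pausing is unsupported at all, if that is the case in rootless mode. Gate the mitigation on the container actually running, e.g. `state, err := ctr.State(); if err != nil { return err }` followed by `if pause && state == libpod.ContainerStateRunning {`, keeping the Unpause defer inside that branch. The bare `return err` from Pause would also be easier to act on at the CLI if it carried the container ID. The defer ordering is fine: Unpause runs before the earlier `defer ctr.Unmount(false)`. The function continues outside the hunk.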