Describe the bug
#2238 reported a bug with absolute symlinks, but it seems dropping relative symlinks is also aggressive.
It makes sense to drop symlinks that escape the rootfs of the container, but not those within the rootfs.
Common examples: glibc and many C tools create relative symlinks when doing make install.
Relative symlinks found:
- image: tailscale
  symlinks:
    - rootfs/usr/local/lib/containers/tailscale/var/lock -> ../run/lock
    - rootfs/usr/local/lib/containers/tailscale/var/run -> ../run
- image: glibc
  symlinks:
    - rootfs/usr/local/bin/ld.so -> ../lib/ld-linux-x86-64.so.2
- image: lldpd
  symlinks:
    - rootfs/usr/local/lib/containers/lldpd/var/lock -> ../run/lock
    - rootfs/usr/local/lib/containers/lldpd/var/run -> ../run
- image: nfs-utils
  symlinks:
    - rootfs/usr/local/lib/containers/rpc-statd/var/lock -> ../run/lock
    - rootfs/usr/local/lib/containers/rpc-statd/var/run -> ../run
    - rootfs/usr/local/lib/containers/rpcbind/var/lock -> ../run/lock
    - rootfs/usr/local/lib/containers/rpcbind/var/run -> ../run
- image: nut-client
  symlinks:
    - rootfs/usr/local/lib/containers/nut-client/var/lock -> ../run/lock
    - rootfs/usr/local/lib/containers/nut-client/var/run -> ../run
So I guess it makes sense to drop symlinks starting with ../ that escape the rootfs.
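One way to tell an escaping relative symlink from one that stays inside the rootfs, as an added example that is not part of the original report or the project's code. The helper `resolveInRoot` is hypothetical, the handling of absolute targets is an assumption, and the two escaping samples are constructed.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// resolveInRoot (hypothetical helper) lexically resolves a symlink target and
// reports whether the result leaves root. root and link share one
// slash-separated namespace, e.g. paths inside an unpacked image.
func resolveInRoot(root, link, target string) (resolved string, escapes bool) {
	root = path.Clean(root)
	if path.IsAbs(target) {
		// Assumption: an absolute target is interpreted against the container
		// root, as after chroot, so a leading "/.." collapses to "/".
		resolved = path.Join(root, path.Clean(target))
	} else {
		// A relative target resolves against the directory holding the link.
		resolved = path.Join(path.Dir(path.Clean(link)), target)
	}
	// Compare whole components so "rootfs-other" does not match "rootfs".
	inside := resolved == root || strings.HasPrefix(resolved, root+"/")
	return resolved, !inside
}

func main() {
	const root = "rootfs"
	// The first two links come from the list in the report; the last two
	// are constructed cases that leave the rootfs.
	samples := [][2]string{
		{"rootfs/usr/local/bin/ld.so", "../lib/ld-linux-x86-64.so.2"},
		{"rootfs/usr/local/lib/containers/tailscale/var/run", "../run"},
		{"rootfs/run", "../../etc/passwd"},
		{"rootfs/lib", "../rootfs-other/lib"},
	}
	for _, s := range samples {
		resolved, escapes := resolveInRoot(root, s[0], s[1])
		fmt.Printf("%s -> %s => %s escapes=%v\n", s[0], s[1], resolved, escapes)
	}
}
```

The check is lexical only: it does not follow symlinked parent directories, so it classifies link entries in an image listing but is not a substitute for root-confined resolution when the files are actually opened.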