cache,solver,session: add centralized SeBackupPrivilege manager

rzlink · rzlink · commit bf339acf50f7 · 2025-11-15T06:47:14.000Z
Introduce util/winprivileges package with reference-counted privilege
management to prevent race conditions when multiple goroutines need
SeBackupPrivilege concurrently in parallel builds.

This fixes Windows COPY operations that fail with 'Access is denied'
errors when reading protected system files ('System Volume Information'
and 'WcSandboxState') in container mount roots.

Implementation:
- Create util/winprivileges with reference-counted Enable/Disable functions
- Use process-wide privileges (not thread-local) for multi-threaded context
- Update cache/contenthash to use centralized manager
- Update solver/llbsolver/file/backend_windows.go copyWithElevatedPrivileges
- Update session/filesync/diffcopy_windows.go sendDiffCopy
- Remove direct winio.EnableProcessPrivileges/DisableProcessPrivileges calls
- Coordinate privilege management across all components

The reference counting ensures that when multiple operations need the
privilege simultaneously (e.g., parallel builds), the privilege remains
enabled until all operations complete, preventing race conditions where
one goroutine disables the privilege while another still needs it.

Fixes #6635

Signed-off-by: Dawei Wei &lt;wei.dawei.cn@gmail.com&gt;
diff --git a/cache/contenthash/checksum_windows.go b/cache/contenthash/checksum_windows.go
@@ -2,47 +2,29 @@ package contenthash
 
 import (
 	"path/filepath"
-	"sync"
 
 	"github.com/Microsoft/go-winio"
-)
-
-var (
-	privileges        = []string{winio.SeBackupPrivilege}
-	privilegeLock     sync.Mutex
-	privilegeRefCount int
+	"github.com/moby/buildkit/util/winprivileges"
 )
 
 func (cc *cacheContext) walk(scanPath string, walkFunc filepath.WalkFunc) error {
 	// elevating the admin privileges to walk special files/directory
 	// like `System Volume Information`, etc. See similar in #4994
-	return winio.RunWithPrivileges(privileges, func() error {
+	return winio.RunWithPrivileges([]string{winio.SeBackupPrivilege}, func() error {
 		return filepath.Walk(scanPath, walkFunc)
 	})
 }
 
 // Adds the SeBackupPrivilege to the process
 // to be able to access some special files and directories.
+// Uses the centralized privilege manager to coordinate with other components.
 func enableProcessPrivileges() {
-	privilegeLock.Lock()
-	defer privilegeLock.Unlock()
-
-	if privilegeRefCount == 0 {
-		_ = winio.EnableProcessPrivileges(privileges)
-	}
-	privilegeRefCount++
+	_ = winprivileges.EnableSeBackupPrivilege()
 }
 
 // Disables the SeBackupPrivilege on the process
 // once the group of functions that needed it is complete.
+// Uses the centralized privilege manager to coordinate with other components.
 func disableProcessPrivileges() {
-	privilegeLock.Lock()
-	defer privilegeLock.Unlock()
-
-	if privilegeRefCount > 0 {
-		privilegeRefCount--
-		if privilegeRefCount == 0 {
-			_ = winio.DisableProcessPrivileges(privileges)
-		}
-	}
+	winprivileges.DisableSeBackupPrivilege()
 }
diff --git a/frontend/dockerfile/dockerfile_parents_test.go b/frontend/dockerfile/dockerfile_parents_test.go
@@ -76,10 +76,10 @@ COPY --parents foo1/foo2/ba* .
 }
 
 func testCopyRelativeParents(t *testing.T, sb integration.Sandbox) {
-	integration.SkipOnPlatform(t, "windows")
 	f := getFrontend(t, sb)
 
-	dockerfile := []byte(`
+	dockerfile := []byte(integration.UnixOrWindows(
+		`
 FROM alpine AS base
 WORKDIR /test
 RUN <<eot
@@ -155,7 +155,61 @@ RUN <<eot
 	[ -f /out/d/e2/baz ]
 	[ -f /out/c/d/e/bar ] # via b2
 eot
-`)
+`,
+		`
+FROM mcr.microsoft.com/windows/nanoserver:ltsc2022 AS base
+WORKDIR /test
+RUN mkdir a && mkdir a\b && mkdir a\b\c && mkdir a\b\c\d && mkdir a\b\c\d\e
+RUN mkdir a\b2 && mkdir a\b2\c && mkdir a\b2\c\d && mkdir a\b2\c\d\e
+RUN mkdir a\b\c2 && mkdir a\b\c2\d && mkdir a\b\c2\d\e
+RUN mkdir a\b\c2\d\e2
+RUN cmd /C "echo. > a\b\c\d\foo"
+RUN cmd /C "echo. > a\b\c\d\e\bay"
+RUN cmd /C "echo. > a\b2\c\d\e\bar"
+RUN cmd /C "echo. > a\b\c2\d\e\baz"
+RUN cmd /C "echo. > a\b\c2\d\e2\baz"
+
+FROM mcr.microsoft.com/windows/nanoserver:ltsc2022 AS middle
+COPY --from=base --parents /test/a/b/./c/d /out/
+RUN if not exist \out\c\d\e exit /b 1
+RUN if not exist \out\c\d\foo exit /b 1
+RUN if exist \out\a exit /b 1
+RUN if exist \out\e exit /b 1
+
+FROM mcr.microsoft.com/windows/nanoserver:ltsc2022 AS end
+COPY --from=base --parents /test/a/b/c/d/. /out/
+RUN if not exist \out\test\a\b\c\d\e exit /b 1
+RUN if not exist \out\test\a\b\c\d\foo exit /b 1
+
+FROM mcr.microsoft.com/windows/nanoserver:ltsc2022 AS start
+COPY --from=base --parents ./test/a/b/c/d /out/
+RUN if not exist \out\test\a\b\c\d\e exit /b 1
+RUN if not exist \out\test\a\b\c\d\foo exit /b 1
+
+FROM mcr.microsoft.com/windows/nanoserver:ltsc2022 AS double
+COPY --from=base --parents /test/a/./b/./c /out/
+RUN if not exist \out\b\c\d\e exit /b 1
+RUN if not exist \out\b\c\d\foo exit /b 1
+
+FROM mcr.microsoft.com/windows/nanoserver:ltsc2022 AS wildcard
+COPY --from=base --parents /test/a/./*/c /out/
+RUN if not exist \out\b\c\d\e exit /b 1
+RUN if not exist \out\b2\c\d\e\bar exit /b 1
+
+FROM mcr.microsoft.com/windows/nanoserver:ltsc2022 AS doublewildcard
+COPY --from=base --parents /test/a/b*/./c/**/e /out/
+RUN if not exist \out\c\d\e exit /b 1
+RUN if not exist \out\c\d\e\bay exit /b 1
+RUN if not exist \out\c\d\e\bar exit /b 1
+
+FROM mcr.microsoft.com/windows/nanoserver:ltsc2022 AS doubleinputs
+COPY --from=base --parents /test/a/b/c*/./d/**/baz /test/a/b*/./c/**/bar /out/
+RUN if not exist \out\d\e\baz exit /b 1
+RUN if exist \out\d\e\bay exit /b 1
+RUN if not exist \out\d\e2\baz exit /b 1
+RUN if not exist \out\c\d\e\bar exit /b 1
+`,
+	))
 
 	dir := integration.Tmpdir(
 		t,
@@ -182,10 +236,10 @@ eot
 }
 
 func testCopyParentsMissingDirectory(t *testing.T, sb integration.Sandbox) {
-	integration.SkipOnPlatform(t, "windows")
 	f := getFrontend(t, sb)
 
-	dockerfile := []byte(`
+	dockerfile := []byte(integration.UnixOrWindows(
+		`
 FROM alpine AS base
 WORKDIR /test
 RUN <<eot
@@ -234,7 +288,43 @@ RUN <<eot
 	[ ! -d /out/a ]
 	[ ! -d /out/c* ]
 eot
-`)
+`,
+		`
+FROM mcr.microsoft.com/windows/nanoserver:ltsc2022 AS base
+WORKDIR /test
+RUN mkdir a && mkdir a\b && mkdir a\b\c && mkdir a\b\c\d && mkdir a\b\c\d\e
+RUN cmd /C "echo. > a\b\c\d\foo"
+RUN cmd /C "echo. > a\b\c\d\e\bay"
+
+FROM mcr.microsoft.com/windows/nanoserver:ltsc2022 AS normal
+COPY --from=base --parents /test/a/b/c/d /out/
+RUN if not exist \out\test\a\b\c\d\e exit /b 1
+RUN if not exist \out\test\a\b\c\d\e\bay exit /b 1
+RUN if exist \out\e exit /b 1
+RUN if exist \out\a exit /b 1
+
+FROM mcr.microsoft.com/windows/nanoserver:ltsc2022 AS withpivot
+COPY --from=base --parents /test/a/b/./c/d /out/
+RUN if not exist \out\c\d\e exit /b 1
+RUN if not exist \out\c\d\foo exit /b 1
+RUN if exist \out\a exit /b 1
+RUN if exist \out\e exit /b 1
+
+FROM mcr.microsoft.com/windows/nanoserver:ltsc2022 AS nonexistentfile
+COPY --from=base --parents /test/nonexistent-file /out/
+
+FROM mcr.microsoft.com/windows/nanoserver:ltsc2022 AS wildcard-nonexistent
+COPY --from=base --parents /test/a/b2*/c /out/
+RUN if not exist \out exit /b 1
+RUN if exist \out\a exit /b 1
+
+FROM mcr.microsoft.com/windows/nanoserver:ltsc2022 AS wildcard-afterpivot
+COPY --from=base --parents /test/a/b/./c2* /out/
+RUN if not exist \out exit /b 1
+RUN if exist \out\a exit /b 1
+RUN if exist \out\c exit /b 1
+`,
+	))
 
 	dir := integration.Tmpdir(
 		t,
diff --git a/session/filesync/diffcopy_windows.go b/session/filesync/diffcopy_windows.go
@@ -3,18 +3,20 @@
 package filesync
 
 import (
-	"github.com/Microsoft/go-winio"
+	"github.com/moby/buildkit/util/winprivileges"
 	"github.com/pkg/errors"
 	"github.com/tonistiigi/fsutil"
 )
 
 func sendDiffCopy(stream Stream, fs fsutil.FS, progress progressCb) error {
-	// adding one SeBackupPrivilege to the process so as to be able
-	// to run the subsequent goroutines in fsutil.Send that need
-	// to copy over special Windows metadata files.
-	// TODO(profnandaa): need to cross-check that this cannot be
-	// exploited in any way.
-	winio.EnableProcessPrivileges([]string{winio.SeBackupPrivilege})
-	defer winio.DisableProcessPrivileges([]string{winio.SeBackupPrivilege})
+	// Enable SeBackupPrivilege to allow copying special Windows metadata files.
+	// Uses the centralized privilege manager to prevent race conditions when
+	// multiple goroutines in fsutil.Send need the privilege concurrently.
+	if err := winprivileges.EnableSeBackupPrivilege(); err != nil {
+		// Continue even if privilege elevation fails - it may already be enabled
+		// or the process may not have permission to enable it
+		_ = err
+	}
+	defer winprivileges.DisableSeBackupPrivilege()
 	return errors.WithStack(fsutil.Send(stream.Context(), stream, fs, progress))
 }
diff --git a/solver/llbsolver/file/backend.go b/solver/llbsolver/file/backend.go
@@ -261,7 +261,7 @@ func docopy(ctx context.Context, src, dest string, action *pb.FileActionCopy, u
 				continue
 			}
 		}
-		if err := copy.Copy(ctx, src, s, dest, destPath, opt...); err != nil {
+		if err := copyWithElevatedPrivileges(ctx, src, s, dest, destPath, opt...); err != nil {
 			return errors.WithStack(err)
 		}
 	}
diff --git a/solver/llbsolver/file/backend_unix.go b/solver/llbsolver/file/backend_unix.go
@@ -3,6 +3,8 @@
 package file
 
 import (
+	"context"
+
 	"github.com/moby/sys/user"
 	"github.com/pkg/errors"
 	copy "github.com/tonistiigi/fsutil/copy"
@@ -41,3 +43,7 @@ func mapUserToChowner(user *copy.User, idmap *user.IdentityMapping) (copy.Chowne
 		return &u, nil
 	}, nil
 }
+
+func copyWithElevatedPrivileges(ctx context.Context, srcRoot string, src string, destRoot string, dest string, opt ...copy.Opt) error {
+	return copy.Copy(ctx, srcRoot, src, destRoot, dest, opt...)
+}
diff --git a/solver/llbsolver/file/backend_windows.go b/solver/llbsolver/file/backend_windows.go
@@ -1,6 +1,9 @@
 package file
 
 import (
+	"context"
+
+	"github.com/moby/buildkit/util/winprivileges"
 	"github.com/moby/buildkit/util/windows"
 	"github.com/moby/sys/user"
 	copy "github.com/tonistiigi/fsutil/copy"
@@ -21,3 +24,26 @@ func mapUserToChowner(user *copy.User, _ *user.IdentityMapping) (copy.Chowner, e
 		return user, nil
 	}, nil
 }
+
+// copyWithElevatedPrivileges wraps copy.Copy to handle Windows protected system folders.
+// On Windows, container snapshots mounted to the host filesystem include protected folders
+// ("System Volume Information" and "WcSandboxState") at the mount root, which cause "Access is denied"
+// errors when attempting to read their metadata. This function uses SeBackupPrivilege to allow
+// reading these protected files.
+//
+// SeBackupPrivilege must be enabled process-wide (not thread-local) because copy.Copy spawns
+// goroutines that may execute in different OS threads.
+//
+// Uses the centralized privilege manager to coordinate with other components and prevent
+// race conditions in parallel builds.
+func copyWithElevatedPrivileges(ctx context.Context, srcRoot string, src string, destRoot string, dest string, opt ...copy.Opt) error {
+	if err := winprivileges.EnableSeBackupPrivilege(); err != nil {
+		// Continue even if privilege elevation fails - it may already be enabled
+		// or the process may not have permission to enable it
+		_ = err
+	}
+	defer winprivileges.DisableSeBackupPrivilege()
+
+	// Perform copy with elevated privileges
+	return copy.Copy(ctx, srcRoot, src, destRoot, dest, opt...)
+}
diff --git a/util/winprivileges/privileges.go b/util/winprivileges/privileges.go
@@ -0,0 +1,55 @@
+//go:build windows
+
+package winprivileges
+
+import (
+	"sync"
+
+	"github.com/Microsoft/go-winio"
+)
+
+var (
+	privileges        = []string{winio.SeBackupPrivilege}
+	privilegeLock     sync.Mutex
+	privilegeRefCount int
+)
+
+// EnableSeBackupPrivilege adds the SeBackupPrivilege to the process.
+// It uses reference counting to safely handle parallel operations.
+// Must be paired with DisableSeBackupPrivilege.
+func EnableSeBackupPrivilege() error {
+	privilegeLock.Lock()
+	defer privilegeLock.Unlock()
+
+	if privilegeRefCount == 0 {
+		if err := winio.EnableProcessPrivileges(privileges); err != nil {
+			return err
+		}
+	}
+	privilegeRefCount++
+	return nil
+}
+
+// DisableSeBackupPrivilege removes the SeBackupPrivilege from the process.
+// It uses reference counting, only actually disabling when the count reaches zero.
+func DisableSeBackupPrivilege() {
+	privilegeLock.Lock()
+	defer privilegeLock.Unlock()
+
+	if privilegeRefCount > 0 {
+		privilegeRefCount--
+		if privilegeRefCount == 0 {
+			_ = winio.DisableProcessPrivileges(privileges)
+		}
+	}
+}
+
+// RunWithPrivilege executes the given function with SeBackupPrivilege enabled.
+// This is a convenience wrapper that handles enable/disable automatically.
+func RunWithPrivilege(fn func() error) error {
+	if err := EnableSeBackupPrivilege(); err != nil {
+		return err
+	}
+	defer DisableSeBackupPrivilege()
+	return fn()
+}

Original file line number	Diff line number	Diff line change
`@@ -261,7 +261,7 @@ func docopy(ctx context.Context, src, dest string, action *pb.FileActionCopy, u`
`261`	`261`	`continue`
`262`	`262`	`}`
`263`	`263`	`}`
`264`		`- if err := copy.Copy(ctx, src, s, dest, destPath, opt...); err != nil {`
	`264`	`+ if err := copyWithElevatedPrivileges(ctx, src, s, dest, destPath, opt...); err != nil {`
`265`	`265`	`return errors.WithStack(err)`
`266`	`266`	`}`
`267`	`267`	`}`