pub(crate) fn filter_tar(
src: impl Read,
dest: impl Write,
config: &TarImportConfig,
tmpdir: &Dir,
) -> Result<BTreeMap<String, u32>>Expand description
Perform various filtering on imported tar archives.
- Move /etc to /usr/etc
- Entirely drop files not in /usr
This also acts as a Rust “pre-parser” of the tar archive, hopefully catching anything corrupt that might be exploitable from the C libarchive side. Remember that we’re parsing this while we’re downloading it, and in order to verify integrity we rely on the total sha256 of the blob, so all content written before then must be considered untrusted.