@@ -39,11 +39,11 @@ func extractArchive(i interface{}, src io.Reader, dst string, opts *archive.TarO

 	return chrootarchive.UntarWithRoot(src, dst, opts, root)

 }

-func archivePath(i interface{}, src string, opts *archive.TarOptions, root string) (io.ReadCloser, error) {

+func archivePath(i interface{}, src string, opts *archive.TarOptions) (io.ReadCloser, error) {

 	if ap, ok := i.(archiver); ok {

 		return ap.ArchivePath(src, opts)

 	}

-	return chrootarchive.Tar(src, opts, root)

+	return archive.TarWithOptions(src, opts)

 }

 // ContainerCopy performs a deprecated operation of archiving the resource at

@@ -239,7 +239,7 @@ func (daemon *Daemon) containerArchivePath(container *container.Container, path

 	sourceDir, sourceBase := driver.Dir(resolvedPath), driver.Base(resolvedPath)

 	opts := archive.TarResourceRebaseOpts(sourceBase, driver.Base(absPath))

-	data, err := archivePath(driver, sourceDir, opts, container.BaseFS.Path())

+	data, err := archivePath(driver, sourceDir, opts)

 	if err != nil {

 		return nil, nil, err

 	}

@@ -433,7 +433,7 @@ func (daemon *Daemon) containerCopy(container *container.Container, resource str

 	archive, err := archivePath(driver, basePath, &archive.TarOptions{

 		Compression:  archive.Uncompressed,

 		IncludeFiles: filter,

-	}, container.BaseFS.Path())

+	})

 	if err != nil {

 		return nil, err

 	}

@@ -70,7 +70,7 @@ func (daemon *Daemon) containerExport(container *container.Container) (arch io.R

 		Compression: archive.Uncompressed,

 		UIDMaps:     daemon.idMapping.UIDs(),

 		GIDMaps:     daemon.idMapping.GIDs(),

-	}, basefs.Path())

+	})

 	if err != nil {

 		rwlayer.Unmount()

 		return nil, err

@@ -87,11 +87,3 @@ func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions

 	return invokeUnpack(r, dest, options, root)

 }

-

-// Tar tars the requested path while chrooted to the specified root.

-func Tar(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) {

-	if options == nil {

-		options = &archive.TarOptions{}

-	}

-	return invokePack(srcPath, options, root)

-}

@@ -12,11 +12,9 @@ import (

 	"os"

 	"path/filepath"

 	"runtime"

-	"strings"

 	"github.com/docker/docker/pkg/archive"

 	"github.com/docker/docker/pkg/reexec"

-	"github.com/pkg/errors"

 )

 // untar is the entry-point for docker-untar on re-exec. This is not used on

@@ -26,7 +24,7 @@ func untar() {

 	runtime.LockOSThread()

 	flag.Parse()

-	var options archive.TarOptions

+	var options *archive.TarOptions

 	//read the options from the pipe "ExtraFiles"

 	if err := json.NewDecoder(os.NewFile(3, "options")).Decode(&options); err != nil {

@@ -47,7 +45,7 @@ func untar() {

 		fatal(err)

 	}

-	if err := archive.Unpack(os.Stdin, dst, &options); err != nil {

+	if err := archive.Unpack(os.Stdin, dst, options); err != nil {

 		fatal(err)

 	}

 	// fully consume stdin in case it is zero padded

@@ -59,9 +57,6 @@ func untar() {

 }

 func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.TarOptions, root string) error {

-	if root == "" {

-		return errors.New("must specify a root to chroot to")

-	}

 	// We can't pass a potentially large exclude list directly via cmd line

 	// because we easily overrun the kernel's max argument/environment size

@@ -117,92 +112,3 @@ func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.T

 	}

 	return nil

 }

-

-func tar() {

-	runtime.LockOSThread()

-	flag.Parse()

-

-	src := flag.Arg(0)

-	var root string

-	if len(flag.Args()) > 1 {

-		root = flag.Arg(1)

-	}

-

-	if root == "" {

-		root = src

-	}

-

-	if err := realChroot(root); err != nil {

-		fatal(err)

-	}

-

-	var options archive.TarOptions

-	if err := json.NewDecoder(os.Stdin).Decode(&options); err != nil {

-		fatal(err)

-	}

-

-	rdr, err := archive.TarWithOptions(src, &options)

-	if err != nil {

-		fatal(err)

-	}

-	defer rdr.Close()

-

-	if _, err := io.Copy(os.Stdout, rdr); err != nil {

-		fatal(err)

-	}

-

-	os.Exit(0)

-}

-

-func invokePack(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) {

-	if root == "" {

-		return nil, errors.New("root path must not be empty")

-	}

-

-	relSrc, err := filepath.Rel(root, srcPath)

-	if err != nil {

-		return nil, err

-	}

-	if relSrc == "." {

-		relSrc = "/"

-	}

-	if relSrc[0] != '/' {

-		relSrc = "/" + relSrc

-	}

-

-	// make sure we didn't trim a trailing slash with the call to `Rel`

-	if strings.HasSuffix(srcPath, "/") && !strings.HasSuffix(relSrc, "/") {

-		relSrc += "/"

-	}

-

-	cmd := reexec.Command("docker-tar", relSrc, root)

-

-	errBuff := bytes.NewBuffer(nil)

-	cmd.Stderr = errBuff

-

-	tarR, tarW := io.Pipe()

-	cmd.Stdout = tarW

-

-	stdin, err := cmd.StdinPipe()

-	if err != nil {

-		return nil, errors.Wrap(err, "error getting options pipe for tar process")

-	}

-

-	if err := cmd.Start(); err != nil {

-		return nil, errors.Wrap(err, "tar error on re-exec cmd")

-	}

-

-	go func() {

-		err := cmd.Wait()

-		err = errors.Wrapf(err, "error processing tar file: %s", errBuff)

-		tarW.CloseWithError(err)

-	}()

-

-	if err := json.NewEncoder(stdin).Encode(options); err != nil {

-		stdin.Close()

-		return nil, errors.Wrap(err, "tar json encode to pipe failed")

-	}

-	stdin.Close()

-

-	return tarR, nil

-}

@@ -3,14 +3,11 @@

 package chrootarchive

 import (

-	gotar "archive/tar"

 	"bytes"

 	"io"

 	"io/ioutil"

 	"os"

-	"path"

 	"path/filepath"

-	"strings"

 	"testing"

 	"github.com/docker/docker/pkg/archive"

@@ -78,94 +75,3 @@ func TestUntarWithMaliciousSymlinks(t *testing.T) {

 	assert.NilError(t, err)

 	assert.Equal(t, string(hostData), "pwn3d")

 }

-

-// Test for CVE-2018-15664

-// Assures that in the case where an "attacker" controlled path is a symlink to

-// some path outside of a container's rootfs that we do not unwittingly leak

-// host data into the archive.

-func TestTarWithMaliciousSymlinks(t *testing.T) {

-	dir, err := ioutil.TempDir("", t.Name())

-	assert.NilError(t, err)

-	// defer os.RemoveAll(dir)

-	t.Log(dir)

-

-	root := filepath.Join(dir, "root")

-

-	err = os.MkdirAll(root, 0755)

-	assert.NilError(t, err)

-

-	hostFileData := []byte("I am a host file")

-

-	// Add a file into a directory above root

-	// Ensure that we can't access this file while tarring.

-	err = ioutil.WriteFile(filepath.Join(dir, "host-file"), hostFileData, 0644)

-	assert.NilError(t, err)

-

-	safe := filepath.Join(root, "safe")

-	err = unix.Symlink(dir, safe)

-	assert.NilError(t, err)

-

-	data := filepath.Join(dir, "data")

-	err = os.MkdirAll(data, 0755)

-	assert.NilError(t, err)

-

-	type testCase struct {

-		p        string

-		includes []string

-	}

-

-	cases := []testCase{

-		{p: safe, includes: []string{"host-file"}},

-		{p: safe + "/", includes: []string{"host-file"}},

-		{p: safe, includes: nil},

-		{p: safe + "/", includes: nil},

-		{p: root, includes: []string{"safe/host-file"}},

-		{p: root, includes: []string{"/safe/host-file"}},

-		{p: root, includes: nil},

-	}

-

-	maxBytes := len(hostFileData)

-

-	for _, tc := range cases {

-		t.Run(path.Join(tc.p+"_"+strings.Join(tc.includes, "_")), func(t *testing.T) {

-			// Here if we use archive.TarWithOptions directly or change the "root" parameter

-			// to be the same as "safe", data from the host will be leaked into the archive

-			var opts *archive.TarOptions

-			if tc.includes != nil {

-				opts = &archive.TarOptions{

-					IncludeFiles: tc.includes,

-				}

-			}

-			rdr, err := Tar(tc.p, opts, root)

-			assert.NilError(t, err)

-			defer rdr.Close()

-

-			tr := gotar.NewReader(rdr)

-			assert.Assert(t, !isDataInTar(t, tr, hostFileData, int64(maxBytes)), "host data leaked to archive")

-		})

-	}

-}

-

-func isDataInTar(t *testing.T, tr *gotar.Reader, compare []byte, maxBytes int64) bool {

-	for {

-		h, err := tr.Next()

-		if err == io.EOF {

-			break

-		}

-		assert.NilError(t, err)

-

-		if h.Size == 0 {

-			continue

-		}

-		assert.Assert(t, h.Size <= maxBytes, "%s: file size exceeds max expected size %d: %d", h.Name, maxBytes, h.Size)

-

-		data := make([]byte, int(h.Size))

-		_, err = io.ReadFull(tr, data)

-		assert.NilError(t, err)

-		if bytes.Contains(data, compare) {

-			return true

-		}

-	}

-

-	return false

-}

@@ -20,10 +20,3 @@ func invokeUnpack(decompressedArchive io.ReadCloser,

 	// do the unpack. We call inline instead within the daemon process.

 	return archive.Unpack(decompressedArchive, longpath.AddPrefix(dest), options)

 }

-

-func invokePack(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) {

-	// Windows is different to Linux here because Windows does not support

-	// chroot. Hence there is no point sandboxing a chrooted process to

-	// do the pack. We call inline instead within the daemon process.

-	return archive.TarWithOptions(srcPath, options)

-}

@@ -14,7 +14,6 @@ import (

 func init() {

 	reexec.Register("docker-applyLayer", applyLayer)

 	reexec.Register("docker-untar", untar)

-	reexec.Register("docker-tar", tar)

 }

 func fatal(err error) {