|
 |
116c32 |
From 62b0c31d4b940ff93a23ac6fdb3a6ef345910abf Mon Sep 17 00:00:00 2001
|
|
|
116c32 |
From: Kir Kolyshkin <kolyshkin@gmail.com>
|
|
|
116c32 |
Date: Tue, 14 Jun 2022 17:19:10 -0700
|
|
|
116c32 |
Subject: [PATCH] libct: fix mounting via wrong proc fd
|
|
|
116c32 |
|
|
|
116c32 |
Due to a bug in commit 9c444070ec7, when the user and mount namespaces
|
|
|
116c32 |
are used, and the bind mount is followed by the cgroup mount in the
|
|
|
116c32 |
spec, the cgroup is mounted using the bind mount's mount fd.
|
|
|
116c32 |
|
|
|
116c32 |
This can be reproduced with podman 4.1 (when configured to use runc):
|
|
|
116c32 |
|
|
|
116c32 |
$ podman run --uidmap 0:100:10000 quay.io/libpod/testimage:20210610 mount
|
|
|
116c32 |
Error: /home/kir/git/runc/runc: runc create failed: unable to start container process: error during container init: error mounting "cgroup" to rootfs at "/sys/fs/cgroup": mount /proc/self/fd/11:/sys/fs/cgroup/systemd (via /proc/self/fd/12), flags: 0x20502f: operation not permitted: OCI permission denied
|
|
|
116c32 |
|
|
|
116c32 |
or manually with the spec mounts containing something like this:
|
|
|
116c32 |
|
|
|
116c32 |
{
|
|
|
116c32 |
"destination": "/etc/resolv.conf",
|
|
|
116c32 |
"type": "bind",
|
|
|
116c32 |
"source": "/userdata/resolv.conf",
|
|
|
116c32 |
"options": [
|
|
|
116c32 |
"bind"
|
|
|
116c32 |
]
|
|
|
116c32 |
},
|
|
|
116c32 |
{
|
|
|
116c32 |
"destination": "/sys/fs/cgroup",
|
|
|
116c32 |
"type": "cgroup",
|
|
|
116c32 |
"source": "cgroup",
|
|
|
116c32 |
"options": [
|
|
|
116c32 |
"rprivate",
|
|
|
116c32 |
"nosuid",
|
|
|
116c32 |
"noexec",
|
|
|
116c32 |
"nodev",
|
|
|
116c32 |
"relatime",
|
|
|
116c32 |
"ro"
|
|
|
116c32 |
]
|
|
|
116c32 |
}
|
|
|
116c32 |
|
|
|
116c32 |
The issue was not found earlier since it requires using userns, and even then
|
|
|
116c32 |
mount fd is ignored by mountToRootfs, except for bind mounts, and all the bind
|
|
|
116c32 |
mounts have mountfd set, except for the case of cgroup v1's /sys/fs/cgroup
|
|
|
116c32 |
which is internally transformed into a bunch of bind mounts.
|
|
|
116c32 |
|
|
|
116c32 |
This is a minimal fix for the issue, suitable for backporting.
|
|
|
116c32 |
|
|
|
116c32 |
Fixes: 9c444070ec7 ("Open bind mount sources from the host userns")
|
|
|
116c32 |
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
|
|
|
116c32 |
(cherry picked from commit b3aa20af7fb67ee1f2b381f3c82329e73c7d3a0c)
|
|
|
116c32 |
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
|
|
|
116c32 |
---
|
|
|
116c32 |
libcontainer/rootfs_linux.go | 2 ++
|
|
|
116c32 |
1 file changed, 2 insertions(+)
|
|
|
116c32 |
|
|
|
116c32 |
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
|
|
|
116c32 |
index 3cfd2bf1e4..ec7638e4d5 100644
|
|
|
116c32 |
--- a/libcontainer/rootfs_linux.go
|
|
|
116c32 |
+++ b/libcontainer/rootfs_linux.go
|
|
|
116c32 |
@@ -80,6 +80,8 @@ func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig, mountFds []int) (err
|
|
|
116c32 |
// Therefore, we can access mountFds[i] without any concerns.
|
|
|
116c32 |
if mountFds != nil && mountFds[i] != -1 {
|
|
|
116c32 |
mountConfig.fd = &mountFds[i]
|
|
|
116c32 |
+ } else {
|
|
|
116c32 |
+ mountConfig.fd = nil
|
|
|
116c32 |
}
|
|
|
116c32 |
|
|
|
116c32 |
if err := mountToRootfs(m, mountConfig); err != nil {
|