gofer: don't create bind-mounts in /proc/self

selinux doesn't allow to do that. Fixes #8205 PiperOrigin-RevId: 588891222
google · Dec 7, 2023 · 43d1baa · 43d1baa
1 parent d7a3ec8
commit 43d1baa
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 7 deletions.
diff --git a/runsc/boot/loader_test.go b/runsc/boot/loader_test.go
@@ -42,7 +42,7 @@ import (
 func init() {
 	log.SetLevel(log.Debug)
 	rand.Seed(time.Now().UnixNano())
-	if err := fsgofer.OpenProcSelfFD(); err != nil {
+	if err := fsgofer.OpenProcSelfFD("/proc/self/fd"); err != nil {
 		panic(err)
 	}
 }

diff --git a/runsc/cmd/gofer.go b/runsc/cmd/gofer.go
@@ -219,7 +219,11 @@ func (g *Gofer) Execute(_ context.Context, f *flag.FlagSet, args ...any) subcomm
 	// modes exactly as sent by the sandbox, which will have applied its own umask.
 	unix.Umask(0)
 
-	if err := fsgofer.OpenProcSelfFD(); err != nil {
+	procFDPath := procFDBindMount
+	if conf.TestOnlyAllowRunAsCurrentUserWithoutChroot {
+		procFDPath = "/proc/self/fd"
+	}
+	if err := fsgofer.OpenProcSelfFD(procFDPath); err != nil {
 		util.Fatalf("failed to open /proc/self/fd: %v", err)
 	}
 
@@ -358,6 +362,10 @@ func (g *Gofer) writeMounts(mounts []specs.Mount) error {
 	return nil
 }
 
+// Redhat distros don't allow to create bind-mounts in /proc/self directories.
+// It is protected by selinux rules.
+const procFDBindMount = "/proc/fs"
+
 func (g *Gofer) setupRootFS(spec *specs.Spec, conf *config.Config) error {
 	// Convert all shared mounts into slaves to be sure that nothing will be
 	// propagated outside of our namespace.
@@ -396,8 +404,8 @@ func (g *Gofer) setupRootFS(spec *specs.Spec, conf *config.Config) error {
 		}
 		// self/fd is bind-mounted, so that the FD return by
 		// OpenProcSelfFD() does not allow escapes with walking ".." .
-		if err := unix.Mount("/proc/proc/self/fd", "/proc/proc/self/fd",
-			"", unix.MS_RDONLY|unix.MS_BIND|unix.MS_NOEXEC, ""); err != nil {
+		if err := unix.Mount("/proc/proc/self/fd", "/proc"+procFDBindMount,
+			"", unix.MS_RDONLY|unix.MS_BIND|flags, ""); err != nil {
 			util.Fatalf("error mounting proc/self/fd: %v", err)
 		}
 		if err := copyFile("/proc/etc/localtime", "/etc/localtime"); err != nil {

diff --git a/runsc/fsgofer/lisafs.go b/runsc/fsgofer/lisafs.go
@@ -69,8 +69,8 @@ var procSelfFD *rwfd.FD
 
 // OpenProcSelfFD opens the /proc/self/fd directory, which will be used to
 // reopen file descriptors.
-func OpenProcSelfFD() error {
-	d, err := unix.Open("/proc/self/fd", unix.O_RDONLY|unix.O_DIRECTORY, 0)
+func OpenProcSelfFD(path string) error {
+	d, err := unix.Open(path, unix.O_RDONLY|unix.O_DIRECTORY, 0)
 	if err != nil {
 		return fmt.Errorf("error opening /proc/self/fd: %v", err)
 	}

diff --git a/runsc/fsgofer/lisafs_test.go b/runsc/fsgofer/lisafs_test.go
@@ -29,7 +29,7 @@ import (
 
 func init() {
 	log.SetLevel(log.Debug)
-	if err := fsgofer.OpenProcSelfFD(); err != nil {
+	if err := fsgofer.OpenProcSelfFD("/proc/self/fd"); err != nil {
 		panic(err)
 	}
 }