Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[1.1] Fix error from runc run on noexec fs #3541

Merged
merged 1 commit into from
Aug 2, 2022
Merged

[1.1] Fix error from runc run on noexec fs #3541

merged 1 commit into from
Aug 2, 2022

Conversation

kolyshkin
Copy link
Contributor

Backport of #3522 to release-1.1 branch. See the original PR for details.

Draft until the original PR is merged.

@kolyshkin kolyshkin added the backport/1.1-pr A backport PR to release-1.1 label Jul 28, 2022
@kolyshkin kolyshkin changed the base branch from main to release-1.1 July 28, 2022 19:15
@kolyshkin kolyshkin changed the title [1.1][ Fix error from runc run on noexec fs [1.1] Fix error from runc run on noexec fs Jul 28, 2022
@kolyshkin kolyshkin added this to the 1.1.4 milestone Jul 28, 2022
@kolyshkin
Fix error from runc run on noexec fs
d83a861 
When starting a new container, and the very last step of executing of a
user process fails (last lines of (*linuxStandardInit).Init), it is too
late to print a proper error since both the log pipe and the init pipe
are closed.

This is partially mitigated by using exec.LookPath() which is supposed
to say whether we will be able to execute or not. Alas, it fails to do
so when the binary to be executed resides on a filesystem mounted with
noexec flag.

A workaround would be to use access(2) with X_OK flag. Alas, it is not
working when runc itself is a setuid (or setgid) binary. In this case,
faccessat2(2) with AT_EACCESS can be used, but it is only available
since Linux v5.8.

So, use faccessat2(2) with AT_EACCESS if available. If not, fall back to
access(2) for non-setuid runc, and do nothing for setuid runc (as there
is nothing we can do). Note that this check if in addition to whatever
exec.LookPath does.

Fixes opencontainers#3520

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 957d97b)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin kolyshkin requested a review from cyphar July 28, 2022 19:16
@cyphar cyphar marked this pull request as ready for review August 2, 2022 02:41
@mrunalp mrunalp merged commit b54084f into opencontainers:release-1.1 Aug 2, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cyphar cyphar cyphar approved these changes

@mrunalp mrunalp mrunalp approved these changes

Assignees
No one assigned
Labels
backport/1.1-pr A backport PR to release-1.1
Projects
None yet
Milestone
1.1.4
Development

Successfully merging this pull request may close these issues.
3 participants
@kolyshkin @mrunalp @cyphar