Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dmz: cloned binary: set +x permissions when creating regular tmpfile #4444

Merged
merged 1 commit into from
Oct 15, 2024
Merged

dmz: cloned binary: set +x permissions when creating regular tmpfile #4444

merged 1 commit into from
Oct 15, 2024

Conversation

lifubang
Copy link
Member

Though creates a classic temp file for runc binary is the last fallback method of CloneBinary, we should also fix the error of it.

@lifubang lifubang requested a review from cyphar October 13, 2024 12:12
cyphar
cyphar reviewed Oct 13, 2024
View reviewed changes
libcontainer/dmz/cloned_binary_linux.go Outdated
Comment on lines 107 to 109
if err := file.Chmod(0o511); err != nil {
return nil, nil, fmt.Errorf("chmod classic tmpfile: %w", err)
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this already done in sealFile?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, but because of isExecutable check, we will get an error because we can't find any executable file after we traversed all the tmpDirs:

runc/libcontainer/dmz/cloned_binary_linux.go

Lines 165 to 169 in e2647bd

if !isExecutable(file) {
logrus.Debugf("tmpdir %s is noexec -- trying a different tmpdir", dir)
file.Close()
continue
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, okay so we should move the code from sealFile then rather than duplicating it. Also we should do this after we do os.Remove() so if there is an error we don't leak the temporary file.

Copy link
Member

@cyphar cyphar Oct 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice to explain the issue in the commit message btw 😸, something like:

dmz: cloned binary: set +x permissions when creating regular tmpfile

While we did set +x when "sealing" regular temporary files, the "is
executable" checks were done before then and would thus fail, causing
the fallback to not work properly.

So just set +x after we create the file. We already have a O_RDWR handle
open when we do the chmod so we won't get permission issues when writing
to the file.

Fixes: e089db3b4a31 ("dmz: add fallbacks to handle noexec for O_TMPFILE and mktemp()")
Signed-off-by: lifubang <lifubang@acmcoder.com>

@lifubang
dmz: cloned binary: set +x permissions when creating regular tmpfile
9fa324c 
While we did set +x when "sealing" regular temporary files, the "is
executable" checks were done before then and would thus fail, causing
the fallback to not work properly.

So just set +x after we create the file. We already have a O_RDWR handle
open when we do the chmod so we won't get permission issues when writing
to the file.

Fixes: e089db3 ("dmz: add fallbacks to handle noexec for O_TMPFILE and mktemp()")

Signed-off-by: lifubang <lifubang@acmcoder.com>
@lifubang lifubang changed the title Should set exec bit for runc temp file dmz: cloned binary: set +x permissions when creating regular tmpfile Oct 14, 2024
kolyshkin
kolyshkin approved these changes Oct 15, 2024
View reviewed changes
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lifubang how have you found this? Is this a very old kernel?

If yes, can you check what error otmpfile returns?

I'm thinking, if older kernels return EISDIR, we should not retry otmpfile with a different directory, but jump straight to mktemp fallback.

Of course, this is not really related to this PR and can be done separately.

@lifubang
Copy link
Member Author

how have you found this? Is this a very old kernel?

No, it's from code review. I find there may be an error, so I delete the memfd and otmpfile code to test it.

cyphar
cyphar approved these changes Oct 15, 2024
View reviewed changes
Copy link
Member

@cyphar cyphar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cyphar cyphar merged commit d82235c into opencontainers:main Oct 15, 2024
42 checks passed
@lifubang lifubang deleted the fix-mktemp-exec branch October 15, 2024 05:40
@github-actions github-actions bot mentioned this pull request Oct 27, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kolyshkin kolyshkin kolyshkin approved these changes

@cyphar cyphar cyphar approved these changes

Assignees
No one assigned
Labels
easy-to-review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lifubang @cyphar @kolyshkin