2023-07-26 17:09:55 +08:00
|
|
|
From 37103dc157e2946d688e8076b5b500ac11403863 Mon Sep 17 00:00:00 2001
|
2023-09-06 15:26:39 +08:00
|
|
|
From: yangshukui <yangshukui@huawei.com>
|
|
|
|
|
Date: Tue, 18 Apr 2017 19:35:30 +0800
|
2023-07-26 17:09:55 +08:00
|
|
|
Subject: [PATCH] runc:add timeout for syscall.Exec
|
2022-10-26 16:13:47 +08:00
|
|
|
|
2023-09-06 15:26:39 +08:00
|
|
|
Openat will be blocked until the fifo on the other side is opened, but in some
|
|
|
|
|
abnomal scenario(e.g. containerd is killed), Openat maybe be blocked all the time.
|
|
|
|
|
|
|
|
|
|
Signed-off-by: yangshukui <yangshukui@huawei.com>
|
2022-10-26 16:13:47 +08:00
|
|
|
---
|
2023-01-05 17:11:59 +08:00
|
|
|
libcontainer/standard_init_linux.go | 29 ++++++++++++++++++++++-------
|
2022-10-26 16:13:47 +08:00
|
|
|
1 file changed, 22 insertions(+), 7 deletions(-)
|
|
|
|
|
|
2023-01-05 17:11:59 +08:00
|
|
|
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
|
2023-07-26 17:09:55 +08:00
|
|
|
index c09a7be..eaa73ba 100644
|
2023-01-05 17:11:59 +08:00
|
|
|
--- a/libcontainer/standard_init_linux.go
|
|
|
|
|
+++ b/libcontainer/standard_init_linux.go
|
2022-10-26 16:13:47 +08:00
|
|
|
@@ -6,6 +6,7 @@ import (
|
|
|
|
|
"os"
|
|
|
|
|
"os/exec"
|
|
|
|
|
"strconv"
|
|
|
|
|
+ "time"
|
|
|
|
|
|
|
|
|
|
"github.com/opencontainers/runtime-spec/specs-go"
|
|
|
|
|
"github.com/opencontainers/selinux/go-selinux"
|
2023-07-26 17:09:55 +08:00
|
|
|
@@ -235,14 +236,28 @@ func (l *linuxStandardInit) Init() error {
|
2022-10-26 16:13:47 +08:00
|
|
|
// was given to us was an O_PATH fd to the fifo itself. Linux allows us to
|
|
|
|
|
// re-open an O_PATH fd through /proc.
|
|
|
|
|
fifoPath := "/proc/self/fd/" + strconv.Itoa(l.fifoFd)
|
|
|
|
|
- fd, err := unix.Open(fifoPath, unix.O_WRONLY|unix.O_CLOEXEC, 0)
|
|
|
|
|
- if err != nil {
|
|
|
|
|
- return &os.PathError{Op: "open exec fifo", Path: fifoPath, Err: err}
|
|
|
|
|
- }
|
|
|
|
|
- if _, err := unix.Write(fd, []byte("0")); err != nil {
|
|
|
|
|
- return &os.PathError{Op: "write exec fifo", Path: fifoPath, Err: err}
|
|
|
|
|
- }
|
|
|
|
|
+ ch := make(chan error, 1)
|
|
|
|
|
+ go func() {
|
|
|
|
|
+ fd, err := unix.Open(fifoPath, unix.O_WRONLY|unix.O_CLOEXEC, 0)
|
|
|
|
|
+ if err != nil {
|
|
|
|
|
+ ch <- &os.PathError{Op: "open exec fifo", Path: fifoPath, Err: err}
|
|
|
|
|
+ return
|
|
|
|
|
+ }
|
|
|
|
|
+ if _, err := unix.Write(fd, []byte("0")); err != nil {
|
|
|
|
|
+ ch <- &os.PathError{Op: "write exec fifo", Path: fifoPath, Err: err}
|
|
|
|
|
+ return
|
|
|
|
|
+ }
|
|
|
|
|
+ ch <- nil
|
|
|
|
|
+ }()
|
|
|
|
|
|
|
|
|
|
+ select {
|
|
|
|
|
+ case chErr := <- ch:
|
|
|
|
|
+ if chErr != nil {
|
|
|
|
|
+ return chErr
|
|
|
|
|
+ }
|
|
|
|
|
+ case <- time.After(120 * time.Second):
|
|
|
|
|
+ return fmt.Errorf("wait for the fifo to be opened on the other side timeout ")
|
|
|
|
|
+ }
|
|
|
|
|
// Close the O_PATH fifofd fd before exec because the kernel resets
|
|
|
|
|
// dumpable in the wrong order. This has been fixed in newer kernels, but
|
|
|
|
|
// we keep this to ensure CVE-2016-9962 doesn't re-emerge on older kernels.
|
|
|
|
|
--
|
2023-07-26 17:09:55 +08:00
|
|
|
2.33.0
|
2022-10-26 16:13:47 +08:00
|
|
|
|
