From 1c953cdee5aa6c677bef7c7042dbec6fc9ddf172 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:18:37 +0800
Subject: [PATCH] runc:add timeout for syscall.Openat
---
libcontainer/standard_init_linux.go | 29 ++++++++++++++++++++++-------
1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index 585a04f..ab553ef 100644
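--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -6,6 +6,7 @@ import (
 "os"
 "os/exec"
 "strconv"
+ "time"
 
 "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/selinux/go-selinux"
@@ -227,14 +228,28 @@ func (l *linuxStandardInit) Init() error {
 // was given to us was an O_PATH fd to the fifo itself. Linux allows us to
 // re-open an O_PATH fd through /proc.
 fifoPath := "/proc/self/fd/" + strconv.Itoa(l.fifoFd)
- fd, err := unix.Open(fifoPath, unix.O_WRONLY|unix.O_CLOEXEC, 0)
- if err != nil {
- return &os.PathError{Op: "open exec fifo", Path: fifoPath, Err: err}
- }
- if _, err := unix.Write(fd, []byte("0")); err != nil {
- return &os.PathError{Op: "write exec fifo", Path: fifoPath, Err: err}
- }
+ ch := make(chan error, 1)
+ go func() {
+ fd, err := unix.Open(fifoPath, unix.O_WRONLY|unix.O_CLOEXEC, 0)
+ if err != nil {
+ ch <- &os.PathError{Op: "open exec fifo", Path: fifoPath, Err: err}
+ return
+ }
+ if _, err := unix.Write(fd, []byte("0")); err != nil {
+ ch <- &os.PathError{Op: "write exec fifo", Path: fifoPath, Err: err}
+ return
+ }
+ ch <- nil
+ }()
 
+ select {
+ case chErr := <- ch:
+ if chErr != nil {
+ return chErr
+ }
+ case <- time.After(120 * time.Second):
+ return fmt.Errorf("wait for the fifo to be opened on the other side timeout ")
+ }
 // Close the O_PATH fifofd fd before exec because the kernel resets
 // dumpable in the wrong order. This has been fixed in newer kernels, but
 // we keep this to ensure CVE-2016-9962 doesn't re-emerge on older kernels.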
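Review bot: The timeout branch of the `select` returns while the goroutine is still blocked in `unix.Open`, and nothing cancels it, so if a reader opens the fifo before the process actually exits, the goroutine will still write `"0"` after Init has already reported failure. Whether that window matters depends on how quickly the caller tears the process down, which is not visible here; an alternative that stays on the calling goroutine would be to open with `unix.O_NONBLOCK` and retry on `ENXIO` until a deadline, so the attempt stops when Init gives up. Smaller points on the same lines: the 120-second limit should be a named constant with a comment saying why that value was chosen, the message could be `errors.New("timed out waiting for the exec fifo to be opened on the other side")` (if `errors` is already imported) since `fmt.Errorf` has no arguments and the string ends in a stray space, and gofmt writes `<-ch` and `<-time.After(...)` without the space. Init's body starts and ends outside the hunk.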
--
2.30.0