runc: fix permission denied

reason: when exec as root and config.Cwd is not owned by root, exec will fail because root doesn't have the caps. Signed-off-by: Kurnia D Win <kurnia.d.win@gmail.com> Signed-off-by: xiadanni <xiadanni1@huawei.com>
2020-07-09 16:01:04 +08:00 · 2020-07-09 16:01:04 +08:00 · 450a0907cf
commit 450a0907cf
parent e532736168
4 changed files with 48 additions and 2 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-Ib43bafb0ec680082520d85530ef783b68bc08671
+b12c2b4efdbaa500c4d380bda16fcf758792398e
--- a/patch/0120-runc-fix-permission-denied.patch
+++ b/patch/0120-runc-fix-permission-denied.patch
@ -0,0 +1,45 @@
+From 6594d5c042a2253386820a640b3a7087e07d0df2 Mon Sep 17 00:00:00 2001
+From: xiadanni <xiadanni1@huawei.com>
+Date: Thu, 9 Jul 2020 15:56:54 +0800
+Subject: [PATCH] runc: fix permission denied
+
+reason: when exec as root and config.Cwd is not owned by root,
+exec will fail because root doesn't have the caps.
+
+Signed-off-by: Kurnia D Win <kurnia.d.win@gmail.com>
+Signed-off-by: xiadanni <xiadanni1@huawei.com>
+---
+ libcontainer/init_linux.go | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
+index 2a93431..73505ef 100644
+--- a/libcontainer/init_linux.go
+++ b/libcontainer/init_linux.go
+@@ -118,6 +118,11 @@ func finalizeNamespace(config *initConfig) error {
+ 	if err := utils.CloseExecFrom(config.PassedFilesCount + 3); err != nil {
+ 		return err
+ 	}
+	if config.Cwd != "" {
+		if err := syscall.Chdir(config.Cwd); err != nil {
+			return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %v", config.Cwd, err)
+		}
+	}
+ 
+ 	capabilities := &configs.Capabilities{}
+ 	if config.Capabilities != nil {
+@@ -146,11 +151,6 @@ func finalizeNamespace(config *initConfig) error {
+ 	if err := w.ApplyCaps(); err != nil {
+ 		return err
+ 	}
+-	if config.Cwd != "" {
+-		if err := syscall.Chdir(config.Cwd); err != nil {
+-			return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %v", config.Cwd, err)
+-		}
+-	}
+ 	return nil
+ }
+ 
+-- 
+1.8.3.1
+
--- a/runc-openeuler.spec
+++ b/runc-openeuler.spec
@ -2,7 +2,7 @@

 Name: docker-runc
 Version: 1.0.0.rc3
-Release: 105
+Release: 106
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.

 License: ASL 2.0
--- a/series.conf
+++ b/series.conf
@ -116,3 +116,4 @@
 0117-runc-Pass-back-the-pid-of-runc-1-CHILD-so-w.patch
 0118-runc-rootfs-do-not-permit-proc-mounts-to-no.patch
 0119-runc-use-git-commit-to-store-commit-ID.patch
+0120-runc-fix-permission-denied.patch