!131 runc：libcontainer: skip chown of /dev/null caused by fd redirection

From: @zhong-jiawei-1 
Reviewed-by: @zhangsong234, @duguhaotian 
Signed-off-by: @duguhaotian

git-commit

@@ -1 +1 @@
-b17d05d6bfb1f6d087f5585e5236ffc04173af69
+bc3b1abe72220ea5a0a8390f174f1db0b76888f6

patch/0036-runc-libcontainer-skip-chown-of-dev-null-caused-by-fd-red.patch

@@ -0,0 +1,41 @@
+From 52d2b0f2598c255f8fcc295e12a3ddfd4a89dd43 Mon Sep 17 00:00:00 2001
+From: Jaroslav Jindrak <dzejrou@gmail.com>
+Date: Fri, 20 Jan 2023 21:41:12 +0100
+Subject: [PATCH 1/2] libcontainer: skip chown of /dev/null caused by fd
+ redirection
+
+In 18c4760a (libct: fixStdioPermissions: skip chown if not needed)
+the check whether the STDIO file descriptors point to /dev/null was
+removed which can cause /dev/null to change ownership e.g. when using
+docker exec on a running container:
+
+$ ls -l /dev/null
+crw-rw-rw- 1 root root 1, 3 Aug 1 14:12 /dev/null
+$ docker exec -u test 0ad6d3064e9d ls
+$ ls -l /dev/null
+crw-rw-rw- 1 test root 1, 3 Aug 1 14:12 /dev/null
+
+Signed-off-by: Jaroslav Jindrak <dzejrou@gmail.com>
+---
+ libcontainer/init_linux.go | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
+index 1e5c394c..2e4c5935 100644
+--- a/libcontainer/init_linux.go
++++ b/libcontainer/init_linux.go
+@@ -411,8 +411,9 @@ func fixStdioPermissions(u *user.ExecUser) error {
+ 			return &os.PathError{Op: "fstat", Path: file.Name(), Err: err}
+ 		}
+ 
+-		// Skip chown if uid is already the one we want.
+-		if int(s.Uid) == u.Uid {
++		// Skip chown if uid is already the one we want or any of the STDIO descriptors
++		// were redirected to /dev/null.
++		if int(s.Uid) == u.Uid || s.Rdev == null.Rdev {
+ 			continue
+ 		}
+ 
+-- 
+2.33.0
+

patch/0037-runc-Fixed-init-state-error-variable.patch

@@ -0,0 +1,29 @@
+From ab18f1e6bf59d651889a9483f45f0e88368669c9 Mon Sep 17 00:00:00 2001
+From: Vipul Newaskar <vipulnewaskar7@gmail.com>
+Date: Sun, 13 Nov 2022 23:46:12 +0530
+Subject: [PATCH 2/2] Fixed init state error variable
+
+Init State Error message was using the err variable instead of uerr, which has been fixed now.
+The error message should not show "nil" now.
+
+Signed-off-by: Vipul Newaskar <vipulnewaskar7@gmail.com>
+---
+ libcontainer/process_linux.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
+index 1124cf54..3b453ccd 100644
+--- a/libcontainer/process_linux.go
++++ b/libcontainer/process_linux.go
+@@ -555,7 +555,7 @@ func (p *initProcess) start() (retErr error) {
+ 			// procRun sync.
+ 			state, uerr := p.container.updateState(p)
+ 			if uerr != nil {
+-				return fmt.Errorf("unable to store init state: %w", err)
++				return fmt.Errorf("unable to store init state: %w", uerr)
+ 			}
+ 			p.container.initProcessStartTime = state.InitProcessStartTime
+ 
+-- 
+2.33.0
+

runc.spec

@@ -3,7 +3,7 @@
 
 Name: docker-runc
 Version: 1.1.3
-Release: 12
+Release: 13
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 
 License: ASL 2.0
@@ -58,6 +58,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 
 %changelog
+* Tue Mar 21 2023 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.3-13
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:libcontainer: skip chown of /dev/null caused by fd redirection
+
 * Thu Mar 16 2023 zhaozhen <zhaozhen@loongson.cn> - 1.1.3-12
 - Type:feature
 - CVE:NA

series.conf

@@ -31,3 +31,5 @@ patch/0030-runc-support-specify-umask.patch
 patch/0031-runc-modify-linuxcontainer-starttime-uint64-type-tob.patch
 patch/0032-runc-make-runc-spec-compatible-1.0.0.rc3.patch
 patch/0033-add-loongarch-support-for-libcontainer.patch
+patch/0036-runc-libcontainer-skip-chown-of-dev-null-caused-by-fd-red.patch
+patch/0037-runc-Fixed-init-state-error-variable.patch