runc/patch/0001-runc-add-timeout-for-syscall.Exec.patch
2023-07-28 09:46:10 +08:00


From 37103dc157e2946d688e8076b5b500ac11403863 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Mon, 24 Jul 2023 15:30:32 +0800
Subject: [PATCH] runc:add timeout for syscall.Exec
---
libcontainer/standard_init_linux.go | 29 ++++++++++++++++++++++-------
1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index c09a7be..eaa73ba 100644
--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -6,6 +6,7 @@ import (
"os"
"os/exec"
"strconv"
+ "time"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux"
@@ -235,14 +236,28 @@ func (l *linuxStandardInit) Init() error {
// was given to us was an O_PATH fd to the fifo itself. Linux allows us to
// re-open an O_PATH fd through /proc.
fifoPath := "/proc/self/fd/" + strconv.Itoa(l.fifoFd)
- fd, err := unix.Open(fifoPath, unix.O_WRONLY|unix.O_CLOEXEC, 0)
- if err != nil {
- return &os.PathError{Op: "open exec fifo", Path: fifoPath, Err: err}
- }
- if _, err := unix.Write(fd, []byte("0")); err != nil {
- return &os.PathError{Op: "write exec fifo", Path: fifoPath, Err: err}
- }
+ ch := make(chan error, 1)
+ go func() {
+ fd, err := unix.Open(fifoPath, unix.O_WRONLY|unix.O_CLOEXEC, 0)
+ if err != nil {
+ ch <- &os.PathError{Op: "open exec fifo", Path: fifoPath, Err: err}
+ return
+ }
+ if _, err := unix.Write(fd, []byte("0")); err != nil {
+ ch <- &os.PathError{Op: "write exec fifo", Path: fifoPath, Err: err}
+ return
+ }
+ ch <- nil
+ }()
+ select {
+ case chErr := <- ch:
+ if chErr != nil {
+ return chErr
+ }
+ case <- time.After(120 * time.Second):
+ return fmt.Errorf("wait for the fifo to be opened on the other side timeout ")
+ }
// Close the O_PATH fifofd fd before exec because the kernel resets
// dumpable in the wrong order. This has been fixed in newer kernels, but
// we keep this to ensure CVE-2016-9962 doesn't re-emerge on older kernels.
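Review bot: The 120-second timeout on the exec-fifo open changes the create/start contract: the blocking `unix.Open(fifoPath, unix.O_WRONLY|unix.O_CLOEXEC, 0)` is how init waits for `runc start` to open the read side, and that wait is unbounded by design, so a container created and started more than two minutes apart now fails Init with the new error instead of starting. If that is intended it should be a named, documented constant rather than the bare `120 * time.Second`, e.g. `// execFifoOpenTimeout bounds how long init waits for the fifo reader (runc start); a create/start gap longer than this fails Init.` over `const execFifoOpenTimeout = 120 * time.Second`, and the commit subject should say the timeout is on the fifo handshake, not on syscall.Exec. On the timeout branch the goroutine stays blocked in `unix.Open` and, if it succeeds later, still writes `"0"` into the fifo; that is presumably harmless only because the init process exits once Init returns an error, and a one-line comment on the `time.After` case saying so would save the next reader from hunting for a goroutine and fd leak. Minor: the error string ends in a trailing space and takes no format verbs, so `errors.New("timed out waiting for the exec fifo to be opened by the other side")` (or `fmt.Errorf` without the trailing space if `errors` is not imported here) reads better, and gofmt spells the receives `<-ch`, not `<- ch`, as rendered. Init's body begins and ends outside this hunk.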
--
2.33.0