runc/patch/0001-runc-add-timeout-for-syscall.Exec.patch

From 37103dc157e2946d688e8076b5b500ac11403863 Mon Sep 17 00:00:00 2001
From: yangshukui <yangshukui@huawei.com>
Date: Tue, 18 Apr 2017 19:35:30 +0800
Subject: [PATCH] runc:add timeout for syscall.Exec
Openat will block until the fifo is opened on the other side, but in some
abnormal scenarios (e.g. containerd is killed), Openat may block forever.
Signed-off-by: yangshukui <yangshukui@huawei.com>
---
libcontainer/standard_init_linux.go | 29 ++++++++++++++++++++++-------
1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index c09a7be..eaa73ba 100644
--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -6,6 +6,7 @@ import (
"os"
"os/exec"
"strconv"
+ "time"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux"
@@ -235,14 +236,28 @@ func (l *linuxStandardInit) Init() error {
// was given to us was an O_PATH fd to the fifo itself. Linux allows us to
// re-open an O_PATH fd through /proc.
fifoPath := "/proc/self/fd/" + strconv.Itoa(l.fifoFd)
- fd, err := unix.Open(fifoPath, unix.O_WRONLY|unix.O_CLOEXEC, 0)
- if err != nil {
- return &os.PathError{Op: "open exec fifo", Path: fifoPath, Err: err}
- }
- if _, err := unix.Write(fd, []byte("0")); err != nil {
- return &os.PathError{Op: "write exec fifo", Path: fifoPath, Err: err}
- }
+ ch := make(chan error, 1)
+ go func() {
+ fd, err := unix.Open(fifoPath, unix.O_WRONLY|unix.O_CLOEXEC, 0)
+ if err != nil {
+ ch <- &os.PathError{Op: "open exec fifo", Path: fifoPath, Err: err}
+ return
+ }
+ if _, err := unix.Write(fd, []byte("0")); err != nil {
+ ch <- &os.PathError{Op: "write exec fifo", Path: fifoPath, Err: err}
+ return
+ }
+ ch <- nil
+ }()
+ select {
+ case chErr := <- ch:
+ if chErr != nil {
+ return chErr
+ }
+ case <- time.After(120 * time.Second):
+ return fmt.Errorf("wait for the fifo to be opened on the other side timeout ")
+ }
// Close the O_PATH fifofd fd before exec because the kernel resets
// dumpable in the wrong order. This has been fixed in newer kernels, but
// we keep this to ensure CVE-2016-9962 doesn't re-emerge on older kernels.
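Review bot: The goroutine blocked in `unix.Open` is never stopped, so after the `time.After(120 * time.Second)` branch has already returned an error it can still complete the open and write the `"0"` start token; in the window before the init process actually exits, a late `runc start` would presumably read that token and treat the container as running while init is in fact failing, and if the process lingers for any reason the goroutine is a straight leak. Since the blocking point is open(2) itself and cannot be cancelled, the cleaner fix is to drop the goroutine and retry a non-blocking open on the calling goroutine: `O_WRONLY|O_NONBLOCK` on a FIFO fails with `ENXIO` while no process has it open for reading, so looping on that error until a deadline gives the same bound without a second writer that can act after `Init` has given up. Two smaller points in the same lines: `fmt.Errorf` with no verbs and a trailing space in the message should be `errors.New("timeout waiting for the exec fifo to be opened on the other side")` (whether `fmt`/`errors` are imported is outside the hunk), and the bare `120 * time.Second` deserves a package-level constant with a comment, e.g. `// execFifoTimeout bounds how long init waits for runc start to open the exec fifo; on expiry init fails instead of exec'ing.` The polling variant is below; the enclosing `Init` starts and ends outside the hunk, and the added poll interval is a few tens of milliseconds of start latency at most.
```go
	// Bounded wait for runc start to open the read side: a non-blocking open
	// of a FIFO returns ENXIO until a reader exists, so retry until the
	// deadline. Keeping this on the calling goroutine guarantees the start
	// token is never written after Init has already returned an error.
	deadline := time.Now().Add(execFifoTimeout)
	var fd int
	for {
		var err error
		fd, err = unix.Open(fifoPath, unix.O_WRONLY|unix.O_NONBLOCK|unix.O_CLOEXEC, 0)
		if err == nil {
			break
		}
		if err != unix.ENXIO {
			return &os.PathError{Op: "open exec fifo", Path: fifoPath, Err: err}
		}
		if time.Now().After(deadline) {
			return errors.New("timeout waiting for the exec fifo to be opened on the other side")
		}
		time.Sleep(50 * time.Millisecond)
	}
	// One byte into an empty pipe buffer cannot return EAGAIN, so the
	// non-blocking flag does not change the write's behaviour.
	if _, err := unix.Write(fd, []byte("0")); err != nil {
		return &os.PathError{Op: "write exec fifo", Path: fifoPath, Err: err}
	}
	// … unchanged: close of l.fifoFd (CVE-2016-9962) …
```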
--
2.33.0