mirror of
https://github.com/opencontainers/runc.git
synced 2026-07-11 06:03:57 +08:00
50acb55233
A remount of a mount point must include all the current flags or these will be cleared: ``` The mountflags and data arguments should match the values used in the original mount() call, except for those parameters that are being deliberately changed. ``` The current code does not do this; the bug manifests in the specified flags for `/dev` being lost on remount read only at present. As we need to specify flags, split the code path for this from remounting paths which are not mount points, as these can only inherit the existing flags of the path, and these cannot be changed. In the bind case, remove extra flags from the bind remount. A bind mount can only be remounted read only, no other flags can be set, all other flags are inherited from the parent. From the man page: ``` Since Linux 2.6.26, this flag can also be used to make an existing bind mount read-only by specifying mountflags as: MS_REMOUNT | MS_BIND | MS_RDONLY Note that only the MS_RDONLY setting of the bind mount can be changed in this manner. ``` MS_REC can only be set on the original bind, so move this. See note in man page on bind mounts: ``` The remaining bits in the mountflags argument are also ignored, with the exception of MS_REC. ``` Signed-off-by: Justin Cormack <justin.cormack@docker.com>
187 lines
5.5 KiB
Go
187 lines
5.5 KiB
Go
// +build linux
|
|
|
|
package libcontainer
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
"os/exec"
|
|
"syscall"
|
|
|
|
"github.com/opencontainers/runc/libcontainer/apparmor"
|
|
"github.com/opencontainers/runc/libcontainer/configs"
|
|
"github.com/opencontainers/runc/libcontainer/keys"
|
|
"github.com/opencontainers/runc/libcontainer/label"
|
|
"github.com/opencontainers/runc/libcontainer/seccomp"
|
|
"github.com/opencontainers/runc/libcontainer/system"
|
|
)
|
|
|
|
type linuxStandardInit struct {
|
|
pipe *os.File
|
|
parentPid int
|
|
stateDirFD int
|
|
config *initConfig
|
|
}
|
|
|
|
func (l *linuxStandardInit) getSessionRingParams() (string, uint32, uint32) {
|
|
var newperms uint32
|
|
|
|
if l.config.Config.Namespaces.Contains(configs.NEWUSER) {
|
|
// with user ns we need 'other' search permissions
|
|
newperms = 0x8
|
|
} else {
|
|
// without user ns we need 'UID' search permissions
|
|
newperms = 0x80000
|
|
}
|
|
|
|
// create a unique per session container name that we can
|
|
// join in setns; however, other containers can also join it
|
|
return fmt.Sprintf("_ses.%s", l.config.ContainerId), 0xffffffff, newperms
|
|
}
|
|
|
|
// PR_SET_NO_NEW_PRIVS isn't exposed in Golang so we define it ourselves copying the value
|
|
// the kernel
|
|
const PR_SET_NO_NEW_PRIVS = 0x26
|
|
|
|
func (l *linuxStandardInit) Init() error {
|
|
if !l.config.Config.NoNewKeyring {
|
|
ringname, keepperms, newperms := l.getSessionRingParams()
|
|
|
|
// do not inherit the parent's session keyring
|
|
sessKeyId, err := keys.JoinSessionKeyring(ringname)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
// make session keyring searcheable
|
|
if err := keys.ModKeyringPerm(sessKeyId, keepperms, newperms); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
if err := setupNetwork(l.config); err != nil {
|
|
return err
|
|
}
|
|
if err := setupRoute(l.config.Config); err != nil {
|
|
return err
|
|
}
|
|
|
|
label.Init()
|
|
|
|
// prepareRootfs() can be executed only for a new mount namespace.
|
|
if l.config.Config.Namespaces.Contains(configs.NEWNS) {
|
|
if err := prepareRootfs(l.pipe, l.config.Config); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// Set up the console. This has to be done *before* we finalize the rootfs,
|
|
// but *after* we've given the user the chance to set up all of the mounts
|
|
// they wanted.
|
|
if l.config.CreateConsole {
|
|
if err := setupConsole(l.pipe, l.config, true); err != nil {
|
|
return err
|
|
}
|
|
if err := system.Setctty(); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// Finish the rootfs setup.
|
|
if l.config.Config.Namespaces.Contains(configs.NEWNS) {
|
|
if err := finalizeRootfs(l.config.Config); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
if hostname := l.config.Config.Hostname; hostname != "" {
|
|
if err := syscall.Sethostname([]byte(hostname)); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
|
|
return err
|
|
}
|
|
if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
|
|
return err
|
|
}
|
|
|
|
for key, value := range l.config.Config.Sysctl {
|
|
if err := writeSystemProperty(key, value); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
for _, path := range l.config.Config.ReadonlyPaths {
|
|
if err := readonlyPath(path); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
for _, path := range l.config.Config.MaskPaths {
|
|
if err := maskPath(path); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
pdeath, err := system.GetParentDeathSignal()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if l.config.NoNewPrivileges {
|
|
if err := system.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
// Tell our parent that we're ready to Execv. This must be done before the
|
|
// Seccomp rules have been applied, because we need to be able to read and
|
|
// write to a socket.
|
|
if err := syncParentReady(l.pipe); err != nil {
|
|
return err
|
|
}
|
|
// Without NoNewPrivileges seccomp is a privileged operation, so we need to
|
|
// do this before dropping capabilities; otherwise do it as late as possible
|
|
// just before execve so as few syscalls take place after it as possible.
|
|
if l.config.Config.Seccomp != nil && !l.config.NoNewPrivileges {
|
|
if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
if err := finalizeNamespace(l.config); err != nil {
|
|
return err
|
|
}
|
|
// finalizeNamespace can change user/group which clears the parent death
|
|
// signal, so we restore it here.
|
|
if err := pdeath.Restore(); err != nil {
|
|
return err
|
|
}
|
|
// compare the parent from the initial start of the init process and make sure that it did not change.
|
|
// if the parent changes that means it died and we were reparented to something else so we should
|
|
// just kill ourself and not cause problems for someone else.
|
|
if syscall.Getppid() != l.parentPid {
|
|
return syscall.Kill(syscall.Getpid(), syscall.SIGKILL)
|
|
}
|
|
// check for the arg before waiting to make sure it exists and it is returned
|
|
// as a create time error.
|
|
name, err := exec.LookPath(l.config.Args[0])
|
|
if err != nil {
|
|
return err
|
|
}
|
|
// close the pipe to signal that we have completed our init.
|
|
l.pipe.Close()
|
|
// wait for the fifo to be opened on the other side before
|
|
// exec'ing the users process.
|
|
fd, err := syscall.Openat(l.stateDirFD, execFifoFilename, os.O_WRONLY|syscall.O_CLOEXEC, 0)
|
|
if err != nil {
|
|
return newSystemErrorWithCause(err, "openat exec fifo")
|
|
}
|
|
if _, err := syscall.Write(fd, []byte("0")); err != nil {
|
|
return newSystemErrorWithCause(err, "write 0 exec fifo")
|
|
}
|
|
if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {
|
|
if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
|
|
return newSystemErrorWithCause(err, "init seccomp")
|
|
}
|
|
}
|
|
if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
|
|
return newSystemErrorWithCause(err, "exec user process")
|
|
}
|
|
return nil
|
|
}
|