From 52bc0f21b4f99b7095a845276e8195df03905272 Mon Sep 17 00:00:00 2001
From: zhongjiawei
Date: Sun, 25 Jun 2023 11:46:31 +0800
Subject: [PATCH] runc:fix shared pidns detection

(cherry picked from commit f53823b004a027b8f20ba8db81010342bdc7ac1c)
---
 ...unc-libct-fix-shared-pidns-detection.patch | 67 +++++++++++++++++++
 runc.spec | 8 ++-
 series.conf | 1 +
 3 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 patch/0138-runc-libct-fix-shared-pidns-detection.patch

diff --git a/patch/0138-runc-libct-fix-shared-pidns-detection.patch b/patch/0138-runc-libct-fix-shared-pidns-detection.patch
new file mode 100644
index 0000000..91e800e
--- /dev/null
+++ b/patch/0138-runc-libct-fix-shared-pidns-detection.patch
@@ -0,0 +1,67 @@
+From fa6c4b2cbb985a765b4fae14470453b7a573c665 Mon Sep 17 00:00:00 2001
+From: Kir Kolyshkin
+Date: Fri, 12 May 2023 16:04:11 -0700
+Subject: [PATCH] libct: fix shared pidns detection
+
+When someone is using libcontainer to start and kill containers from a
+long lived process (i.e. the same process creates and removes the
+container), initProcess.wait method is used, which has a kludge to work
+around killing containers that do not have their own PID namespace.
+
+The code that checks for own PID namespace is not entirely correct.
+To be exact, it does not set sharePidns flag when the host/caller PID
+namespace is implicitly used. As a result, the above mentioned kludge
+does not work.
+
+Fix the issue, add a test case (which fails without the fix).
+
+Signed-off-by: Kir Kolyshkin
+---
+ libcontainer/configs/namespaces_syscall.go | 12 ++++++++++++
+ libcontainer/container_linux.go | 3 +--
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/libcontainer/configs/namespaces_syscall.go b/libcontainer/configs/namespaces_syscall.go
+index fb4b8522..6171a3b6 100644
+--- a/libcontainer/configs/namespaces_syscall.go
++++ b/libcontainer/configs/namespaces_syscall.go
+@@ -29,3 +29,15 @@ func (n *Namespaces) CloneFlags() uintptr {
+ }
+ return uintptr(flag)
+ }
++
++// IsPrivate tells whether the namespace of type t is configured as private
++// (i.e. it exists and is not shared).
++func (n Namespaces) IsPrivate(t NamespaceType) bool {
++ for _, v := range n {
++ if v.Type == t {
++ return v.Path == ""
++ }
++ }
++ // Not found, so implicitly sharing a parent namespace.
++ return false
++}
+diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
+index 7be84a63..113dbf42 100644
+--- a/libcontainer/container_linux.go
++++ b/libcontainer/container_linux.go
+@@ -488,7 +488,6 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c
+ nsMaps[ns.Type] = ns.Path
+ }
+ }
+- _, sharePidns := nsMaps[configs.NEWPID]
+ data, err := c.bootstrapData(c.config.Namespaces.CloneFlags(), nsMaps)
+ if err != nil {
+ return nil, err
+@@ -502,7 +501,7 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c
+ container: c,
+ process: p,
+ bootstrapData: data,
+- sharePidns: sharePidns,
++ sharePidns: !c.config.Namespaces.IsPrivate(configs.NEWPID),
+ rootDir: rootDir,
+ }, nil
+ }
+--
+2.33.0
+
diff --git a/runc.spec b/runc.spec
index 6933716..1c03dbc 100644
--- a/runc.spec
+++ b/runc.spec
@@ -2,7 +2,7 @@ Name: docker-runc
 Version: 1.0.0.rc3
-Release: 212
+Release: 213
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
@@ -41,6 +41,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 %changelog
+* Mon Jun 25 2023 zhongjiawei - 1.0.0.rc3-213
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:sync patch
+
 * Tue Apr 4 2023 zhongjiawei - 1.0.0.rc3-212
 - Type:bugfix
 - CVE:NA
diff --git a/series.conf b/series.conf
index 1f7041a..4e53cac 100644
--- a/series.conf
+++ b/series.conf
@@ -129,3 +129,4 @@
 0135-runc-libct-cg-fs-blkio-do-not-set-weight-0.patch
 0136-runc-run-resolve-tmpfs-mount-dest-in-container-scope.patch
 0137-runc-Prohibit-proc-and-sys-to-be-symlinks.patch
+0138-runc-libct-fix-shared-pidns-detection.patch
--
Gitee
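Review bot: The embedded upstream message says the fix "add[s] a test case (which fails without the fix)", but the nested diffstat lists only libcontainer/configs/namespaces_syscall.go and libcontainer/container_linux.go, so the test was not carried into 0138-runc-libct-fix-shared-pidns-detection.patch; either bring the upstream test along or trim that sentence so the backport describes what it actually changes. The regression test is worth having here because, per the message, sharePidns is what makes initProcess.wait clean up the remaining container processes when init dies in a shared PID namespace, so a false negative from this check leaves those processes running unsupervised on the host. As a point of style, the new `IsPrivate` uses a value receiver while `CloneFlags` three lines above it uses `*Namespaces`; mixed receivers on one type are legal but easy to misread, and `func (n *Namespaces) IsPrivate(t NamespaceType) bool` would keep the file consistent, since the existing `c.config.Namespaces.CloneFlags()` call shows the call site is already addressable.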