From e27a009f4de8b7a30c957b640ef1694b995d307a Mon Sep 17 00:00:00 2001
From: zhongjiawei
Date: Mon, 27 Nov 2023 15:19:38 +0800
Subject: [PATCH] runc:create cwd when it does not exist

---
 git-commit | 2 +-
 ...er-create-Cwd-when-it-does-not-exist.patch | 73 +++++++++++++++++++
 runc.spec | 8 +-
 series.conf | 1 +
 4 files changed, 82 insertions(+), 2 deletions(-)
 create mode 100644 patch/0152-runc-libcontainer-create-Cwd-when-it-does-not-exist.patch

diff --git a/git-commit b/git-commit
index 9cdb79d..b48ea5c 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-781dd0d54fe8ad4116c4451f197662c1b732ca2d
+db1dcc6c9575d0a8ebc5d2d95bf70a65fcc35174
diff --git a/patch/0152-runc-libcontainer-create-Cwd-when-it-does-not-exist.patch b/patch/0152-runc-libcontainer-create-Cwd-when-it-does-not-exist.patch
new file mode 100644
index 0000000..913a67d
--- /dev/null
+++ b/patch/0152-runc-libcontainer-create-Cwd-when-it-does-not-exist.patch
@@ -0,0 +1,73 @@
+From 85840292ccceb506c988034a8ce951fcf459d34c Mon Sep 17 00:00:00 2001
+From: Akihiro Suda
+Date: Wed, 4 Oct 2017 08:07:58 +0000
+Subject: [PATCH] libcontainer: create Cwd when it does not exist
+
+The benefit for doing this within runc is that it works well with
+userns.
+Actually, runc already does the same thing for mount points.
+
+Signed-off-by: Akihiro Suda
+---
+ libcontainer/rootfs_linux.go | 17 +++++++++++++----
+ libcontainer/standard_init_linux.go | 2 +-
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index 855bcdb0..f5d9214a 100644
+--- a/libcontainer/rootfs_linux.go
++++ b/libcontainer/rootfs_linux.go
+@@ -41,10 +41,10 @@ func needsSetupDev(config *configs.Config) bool {
+ }
+
+ // prepareRootfs sets up the devices, mount points, and filesystems for use
+-// inside a new mount namespace. It doesn't set anything as ro or pivot_root,
+-// because console setup happens inside the caller. You must call
+-// finalizeRootfs in order to finish the rootfs setup.
+-func prepareRootfs(pipe io.ReadWriter, config *configs.Config) (err error) {
++// inside a new mount namespace. It doesn't set anything as ro. You must call
++// finalizeRootfs after this function to finish setting up the rootfs.
++func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig) (err error) {
++ config := iConfig.Config
+ if err := prepareRoot(config); err != nil {
+ return newSystemErrorWithCause(err, "preparing rootfs")
+ }
+@@ -84,6 +84,7 @@ func prepareRootfs(pipe io.ReadWriter, config *configs.Config) (err error) {
+ // The hooks are run after the mounts are setup, but before we switch to the new
+ // root, so that the old root is still available in the hooks for any mount
+ // manipulations.
++ // Note that iConfig.Cwd is not guaranteed to exist here.
+ if err := syncParentHooks(pipe); err != nil {
+ return err
+ }
+@@ -115,6 +116,14 @@ func prepareRootfs(pipe io.ReadWriter, config *configs.Config) (err error) {
+ }
+ }
+
++ if cwd := iConfig.Cwd; cwd != "" {
++ // Note that spec.Process.Cwd can contain unclean value like "../../../../foo/bar...".
++ // However, we are safe to call MkDirAll directly because we are in the jail here.
++ if err := os.MkdirAll(cwd, 0755); err != nil {
++ return err
++ }
++ }
++
+ return nil
+ }
+
+diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
+index b4945c3d..69d2dfb5 100644
+--- a/libcontainer/standard_init_linux.go
++++ b/libcontainer/standard_init_linux.go
+@@ -76,7 +76,7 @@ func (l *linuxStandardInit) Init() error {
+
+ // prepareRootfs() can be executed only for a new mount namespace.
+ if l.config.Config.Namespaces.Contains(configs.NEWNS) {
+- if err := prepareRootfs(l.pipe, l.config.Config); err != nil {
++ if err := prepareRootfs(l.pipe, l.config); err != nil {
+ return err
+ }
+ }
+--
+2.33.0
+
diff --git a/runc.spec b/runc.spec
index c12e66d..f8a7c2a 100644
--- a/runc.spec
+++ b/runc.spec
@@ -4,7 +4,7 @@ Name: docker-runc
 Version: 1.0.0.rc3
-Release: 316
+Release: 317
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
@@ -57,6 +57,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 %changelog
+* Mon Nov 27 2023 zhongjiawei - 1.0.0.rc3-317
+- Type: bugfix
+- CVE: NA
+- SUG: NA
+- DESC: create cwd when it does not exist
+
 * Thu Oct 26 2023 zhongjiawei - 1.0.0.rc3-316
 - Type:bugfix
 - CVE:NA
diff --git a/series.conf b/series.conf
index 2d52c69..5e8c8d6 100644
--- a/series.conf
+++ b/series.conf
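Review bot: The new cwd block in prepareRootfs (rootfs_linux.go, the @@ -115 hunk of the embedded patch) returns the os.MkdirAll error bare, while the prepareRoot failure a few lines up in the same function is wrapped with newSystemErrorWithCause; for a consistent and attributable error I would write `return newSystemErrorWithCause(err, "creating cwd")`. The added comment justifies MkdirAll on an unclean cwd with "we are in the jail here", but the hunk itself does not show the pivot_root/chroot; the @@ -84 context only says the hooks run "before we switch to the new root", so the safety of this block depends on it staying after that switch, and a future backport that reorders the function (or a cwd resolved before the switch) would let a `../`-style or symlinked cwd create directories outside the rootfs. That ordering dependency deserves to be stated next to the code, e.g. `// Must remain after the root switch above: MkdirAll resolves cwd, including any symlinks in it, against the new root.`. The directory is also created by the init process with mode 0755, so if the container process is later switched to a non-root user it may be started in a cwd it cannot write to — presumably acceptable for this backport, but worth a sentence in the spec changelog. prepareRootfs begins outside this hunk.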
@@ -151,4 +151,5 @@ patch/0148-runc-delete-invalid-cgroupinfo-logs.patch
 patch/0149-runc-libct-init-unify-init-fix-its-error-logic.patch
 patch/0150-runc-freezer-add-delay-after-freeze.patch
 patch/0151-runc-fix-update-rt-runtime-us-and-rt-period-us-.patch
+patch/0152-runc-libcontainer-create-Cwd-when-it-does-not-exist.patch
 #end
--
Gitee