Skip to content

Commit

Permalink
libct: fix stdio permission error for userns container
Browse files Browse the repository at this point in the history
We should let stdio could be accessed in userns container.
Please see opencontainers#4475
Because the default permission of stdio is 0o700, other user can't access
them. If we don't change the permission to 0o666, We'll get an error msg if
we access stdio in a userns contaienr: ***: /dev/std***: Permission denied.

Signed-off-by: lifubang <[email protected]>
  • Loading branch information
lifubang committed Oct 26, 2024
1 parent 4ad9f7f commit 9b17259
Showing 1 changed file with 35 additions and 0 deletions.
35 changes: 35 additions & 0 deletions libcontainer/container_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -346,6 +346,15 @@ func (c *Container) start(process *Process) (retErr error) {
if err := utils.CloseExecFrom(3); err != nil {
return fmt.Errorf("unable to mark non-stdio fds as cloexec: %w", err)
}

// We should let stdio could be accessed in userns container.
// Please see https://github.com/opencontainers/runc/issues/4475
// Because the default permission of stdio is 0o700, other user can't access
// them. If we don't change the permission to 0o666, We'll get an error msg if
// we access stdio in a userns container: ***: /dev/std***: Permission denied.
if err := c.fixStdioPermission(); err != nil {
return fmt.Errorf("unable to change permission of stdio: %w", err)
}
if err := parent.start(); err != nil {
return fmt.Errorf("unable to start container process: %w", err)
}
Expand Down Expand Up @@ -506,6 +515,32 @@ func isDmzBinarySafe(c *configs.Config) bool {
return false
}

func (c *Container) fixStdioPermission() error {
rootuid, err := c.Config().HostRootUID()
if err != nil {
return err
}
rootgid, err := c.Config().HostRootGID()
if err != nil {
return err
}
uid := os.Getuid()
gid := os.Getgid()

if uid != rootuid && gid != rootgid {
if err := os.Stdin.Chmod(0o666); err != nil {
return err
}
if err := os.Stdout.Chmod(0o666); err != nil {
return err
}
if err := os.Stderr.Chmod(0o666); err != nil {
return err
}
}
return nil
}

func (c *Container) newParentProcess(p *Process) (parentProcess, error) {
comm, err := newProcessComm()
if err != nil {
Expand Down

0 comments on commit 9b17259

Please sign in to comment.