runc exec: setupRlimits after syscall.rlimit.init() completed

lifubang · lifubang · commit a853a82677da · 2024-05-08T10:40:07.000Z
Issue: opencontainers#4195 Since https://go-review.googlesource.com/c/go/+/476097, there is a get/set race between runc exec and syscall.rlimit.init, so we need to call setupRlimits after syscall.rlimit.init() completed. Signed-off-by: lifubang <lifubang@acmcoder.com>
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
@@ -268,20 +268,26 @@ func (p *setnsProcess) start() (retErr error) {
 			}
 		}
 	}
-	// set rlimits, this has to be done here because we lose permissions
-	// to raise the limits once we enter a user-namespace
-	if err := setupRlimits(p.config.Rlimits, p.pid()); err != nil {
-		return fmt.Errorf("error setting rlimits for process: %w", err)
-	}
+
 	if err := utils.WriteJSON(p.comm.initSockParent, p.config); err != nil {
 		return fmt.Errorf("error writing config to pipe: %w", err)
 	}
 
+	var seenProcReady bool
 	ierr := parseSync(p.comm.syncSockParent, func(sync *syncT) error {
 		switch sync.Type {
 		case procReady:
-			// This shouldn't happen.
-			panic("unexpected procReady in setns")
+			seenProcReady = true
+			// Set rlimits, this has to be done here because we lose permissions
+			// to raise the limits once we enter a user-namespace
+			if err := setupRlimits(p.config.Rlimits, p.pid()); err != nil {
+				return fmt.Errorf("error setting rlimits for ready process: %w", err)
+			}
+
+			// Sync with child.
+			if err := writeSync(p.comm.syncSockParent, procRun); err != nil {
+				return err
+			}
 		case procHooks:
 			// This shouldn't happen.
 			panic("unexpected procHooks in setns")
@@ -340,6 +346,9 @@ func (p *setnsProcess) start() (retErr error) {
 	if err := p.comm.syncSockParent.Shutdown(unix.SHUT_WR); err != nil && ierr == nil {
 		return err
 	}
+	if !seenProcReady && ierr == nil {
+		ierr = errors.New("procReady not received")
+	}
 	// Must be done after Shutdown so the child will exit and we can wait for it.
 	if ierr != nil {
 		_, _ = p.wait()
@@ -774,7 +783,7 @@ func (p *initProcess) start() (retErr error) {
 			}
 		case procReady:
 			seenProcReady = true
-			// set rlimits, this has to be done here because we lose permissions
+			// Set rlimits, this has to be done here because we lose permissions
 			// to raise the limits once we enter a user-namespace
 			if err := setupRlimits(p.config.Rlimits, p.pid()); err != nil {
 				return fmt.Errorf("error setting rlimits for ready process: %w", err)
diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
@@ -77,6 +77,13 @@ func (l *linuxSetnsInit) Init() error {
 		}
 	}
 
+	// Tell our parent that we're ready to exec. This must be done before the
+	// Seccomp rules have been applied, because we need to be able to read and
+	// write to a socket.
+	if err := syncParentReady(l.pipe); err != nil {
+		return fmt.Errorf("sync ready: %w", err)
+	}
+
 	if err := selinux.SetExecLabel(l.config.ProcessLabel); err != nil {
 		return err
 	}

Original file line number	Diff line number	Diff line change
`@@ -77,6 +77,13 @@ func (l *linuxSetnsInit) Init() error {`
`77`	`77`	`}`
`78`	`78`	`}`
`79`	`79`
	`80`	`+ // Tell our parent that we're ready to exec. This must be done before the`
	`81`	`+ // Seccomp rules have been applied, because we need to be able to read and`
	`82`	`+ // write to a socket.`
	`83`	`+ if err := syncParentReady(l.pipe); err != nil {`
	`84`	`+ return fmt.Errorf("sync ready: %w", err)`
	`85`	`+ }`
	`86`	`+`
`80`	`87`	`if err := selinux.SetExecLabel(l.config.ProcessLabel); err != nil {`
`81`	`88`	`return err`
`82`	`89`	`}`