runc exec: setupRlimits after syscall.rlimit.init() completed

lifubang · lifubang · commit ebc0f656ad7f · 2024-05-09T10:56:55.000Z
Issue: opencontainers#4195 Since https://go-review.googlesource.com/c/go/+/476097, there is a get/set race between runc exec and syscall.rlimit.init, so we need to call setupRlimits after syscall.rlimit.init() completed. Signed-off-by: lifubang <lifubang@acmcoder.com> (cherry picked from commit a853a82) Signed-off-by: lifubang <lifubang@acmcoder.com>
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
@@ -152,20 +152,22 @@ func (p *setnsProcess) start() (retErr error) {
 			}
 		}
 	}
-	// set rlimits, this has to be done here because we lose permissions
-	// to raise the limits once we enter a user-namespace
-	if err := setupRlimits(p.config.Rlimits, p.pid()); err != nil {
-		return fmt.Errorf("error setting rlimits for process: %w", err)
-	}
+
 	if err := utils.WriteJSON(p.messageSockPair.parent, p.config); err != nil {
 		return fmt.Errorf("error writing config to pipe: %w", err)
 	}
 
 	ierr := parseSync(p.messageSockPair.parent, func(sync *syncT) error {
 		switch sync.Type {
 		case procReady:
-			// This shouldn't happen.
-			panic("unexpected procReady in setns")
+			// Set rlimits, this has to be done here because we lose permissions
+			// to raise the limits once we enter a user-namespace
+			if err := setupRlimits(p.config.Rlimits, p.pid()); err != nil {
+				return fmt.Errorf("error setting rlimits for ready process: %w", err)
+			}
+
+			// Sync with child.
+			return writeSync(p.messageSockPair.parent, procRun)
 		case procHooks:
 			// This shouldn't happen.
 			panic("unexpected procHooks in setns")
@@ -495,7 +497,7 @@ func (p *initProcess) start() (retErr error) {
 				return err
 			}
 		case procReady:
-			// set rlimits, this has to be done here because we lose permissions
+			// Set rlimits, this has to be done here because we lose permissions
 			// to raise the limits once we enter a user-namespace
 			if err := setupRlimits(p.config.Rlimits, p.pid()); err != nil {
 				return fmt.Errorf("error setting rlimits for ready process: %w", err)
diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
@@ -61,6 +61,14 @@ func (l *linuxSetnsInit) Init() error {
 			return err
 		}
 	}
+
+	// Tell our parent that we're ready to exec. This must be done before the
+	// Seccomp rules have been applied, because we need to be able to read and
+	// write to a socket.
+	if err := syncParentReady(l.pipe); err != nil {
+		return fmt.Errorf("sync ready: %w", err)
+	}
+
 	if err := selinux.SetExecLabel(l.config.ProcessLabel); err != nil {
 		return err
 	}

Original file line number	Diff line number	Diff line change
`@@ -61,6 +61,14 @@ func (l *linuxSetnsInit) Init() error {`
`61`	`61`	`return err`
`62`	`62`	`}`
`63`	`63`	`}`
	`64`	`+`
	`65`	`+ // Tell our parent that we're ready to exec. This must be done before the`
	`66`	`+ // Seccomp rules have been applied, because we need to be able to read and`
	`67`	`+ // write to a socket.`
	`68`	`+ if err := syncParentReady(l.pipe); err != nil {`
	`69`	`+ return fmt.Errorf("sync ready: %w", err)`
	`70`	`+ }`
	`71`	`+`
`64`	`72`	`if err := selinux.SetExecLabel(l.config.ProcessLabel); err != nil {`
`65`	`73`	`return err`
`66`	`74`	`}`