Merge pull request #4509 from cyphar/overlay-exe-fixups
dmz: overlay: minor fixups
AkihiroSuda authored Nov 8, 2024
2 parents ef3999d + b9dfb22 commit 2fc0caf
Showing 3 changed files with 19 additions and 3 deletions.
2 changes: 0 additions & 2 deletions README.md
Expand Up @@ -113,8 +113,6 @@ The following build tags were used earlier, but are now obsoleted:
- **apparmor** (since runc v1.0.0-rc93 the feature is always enabled)
- **selinux** (since runc v1.0.0-rc93 the feature is always enabled)

[contrib-memfd-bind]: /contrib/cmd/memfd-bind/README.md

### Running the test suite

`runc` currently supports running its test suite via Docker.
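Review bot: this hunk deletes the `[contrib-memfd-bind]: /contrib/cmd/memfd-bind/README.md` link reference definition, but the visible context (the obsolete build-tag list around old line 113) does not show whether a `[...][contrib-memfd-bind]` reference still exists elsewhere in README.md. Please grep README.md for `contrib-memfd-bind` before merging: a reference left without its definition renders as literal square brackets instead of a link. If the intent is that the top-level README no longer points readers at memfd-bind now that the overlayfs protection exists, any sentence that still does so should be updated in the same change.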
13 changes: 12 additions & 1 deletion contrib/cmd/memfd-bind/README.md
@@ -1,6 +1,15 @@
## memfd-bind ##

`runc` normally has to make a binary copy of itself when constructing a
> **NOTE**: Since runc 1.2.0, runc will now use a private overlayfs mount to
> protect the runc binary. This protection is far more light-weight than
> memfd-bind, and for most users this should obviate the need for `memfd-bind`
> entirely. Rootless containers will still make a memfd copy (unless you are
> using `runc` itself inside a user namespace -- a-la
> [`rootlesskit`][rootlesskit]), but `memfd-bind` is not particularly useful
> for rootless container users anyway (see [Caveats](#Caveats) for more
> details).
`runc` sometimes has to make a binary copy of itself when constructing a
container process in order to defend against certain container runtime attacks
such as CVE-2019-5736.

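Review bot: as displayed, the last blockquote line `> details).` is immediately followed by the new paragraph line starting `` `runc` sometimes has to make a binary copy of itself `` with no blank line between them; under CommonMark lazy continuation that whole paragraph would be absorbed into the blockquote and render as part of the NOTE rather than as body text. The hunk header claims 15 new lines while only 14 are shown here, so the rendering may have dropped a blank line; please confirm in the raw file that a blank line separates the blockquote from the paragraph. Two nits in the note text: after "Since runc 1.2.0," the phrase "runc will now use" reads better as "runc uses", and "a-la" should be "à la". It is also worth verifying that `[Caveats](#Caveats)` resolves to the `### Caveats ###` heading in the rendered page, since GitHub generates lowercase heading ids.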
Expand Down Expand Up @@ -38,6 +47,8 @@ much memory usage they can use:
container process setup takes up about 10MB per process spawned inside the
container by runc (both pid1 and `runc exec`).

[rootlesskit]: https://github.com/rootless-containers/rootlesskit

### Caveats ###

There are several downsides with using `memfd-bind` on the `runc` binary:
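Review bot: style only: the `[rootlesskit]: https://github.com/rootless-containers/rootlesskit` reference definition is dropped between the memory-usage paragraph and the `### Caveats ###` heading. Link reference definitions are easier to find and maintain when collected at the end of the file rather than interleaved with prose; functionally the definition is fine and is what the `[rootlesskit]` reference in the new NOTE at the top of this file relies on.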
7 changes: 7 additions & 0 deletions libcontainer/dmz/overlayfs_linux.go
Expand Up @@ -84,6 +84,13 @@ func sealedOverlayfs(binPath, tmpDir string) (_ *os.File, Err error) {
return nil, fmt.Errorf("fsconfig set overlayfs lowerdir=%s: %w", lowerDirStr, err)
}

// We don't care about xino (Linux 4.17) but it will be auto-enabled on
// some systems (if /run/runc and /usr/bin are on different filesystems)
// and this produces spurious dmesg log entries. We can safely ignore
// errors when disabling this because we don't actually care about the
// setting and we're just opportunistically disabling it.
_ = unix.FsconfigSetString(int(overlayCtx.Fd()), "xino", "off")

// Get an actual handle to the overlayfs.
if err := unix.FsconfigCreate(int(overlayCtx.Fd())); err != nil {
return nil, os.NewSyscallError("fsconfig create overlayfs", err)
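Review bot: the result of `_ = unix.FsconfigSetString(int(overlayCtx.Fd()), "xino", "off")` is discarded unconditionally. Since xino only affects inode-number mapping and has no bearing on the property this overlay exists for (a sealed, read-only view of the runc binary), ignoring a failure is acceptable for correctness, and the comment explains the motivation well; consider saying explicitly that the setting does not affect the protection. It would still be better to narrow the ignore to EINVAL (option rejected) and log any other error at debug level: the fsconfig-based mount path this code already relies on is newer than the 4.17 cut-off the comment mentions, so an unknown-option failure should not occur in practice, and if the option is refused for some other reason the spurious dmesg entries the comment is trying to suppress will come back with no indication of why. Also worth confirming in CI that a rejected `xino` option does not cause the following `unix.FsconfigCreate` on the same context to fail.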