Merge pull request #2897 from kolyshkin/fix-ro-paths

runc run: fix readonly path error for rootless + host pidns
opencontainers · Apr 19, 2021 · 3a20ccb · 3a20ccb
2 parents fce58ab + 31dd1e4
commit 3a20ccb
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 2 deletions.
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
@@ -931,9 +931,20 @@ func readonlyPath(path string) error {
 		if os.IsNotExist(err) {
 			return nil
 		}
-		return err
+		return &os.PathError{Op: "bind-mount", Path: path, Err: err}
+	}
+
+	var s unix.Statfs_t
+	if err := unix.Statfs(path, &s); err != nil {
+		return &os.PathError{Op: "statfs", Path: path, Err: err}
 	}
-	return unix.Mount(path, path, "", unix.MS_BIND|unix.MS_REMOUNT|unix.MS_RDONLY|unix.MS_REC, "")
+	flags := uintptr(s.Flags) & (unix.MS_NOSUID | unix.MS_NODEV | unix.MS_NOEXEC)
+
+	if err := unix.Mount(path, path, "", flags|unix.MS_BIND|unix.MS_REMOUNT|unix.MS_RDONLY, ""); err != nil {
+		return &os.PathError{Op: "bind-mount-ro", Path: path, Err: err}
+	}
+
+	return nil
 }
 
 // remountReadonly will remount an existing mount point and ensure that it is read-only.

diff --git a/tests/integration/start_hello.bats b/tests/integration/start_hello.bats
@@ -59,3 +59,20 @@ function teardown() {
 
 	[[ "$(cat pid.txt)" =~ [0-9]+ ]]
 }
+
+# https://github.com/opencontainers/runc/pull/2897
+@test "runc run [rootless with host pidns]" {
+	requires rootless_no_features
+
+	# Remove pid namespace, and replace /proc mount
+	# with a bind mount from the host.
+	update_config '	  .linux.namespaces -= [{"type": "pid"}]
+			| .mounts |= map((select(.type == "proc")
+				| .type = "none"
+				| .source = "/proc"
+				| .options = ["rbind", "nosuid", "nodev", "noexec"]
+			  ) // .)'
+
+	runc run test_hello
+	[ "$status" -eq 0 ]
+}