
Recursive mounts with access-time settings do not work correctly #5095

@saku3

Description

Specifying the following OCI mount options results in an error.

  • ratime
  • rnostrictatime

I mentioned this in the reproduction steps below, but the error occurs in mount_setattr.

The error happens when the clear flag is set to true for the access-time–related flags in recAttrFlags.

In parseMountOptions, we parse the options into recAttrSet and recAttrClr so they can be applied to mount_setattr’s attr_set and attr_clr. However, when clear is true, attr_clr ends up being set to flags like unix.MOUNT_ATTR_NOATIME or unix.MOUNT_ATTR_STRICTATIME.

This violates the following mount_setattr constraint:

MOUNT_ATTR__ATIME isn't partially set in attr_clr

    The kernel will verify that MOUNT_ATTR__ATIME isn't partially set in attr_clr (i.e., either all bits in the MOUNT_ATTR__ATIME bit field are either set or clear), and that attr_set doesn't have any access-time bits set if MOUNT_ATTR__ATIME isn't set in attr_clr.

Additional note: rnorelatime is also an access-time–related option and uses clear = true, but because unix.MOUNT_ATTR_RELATIME is 0x0, no bit is actually set in attr_clr, so mount_setattr succeeds.

Steps to reproduce the issue

  1. Set up the mounts:

     TESTVOLUME=/tmp/mounts_recursive
     sudo mkdir -p "$TESTVOLUME"
     sudo mount -t tmpfs none "$TESTVOLUME"
     sudo mkdir -p "$TESTVOLUME/subvol"
     sudo mount -t tmpfs none "$TESTVOLUME/subvol"

  2. Add a mount entry to config.json:

     {
         "destination": "/mnt",
         "source": "/tmp/mounts_recursive",
         "options": ["rbind", "ratime"]
     }

  3. Run runc:

     $ runc run container
     ERRO[0000] runc run failed: unable to start container process: error during container init: error mounting "/tmp/mounts_recursive" to rootfs at "/mnt": invalid argument

The error occurs in mount_setattr.

$ strace -f -e trace=mount_setattr runc run container
...
[pid 693277] mount_setattr(-1, "/proc/thread-self/fd/13", AT_RECURSIVE, {attr_set=0, attr_clr=MOUNT_ATTR_NOATIME, propagation=0 /* MS_??? */, userns_fd=0}, 32) = -1 EINVAL (Invalid argument)
...

Describe the results you received and expected

Specifying the mount options above should still allow the container to start successfully.

What version of runc are you using?

runc -v

runc version 1.4.0-rc.1+dev
commit: v1.4.0-rc.1-244-g08072e93
spec: 1.3.0
go: go1.24.0
libseccomp: 2.5.5

Host OS information

cat /etc/os-release

PRETTY_NAME="Ubuntu 24.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.2 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo

Host kernel information

No response
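To make the kernel rule concrete, here is an added Go example (not runc's code) that models the option-to-attr_set/attr_clr translation both as the issue reports it and as mount_setattr(2) requires, with the mount.h constants defined locally. The option table, translate and validateAtime are hypothetical names, and treating a negated option ("ratime", "rnostrictatime") as selecting relatime is an assumption of the example.

```go
package main

import "fmt"

// From <linux/mount.h>; defined locally so this runs without golang.org/x/sys.
const MOUNT_ATTR_RELATIME, MOUNT_ATTR_NOATIME, MOUNT_ATTR_STRICTATIME, MOUNT_ATTR__ATIME uint64 = 0x00, 0x10, 0x20, 0x70

// validateAtime mirrors the mount_setattr(2) rule quoted in the issue: attr_clr must hold
// all or none of MOUNT_ATTR__ATIME, and attr_set may carry atime bits only when it holds all.
func validateAtime(attrSet, attrClr uint64) error {
	clr := attrClr & MOUNT_ATTR__ATIME
	if clr != 0 && clr != MOUNT_ATTR__ATIME {
		return fmt.Errorf("EINVAL: attr_clr=%#x partially clears MOUNT_ATTR__ATIME", attrClr)
	}
	if attrSet&MOUNT_ATTR__ATIME != 0 && clr == 0 {
		return fmt.Errorf("EINVAL: attr_set=%#x has atime bits but attr_clr lacks MOUNT_ATTR__ATIME", attrSet)
	}
	return nil
}

// atimeOpt is a hypothetical (flag, clear) pair modelled on the recAttrFlags entries the issue describes.
type atimeOpt struct{ flag uint64; clear bool }
var atimeOpts = map[string]atimeOpt{
	"ratime": {MOUNT_ATTR_NOATIME, true}, "rnoatime": {MOUNT_ATTR_NOATIME, false},
	"rrelatime": {MOUNT_ATTR_RELATIME, false}, "rnorelatime": {MOUNT_ATTR_RELATIME, true},
	"rstrictatime": {MOUNT_ATTR_STRICTATIME, false}, "rnostrictatime": {MOUNT_ATTR_STRICTATIME, true},
}

// translate builds attr_set/attr_clr from r* options. fixed=false reproduces the reported
// translation (a "clear" option drops its own flag into attr_clr); fixed=true always clears
// the whole field and sets the wanted mode. Assumption: a negated option selects relatime.
func translate(opts []string, fixed bool) (set, clr uint64) {
	for _, o := range opts {
		switch a, ok := atimeOpts[o]; {
		case !ok: // not an access-time option, e.g. "rbind"
		case fixed:
			mode := a.flag
			if a.clear {
				mode = MOUNT_ATTR_RELATIME
			}
			clr |= MOUNT_ATTR__ATIME
			set = (set &^ MOUNT_ATTR__ATIME) | mode
		case a.clear:
			clr |= a.flag // partial clear: 0x10 for ratime, 0x20 for rnostrictatime, 0x0 for rnorelatime
		default:
			set, clr = set|a.flag, clr|MOUNT_ATTR__ATIME // set path assumed to carry the full mask already
		}
	}
	return set, clr
}
```

With fixed=false, ["rbind", "ratime"] yields attr_clr=0x10, the exact MOUNT_ATTR_NOATIME-only clear seen in the strace above, and validateAtime rejects it; with fixed=true the same options yield attr_clr=0x70, attr_set=0x0 and pass.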
