Skip to content

[1.1] Fix runc run "permission denied" when rootless#3817

Merged
kolyshkin merged 2 commits intoopencontainers:release-1.1from
kolyshkin:1.1-user-exec
Apr 7, 2023
Merged

[1.1] Fix runc run "permission denied" when rootless#3817
kolyshkin merged 2 commits intoopencontainers:release-1.1from
kolyshkin:1.1-user-exec

Conversation

@kolyshkin
Copy link
Contributor

@kolyshkin kolyshkin commented Apr 6, 2023

This is a backport of #3753 to release-1.1 branch. Original description follows.

Fixes: #3715

Since PR #3522 (commit 957d97b) was made to fix issue #3520,
a few things happened:

  • a similar functionality appeared in go 1.20 [1], so the issue
    mentioned in the comment (being removed) is no longer true;
  • a bug in runc was found [2], which also affects go [3];
  • the bug was fixed in go 1.21 [4] and 1.20.2 [5];
  • a similar fix was made to x/sys/unix.Faccessat [6].

The essense of the bug #3715 is, even if a (non-root) user that the container is
run as does not have execute permission bit set for the executable, it
should still work in case runc has the CAP_DAC_OVERRIDE capability set.

To fix #3715 without reintroducing the older bug [7]:

  • drop own Eaccess implementation;
  • use the one from x/sys/unix for Go 1.19 (depends on [6]);
  • do not use anything when Go 1.20+ is used.

Add a test case to make sure we won't regress.

NOTE it is virtually impossible to fix the bug [2] when Go 1.20 or Go
1.20.1 is used because of [3].

[1] https://go-review.googlesource.com/c/go/+/414824
[2] #3715
[3] https://go.dev/issue/58552
[4] https://go-review.googlesource.com/c/go/+/468735
[5] https://go-review.googlesource.com/c/go/+/469956
[6] https://go-review.googlesource.com/c/sys/+/468877
[7] #3520

@kolyshkin kolyshkin mentioned this pull request Apr 6, 2023
Merged
@kolyshkin kolyshkin added this to the 1.1.6 milestone Apr 6, 2023
@kolyshkin kolyshkin added regression backport/1.1-pr A backport PR to release-1.1 labels Apr 6, 2023
@kolyshkin kolyshkin marked this pull request as ready for review April 6, 2023 23:48
kolyshkin added 2 commits April 6, 2023 18:07
@kolyshkin
Fix runc run "permission denied" when rootless
840b953 
Since commit 957d97b was made to fix issue [7],
a few things happened:

- a similar functionality appeared in go 1.20 [1], so the issue
  mentioned in the comment (being removed) is no longer true;
- a bug in runc was found [2], which also affects go [3];
- the bug was fixed in go 1.21 [4] and 1.20.2 [5];
- a similar fix was made to x/sys/unix.Faccessat [6].

The essense of [2] is, even if a (non-root) user that the container is
run as does not have execute permission bit set for the executable, it
should still work in case runc has the CAP_DAC_OVERRIDE capability set.

To fix this [2] without reintroducing the older bug [7]:
- drop own Eaccess implementation;
- use the one from x/sys/unix for Go 1.19 (depends on [6]);
- do not use anything when Go 1.20+ is used.

NOTE it is virtually impossible to fix the bug [2] when Go 1.20 or Go
1.20.1 is used because of [3].

A test case is added by a separate commit.

Fixes: opencontainers#3715.

[1] https://go-review.googlesource.com/c/go/+/414824
[2] opencontainers#3715
[3] https://go.dev/issue/58552
[4] https://go-review.googlesource.com/c/go/+/468735
[5] https://go-review.googlesource.com/c/go/+/469956
[6] https://go-review.googlesource.com/c/sys/+/468877
[7] opencontainers#3520

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 8491d33)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin
tests/int: test for CAP_DAC_OVERRIDE
d30d240 
This is a test case for issue reported as opencontainers#3715. In short, even if a
(non-root) user that the container is run as does not have execute
permission bit set for the executable, it should still work in case runc
has the CAP_DAC_OVERRIDE capability set.

Note that since the upstream golang is also broken (see [1]), this test
will fail for Go 1.20 and 1.20.1 (fix is in Go 1.20.2 as per [2]).

[1] https://go.dev/issue/58552
[2] https://go-review.googlesource.com/c/go/+/469956

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 8293ef2)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin kolyshkin enabled auto-merge April 7, 2023 01:07
@kolyshkin kolyshkin merged commit 9c1c844 into opencontainers:release-1.1 Apr 7, 2023
This was referenced Apr 7, 2023
Closed
Merged
@kolyshkin kolyshkin mentioned this pull request Aug 10, 2023
Merged
@pacoxu pacoxu mentioned this pull request Feb 5, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrunalp mrunalp mrunalp approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees

No one assigned

Labels

backport/1.1-pr A backport PR to release-1.1 regression

Projects

None yet

Milestone

1.1.6

Development

Successfully merging this pull request may close these issues.

3 participants

@kolyshkin @mrunalp @AkihiroSuda