Skip to content

[1.2] libct/nsenter: become root after joining userns #4477

Merged
lifubang merged 2 commits intoopencontainers:release-1.2from
kolyshkin:1.2-userns
Oct 26, 2024
Merged

[1.2] libct/nsenter: become root after joining userns #4477
lifubang merged 2 commits intoopencontainers:release-1.2from
kolyshkin:1.2-userns

Conversation

@kolyshkin
Copy link
Copy Markdown
Contributor

@kolyshkin kolyshkin commented Oct 26, 2024

Backport of #4473 to release1.2. Original description follows.

PS I checked the added test case in #4476.

Containerd pre-creates userns and netns before calling runc, which
results in the current code not working when SELinux is enabled,
resulting in the following error:

runc create failed: unable to start container process: error during
container init: error mounting "mqueue" to rootfs at "/dev/mqueue":
setxattr /path/to/rootfs/dev/mqueue: operation not permitted

The solution is to become root in the user namespace right after
we join it.

Fixes #4466.

Co-authored-by: Wei Fu fuweid89@gmail.com
Co-authored-by: Kir Kolyshkin kolyshkin@gmail.com
Co-authored-by: Aleksa Sarai cyphar@cyphar.com
Signed-off-by: lifubang lifubang@acmcoder.com

lifubang and others added 2 commits October 25, 2024 18:13
@lifubang @fuweid
@kolyshkin @cyphar
libct/nsenter: become root after joining userns
1eb9ad3 
Containerd pre-creates userns and netns before calling runc, which
results in the current code not working when SELinux is enabled,
resulting in the following error:

> runc create failed: unable to start container process: error during
container init: error mounting "mqueue" to rootfs at "/dev/mqueue":
setxattr /path/to/rootfs/dev/mqueue: operation not permitted

The solution is to become root in the user namespace right after
we join it.

Fixes opencontainers#4466.

Co-authored-by: Wei Fu <fuweid89@gmail.com>
Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit c78f3f2)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@lifubang @kolyshkin
test join other container userns with selinux enabled
74a5c78 
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 34a9285)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin kolyshkin added the backport/1.2-pr A backport PR to release-1.2 label Oct 26, 2024
@kolyshkin kolyshkin added this to the 1.2.1 milestone Oct 26, 2024
@kolyshkin kolyshkin changed the base branch from main to release-1.2 October 26, 2024 01:16
@kolyshkin kolyshkin changed the title 1.2 userns [1.2] libct/nsenter: become root after joining userns Oct 26, 2024
@kolyshkin kolyshkin added area/selinux SELinux area/userns User Namespaces labels Oct 26, 2024
@kolyshkin kolyshkin marked this pull request as ready for review October 26, 2024 01:18
@kolyshkin kolyshkin mentioned this pull request Oct 26, 2024
Open
@lifubang lifubang merged commit 0e4ee02 into opencontainers:release-1.2 Oct 26, 2024
@kolyshkin kolyshkin mentioned this pull request Oct 28, 2024
Closed
@rata rata mentioned this pull request Nov 1, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lifubang lifubang lifubang approved these changes

@cyphar cyphar cyphar approved these changes

Assignees

No one assigned

Labels

area/selinux SELinux area/userns User Namespaces backport/1.2-pr A backport PR to release-1.2

Projects

None yet

Milestone

1.2.1

Development

Successfully merging this pull request may close these issues.

containerd's TestPodUserNS fails with runc v1.2 (succeeds with crun) on SELinux distro: setxattr /[...]/dev/mqueue: operation not permitted

3 participants

@kolyshkin @lifubang @cyphar