!156 [sync] PR-153: runc：fix shared pidns detection

From: @openeuler-sync-bot Reviewed-by: @duguhaotian Signed-off-by: @duguhaotian
2023-06-26 01:49:11 +00:00 · 2023-06-26 01:49:11 +00:00 · bc2770e358
commit bc2770e358
parent a363af70c1 52bc0f21b4
3 changed files with 75 additions and 1 deletions
--- a/patch/0138-runc-libct-fix-shared-pidns-detection.patch
+++ b/patch/0138-runc-libct-fix-shared-pidns-detection.patch
@ -0,0 +1,67 @@
+From fa6c4b2cbb985a765b4fae14470453b7a573c665 Mon Sep 17 00:00:00 2001
+From: Kir Kolyshkin <kolyshkin@gmail.com>
+Date: Fri, 12 May 2023 16:04:11 -0700
+Subject: [PATCH] libct: fix shared pidns detection
+
+When someone is using libcontainer to start and kill containers from a
+long lived process (i.e. the same process creates and removes the
+container), initProcess.wait method is used, which has a kludge to work
+around killing containers that do not have their own PID namespace.
+
+The code that checks for own PID namespace is not entirely correct.
+To be exact, it does not set sharePidns flag when the host/caller PID
+namespace is implicitly used. As a result, the above mentioned kludge
+does not work.
+
+Fix the issue, add a test case (which fails without the fix).
+
+Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
+---
+ libcontainer/configs/namespaces_syscall.go | 12 ++++++++++++
+ libcontainer/container_linux.go            |  3 +--
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/libcontainer/configs/namespaces_syscall.go b/libcontainer/configs/namespaces_syscall.go
+index fb4b8522..6171a3b6 100644
+--- a/libcontainer/configs/namespaces_syscall.go
+++ b/libcontainer/configs/namespaces_syscall.go
+@@ -29,3 +29,15 @@ func (n *Namespaces) CloneFlags() uintptr {
+ 	}
+ 	return uintptr(flag)
+ }
+
+// IsPrivate tells whether the namespace of type t is configured as private
+// (i.e. it exists and is not shared).
+func (n Namespaces) IsPrivate(t NamespaceType) bool {
+	for _, v := range n {
+		if v.Type == t {
+			return v.Path == ""
+		}
+	}
+	// Not found, so implicitly sharing a parent namespace.
+	return false
+}
+diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
+index 7be84a63..113dbf42 100644
+--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
+@@ -488,7 +488,6 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c
+ 			nsMaps[ns.Type] = ns.Path
+ 		}
+ 	}
+-	_, sharePidns := nsMaps[configs.NEWPID]
+ 	data, err := c.bootstrapData(c.config.Namespaces.CloneFlags(), nsMaps)
+ 	if err != nil {
+ 		return nil, err
+@@ -502,7 +501,7 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c
+ 		container:     c,
+ 		process:       p,
+ 		bootstrapData: data,
+-		sharePidns:    sharePidns,
+		sharePidns:    !c.config.Namespaces.IsPrivate(configs.NEWPID),
+ 		rootDir:       rootDir,
+ 	}, nil
+ }
+-- 
+2.33.0
+
--- a/runc.spec
+++ b/runc.spec
@ -2,7 +2,7 @@

 Name: docker-runc
 Version: 1.0.0.rc3
-Release: 212
+Release: 213
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.

 License: ASL 2.0
@ -41,6 +41,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc

 %changelog
+* Mon Jun 25 2023 zhongjiawei<zhongjiawei1@huawei.com> - 1.0.0.rc3-213
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:sync patch
+
 * Tue Apr 4 2023 zhongjiawei<zhongjiawei1@huawei.com> - 1.0.0.rc3-212
 - Type:bugfix
 - CVE:NA
--- a/series.conf
+++ b/series.conf
@ -129,3 +129,4 @@
 0135-runc-libct-cg-fs-blkio-do-not-set-weight-0.patch
 0136-runc-run-resolve-tmpfs-mount-dest-in-container-scope.patch
 0137-runc-Prohibit-proc-and-sys-to-be-symlinks.patch
+0138-runc-libct-fix-shared-pidns-detection.patch