!156 [sync] PR-153: runc：fix shared pidns detection

From: @openeuler-sync-bot Reviewed-by: @duguhaotian Signed-off-by: @duguhaotian
2023-06-26 01:49:11 +00:00 · 2023-06-26 01:49:11 +00:00 · bc2770e358
commit bc2770e358
parent a363af70c1 52bc0f21b4
3 changed files with 75 additions and 1 deletions
--- a/patch/0138-runc-libct-fix-shared-pidns-detection.patch
+++ b/patch/0138-runc-libct-fix-shared-pidns-detection.patch
@ -0,0 +1,67 @@
 From fa6c4b2cbb985a765b4fae14470453b7a573c665 Mon Sep 17 00:00:00 2001
 From: Kir Kolyshkin <kolyshkin@gmail.com>
 Date: Fri, 12 May 2023 16:04:11 -0700
 Subject: [PATCH] libct: fix shared pidns detection
 When someone is using libcontainer to start and kill containers from a
 long lived process (i.e. the same process creates and removes the
 container), initProcess.wait method is used, which has a kludge to work
 around killing containers that do not have their own PID namespace.
 The code that checks for own PID namespace is not entirely correct.
 To be exact, it does not set sharePidns flag when the host/caller PID
 namespace is implicitly used. As a result, the above mentioned kludge
 does not work.
 Fix the issue, add a test case (which fails without the fix).
 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
 ---
 libcontainer/configs/namespaces_syscall.go | 12 ++++++++++++
 libcontainer/container_linux.go            |  3 +--
 2 files changed, 13 insertions(+), 2 deletions(-)
 diff --git a/libcontainer/configs/namespaces_syscall.go b/libcontainer/configs/namespaces_syscall.go
 index fb4b8522..6171a3b6 100644
 --- a/libcontainer/configs/namespaces_syscall.go
 +++ b/libcontainer/configs/namespaces_syscall.go
@@ -29,3 +29,15 @@ func (n *Namespaces) CloneFlags() uintptr {
 	}
 	return uintptr(flag)
 }
 +
 +// IsPrivate tells whether the namespace of type t is configured as private
 +// (i.e. it exists and is not shared).
 +func (n Namespaces) IsPrivate(t NamespaceType) bool {
 +	for _, v := range n {
 +		if v.Type == t {
 +			return v.Path == ""
 +		}
 +	}
 +	// Not found, so implicitly sharing a parent namespace.
 +	return false
 +}
 diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
 index 7be84a63..113dbf42 100644
 --- a/libcontainer/container_linux.go
 +++ b/libcontainer/container_linux.go
@@ -488,7 +488,6 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c
 			nsMaps[ns.Type] = ns.Path
 		}
 	}
 -	_, sharePidns := nsMaps[configs.NEWPID]
 	data, err := c.bootstrapData(c.config.Namespaces.CloneFlags(), nsMaps)
 	if err != nil {
 		return nil, err
@@ -502,7 +501,7 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c
 		container:     c,
 		process:       p,
 		bootstrapData: data,
 -		sharePidns:    sharePidns,
 +		sharePidns:    !c.config.Namespaces.IsPrivate(configs.NEWPID),
 		rootDir:       rootDir,
 	}, nil
 }
 -- 
 2.33.0
--- a/runc.spec
+++ b/runc.spec
@ -2,7 +2,7 @@
 Name: docker-runc
 Version: 1.0.0.rc3
-Release: 212
+Release: 213
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
@ -41,6 +41,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 %changelog
 * Mon Jun 25 2023 zhongjiawei<zhongjiawei1@huawei.com> - 1.0.0.rc3-213
 - Type:bugfix
 - CVE:NA
 - SUG:NA
 - DESC:sync patch
 * Tue Apr 4 2023 zhongjiawei<zhongjiawei1@huawei.com> - 1.0.0.rc3-212
 - Type:bugfix
 - CVE:NA
--- a/series.conf
+++ b/series.conf
@ -129,3 +129,4 @@
 0135-runc-libct-cg-fs-blkio-do-not-set-weight-0.patch
 0136-runc-run-resolve-tmpfs-mount-dest-in-container-scope.patch
 0137-runc-Prohibit-proc-and-sys-to-be-symlinks.patch
 0138-runc-libct-fix-shared-pidns-detection.patch