libct: fix stdio permission error for userns container

If the root in the container is different from current root user, we need to change the owner of stdio before we enter the user namespace, or else we may can't access stdio in the container. Please see opencontainers#4475 Signed-off-by: lifubang <[email protected]>
lifubang · Oct 28, 2024 · 1bfef02 · 1bfef02
1 parent 4ad9f7f
commit 1bfef02
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
@@ -346,6 +346,14 @@ func (c *Container) start(process *Process) (retErr error) {
 	if err := utils.CloseExecFrom(3); err != nil {
 		return fmt.Errorf("unable to mark non-stdio fds as cloexec: %w", err)
 	}
+
+	// If the root in the container is different from current root user, we
+	// need to change the owner of stdio before we enter the user namespace,
+	// or else we may can't access stdio in the container.
+	// Please see https://github.com/opencontainers/runc/issues/4475
+	if err := c.fixStdioPermission(); err != nil {
+		return fmt.Errorf("unable to change permission of stdio: %w", err)
+	}
 	if err := parent.start(); err != nil {
 		return fmt.Errorf("unable to start container process: %w", err)
 	}
@@ -506,6 +514,26 @@ func isDmzBinarySafe(c *configs.Config) bool {
 	return false
 }
 
+func (c *Container) fixStdioPermission() error {
+	rootuid, err := c.Config().HostRootUID()
+	if err != nil {
+		return err
+	}
+	rootgid, err := c.Config().HostRootGID()
+	if err != nil {
+		return err
+	}
+
+	if rootuid > 0 || rootgid > 0 {
+		for _, file := range []*os.File{os.Stdin, os.Stdout, os.Stderr} {
+			if err := file.Chown(rootuid, rootgid); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
 func (c *Container) newParentProcess(p *Process) (parentProcess, error) {
 	comm, err := newProcessComm()
 	if err != nil {