From 5e0e67d76cc99d76c8228d48f38f37034503f315 Mon Sep 17 00:00:00 2001
From: Kurnia D Win
Date: Thu, 18 Jul 2019 05:57:23 +0700
Subject: [PATCH] fix permission denied when exec as root and config.Cwd is not owned by root, exec will fail because root doesn't have the caps. So, Chdir should be done before setting the caps.
Signed-off-by: Kurnia D Win
---
 libcontainer/init_linux.go | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
index cd7ff67a702..c1b1560020e 100644
--- a/libcontainer/init_linux.go
+++ b/libcontainer/init_linux.go
@@ -127,6 +127,12 @@ func finalizeNamespace(config *initConfig) error {
 return errors.Wrap(err, "close exec fds")
 }
+ if config.Cwd != "" {
+ if err := unix.Chdir(config.Cwd); err != nil {
+ return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %v", config.Cwd, err)
+ }
+ }
+
 capabilities := &configs.Capabilities{}
 if config.Capabilities != nil {
 capabilities = config.Capabilities
@@ -154,11 +160,6 @@ func finalizeNamespace(config *initConfig) error {
 if err := w.ApplyCaps(); err != nil {
 return errors.Wrap(err, "apply caps")
 }
- if config.Cwd != "" {
- if err := unix.Chdir(config.Cwd); err != nil {
- return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %v", config.Cwd, err)
- }
- }
 return nil
 }
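Review bot: The relocated `unix.Chdir(config.Cwd)` in the first hunk now runs before the capability handling that follows it, so the directory is entered with whatever privileges init still holds rather than those of the configured process. Two consequences deserve handling: a cwd below a directory the final user cannot traverse is now entered successfully, and, if the user switch sits in the unseen lines between the two hunks (which seems likely), a cwd that only that user can reach would start failing. A safer shape is to try the chdir early and, on `unix.EACCES`, retry it at the old position after `w.ApplyCaps()`, with a comment stating which credentials each attempt uses. finalizeNamespace starts before this hunk and continues past it, so the sketch below shows only the two chdir sites.

```go
// … unchanged: close exec fds …

// First attempt runs with the privileges init still holds, so a cwd that
// only the invoking user can reach is accepted. This is deliberate; the
// process keeps that cwd after capabilities are dropped.
doChdir := config.Cwd != ""
if doChdir {
	switch err := unix.Chdir(config.Cwd); {
	case err == nil:
		doChdir = false
	case err == unix.EACCES:
		// Retry below, once the configured credentials are in place.
	default:
		return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %v", config.Cwd, err)
	}
}

// … unchanged: capability and user setup, w.ApplyCaps() …

// Second attempt runs as the configured process.
if doChdir {
	if err := unix.Chdir(config.Cwd); err != nil {
		return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %v", config.Cwd, err)
	}
}
return nil
```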