Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[1.2] libct/nsenter: become root after joining userns #4477

Merged
merged 2 commits into from
Oct 26, 2024
Merged

[1.2] libct/nsenter: become root after joining userns #4477

merged 2 commits into from
Oct 26, 2024
+31 −0

Conversation

kolyshkin
Copy link
Contributor

Backport of #4473 to release1.2. Original description follows.

PS I checked the added test case in #4476.

Containerd pre-creates userns and netns before calling runc, which
results in the current code not working when SELinux is enabled,
resulting in the following error:

runc create failed: unable to start container process: error during
container init: error mounting "mqueue" to rootfs at "/dev/mqueue":
setxattr /path/to/rootfs/dev/mqueue: operation not permitted

The solution is to become root in the user namespace right after
we join it.

Fixes #4466.

Co-authored-by: Wei Fu fuweid89@gmail.com
Co-authored-by: Kir Kolyshkin kolyshkin@gmail.com
Co-authored-by: Aleksa Sarai cyphar@cyphar.com
Signed-off-by: lifubang lifubang@acmcoder.com

lifubang and others added 2 commits October 25, 2024 18:13
@lifubang @fuweid
@kolyshkin @cyphar
libct/nsenter: become root after joining userns
1eb9ad3 
Containerd pre-creates userns and netns before calling runc, which
results in the current code not working when SELinux is enabled,
resulting in the following error:

> runc create failed: unable to start container process: error during
container init: error mounting "mqueue" to rootfs at "/dev/mqueue":
setxattr /path/to/rootfs/dev/mqueue: operation not permitted

The solution is to become root in the user namespace right after
we join it.

Fixes opencontainers#4466.

Co-authored-by: Wei Fu <fuweid89@gmail.com>
Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit c78f3f2)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@lifubang @kolyshkin
test join other container userns with selinux enabled
74a5c78 
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 34a9285)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin kolyshkin added the backport/1.2-pr A backport PR to release-1.2 label Oct 26, 2024
@kolyshkin kolyshkin added this to the 1.2.1 milestone Oct 26, 2024
@kolyshkin kolyshkin changed the base branch from main to release-1.2 October 26, 2024 01:16
@kolyshkin kolyshkin changed the title 1.2 userns [1.2] libct/nsenter: become root after joining userns Oct 26, 2024
@kolyshkin kolyshkin added area/selinux SELinux area/userns User Namespaces labels Oct 26, 2024
@kolyshkin kolyshkin marked this pull request as ready for review October 26, 2024 01:18
@kolyshkin kolyshkin mentioned this pull request Oct 26, 2024
Open
@lifubang lifubang merged commit 0e4ee02 into opencontainers:release-1.2 Oct 26, 2024
42 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lifubang lifubang lifubang approved these changes

@cyphar cyphar cyphar approved these changes

Assignees
No one assigned
Labels
area/selinux SELinux area/userns User Namespaces backport/1.2-pr A backport PR to release-1.2
Projects
None yet
Milestone
1.2.1
3 participants
@kolyshkin @lifubang @cyphar