Commitc59b45b

committed
make exec.fifo can be safety read on readonly tmpfs
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
1 parent721d066 commitc59b45b

File tree

2 files changed

+39
-68
lines changed


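--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -20,6 +20,7 @@ import (
 "golang.org/x/sys/unix"
 
 "github.com/opencontainers/cgroups"
+"github.com/opencontainers/runc/internal/linux"
 "github.com/opencontainers/runc/libcontainer/configs"
 "github.com/opencontainers/runc/libcontainer/exeseal"
 "github.com/opencontainers/runc/libcontainer/intelrdt"
@@ -231,76 +232,18 @@ func (c *Container) Exec() error {
 }
 
 func (c*Container)exec()error {
-path:=filepath.Join(c.stateDir,execFifoFilename)
-pid:=c.initProcess.pid()
-blockingFifoOpenCh:=awaitFifoOpen(path)
-for {
-select {
-caseresult:=<-blockingFifoOpenCh:
-returnhandleFifoResult(result)
-
-case<-time.After(time.Millisecond*100):
-stat,err:=system.Stat(pid)
-iferr!=nil||stat.State==system.Zombie {
-// could be because process started, ran, and completed between our 100ms timeout and our system.Stat() check.
-// see if the fifo exists and has data (with a non-blocking open, which will succeed if the writing process is complete).
-iferr:=handleFifoResult(fifoOpen(path,false));err!=nil {
-returnerrors.New("container process is already dead")
-}
-returnnil
-}
-}
-}
-}
-
-funcreadFromExecFifo(execFifo io.Reader)error {
-data,err:=io.ReadAll(execFifo)
+fifoPath:=filepath.Join(c.stateDir,execFifoFilename)
+fd,err:=linux.Open(fifoPath,unix.O_WRONLY|unix.O_CLOEXEC,0)
 iferr!=nil {
 returnerr
 }
-iflen(data)<=0 {
-returnerrors.New("cannot start an already running container")
+deferunix.Close(fd)
+if_,err:=unix.Write(fd, []byte("0"));err!=nil {
+return&os.PathError{Op:"write exec fifo",Path:fifoPath,Err:err}
 }
 returnnil
 }
 
-funcawaitFifoOpen(pathstring)<-chanopenResult {
-fifoOpened:=make(chanopenResult)
-gofunc() {
-result:=fifoOpen(path,true)
-fifoOpened<-result
-}()
-returnfifoOpened
-}
-
-funcfifoOpen(pathstring,blockbool)openResult {
-flags:=os.O_RDONLY
-if!block {
-flags|=unix.O_NONBLOCK
-}
-f,err:=os.OpenFile(path,flags,0)
-iferr!=nil {
-returnopenResult{err:fmt.Errorf("exec fifo: %w",err)}
-}
-returnopenResult{file:f}
-}
-
-funchandleFifoResult(resultopenResult)error {
-ifresult.err!=nil {
-returnresult.err
-}
-f:=result.file
-deferf.Close()
-iferr:=readFromExecFifo(f);err!=nil {
-returnerr
-}
-err:=os.Remove(f.Name())
-iferr==nil||os.IsNotExist(err) {
-returnnil
-}
-returnerr
-}
-
 typeopenResultstruct {
 file*os.File
 errerror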
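Review bot: The blocking `linux.Open(fifoPath,unix.O_WRONLY|unix.O_CLOEXEC,0)` in exec() has no way out if the container's init process dies before it opens the fifo for reading: open(2) of a FIFO with O_WRONLY blocks until a reader appears, and the 100ms `system.Stat(pid)` / `system.Zombie` poll that the removed loop used as a liveness guard is gone, so `runc start` can now hang indefinitely on a crashed init. Opening with O_NONBLOCK, treating ENXIO as "no reader yet", and re-checking the init pid between attempts keeps the old guard; a sketch follows, assuming linux.Open surfaces the errno in a way errors.Is can see. The `errors` and `time` packages the removed code used must stay imported for it. The openResult type below the hunk is now only consumed from standard_init_linux.go.
```go
func (c *Container) exec() error {
	fifoPath := filepath.Join(c.stateDir, execFifoFilename)
	pid := c.initProcess.pid()
	var fd int
	for {
		var err error
		// ENXIO: no reader has the fifo open yet. Poll rather than block so a
		// dead init process cannot leave us waiting forever.
		fd, err = linux.Open(fifoPath, unix.O_WRONLY|unix.O_NONBLOCK|unix.O_CLOEXEC, 0)
		if err == nil {
			break
		}
		if !errors.Is(err, unix.ENXIO) {
			return err
		}
		if stat, serr := system.Stat(pid); serr != nil || stat.State == system.Zombie {
			return errors.New("container process is already dead")
		}
		time.Sleep(100 * time.Millisecond)
	}
	defer unix.Close(fd)
	// … unchanged: write "0" and wrap the error in os.PathError …
}
```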

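--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -3,6 +3,7 @@ package libcontainer
 import (
 "errors"
 "fmt"
+"io"
 "os"
 "os/exec"
 
@@ -266,14 +267,18 @@ func (l *linuxStandardInit) Init() error {
 // user process. We open it through /proc/self/fd/$fd, because the fd that
 // was given to us was an O_PATH fd to the fifo itself. Linux allows us to
 // re-open an O_PATH fd through /proc.
-fd,err:=linux.Open(fifoPath,unix.O_WRONLY|unix.O_CLOEXEC,0)
-iferr!=nil {
+
+result:=fifoOpen(fifoPath,true)
+ifresult.err!=nil {
 returnerr
 }
-if_,err:=unix.Write(fd, []byte("0"));err!=nil {
-return&os.PathError{Op:"write exec fifo",Path:fifoPath,Err:err}
+iferr:=readFromExecFifo(result.file);err!=nil {
+returnerr
+}
+result.file.Close()
+iferr:=os.Remove(fifoPath);os.IsNotExist(err) {
+returnerr
 }
-
 // Close the O_PATH fifofd fd before exec because the kernel resets
 // dumpable in the wrong order. This has been fixed in newer kernels, but
 // we keep this to ensure CVE-2016-9962 doesn't re-emerge on older kernels.
@@ -305,3 +310,26 @@ func (l *linuxStandardInit) Init() error {
 }
 returnlinux.Exec(name,l.config.Args,l.config.Env)
 }
+
+funcfifoOpen(pathstring,blockbool)openResult {
+flags:=os.O_RDONLY
+if!block {
+flags|=unix.O_NONBLOCK
+}
+f,err:=os.OpenFile(path,flags,0)
+iferr!=nil {
+returnopenResult{err:fmt.Errorf("exec fifo: %w",err)}
+}
+returnopenResult{file:f}
+}
+
+funcreadFromExecFifo(execFifo io.Reader)error {
+data,err:=io.ReadAll(execFifo)
+iferr!=nil {
+returnerr
+}
+iflen(data)<=0 {
+returnerrors.New("cannot start an already running container")
+}
+returnnil
+}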
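Review bot: In Init(), the error branch after `result:=fifoOpen(fifoPath,true)` still executes the old context line `return err`, so an open failure returns whatever the outer `err` held at that point (possibly nil, letting init carry on with a nil file) and the actual open error is lost; it should be `return result.err`. The removal check is inverted: `if err := os.Remove(fifoPath); os.IsNotExist(err) { return err }` returns only when the fifo is already gone and swallows every other unlink error, the opposite of the removed handleFifoResult logic; write `if err := os.Remove(fifoPath); err != nil && !os.IsNotExist(err) { return err }`. `result.file.Close()` is neither deferred nor error-checked, so an early return from readFromExecFifo leaves the descriptor open; `defer result.file.Close()` directly after the error check is simpler. If fifoPath is the /proc/self/fd/$fd path the comment above describes, os.Remove on it is unlikely to unlink the fifo from the state directory, which the runc side no longer removes either — worth confirming where the fifo is now cleaned up. Init() starts and ends outside the hunk.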

