
Commitebb3e9c

committed
make exec.fifo can be safety read on readonly tmpfs
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
1 parent721d066 commitebb3e9c


2 files changed

+38
-67
lines changed


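--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -20,6 +20,7 @@ import (
 	"golang.org/x/sys/unix"
 
 	"github.com/opencontainers/cgroups"
+	"github.com/opencontainers/runc/internal/linux"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/exeseal"
 	"github.com/opencontainers/runc/libcontainer/intelrdt"
@@ -231,74 +232,19 @@ func (c *Container) Exec() error {
 }
 
 func (c *Container) exec() error {
-	path := filepath.Join(c.stateDir, execFifoFilename)
-	pid := c.initProcess.pid()
-	blockingFifoOpenCh := awaitFifoOpen(path)
-	for {
-		select {
-		case result := <-blockingFifoOpenCh:
-			return handleFifoResult(result)
-
-		case <-time.After(time.Millisecond * 100):
-			stat, err := system.Stat(pid)
-			if err != nil || stat.State == system.Zombie {
-				// could be because process started, ran, and completed between our 100ms timeout and our system.Stat() check.
-				// see if the fifo exists and has data (with a non-blocking open, which will succeed if the writing process is complete).
-				if err := handleFifoResult(fifoOpen(path, false)); err != nil {
-					return errors.New("container process is already dead")
-				}
-				return nil
-			}
-		}
-	}
-}
-
-func readFromExecFifo(execFifo io.Reader) error {
-	data, err := io.ReadAll(execFifo)
+	fifoPath := filepath.Join(c.stateDir, execFifoFilename)
+	fd, err := linux.Open(fifoPath, unix.O_WRONLY|unix.O_CLOEXEC, 0)
 	if err != nil {
 		return err
 	}
-	if len(data) <= 0 {
-		return errors.New("cannot start an already running container")
+	defer unix.Close(fd)
+	if _, err := unix.Write(fd, []byte("0")); err != nil {
+		return &os.PathError{Op: "write exec fifo", Path: fifoPath, Err: err}
 	}
-	return nil
-}
-
-func awaitFifoOpen(path string) <-chan openResult {
-	fifoOpened := make(chan openResult)
-	go func() {
-		result := fifoOpen(path, true)
-		fifoOpened <- result
-	}()
-	return fifoOpened
-}
-
-func fifoOpen(path string, block bool) openResult {
-	flags := os.O_RDONLY
-	if !block {
-		flags |= unix.O_NONBLOCK
-	}
-	f, err := os.OpenFile(path, flags, 0)
-	if err != nil {
-		return openResult{err: fmt.Errorf("exec fifo: %w", err)}
-	}
-	return openResult{file: f}
-}
-
-func handleFifoResult(result openResult) error {
-	if result.err != nil {
-		return result.err
-	}
-	f := result.file
-	defer f.Close()
-	if err := readFromExecFifo(f); err != nil {
+	if err := os.Remove(fifoPath); os.IsNotExist(err) {
 		return err
 	}
-	err := os.Remove(f.Name())
-	if err == nil || os.IsNotExist(err) {
-		return nil
-	}
-	return err
+	return nil
 }
 
 type openResult struct {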
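Review bot: The new cleanup in exec() inverts the removal check: `if err := os.Remove(fifoPath); os.IsNotExist(err) { return err }` fails only when the fifo is already gone and silently discards every other removal error (EROFS, EACCES, EBUSY), which is the opposite of the deleted lines that treated ENOENT as success and returned anything else. The usual form is `if err := os.Remove(fifoPath); err != nil && !os.IsNotExist(err) { return err }`; if a read-only state directory is meant to be tolerated, match that error explicitly in the condition rather than ignoring all of them. The rewrite also drops the 100 ms poll that consulted system.Stat(pid) for a dead or zombie init before committing to the fifo, and `linux.Open(fifoPath, unix.O_WRONLY|unix.O_CLOEXEC, 0)` on a fifo blocks until a reader opens the other end, so an exec against an init process that has already exited would now hang with no timeout unless that liveness check is restored or the open is done non-blocking with a bounded retry. The body of exec() is complete within this hunk.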

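--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -3,6 +3,7 @@ package libcontainer
 import (
 	"errors"
 	"fmt"
+	"io"
 	"os"
 	"os/exec"
 
@@ -266,14 +267,15 @@ func (l *linuxStandardInit) Init() error {
 	// user process. We open it through /proc/self/fd/$fd, because the fd that
 	// was given to us was an O_PATH fd to the fifo itself. Linux allows us to
 	// re-open an O_PATH fd through /proc.
-	fd, err := linux.Open(fifoPath, unix.O_WRONLY|unix.O_CLOEXEC, 0)
-	if err != nil {
+
+	result := fifoOpen(fifoPath, true)
+	if result.err != nil {
 		return err
 	}
-	if _, err := unix.Write(fd, []byte("0")); err != nil {
-		return &os.PathError{Op: "write exec fifo", Path: fifoPath, Err: err}
+	if err := readFromExecFifo(result.file); err != nil {
+		return err
 	}
-
+	result.file.Close()
 	// Close the O_PATH fifofd fd before exec because the kernel resets
 	// dumpable in the wrong order. This has been fixed in newer kernels, but
 	// we keep this to ensure CVE-2016-9962 doesn't re-emerge on older kernels.
@@ -305,3 +307,26 @@ func (l *linuxStandardInit) Init() error {
 	}
 	return linux.Exec(name, l.config.Args, l.config.Env)
 }
+
+func fifoOpen(path string, block bool) openResult {
+	flags := os.O_RDONLY
+	if !block {
+		flags |= unix.O_NONBLOCK
+	}
+	f, err := os.OpenFile(path, flags, 0)
+	if err != nil {
+		return openResult{err: fmt.Errorf("exec fifo: %w", err)}
+	}
+	return openResult{file: f}
+}
+
+func readFromExecFifo(execFifo io.Reader) error {
+	data, err := io.ReadAll(execFifo)
+	if err != nil {
+		return err
+	}
+	if len(data) <= 0 {
+		return errors.New("cannot start an already running container")
+	}
+	return nil
+}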
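Review bot: In the second hunk the unchanged context line `return err` directly after the new `if result.err != nil {` no longer returns the open failure: the `err` it referred to came from the removed `fd, err := linux.Open(...)`, so it now either fails to compile or, if an earlier `err` in Init() is still in scope and nil, makes Init() return nil without ever reaching the exec of the user process; it should read `return result.err`. In the same hunk a `readFromExecFifo` error returns while `result.file` is still open, whereas the success path closes it explicitly; a `defer` does not fit because `linux.Exec` does not return on success, so the error branch should close the file itself. The new `fifoOpen` is only called with `block == true` in this commit, so the `!block`/`unix.O_NONBLOCK` branch is dead code unless a caller outside the diff uses it. Init() starts before these hunks and its body continues between them.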

