Incorrect result from faccessat(AF_FDCWD, "...", X_OK) for file in volume bound to host directory

[chrisvest]

• I have tried with the latest version of Docker Desktop (4.10.1)
• I have tried disabling enabled experimental features
• I have uploaded Diagnostics
• Diagnostics ID: 6B3B0B53-9843-441E-81AF-3A933E4BA972/20221011195250

Expected behavior

If a file is not executable on a host, and the directory is bound to a volume in a docker guest, then the guest should also - consistently, across various different system calls - observe that the file is not executable.

Actual behavior

I’m observing that faccessat(AF_FDCWD, "...", X_OK) returns success (return value 0, meaning file should be executable for the user) for a file in a volume directory (e.g. docker compose file has something along the lines of volumes: dir:dir).
However, when I call fstatat(AT_FDCWD, ...) (which is what the ls -l command does) I see the st_mode field set to S_IFREG|0644 which says owner can read or write, but not execute.
The file was created in a way that is consistent with fstatat, so faccessat is returning the wrong result, unless I’m misunderstanding something about real/effective user.

Information

• Is it reproducible?
  • It shows up consistently on my system.
• Is the problem new?
  • I have seen file permission issues before, but cannot say if they're the same as this one.
• Did the problem appear with an update?
  • No, I noticed while making changes to a project CI set-up.
• macOS Version: macOS 12.6 (21G115), Kernel Version: Darwin 21.6.0
• Intel chip or Apple chip: m1 pro
• Docker Desktop Version: 4.10.1

The docker host is an M1 Pro, docker base image is arm64v8/centos:7.9.2009, the Docker Desktop settings are their defaults except for 7 GiB of RAM, and 4 CPU cores.

Output of /Applications/Docker.app/Contents/MacOS/com.docker.diagnose check

Starting diagnostics

[PASS] DD0027: is there available disk space on the host?
[PASS] DD0028: is there available VM disk space?
[PASS] DD0031: does the Docker API work?
[PASS] DD0004: is the Docker engine running?
[PASS] DD0011: are the LinuxKit services running?
[FAIL] DD0016: is the LinuxKit VM running? vm is not running: vm has not started
[PASS] DD0001: is the application running?
[PASS] DD0018: does the host support virtualization?
[FAIL] DD0017: can a VM be started? vm has not started: vm has not started
[PASS] DD0015: are the binary symlinks installed?
[PASS] DD0003: is the Docker CLI working?
[PASS] DD0013: is the $PATH ok?
[PASS] DD0007: is the backend responding?
[PASS] DD0014: are the backend processes running?
[PASS] DD0008: is the native API responding?
[PASS] DD0009: is the vpnkit API responding?
[PASS] DD0010: is the Docker API proxy responding?
[FAIL] DD0012: is the VM networking working? network checks failed: failed to ping host: exit status 1
[2022-10-11T20:17:00.338780000Z][com.docker.diagnose][I] ipc.NewClient: f4c68cfb-diagnose-network -> diagnosticd.sock diagnosticsd
[common/pkg/diagkit/gather/diagnose.runIsVMNetworkingOK()
[	common/pkg/diagkit/gather/diagnose/network.go:34 +0xc8
[common/pkg/diagkit/gather/diagnose.(*test).GetResult(0x101c0c200)
[	common/pkg/diagkit/gather/diagnose/test.go:46 +0x44
[common/pkg/diagkit/gather/diagnose.Run.func1(0x101c0c200)
[	common/pkg/diagkit/gather/diagnose/run.go:17 +0x44
[common/pkg/diagkit/gather/diagnose.walkOnce.func1(0x2?, 0x101c0c200)
[	common/pkg/diagkit/gather/diagnose/run.go:140 +0x84
[common/pkg/diagkit/gather/diagnose.walkDepthFirst(0x1, 0x101c0c200, 0x140009b1728)
[	common/pkg/diagkit/gather/diagnose/run.go:146 +0x3c
[common/pkg/diagkit/gather/diagnose.walkDepthFirst(0x0, 0x20?, 0x140009b1728)
[	common/pkg/diagkit/gather/diagnose/run.go:149 +0x78
[common/pkg/diagkit/gather/diagnose.walkOnce(0x1016ddce0?, 0x1400061f890)
[	common/pkg/diagkit/gather/diagnose/run.go:135 +0x8c
[common/pkg/diagkit/gather/diagnose.Run(0x101c0c380, 0x140000327a0?, {0x1400061fb08, 0x1, 0x1})
[	common/pkg/diagkit/gather/diagnose/run.go:16 +0x178
[main.checkCmd({0x140001ae010?, 0x6?, 0x4?}, {0x0, 0x0})
[	common/cmd/com.docker.diagnose/main.go:133 +0xe0
[main.main()
[	common/cmd/com.docker.diagnose/main.go:99 +0x310
[2022-10-11T20:17:00.341036000Z][com.docker.diagnose][I] (9dec1289) f4c68cfb-diagnose-network C->S diagnosticsd POST /check-network-connectivity: {"ips":["172.16.92.156","17.199.85.54"]}
[2022-10-11T20:17:00.875383000Z][com.docker.diagnose][W] (9dec1289) f4c68cfb-diagnose-network C<-S e7a355fa-diagnosticsd POST /check-network-connectivity (534.348584ms): failed to ping host: exit status 1

[PASS] DD0032: do Docker networks overlap with host IPs?
[SKIP] DD0030: is the image access management authorized?
[PASS] DD0019: is the com.docker.vmnetd process responding?
[PASS] DD0033: does the host have Internet access?

Please investigate the following 1 issue:

1 : The test: can a VM be started?
    Failed with: vm has not started: vm has not started

The Docker engine runs inside a Linux VM. Therefore we must be able to start Virtual Machines.

Note: Docker Desktop says the engine is running, and I can start and run containers just fine. Not sure why the diagnostics is having trouble with the VM.

Steps to reproduce the behavior

1. ...
2. ...

[nicks]

I'm pretty sure this is the same issue as #5509, so I'm going to mark as a duplicate to centralize communication.

[docker-robott]

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

/lifecycle locked