Revert "Fix error from runc run on noexec fs"
Since this commit was made, a few things happened:

- a similar functionality appeared in go 1.20 [1], so the issue
  mentioned in the comment (being removed) is no longer true;
- a bug in runc was found [2], which also affects go [3];
- the bug was fixed in go 1.21 [4] and 1.20.2 [5];
- a similar fix was made to x/sys/unix.Faccessat [6].

Revert commit 957d97b
so we can fix the bug [2] when go > 1.21.1 is used.
Note that this will reintroduce the older bug [7]
when an older go version is used, but since this
is a minor bug which will be fixed once everyone
switches to a recent go version, let's keep things
simple and not introduce any complex code here.

[1] https://go-review.googlesource.com/c/go/+/414824
[2] opencontainers#3715
[3] https://go.dev/issue/58552
[4] https://go-review.googlesource.com/c/go/+/468735
[5] https://go-review.googlesource.com/c/go/+/469956
[6] https://go-review.googlesource.com/c/sys/+/468877
[7] opencontainers#3520

Signed-off-by: Kir Kolyshkin <[email protected]>
kolyshkin committed Feb 28, 2023
1 parent 5a0642d commit 8afc914
Showing 2 changed files with 0 additions and 26 deletions.
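--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -198,13 +198,6 @@ func (l *linuxStandardInit) Init() error {
 if err != nil {
 return err
 }
-// exec.LookPath might return no error for an executable residing on a
-// file system mounted with noexec flag, so perform this extra check
-// now while we can still return a proper error.
-if err := system.Eaccess(name); err != nil {
-return &os.PathError{Op: "exec", Path: name, Err: err}
-}
-
 // Set seccomp as close to execve as possible, so as few syscalls take
 // place afterward (reducing the amount of syscalls that users need to
 // enable in their seccomp profiles). However, this needs to be done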
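--- a/libcontainer/system/linux.go
+++ b/libcontainer/system/linux.go
@@ -31,25 +31,6 @@ func (p ParentDeathSignal) Set() error {
 return SetParentDeathSignal(uintptr(p))
 }
 
-// Eaccess is similar to unix.Access except for setuid/setgid binaries
-// it checks against the effective (rather than real) uid and gid.
-func Eaccess(path string) error {
-err := unix.Faccessat2(unix.AT_FDCWD, path, unix.X_OK, unix.AT_EACCESS)
-if err != unix.ENOSYS && err != unix.EPERM { //nolint:errorlint // unix errors are bare
-return err
-}
-
-// Faccessat2() not available; check if we are a set[ug]id binary.
-if os.Getuid() == os.Geteuid() && os.Getgid() == os.Getegid() {
-// For a non-set[ug]id binary, use access(2).
-return unix.Access(path, unix.X_OK)
-}
-
-// For a setuid/setgid binary, there is no fallback way
-// so assume we can execute the binary.
-return nil
-}
-
 func Execv(cmd string, args []string, env []string) error {
 name, err := exec.LookPath(cmd)
 if err != nil {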

0 comments on commit 8afc914
