From 8afc9149e443a00c300f95cd00812166eba338f1 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Mon, 27 Feb 2023 15:40:38 -0800
Subject: [PATCH] Revert "Fix error from runc run on noexec fs"

Since this commit was made, a few things happened:
- a similar functionality appeared in go 1.20 [1], so the issue mentioned in the comment (being removed) is no longer true;
- a bug in runc was found [2], which also affects go [3];
- the bug was fixed in go 1.21 [4] and 1.20.2 [5];
- a similar fix was made to x/sys/unix.Faccessat [6].

Revert commit 957d97bcf43f41beef9670fe22ec78ccb5c5c101 so we can fix the bug [2] when go > 1.21.1 is used.

Note that this will reintroduce the older bug [7] when the older go version is used, but since this is a minor bug which will be fixed once everyone switches to a recent go version, let's keep things simple and not introduce any complex code here.

[1] https://go-review.googlesource.com/c/go/+/414824
[2] https://github.com/opencontainers/runc/issues/3715
[3] https://go.dev/issue/58552
[4] https://go-review.googlesource.com/c/go/+/468735
[5] https://go-review.googlesource.com/c/go/+/469956
[6] https://go-review.googlesource.com/c/sys/+/468877
[7] https://github.com/opencontainers/runc/issues/3520

Signed-off-by: Kir Kolyshkin
---
 libcontainer/standard_init_linux.go | 7 -------
 libcontainer/system/linux.go | 19 -------------------
 2 files changed, 26 deletions(-)

diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index 6ad25c9a4df..1a9c4979c26 100644
--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -198,13 +198,6 @@ func (l *linuxStandardInit) Init() error {
 if err != nil {
 return err
 }
- // exec.LookPath might return no error for an executable residing on a
- // file system mounted with noexec flag, so perform this extra check
- // now while we can still return a proper error.
- if err := system.Eaccess(name); err != nil {
- return &os.PathError{Op: "exec", Path: name, Err: err}
- }
-
 // Set seccomp as close to execve as possible, so as few syscalls take
 // place afterward (reducing the amount of syscalls that users need to
 // enable in their seccomp profiles). However, this needs to be done
diff --git a/libcontainer/system/linux.go b/libcontainer/system/linux.go
index 039059a444c..e1d6eb18034 100644
--- a/libcontainer/system/linux.go
+++ b/libcontainer/system/linux.go
@@ -31,25 +31,6 @@ func (p ParentDeathSignal) Set() error {
 return SetParentDeathSignal(uintptr(p))
 }
 
-// Eaccess is similar to unix.Access except for setuid/setgid binaries
-// it checks against the effective (rather than real) uid and gid.
-func Eaccess(path string) error {
- err := unix.Faccessat2(unix.AT_FDCWD, path, unix.X_OK, unix.AT_EACCESS)
- if err != unix.ENOSYS && err != unix.EPERM { //nolint:errorlint // unix errors are bare
- return err
- }
-
- // Faccessat2() not available; check if we are a set[ug]id binary.
- if os.Getuid() == os.Geteuid() && os.Getgid() == os.Getegid() {
- // For a non-set[ug]id binary, use access(2).
- return unix.Access(path, unix.X_OK)
- }
-
- // For a setuid/setgid binary, there is no fallback way
- // so assume we can execute the binary.
- return nil
-}
-
 func Execv(cmd string, args []string, env []string) error {
 name, err := exec.LookPath(cmd)
 if err != nil {