checkpoint: resolve symlink for external bind mount(fix ci broken)

runc resolves symlink before doing bind mount. So we should save original path while formatting CriuReq for dump and restore. "checkpoint: resolve symlink for external bind mount" is merged as da22625(PR 2902) previously. And reverted in commit 70fdc05(PR 3043) duo to behavior changes caused by commit 0ca91f4(Fixes: CVE-2021-30465) Signed-off-by: Liu Hua <[email protected]>
opencontainers · Jul 29, 2021 · a153102 · a153102
1 parent 1f5f237
commit a153102
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
@@ -758,6 +758,9 @@ const descriptorsFilename = "descriptors.json"
 
 func (c *linuxContainer) addCriuDumpMount(req *criurpc.CriuReq, m *configs.Mount) {
 	mountDest := strings.TrimPrefix(m.Destination, c.config.Rootfs)
+	if dest, err := securejoin.SecureJoin(c.config.Rootfs, mountDest); err == nil {
+		mountDest = dest[len(c.config.Rootfs):]
+	}
 	extMnt := &criurpc.ExtMountMap{
 		Key: proto.String(mountDest),
 		Val: proto.String(mountDest),
@@ -1134,6 +1137,9 @@ func (c *linuxContainer) Checkpoint(criuOpts *CriuOpts) error {
 
 func (c *linuxContainer) addCriuRestoreMount(req *criurpc.CriuReq, m *configs.Mount) {
 	mountDest := strings.TrimPrefix(m.Destination, c.config.Rootfs)
+	if dest, err := securejoin.SecureJoin(c.config.Rootfs, mountDest); err == nil {
+		mountDest = dest[len(c.config.Rootfs):]
+	}
 	extMnt := &criurpc.ExtMountMap{
 		Key: proto.String(mountDest),
 		Val: proto.String(m.Source),

diff --git a/tests/integration/checkpoint.bats b/tests/integration/checkpoint.bats
@@ -126,7 +126,18 @@ function simple_cr() {
 	done
 }
 
-@test "checkpoint and restore " {
+@test "checkpoint and restore" {
+	simple_cr
+}
+
+@test "checkpoint and restore (bind mount, destination is symlink)" {
+	mkdir -p rootfs/real/conf
+	ln -s /real/conf rootfs/conf
+	update_config '	  .mounts += [{
+					source: ".",
+					destination: "/conf",
+					options: ["bind"]
+				}]'
 	simple_cr
 }