rootfs: re-allow dangling symlinks in mount targets

It seems there are a fair few images where dangling symlinks are used as path components for mount targets, which pathrs-lite does not support (and it would be difficult to fully support this in a race-free way). This was actually meant to be blocked by commit 63c2908164 ("rootfs: try to scope MkdirAll to stay inside the rootfs"), followed by commit dd827f7b71 ("utils: switch to securejoin.MkdirAllHandle"). However, we still used SecureJoin to construct mountpoint targets, which means that dangling symlinks were "resolved" before reaching pathrs-lite. This patch basically re-adds this hack in order to reduce the breakages we've seen so far. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-12-24 11:50:58 +08:00 · 2025-11-05 02:04:02 +11:00
parent a41366e740
commit 3f925525b4
1 changed files with 11 additions and 0 deletions
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -532,6 +532,17 @@ func (m *mountEntry) createOpenMountpoint(rootfs string) (Err error) {
 			dstIsFile = !fi.IsDir()
 		}

+		// In previous runc versions, we would tolerate nonsense paths with
+		// dangling symlinks as path components. pathrs-lite does not support
+		// this, so instead we have to emulate this behaviour by doing
+		// SecureJoin *purely to get a semi-reasonable path to use* and then we
+		// use pathrs-lite to operate on the path safely.
+		newUnsafePath, err := securejoin.SecureJoin(rootfs, unsafePath)
+		if err != nil {
+			return err
+		}
+		unsafePath = utils.StripRoot(rootfs, newUnsafePath)
+
 		if dstIsFile {
 			dstFile, err = pathrs.CreateInRoot(rootfs, unsafePath, unix.O_CREAT|unix.O_EXCL|unix.O_NOFOLLOW, 0o644)
 		} else {