Merge pull request #4900 from lifubang/fix-Personality-seccomp

libct: setup personality before initializing seccomp
This commit is contained in:
Kir Kolyshkin
2025-09-25 16:59:28 -07:00
committed by GitHub
3 changed files with 33 additions and 12 deletions


@@ -80,6 +80,14 @@ func (l *linuxSetnsInit) Init() error {
if err := setupIOPriority(l.config); err != nil { if err := setupIOPriority(l.config); err != nil {
return err return err
} }
// Set personality if specified.
if l.config.Config.Personality != nil {
if err := setupPersonality(l.config.Config); err != nil {
return err
}
}
// Tell our parent that we're ready to exec. This must be done before the // Tell our parent that we're ready to exec. This must be done before the
// Seccomp rules have been applied, because we need to be able to read and // Seccomp rules have been applied, because we need to be able to read and
// write to a socket. // write to a socket.
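Review bot: The relocated comment `// Set personality if specified.` does not record why the call now has to sit before the parent sync, so a later tidy-up could move it back after the seccomp rules are applied without anything flagging the regression; the identical block moved in linuxStandardInit.Init has the same gap. I would extend the comment to `// Set personality if specified. This must happen before seccomp is applied, since the profile may deny the personality(2) syscall.` in both places. The second hunk in this file is only the removal of the old location and needs nothing further. Both Init functions start and end outside the hunks shown.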
@@ -110,11 +118,6 @@ func (l *linuxSetnsInit) Init() error {
if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil { if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
return err return err
} }
if l.config.Config.Personality != nil {
if err := setupPersonality(l.config.Config); err != nil {
return err
}
}
// Check for the arg early to make sure it exists. // Check for the arg early to make sure it exists.
name, err := exec.LookPath(l.config.Args[0]) name, err := exec.LookPath(l.config.Args[0])
if err != nil { if err != nil {


@@ -164,6 +164,13 @@ func (l *linuxStandardInit) Init() error {
return err return err
} }
// Set personality if specified.
if l.config.Config.Personality != nil {
if err := setupPersonality(l.config.Config); err != nil {
return err
}
}
// Tell our parent that we're ready to exec. This must be done before the // Tell our parent that we're ready to exec. This must be done before the
// Seccomp rules have been applied, because we need to be able to read and // Seccomp rules have been applied, because we need to be able to read and
// write to a socket. // write to a socket.
@@ -238,13 +245,6 @@ func (l *linuxStandardInit) Init() error {
} }
} }
// Set personality if specified.
if l.config.Config.Personality != nil {
if err := setupPersonality(l.config.Config); err != nil {
return err
}
}
// Close the pipe to signal that we have completed our init. // Close the pipe to signal that we have completed our init.
logrus.Debugf("init: closing the pipe to signal completion") logrus.Debugf("init: closing the pipe to signal completion")
_ = l.pipe.Close() _ = l.pipe.Close()


@@ -62,3 +62,21 @@ function teardown() {
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
[[ "$output" == *"x86_64"* ]] [[ "$output" == *"x86_64"* ]]
} }
# check that personality can be set when the personality syscall is blocked by seccomp
@test "runc run with personality syscall blocked by seccomp" {
update_config '
.linux.personality = {
"domain": "LINUX",
}
| .linux.seccomp = {
"defaultAction":"SCMP_ACT_ALLOW",
"syscalls":[{"names":["personality"], "action":"SCMP_ACT_ERRNO"}]
}'
runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
[ "$status" -eq 0 ]
runc exec test_busybox /bin/sh -c "uname -a"
[ "$status" -eq 0 ]
[[ "$output" == *"x86_64"* ]]
}
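Review bot: The closing assertion `[[ "$output" == *"x86_64"* ]]` cannot distinguish an applied personality from one that was silently skipped, because `LINUX` is the native domain on x86_64, so the test as written pins only that `runc run` and `runc exec` succeed while `personality` is denied by seccomp. That is still the regression this PR fixes and worth keeping, but the ordering would be observed end to end by a sibling case using `"domain": "LINUX32"` with the same seccomp rule and expecting `i686` in the `uname -a` output, if the file's setup already restricts these tests to x86_64 (the preceding test at the top of the hunk appears to assume that). The leading comment could also say what is being guarded, e.g. `# personality must be applied before seccomp, otherwise the blocked syscall makes init fail`.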