Fix race in runc exec

There is a race in runc exec when the init process stops just before the check for the container status. It is then wrongly assumed that we are trying to start an init process instead of an exec process. This commit add an Init field to libcontainer Process to distinguish between init and exec processes to prevent this race. Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2025-10-05 07:27:03 +08:00 · 2018-06-01 12:56:13 -07:00
parent ecd55a4135
commit bd3c4f844a
9 changed files with 54 additions and 22 deletions
--- a/utils_linux.go
+++ b/utils_linux.go
@@ -105,7 +105,7 @@ func getDefaultImagePath(context *cli.Context) string {

 // newProcess returns a new libcontainer Process with the arguments from the
 // spec and stdio from the current process.
-func newProcess(p specs.Process) (*libcontainer.Process, error) {
+func newProcess(p specs.Process, init bool) (*libcontainer.Process, error) {
 	lp := &libcontainer.Process{
 		Args: p.Args,
 		Env:  p.Env,
@@ -115,6 +115,7 @@ func newProcess(p specs.Process) (*libcontainer.Process, error) {
 		Label:           p.SelinuxLabel,
 		NoNewPrivileges: &p.NoNewPrivileges,
 		AppArmorProfile: p.ApparmorProfile,
+		Init:            init,
 	}

 	if p.ConsoleSize != nil {
@@ -269,6 +270,7 @@ func createContainer(context *cli.Context, id string, spec *specs.Spec) (libcont
 }

 type runner struct {
+	init            bool
 	enableSubreaper bool
 	shouldDestroy   bool
 	detach          bool
@@ -287,7 +289,7 @@ func (r *runner) run(config *specs.Process) (int, error) {
 		r.destroy()
 		return -1, err
 	}
-	process, err := newProcess(*config)
+	process, err := newProcess(*config, r.init)
 	if err != nil {
 		r.destroy()
 		return -1, err
@@ -450,6 +452,7 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
 		preserveFDs:     context.Int("preserve-fds"),
 		action:          action,
 		criuOpts:        criuOpts,
+		init:            true,
 	}
 	return r.run(spec.Process)
 }