zishuo/runc
1
0
Fork 0
mirror of https://github.com/opencontainers/runc.git synced 2025-09-26 19:41:35 +08:00
Code Issues Packages Projects Releases Wiki Activity

libct: setup personality before initializing seccomp

Browse Source 
Set the process personality early to ensure it takes effect before
seccomp is initialized. If seccomp filters are applied first and they
block personality-related system calls (e.g., `personality(2)`),
subsequent attempts to set the personality will fail.

Signed-off-by: lifubang <lifubang@acmcoder.com>
This commit is contained in:
lifubang
2025-09-25 09:39:29 +00:00
parent a746c53cef
commit f7dda6e6dc
2 changed files with 15 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
libcontainer/setns_init_linux.go
View File

@@ -80,6 +80,14 @@ func (l *linuxSetnsInit) Init() error {
if err := setupIOPriority(l.config); err != nil {
return err
}
// Set personality if specified.
if l.config.Config.Personality != nil {
if err := setupPersonality(l.config.Config); err != nil {
return err
}
}
// Tell our parent that we're ready to exec. This must be done before the
// Seccomp rules have been applied, because we need to be able to read and
// write to a socket.
@@ -110,11 +118,6 @@ func (l *linuxSetnsInit) Init() error {
if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
return err
}
if l.config.Config.Personality != nil {
if err := setupPersonality(l.config.Config); err != nil {
return err
}
}
// Check for the arg early to make sure it exists.
name, err := exec.LookPath(l.config.Args[0])
if err != nil {

14
libcontainer/standard_init_linux.go
View File

@@ -164,6 +164,13 @@ func (l *linuxStandardInit) Init() error {
return err
}
// Set personality if specified.
if l.config.Config.Personality != nil {
if err := setupPersonality(l.config.Config); err != nil {
return err
}
}
// Tell our parent that we're ready to exec. This must be done before the
// Seccomp rules have been applied, because we need to be able to read and
// write to a socket.
@@ -238,13 +245,6 @@ func (l *linuxStandardInit) Init() error {
}
}
// Set personality if specified.
if l.config.Config.Personality != nil {
if err := setupPersonality(l.config.Config); err != nil {
return err
}
}
// Close the pipe to signal that we have completed our init.
logrus.Debugf("init: closing the pipe to signal completion")
_ = l.pipe.Close()