mirror of
https://github.com/opencontainers/runc.git
synced 2025-11-03 09:51:06 +08:00
Since commit 957d97bcf4 was made to fix issue [7],
a few things happened:

- a similar functionality appeared in go 1.20 [1], so the issue
  mentioned in the comment (being removed) is no longer true;
- a bug in runc was found [2], which also affects go [3];
- the bug was fixed in go 1.21 [4] and 1.20.2 [5];
- a similar fix was made to x/sys/unix.Faccessat [6].

The essence of [2] is, even if a (non-root) user that the container is
run as does not have execute permission bit set for the executable, it
should still work in case runc has the CAP_DAC_OVERRIDE capability set.

To fix this [2] without reintroducing the older bug [7]:

- drop own Eaccess implementation;
- use the one from x/sys/unix for Go 1.19 (depends on [6]);
- do not use anything when Go 1.20+ is used.

NOTE it is virtually impossible to fix the bug [2] when Go 1.20 or Go
1.20.1 is used because of [3].

A test case is added by a separate commit.

Fixes: #3715.

[1] https://go-review.googlesource.com/c/go/+/414824
[2] https://github.com/opencontainers/runc/issues/3715
[3] https://go.dev/issue/58552
[4] https://go-review.googlesource.com/c/go/+/468735
[5] https://go-review.googlesource.com/c/go/+/469956
[6] https://go-review.googlesource.com/c/sys/+/468877
[7] https://github.com/opencontainers/runc/issues/3520

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
11 lines
280 B
Go
//go:build go1.20

package libcontainer

func eaccess(path string) error {
	// Not needed in Go 1.20+ as the functionality is already in there
	// (added by https://go.dev/cl/416115, https://go.dev/cl/414824,
	// and fixed in Go 1.20.2 by https://go.dev/cl/469956).
	return nil
}
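The behaviour described in the commit message for [2], as an added example that is not runc's or Go's code: a simplified model of the Linux execute-permission decision for a regular file, next to a check that looks at mode bits only. The `Creds` and `File` types and both function names are hypothetical, and the model assumes no supplementary groups, ACLs, LSMs, noexec mounts or user namespaces.

```go
package main

import "fmt"

// Creds and File are constructed, simplified stand-ins for process
// credentials and inode fields; they are not runc types.
type Creds struct {
	UID, GID    uint32
	DACOverride bool // process holds CAP_DAC_OVERRIDE
}

type File struct {
	Mode     uint32 // permission bits only, e.g. 0o750
	UID, GID uint32
}

// modeBitsOnly picks the owner/group/other class for the caller and tests
// that class's execute bit, ignoring capabilities.
func modeBitsOnly(c Creds, f File) bool {
	switch {
	case c.UID == f.UID:
		return f.Mode&0o100 != 0
	case c.GID == f.GID:
		return f.Mode&0o010 != 0
	default:
		return f.Mode&0o001 != 0
	}
}

// kernelExecAllowed models the Linux DAC rule for regular files: when the
// class bit denies, CAP_DAC_OVERRIDE still permits execute as long as at
// least one execute bit (0o111) is set on the file.
func kernelExecAllowed(c Creds, f File) bool {
	return modeBitsOnly(c, f) || (c.DACOverride && f.Mode&0o111 != 0)
}

func main() {
	// Constructed sample: root-owned binary with no "other" execute bit.
	bin := File{Mode: 0o750, UID: 0, GID: 0}
	user := Creds{UID: 1000, GID: 1000, DACOverride: true}
	fmt.Println("mode bits only:", modeBitsOnly(user, bin))
	fmt.Println("kernel (model):", kernelExecAllowed(user, bin))
	noX := File{Mode: 0o640, UID: 0, GID: 0} // no execute bit at all
	fmt.Println("no x bit, cap: ", kernelExecAllowed(user, noX))
}
```

A pre-flight check that behaves like `modeBitsOnly` rejects an executable the kernel would accept, which is the mismatch that an effective-ID access check (faccessat with AT_EACCESS) avoids.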