runc run: resolve tmpfs mount dest in container scope

In case a tmpfs mount path contains absolute symlinks, runc errors out because those symlinks are resolved in the host (rather than container) filesystem scope. The fix is similar to that for bind mounts -- resolve the destination in container rootfs scope using securejoin, and use the resolved path. A simple integration test case is added to prevent future regressions. Fixes opencontainers#2683. Signed-off-by: Kir Kolyshkin <[email protected]>
dqminh · Feb 3, 2021 · e2badb6 · e2badb6
1 parent 1e591f0
commit e2badb6
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
@@ -340,6 +340,13 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
 	case "tmpfs":
 		copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP
 		tmpDir := ""
+		// dest might be an absolute symlink, so it needs
+		// to be resolved under rootfs.
+		dest, err := securejoin.SecureJoin(rootfs, m.Destination)
+		if err != nil {
+			return err
+		}
+		m.Destination = dest
 		stat, err := os.Stat(dest)
 		if err != nil {
 			if err := os.MkdirAll(dest, 0755); err != nil {

diff --git a/tests/integration/mounts.bats b/tests/integration/mounts.bats
@@ -37,3 +37,19 @@ function teardown() {
 	[ "$status" -eq 0 ]
 	[[ "${lines[0]}" == *'ro,'* ]]
 }
+
+# https://github.com/opencontainers/runc/issues/2683
+@test "runc run [tmpfs mount with absolute symlink]" {
+	# in container, /conf -> /real/conf
+	mkdir -p rootfs/real/conf
+	ln -s /real/conf rootfs/conf
+	update_config '	  .mounts += [{
+					type: "tmpfs",
+					source: "tmpfs",
+					destination: "/conf/stack",
+					options: ["ro", "nodev", "nosuid"]
+				}]
+			| .process.args |= ["true"]'
+	runc run test_busybox
+	[ "$status" -eq 0 ]
+}