runc run: resolve tmpfs mount dest in container scope

In case a tmpfs mount path contains absolute symlinks, runc errors out because those symlinks are resolved in the host (rather than container) filesystem scope. The fix is similar to that for bind mounts -- resolve the destination in container rootfs scope using securejoin, and use the resolved path. A simple integration test case is added to prevent future regressions. Fixes opencontainers/runc#2683. Signed-off-by: Kir Kolyshkin <[email protected]> (cherry-picked from 637f82d6)
nestybox · Feb 10, 2021 · eb4cbf9 · eb4cbf9
1 parent 9feb732
commit eb4cbf9
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
@@ -370,6 +370,13 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns,
 	case "tmpfs":
 		copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP
 		tmpDir := ""
+		// dest might be an absolute symlink, so it needs
+		// to be resolved under rootfs.
+		dest, err := securejoin.SecureJoin(rootfs, m.Destination)
+		if err != nil {
+			return err
+		}
+		m.Destination = dest
 		stat, err := os.Stat(dest)
 		if err != nil {
 			if err := mkdirall(dest, 0755); err != nil {

diff --git a/tests/integration/mounts.bats b/tests/integration/mounts.bats
@@ -176,3 +176,24 @@ function teardown() {
 
 	rm -rf /tmp/busyboxtest
 }
+
+@test "runc run [tmpfs mount with absolute symlink]" {
+	# in container, /conf -> /real/conf
+	mkdir -p rootfs/real/conf
+
+	if [ -z "$SHIFT_UIDS" ]; then
+		chown -R "$UID_MAP":"$GID_MAP" rootfs/real/conf
+	fi
+
+	ln -s /real/conf rootfs/conf
+
+	update_config '  .mounts += [{
+					type: "tmpfs",
+					source: "tmpfs",
+					destination: "/conf/stack",
+					options: ["ro", "nodev", "nosuid"]
+				}]
+			| .process.args |= ["true"]'
+	runc run test_busybox
+	[ "$status" -eq 0 ]
+}