From 5a5b2cc3af5512631abb13239f1e57c9cf54391f Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Wed, 4 Oct 2023 10:53:23 -0700
Subject: [PATCH] Fix directory perms vs umask for tmpcopyup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bump fileutils to v0.5.1, which fixes permissions of newly created directories to not depend on the value of umask.

Add a test case which fails like this before the fix:

mounts.bats
✗ runc run [tmpcopyup]
(in test file tests/integration/mounts.bats, line 28)
`[[ "${lines[0]}" == *'drwxrwxrwx'* ]]' failed
runc spec (status=0):
runc run test_busybox (status=0):
drwxr-xr-x 2 root root 40 Oct 4 22:35 /dir1/dir2

Fixes 3991.

(cherry picked from commit 730bc844189c4374152651bc4ee7b427fa081898)
Signed-off-by: Kir Kolyshkin
---
 go.mod | 2 +-
 go.sum | 4 ++--
 tests/integration/mounts.bats | 18 ++++++++++++++++++
 .../github.com/mrunalp/fileutils/fileutils.go | 11 +++++++----
 vendor/github.com/mrunalp/fileutils/idtools.go | 3 +++
 vendor/modules.txt | 2 +-
 6 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/go.mod b/go.mod
index 630efc8e776..16d0f31bd87 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 github.com/docker/go-units v0.4.0
 github.com/godbus/dbus/v5 v5.0.6
 github.com/moby/sys/mountinfo v0.5.0
- github.com/mrunalp/fileutils v0.5.0
+ github.com/mrunalp/fileutils v0.5.1
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
 github.com/opencontainers/selinux v1.10.0
 github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646
diff --git a/go.sum b/go.sum
index 1ef82c6c5d1..ceee93a85ec 100644
--- a/go.sum
+++ b/go.sum
@@ -31,8 +31,8 @@ github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/moby/sys/mountinfo v0.5.0 h1:2Ks8/r6lopsxWi9m58nlwjaeSzUX9iiL1vj5qB/9ObI=
 github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU=
-github.com/mrunalp/fileutils v0.5.0 h1:NKzVxiH7eSk+OQ4M+ZYW1K6h27RUV3MI6NUTsHhU6Z4=
-github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
+github.com/mrunalp/fileutils v0.5.1 h1:F+S7ZlNKnrwHfSwdlgNSkKo67ReVf8o9fel6C3dkm/Q=
+github.com/mrunalp/fileutils v0.5.1/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.10.0 h1:rAiKF8hTcgLI3w0DHm6i0ylVVcOrlgR1kK99DRLDhyU=
diff --git a/tests/integration/mounts.bats b/tests/integration/mounts.bats
index d94b412e9aa..3cd01da840f 100644
--- a/tests/integration/mounts.bats
+++ b/tests/integration/mounts.bats
@@ -10,6 +10,24 @@ function teardown() {
 teardown_bundle
 }
+# https://github.com/opencontainers/runc/issues/3991
+@test "runc run [tmpcopyup]" {
+ mkdir -p rootfs/dir1/dir2
+ chmod 777 rootfs/dir1/dir2
+ update_config ' .mounts += [{
+ source: "tmpfs",
+ destination: "/dir1",
+ type: "tmpfs",
+ options: ["tmpcopyup"]
+ }]
+ | .process.args |= ["ls", "-ld", "/dir1/dir2"]'
+ umask 022
+ runc run test_busybox
+ [ "$status" -eq 0 ]
+ [[ "${lines[0]}" == *'drwxrwxrwx'* ]]
+}
+
 @test "runc run [bind mount]" {
 update_config ' .mounts += [{
 source: ".",
diff --git a/vendor/github.com/mrunalp/fileutils/fileutils.go b/vendor/github.com/mrunalp/fileutils/fileutils.go
index 7421e6207f6..81851c81943 100644
--- a/vendor/github.com/mrunalp/fileutils/fileutils.go
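Review bot: The `runc run [tmpcopyup]` test added to tests/integration/mounts.bats asserts only the permissive case, a 0777 directory under `umask 022`, so a copy-up that left a directory more open than its source would still pass. Because the vendored fix now sets the mode with an explicit chmod, it is worth pinning the restrictive direction too, for example a sibling fixture `mkdir -p rootfs/dir1/dir3 && chmod 700 rootfs/dir1/dir3` listed by the same `ls -ld` and checked with `[[ "${lines[1]}" == *'drwx------'* ]]`. The comment above the test is only an issue URL; adding `# Directory modes copied by tmpcopyup must not depend on runc's umask.` would state what is being checked.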
+++ b/vendor/github.com/mrunalp/fileutils/fileutils.go
@@ -125,6 +125,7 @@ func CopyDirectory(source string, dest string) error {
 if err != nil {
 return nil
 }
+ destPath := filepath.Join(dest, relPath)
 if info.IsDir() {
 // Skip the source directory.
@@ -138,18 +139,20 @@ func CopyDirectory(source string, dest string) error {
 uid := int(st.Uid)
 gid := int(st.Gid)
- if err := os.Mkdir(filepath.Join(dest, relPath), info.Mode()); err != nil {
+ if err := os.Mkdir(destPath, info.Mode()); err != nil {
 return err
 }
-
- if err := os.Lchown(filepath.Join(dest, relPath), uid, gid); err != nil {
+ if err := os.Lchown(destPath, uid, gid); err != nil {
+ return err
+ }
+ if err := os.Chmod(destPath, info.Mode()); err != nil {
 return err
 }
 }
 return nil
 }
- return CopyFile(path, filepath.Join(dest, relPath))
+ return CopyFile(path, destPath)
 })
 }
diff --git a/vendor/github.com/mrunalp/fileutils/idtools.go b/vendor/github.com/mrunalp/fileutils/idtools.go
index bad6539df53..0ae2dfb29f4 100644
--- a/vendor/github.com/mrunalp/fileutils/idtools.go
+++ b/vendor/github.com/mrunalp/fileutils/idtools.go
@@ -49,6 +49,9 @@ func MkdirAllNewAs(path string, mode os.FileMode, ownerUID, ownerGID int) error
 if err := os.Chown(pathComponent, ownerUID, ownerGID); err != nil {
 return err
 }
+ if err := os.Chmod(pathComponent, mode); err != nil {
+ return err
+ }
 }
 return nil
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 557c6d5d23b..5f48b38d49a 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -32,7 +32,7 @@ github.com/godbus/dbus/v5
 # github.com/moby/sys/mountinfo v0.5.0
 ## explicit; go 1.16
 github.com/moby/sys/mountinfo
-# github.com/mrunalp/fileutils v0.5.0
+# github.com/mrunalp/fileutils v0.5.1
 ## explicit; go 1.13
 github.com/mrunalp/fileutils
 # github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417