setupRlimits after the child process has been in go routine

Signed-off-by: lifubang <[email protected]>
opencontainers · Apr 30, 2024 · b5c3d30 · b5c3d30
1 parent 7a017af
commit b5c3d30
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 7 deletions.
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
@@ -268,20 +268,26 @@ func (p *setnsProcess) start() (retErr error) {
 			}
 		}
 	}
-	// set rlimits, this has to be done here because we lose permissions
-	// to raise the limits once we enter a user-namespace
-	if err := setupRlimits(p.config.Rlimits, p.pid()); err != nil {
-		return fmt.Errorf("error setting rlimits for process: %w", err)
-	}
+
 	if err := utils.WriteJSON(p.comm.initSockParent, p.config); err != nil {
 		return fmt.Errorf("error writing config to pipe: %w", err)
 	}
 
+	var seenProcReady bool
 	ierr := parseSync(p.comm.syncSockParent, func(sync *syncT) error {
 		switch sync.Type {
 		case procReady:
-			// This shouldn't happen.
-			panic("unexpected procReady in setns")
+			seenProcReady = true
+			// set rlimits, this has to be done here because we lose permissions
+			// to raise the limits once we enter a user-namespace
+			if err := setupRlimits(p.config.Rlimits, p.pid()); err != nil {
+				return fmt.Errorf("error setting rlimits for ready process: %w", err)
+			}
+
+			// Sync with child.
+			if err := writeSync(p.comm.syncSockParent, procRun); err != nil {
+				return err
+			}
 		case procHooks:
 			// This shouldn't happen.
 			panic("unexpected procHooks in setns")
@@ -340,6 +346,9 @@ func (p *setnsProcess) start() (retErr error) {
 	if err := p.comm.syncSockParent.Shutdown(unix.SHUT_WR); err != nil && ierr == nil {
 		return err
 	}
+	if !seenProcReady && ierr == nil {
+		ierr = errors.New("procReady not received")
+	}
 	// Must be done after Shutdown so the child will exit and we can wait for it.
 	if ierr != nil {
 		_, _ = p.wait()

diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
@@ -77,6 +77,13 @@ func (l *linuxSetnsInit) Init() error {
 		}
 	}
 
+	// Tell our parent that we're ready to Execv. This must be done before the
+	// Seccomp rules have been applied, because we need to be able to read and
+	// write to a socket.
+	if err := syncParentReady(l.pipe); err != nil {
+		return fmt.Errorf("sync ready: %w", err)
+	}
+
 	if err := selinux.SetExecLabel(l.config.ProcessLabel); err != nil {
 		return err
 	}