
Commit 427f511

avagingvisor-bot
authored andcommitted
runsc: dereference symlinks when checking for existing mount points
The Kubernetes gVisor test fails because it tries to mount into /var/run, which is a symlink to /run. PiperOrigin-RevId: 766439648
1 parent 36259b4 commit 427f511


1 file changed

+12
-5
lines changed


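--- a/runsc/boot/vfs.go
+++ b/runsc/boot/vfs.go
@@ -878,6 +878,8 @@ func (c *containerMounter) mountSubmount(ctx context.Context, spec *specs.Spec,
 return nil, fmt.Errorf("creating mount point %q: %w", mount.Destination, err)
 }
 
+// Avoid mounting on top of symlinks. The mount syscall on Linux always follows symlinks.
+target.FollowFinalSymlink = true
 if err := c.k.VFS().ConnectMountAt(ctx, creds, mnt, target); err != nil {
 return nil, fmt.Errorf("attaching %q to %q (type: %s): %w, opts: %v",
 mount.Source, mount.Destination, mount.Type, err, opts)
@@ -1274,6 +1276,8 @@ func (c *containerMounter) mountSharedSubmount(ctx context.Context, conf *config
 return nil, fmt.Errorf("creating mount point %q: %w", mntInfo.mount.Destination, err)
 }
 
+// Avoid mounting on top of symlinks. The mount syscall on Linux always follows symlinks.
+target.FollowFinalSymlink = true
 if err := c.k.VFS().ConnectMountAt(ctx, creds, newMnt, target); err != nil {
 return nil, err
 }
@@ -1296,9 +1300,10 @@ func (c *containerMounter) makeMountPoint(
 defer root.DecRef(ctx)
 
 target := &vfs.PathOperation{
-Root: root,
-Start: root,
-Path: fspath.Parse(dest),
+Root: root,
+Start: root,
+Path: fspath.Parse(dest),
+FollowFinalSymlink: true,
 }
 
 fs := c.k.VFS()
@@ -1309,9 +1314,9 @@ func (c *containerMounter) makeMountPoint(
 case err == nil:
 if mode.IsDir() != rootMode.IsDir() {
 if rootMode.IsDir() {
-return fmt.Errorf("mountpoint %q isn't a directory", dest)
+return fmt.Errorf("mountpoint %q isn't a directory, got mode %s", dest, mode)
 } else {
-return fmt.Errorf("mountpoint %q isn't not a file", dest)
+return fmt.Errorf("mountpoint %q isn't not a file, got mode %s", dest, mode)
 }
 }
 // Target already exists.
@@ -1322,6 +1327,8 @@ func (c *containerMounter) makeMountPoint(
 return fmt.Errorf("stat failed for %q during mountpoint creation: %w", dest, err)
 }
 
+// FollowFinalSymlink should be false to create new file or directory.
+target.FollowFinalSymlink = false
 mkdirOpts := &vfs.MkdirOptions{Mode: 0755, ForSyntheticMountpoint: true}
 
 // Make sure the parent directory of target exists.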
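Review bot: In makeMountPoint, a destination whose final component is a dangling symlink is not handled explicitly. The stat now follows the link, so, assuming the not-found case falls through to creation (that part of the switch is outside the hunk), the code reaches `target.FollowFinalSymlink = false` and then tries to create the file or directory at the link's own name, which would most likely fail with an unexplained "already exists" error. Link targets come from the container image, so this case deserves a clear rejection message, or at least a comment such as `// dest may still be a dangling symlink here; creation does not follow it and is expected to fail.` The first two hunks presumably rely on `target.Root` bounding symlink resolution to the container root, but that is only visible in makeMountPoint (`Root: root`), since `target` is built outside those hunks; the added comment there could say so. The changed message `isn't not a file` still carries a double negative and should read `isn't a file`.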
