libcontainer: create Cwd when it does not exist

AkihiroSuda · AkihiroSuda · commit 2edd36fdff86 · 2017-10-05T05:31:46.000Z
The benefit for doing this within runc is that it works well with
userns.
Actually, runc already does the same thing for mount points.

Signed-off-by: Akihiro Suda &lt;suda.akihiro@lab.ntt.co.jp&gt;
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
@@ -40,7 +40,8 @@ func needsSetupDev(config *configs.Config) bool {
 // prepareRootfs sets up the devices, mount points, and filesystems for use
 // inside a new mount namespace. It doesn't set anything as ro. You must call
 // finalizeRootfs after this function to finish setting up the rootfs.
-func prepareRootfs(pipe io.ReadWriter, config *configs.Config) (err error) {
+func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig) (err error) {
+	config := iConfig.Config
 	if err := prepareRoot(config); err != nil {
 		return newSystemErrorWithCause(err, "preparing rootfs")
 	}
@@ -80,6 +81,7 @@ func prepareRootfs(pipe io.ReadWriter, config *configs.Config) (err error) {
 	// The hooks are run after the mounts are setup, but before we switch to the new
 	// root, so that the old root is still available in the hooks for any mount
 	// manipulations.
+	// Note that iConfig.Cwd is not guaranteed to exist here.
 	if err := syncParentHooks(pipe); err != nil {
 		return err
 	}
@@ -111,6 +113,14 @@ func prepareRootfs(pipe io.ReadWriter, config *configs.Config) (err error) {
 		}
 	}
 
+	if cwd := iConfig.Cwd; cwd != "" {
+		// Note that spec.Process.Cwd can contain unclean value like  "../../../../foo/bar...".
+		// However, we are safe to call MkDirAll directly because we are in the jail here.
+		if err := os.MkdirAll(cwd, 0755); err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
 
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
@@ -68,7 +68,7 @@ func (l *linuxStandardInit) Init() error {
 
 	// prepareRootfs() can be executed only for a new mount namespace.
 	if l.config.Config.Namespaces.Contains(configs.NEWNS) {
-		if err := prepareRootfs(l.pipe, l.config.Config); err != nil {
+		if err := prepareRootfs(l.pipe, l.config); err != nil {
 			return err
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,8 @@ func needsSetupDev(config *configs.Config) bool {`
`40`	`40`	`// prepareRootfs sets up the devices, mount points, and filesystems for use`
`41`	`41`	`// inside a new mount namespace. It doesn't set anything as ro. You must call`
`42`	`42`	`// finalizeRootfs after this function to finish setting up the rootfs.`
`43`		`-func prepareRootfs(pipe io.ReadWriter, config *configs.Config) (err error) {`
	`43`	`+func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig) (err error) {`
	`44`	`+ config := iConfig.Config`
`44`	`45`	`if err := prepareRoot(config); err != nil {`
`45`	`46`	`return newSystemErrorWithCause(err, "preparing rootfs")`
`46`	`47`	`}`
`@@ -80,6 +81,7 @@ func prepareRootfs(pipe io.ReadWriter, config *configs.Config) (err error) {`
`80`	`81`	`// The hooks are run after the mounts are setup, but before we switch to the new`
`81`	`82`	`// root, so that the old root is still available in the hooks for any mount`
`82`	`83`	`// manipulations.`
	`84`	`+ // Note that iConfig.Cwd is not guaranteed to exist here.`
`83`	`85`	`if err := syncParentHooks(pipe); err != nil {`
`84`	`86`	`return err`
`85`	`87`	`}`
`@@ -111,6 +113,14 @@ func prepareRootfs(pipe io.ReadWriter, config *configs.Config) (err error) {`
`111`	`113`	`}`
`112`	`114`	`}`
`113`	`115`
	`116`	`+ if cwd := iConfig.Cwd; cwd != "" {`
	`117`	`+ // Note that spec.Process.Cwd can contain unclean value like "../../../../foo/bar...".`
	`118`	`+ // However, we are safe to call MkDirAll directly because we are in the jail here.`
	`119`	`+ if err := os.MkdirAll(cwd, 0755); err != nil {`
	`120`	`+ return err`
	`121`	`+ }`
	`122`	`+ }`
	`123`	`+`
`114`	`124`	`return nil`
`115`	`125`	`}`
`116`	`126`
Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@ func (l *linuxStandardInit) Init() error {`
`68`	`68`
`69`	`69`	`// prepareRootfs() can be executed only for a new mount namespace.`
`70`	`70`	`if l.config.Config.Namespaces.Contains(configs.NEWNS) {`
`71`		`- if err := prepareRootfs(l.pipe, l.config.Config); err != nil {`
	`71`	`+ if err := prepareRootfs(l.pipe, l.config); err != nil {`
`72`	`72`	`return err`
`73`	`73`	`}`
`74`	`74`	`}`