rootfs: re-allow dangling symlinks in mount targets

It seems there are a fair few images where dangling symlinks are used as
path components for mount targets, which pathrs-lite does not support
(and it would be difficult to fully support this in a race-free way).

This was actually meant to be blocked by commit 63c2908 ("rootfs:
try to scope MkdirAll to stay inside the rootfs"), followed by commit
dd827f7 ("utils: switch to securejoin.MkdirAllHandle"). However, we
still used SecureJoin to construct mountpoint targets, which means that
dangling symlinks were "resolved" before reaching pathrs-lite.

This patch basically re-adds this hack in order to reduce the breakages
we've seen so far.

Signed-off-by: Aleksa Sarai <[email protected]>

Author: cyphar

libcontainer/rootfs_linux.go

@@ -532,6 +532,17 @@ func (m *mountEntry) createOpenMountpoint(rootfs string) (Err error) {
 			dstIsFile = !fi.IsDir()
 		}
 
+		// In previous runc versions, we would tolerate nonsense paths with
+		// dangling symlinks as path components. pathrs-lite does not support
+		// this, so instead we have to emulate this behaviour by doing
+		// SecureJoin *purely to get a semi-reasonable path to use* and then we
+		// use pathrs-lite to operate on the path safely.
+		newUnsafePath, err := securejoin.SecureJoin(rootfs, unsafePath)
+		if err != nil {
+			return err
+		}
+		unsafePath = utils.StripRoot(rootfs, newUnsafePath)
+
 		if dstIsFile {
 			dstFile, err = pathrs.CreateInRoot(rootfs, unsafePath, unix.O_CREAT|unix.O_EXCL|unix.O_NOFOLLOW, 0o644)
 		} else {