Merge pull request #4900 from lifubang/fix-Personality-seccomp

kolyshkin · web-flow · commit 7d81b21c1a9a · 2025-09-25T16:59:28.000-07:00
libct: setup personality before initializing seccomp
diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
@@ -80,6 +80,14 @@ func (l *linuxSetnsInit) Init() error {
 	if err := setupIOPriority(l.config); err != nil {
 		return err
 	}
+
+	// Set personality if specified.
+	if l.config.Config.Personality != nil {
+		if err := setupPersonality(l.config.Config); err != nil {
+			return err
+		}
+	}
+
 	// Tell our parent that we're ready to exec. This must be done before the
 	// Seccomp rules have been applied, because we need to be able to read and
 	// write to a socket.
@@ -110,11 +118,6 @@ func (l *linuxSetnsInit) Init() error {
 	if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
 		return err
 	}
-	if l.config.Config.Personality != nil {
-		if err := setupPersonality(l.config.Config); err != nil {
-			return err
-		}
-	}
 	// Check for the arg early to make sure it exists.
 	name, err := exec.LookPath(l.config.Args[0])
 	if err != nil {
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
@@ -164,6 +164,13 @@ func (l *linuxStandardInit) Init() error {
 		return err
 	}
 
+	// Set personality if specified.
+	if l.config.Config.Personality != nil {
+		if err := setupPersonality(l.config.Config); err != nil {
+			return err
+		}
+	}
+
 	// Tell our parent that we're ready to exec. This must be done before the
 	// Seccomp rules have been applied, because we need to be able to read and
 	// write to a socket.
@@ -238,13 +245,6 @@ func (l *linuxStandardInit) Init() error {
 		}
 	}
 
-	// Set personality if specified.
-	if l.config.Config.Personality != nil {
-		if err := setupPersonality(l.config.Config); err != nil {
-			return err
-		}
-	}
-
 	// Close the pipe to signal that we have completed our init.
 	logrus.Debugf("init: closing the pipe to signal completion")
 	_ = l.pipe.Close()
diff --git a/tests/integration/personality.bats b/tests/integration/personality.bats
@@ -62,3 +62,21 @@ function teardown() {
 	[ "$status" -eq 0 ]
 	[[ "$output" == *"x86_64"* ]]
 }
+
+# check that personality can be set when the personality syscall is blocked by seccomp
+@test "runc run with personality syscall blocked by seccomp" {
+	update_config '
+      .linux.personality = {
+                "domain": "LINUX",
+      }
+	  | .linux.seccomp = {
+                "defaultAction":"SCMP_ACT_ALLOW",
+                "syscalls":[{"names":["personality"], "action":"SCMP_ACT_ERRNO"}]
+	  }'
+
+	runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
+	[ "$status" -eq 0 ]
+	runc exec test_busybox /bin/sh -c "uname -a"
+	[ "$status" -eq 0 ]
+	[[ "$output" == *"x86_64"* ]]
+}
