Merge pull request opencontainers#1893 from cyphar/keyctl-ignore-enosys

Mrunal Patel · web-flow · commit 2abd837c8c25 · 2018-09-25T13:35:16.000-07:00
keyring: handle ENOSYS with keyctl(KEYCTL_JOIN_SESSION_KEYRING)
diff --git a/libcontainer/keys/keyctl.go b/libcontainer/keys/keyctl.go
@@ -7,6 +7,8 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/pkg/errors"
+
 	"golang.org/x/sys/unix"
 )
 
@@ -15,7 +17,7 @@ type KeySerial uint32
 func JoinSessionKeyring(name string) (KeySerial, error) {
 	sessKeyId, err := unix.KeyctlJoinSessionKeyring(name)
 	if err != nil {
-		return 0, fmt.Errorf("could not create session key: %v", err)
+		return 0, errors.Wrap(err, "create session key")
 	}
 	return KeySerial(sessKeyId), nil
 }
diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
@@ -11,6 +11,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 	"github.com/opencontainers/runc/libcontainer/system"
 	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/pkg/errors"
 
 	"golang.org/x/sys/unix"
 )
@@ -29,9 +30,15 @@ func (l *linuxSetnsInit) getSessionRingName() string {
 
 func (l *linuxSetnsInit) Init() error {
 	if !l.config.Config.NoNewKeyring {
-		// do not inherit the parent's session keyring
+		// Do not inherit the parent's session keyring.
 		if _, err := keys.JoinSessionKeyring(l.getSessionRingName()); err != nil {
-			return err
+			// Same justification as in standart_init_linux.go as to why we
+			// don't bail on ENOSYS.
+			//
+			// TODO(cyphar): And we should have logging here too.
+			if errors.Cause(err) != unix.ENOSYS {
+				return errors.Wrap(err, "join session keyring")
+			}
 		}
 	}
 	if l.config.CreateConsole {
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
@@ -48,13 +48,25 @@ func (l *linuxStandardInit) Init() error {
 		ringname, keepperms, newperms := l.getSessionRingParams()
 
 		// Do not inherit the parent's session keyring.
-		sessKeyId, err := keys.JoinSessionKeyring(ringname)
-		if err != nil {
-			return errors.Wrap(err, "join session keyring")
-		}
-		// Make session keyring searcheable.
-		if err := keys.ModKeyringPerm(sessKeyId, keepperms, newperms); err != nil {
-			return errors.Wrap(err, "mod keyring permissions")
+		if sessKeyId, err := keys.JoinSessionKeyring(ringname); err != nil {
+			// If keyrings aren't supported then it is likely we are on an
+			// older kernel (or inside an LXC container). While we could bail,
+			// the security feature we are using here is best-effort (it only
+			// really provides marignal protection since VFS credentials are
+			// the only significant protection of keyrings).
+			//
+			// TODO(cyphar): Log this so people know what's going on, once we
+			//               have proper logging in 'runc init'.
+			if errors.Cause(err) != unix.ENOSYS {
+				return errors.Wrap(err, "join session keyring")
+			}
+		} else {
+			// Make session keyring searcheable. If we've gotten this far we
+			// bail on any error -- we don't want to have a keyring with bad
+			// permissions.
+			if err := keys.ModKeyringPerm(sessKeyId, keepperms, newperms); err != nil {
+				return errors.Wrap(err, "mod keyring permissions")
+			}
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,8 @@ import (`
`7`	`7`	`"strconv"`
`8`	`8`	`"strings"`
`9`	`9`
	`10`	`+ "github.com/pkg/errors"`
	`11`	`+`
`10`	`12`	`"golang.org/x/sys/unix"`
`11`	`13`	`)`
`12`	`14`
`@@ -15,7 +17,7 @@ type KeySerial uint32`
`15`	`17`	`func JoinSessionKeyring(name string) (KeySerial, error) {`
`16`	`18`	`sessKeyId, err := unix.KeyctlJoinSessionKeyring(name)`
`17`	`19`	`if err != nil {`
`18`		`- return 0, fmt.Errorf("could not create session key: %v", err)`
	`20`	`+ return 0, errors.Wrap(err, "create session key")`
`19`	`21`	`}`
`20`	`22`	`return KeySerial(sessKeyId), nil`
`21`	`23`	`}`