fix(3207, 3209) Difference between the exec command in runc and youki (#3210)

* chore(deps): bump the patch group with 4 updates

Bumps the patch group with 4 updates: [libc](https://github.com/rust-lang/libc), [clap](https://github.com/clap-rs/clap), [serde_json](https://github.com/serde-rs/json) and [clap_complete](https://github.com/clap-rs/clap).


Updates `libc` from 0.2.174 to 0.2.175
- [Release notes](https://github.com/rust-lang/libc/releases)
- [Changelog](https://github.com/rust-lang/libc/blob/0.2.175/CHANGELOG.md)
- [Commits](rust-lang/libc@0.2.174...0.2.175)

Updates `clap` from 4.5.4 to 4.5.13
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](clap-rs/clap@clap_complete-v4.5.4...clap_complete-v4.5.13)

Updates `serde_json` from 1.0.141 to 1.0.142
- [Release notes](https://github.com/serde-rs/json/releases)
- [Commits](serde-rs/json@v1.0.141...v1.0.142)

Updates `clap_complete` from 4.5.1 to 4.5.13
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](clap-rs/clap@clap_complete-v4.5.1...clap_complete-v4.5.13)

---
updated-dependencies:
- dependency-name: libc
  dependency-version: 0.2.175
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch
- dependency-name: clap
  dependency-version: 4.5.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch
- dependency-name: serde_json
  dependency-version: 1.0.142
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch
- dependency-name: clap_complete
  dependency-version: 4.5.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump the patch group with 3 updates

Bumps the patch group with 3 updates: [oci-spec](https://github.com/youki-dev/oci-spec-rs), [thiserror](https://github.com/dtolnay/thiserror) and [anyhow](https://github.com/dtolnay/anyhow).


Updates `oci-spec` from 0.8.1 to 0.8.2
- [Changelog](https://github.com/youki-dev/oci-spec-rs/blob/main/release.md)
- [Commits](youki-dev/oci-spec-rs@v0.8.1...v0.8.2)

Updates `thiserror` from 2.0.12 to 2.0.14
- [Release notes](https://github.com/dtolnay/thiserror/releases)
- [Commits](dtolnay/thiserror@2.0.12...2.0.14)

Updates `anyhow` from 1.0.98 to 1.0.99
- [Release notes](https://github.com/dtolnay/anyhow/releases)
- [Commits](dtolnay/anyhow@1.0.98...1.0.99)

---
updated-dependencies:
- dependency-name: oci-spec
  dependency-version: 0.8.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch
- dependency-name: thiserror
  dependency-version: 2.0.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch
- dependency-name: anyhow
  dependency-version: 1.0.99
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* add exec command with_capabilities

Signed-off-by: tommady <tommady@users.noreply.github.com>

* add exec command with_ignore_paused

Signed-off-by: tommady <tommady@users.noreply.github.com>

* fix issue 3209 and change exec arg cgroup from Option of string into Option of vector of string

Signed-off-by: tommady <tommady@users.noreply.github.com>

* add exec command with_cgroup

Signed-off-by: tommady <tommady@users.noreply.github.com>

* add exec command with_process_label, but youki does not support selinux yet

Signed-off-by: tommady <tommady@users.noreply.github.com>

* add exec command with_preserve_fds

Signed-off-by: tommady <tommady@users.noreply.github.com>

* add exec command with_apparmor

Signed-off-by: tommady <tommady@users.noreply.github.com>

* fix build error

Signed-off-by: tommady <tommady@users.noreply.github.com>

* fix build error

Signed-off-by: tommady <tommady@users.noreply.github.com>

* add preserve-fds test

Signed-off-by: tommady <tommady@users.noreply.github.com>

* chore(deps): bump thiserror from 2.0.14 to 2.0.15 in the patch group

Bumps the patch group with 1 update: [thiserror](https://github.com/dtolnay/thiserror).


Updates `thiserror` from 2.0.14 to 2.0.15
- [Release notes](https://github.com/dtolnay/thiserror/releases)
- [Commits](dtolnay/thiserror@2.0.14...2.0.15)

---
updated-dependencies:
- dependency-name: thiserror
  dependency-version: 2.0.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump serde_json from 1.0.142 to 1.0.143 in the patch group

Bumps the patch group with 1 update: [serde_json](https://github.com/serde-rs/json).


Updates `serde_json` from 1.0.142 to 1.0.143
- [Release notes](https://github.com/serde-rs/json/releases)
- [Commits](serde-rs/json@v1.0.142...v1.0.143)

---
updated-dependencies:
- dependency-name: serde_json
  dependency-version: 1.0.143
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix preserve_fds_test flank failure

Signed-off-by: tommady <tommady@users.noreply.github.com>

* chore(deps): bump thiserror from 2.0.15 to 2.0.16 in the patch group

Bumps the patch group with 1 update: [thiserror](https://github.com/dtolnay/thiserror).


Updates `thiserror` from 2.0.15 to 2.0.16
- [Release notes](https://github.com/dtolnay/thiserror/releases)
- [Commits](dtolnay/thiserror@2.0.15...2.0.16)

---
updated-dependencies:
- dependency-name: thiserror
  dependency-version: 2.0.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* add --ignore-paused e2e test

Signed-off-by: tommady <tommady@users.noreply.github.com>

* chore(deps): bump regex from 1.11.1 to 1.11.2 in the patch group

Bumps the patch group with 1 update: [regex](https://github.com/rust-lang/regex).


Updates `regex` from 1.11.1 to 1.11.2
- [Release notes](https://github.com/rust-lang/regex/releases)
- [Changelog](https://github.com/rust-lang/regex/blob/master/CHANGELOG.md)
- [Commits](rust-lang/regex@1.11.1...1.11.2)

---
updated-dependencies:
- dependency-name: regex
  dependency-version: 1.11.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump tracing-subscriber in the patch group

Bumps the patch group with 1 update: [tracing-subscriber](https://github.com/tokio-rs/tracing).


Updates `tracing-subscriber` from 0.3.19 to 0.3.20
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](tokio-rs/tracing@tracing-subscriber-0.3.19...tracing-subscriber-0.3.20)

---
updated-dependencies:
- dependency-name: tracing-subscriber
  dependency-version: 0.3.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump chrono from 0.4.41 to 0.4.42 in the patch group

Bumps the patch group with 1 update: [chrono](https://github.com/chronotope/chrono).


Updates `chrono` from 0.4.41 to 0.4.42
- [Release notes](https://github.com/chronotope/chrono/releases)
- [Changelog](https://github.com/chronotope/chrono/blob/main/CHANGELOG.md)
- [Commits](chronotope/chrono@v0.4.41...v0.4.42)

---
updated-dependencies:
- dependency-name: chrono
  dependency-version: 0.4.42
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump errno from 0.3.13 to 0.3.14 in the patch group

Bumps the patch group with 1 update: [errno](https://github.com/lambda-fairy/rust-errno).


Updates `errno` from 0.3.13 to 0.3.14
- [Release notes](https://github.com/lambda-fairy/rust-errno/releases)
- [Changelog](https://github.com/lambda-fairy/rust-errno/blob/main/CHANGELOG.md)
- [Commits](https://github.com/lambda-fairy/rust-errno/commits)

---
updated-dependencies:
- dependency-name: errno
  dependency-version: 0.3.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* add cgroup tests

Signed-off-by: tommady <tommady@users.noreply.github.com>

* chore(deps): bump the patch group with 2 updates

Bumps the patch group with 2 updates: [serde](https://github.com/serde-rs/serde) and [serde_json](https://github.com/serde-rs/json).


Updates `serde` from 1.0.219 to 1.0.223
- [Release notes](https://github.com/serde-rs/serde/releases)
- [Commits](serde-rs/serde@v1.0.219...v1.0.223)

Updates `serde_json` from 1.0.143 to 1.0.145
- [Release notes](https://github.com/serde-rs/json/releases)
- [Commits](serde-rs/json@v1.0.143...v1.0.145)

---
updated-dependencies:
- dependency-name: serde
  dependency-version: 1.0.223
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch
- dependency-name: serde_json
  dependency-version: 1.0.145
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump serde from 1.0.223 to 1.0.225 in the patch group

Bumps the patch group with 1 update: [serde](https://github.com/serde-rs/serde).


Updates `serde` from 1.0.223 to 1.0.225
- [Release notes](https://github.com/serde-rs/serde/releases)
- [Commits](serde-rs/serde@v1.0.223...v1.0.225)

---
updated-dependencies:
- dependency-name: serde
  dependency-version: 1.0.225
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix linter

Signed-off-by: tommady <tommady@users.noreply.github.com>

* fix validate tests on runc

Signed-off-by: tommady <tommady@users.noreply.github.com>

* add no capability test

Signed-off-by: tommady <tommady@users.noreply.github.com>

* add new_privileges test

Signed-off-by: tommady <tommady@users.noreply.github.com>

* add ignoring for typo of checking the CapInh

Signed-off-by: tommady <tommady@users.noreply.github.com>

* add some_capabilities test

Signed-off-by: tommady <tommady@users.noreply.github.com>

* add capabilities_by_flag test

Signed-off-by: tommady <tommady@users.noreply.github.com>

* address comment change to use utils normalize

Signed-off-by: tommady <tommady@users.noreply.github.com>

* address comment add comment for cap test to more detail description

Signed-off-by: tommady <tommady@users.noreply.github.com>

* add more part of the cgroup tests request from saku3

Signed-off-by: tommady <tommady@users.noreply.github.com>

* fix linter

Signed-off-by: tommady <tommady@users.noreply.github.com>

* add TODO comment for exec/cgroup_test.rs tests

Signed-off-by: tommady <tommady@users.noreply.github.com>

* fix linter

Signed-off-by: tommady <tommady@users.noreply.github.com>

* address comments

Signed-off-by: tommady <tommady@users.noreply.github.com>

* enhance ignore_paused_test.rs to ensure exec init then resume after

Signed-off-by: tommady <tommady@users.noreply.github.com>

* add -skip TestImagePullSchema1 since it is officially deprecated

Signed-off-by: tommady <tommady@users.noreply.github.com>

* fix potential race condition in init process channel

Signed-off-by: tommady <tommady@users.noreply.github.com>

* undo e2e workflow format

Signed-off-by: tommady <tommady@users.noreply.github.com>

* undo e2e workflow format

Signed-off-by: tommady <tommady@users.noreply.github.com>

* undo e2e workflow format

Signed-off-by: tommady <tommady@users.noreply.github.com>

* address comment

Signed-off-by: tommady <tommady@users.noreply.github.com>

* address comment fix up e2e.yaml format

Signed-off-by: tommady <tommady@users.noreply.github.com>

* address comment fix up e2e.yaml format

Signed-off-by: tommady <tommady@users.noreply.github.com>

* address comment fix up e2e.yaml format

Signed-off-by: tommady <tommady@users.noreply.github.com>

* fix failures of merge main

Signed-off-by: tommady <tommady@users.noreply.github.com>

* fix test-contest exec after merge main

Signed-off-by: tommady <tommady@users.noreply.github.com>

* try to fix x86_64 musl failure

Signed-off-by: tommady <tommady@users.noreply.github.com>

* add code comment for preserve_fds_test.rs

Signed-off-by: tommady <tommady@users.noreply.github.com>

* address comment: fix logic bug in container state validation

Signed-off-by: tommady <tommady@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: tommady <tommady@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: 3 people

.typos.toml

@@ -13,6 +13,10 @@ extend-exclude = [
 # instance than write a regex.
 569d5ce3afe1074769f67 = "569d5ce3afe1074769f67"
 
+[default.extend-words]
+# This is the capabilities used in the exec integration test
+Inh = "Inh"
+
 [type.rust.extend-words]
 ser = "ser"
 flate = "flate"

crates/libcontainer/src/container/builder_impl.rs

@@ -17,6 +17,7 @@ use crate::process::{self};
 use crate::syscall::syscall::SyscallType;
 use crate::user_ns::UserNamespaceConfig;
 use crate::utils;
+use crate::utils::PathBufExt;
 use crate::workload::Executor;
 
 pub(super) struct ContainerBuilderImpl {
@@ -59,6 +60,12 @@ pub(super) struct ContainerBuilderImpl {
     pub stderr: Option<OwnedFd>,
     // Indicate if the init process should be a sibling of the main process.
     pub as_sibling: bool,
+    // Run the process in an (existing) sub-cgroup(s)
+    pub sub_cgroup_path: Option<String>,
+    // Asm process label for the process commonly used with selinux.
+    // TODO: youki does not support selinux yet
+    #[allow(dead_code)]
+    pub process_label: Option<String>,
 }
 
 impl ContainerBuilderImpl {
@@ -85,9 +92,26 @@ impl ContainerBuilderImpl {
 
     fn run_container(&mut self) -> Result<Pid, LibcontainerError> {
         let linux = self.spec.linux().as_ref().ok_or(MissingSpecError::Linux)?;
-        let cgroups_path = utils::get_cgroup_path(linux.cgroups_path(), &self.container_id);
+        let base_cgroups_path = utils::get_cgroup_path(linux.cgroups_path(), &self.container_id);
+        let mut final_cgroups_path = base_cgroups_path;
+
+        if let Some(sub_cgroup_path) = &self.sub_cgroup_path {
+            if sub_cgroup_path != "/" {
+                let potential_path = final_cgroups_path.join(sub_cgroup_path);
+                let normalized = potential_path.normalize();
+
+                if !normalized.starts_with(&final_cgroups_path) {
+                    return Err(LibcontainerError::OtherCgroup(format!(
+                        "{} is not a sub cgroup path",
+                        sub_cgroup_path
+                    )));
+                }
+                final_cgroups_path = normalized;
+            }
+        }
+
         let cgroup_config = libcgroups::common::CgroupConfig {
-            cgroup_path: cgroups_path,
+            cgroup_path: final_cgroups_path,
             systemd_cgroup: self.use_systemd || self.user_ns_config.is_some(),
             container_name: self.container_id.to_owned(),
         };

crates/libcontainer/src/container/init_builder.rs

@@ -117,6 +117,8 @@ impl InitContainerBuilder {
             stdout: self.base.stdout,
             stderr: self.base.stderr,
             as_sibling: self.as_sibling,
+            sub_cgroup_path: None,
+            process_label: None,
         };
 
         builder_impl.create()?;

crates/libcontainer/src/container/tenant_builder.rs

@@ -21,6 +21,7 @@ use procfs::process::Namespace;
 use super::Container;
 use super::builder::ContainerBuilder;
 use crate::capabilities::CapabilityExt;
+use crate::container::ContainerStatus;
 use crate::container::builder_impl::ContainerBuilderImpl;
 use crate::error::{ErrInvalidSpec, LibcontainerError, MissingSpecError};
 use crate::notify_socket::NotifySocket;
@@ -48,6 +49,10 @@ pub struct TenantContainerBuilder {
     additional_gids: Vec<u32>,
     user: Option<u32>,
     group: Option<u32>,
+    ignore_paused: bool,
+    sub_cgroup: Option<String>,
+    process_label: Option<String>,
+    apparmor: Option<String>,
 }
 
 /// This is a helper function to get capabilities for tenant container, based on
@@ -143,6 +148,10 @@ impl TenantContainerBuilder {
             additional_gids: vec![],
             user: None,
             group: None,
+            ignore_paused: false,
+            sub_cgroup: None,
+            process_label: None,
+            apparmor: None,
         }
     }
 
@@ -206,6 +215,26 @@ impl TenantContainerBuilder {
         self
     }
 
+    pub fn with_ignore_paused(mut self, ignore_paused: bool) -> Self {
+        self.ignore_paused = ignore_paused;
+        self
+    }
+
+    pub fn with_sub_cgroup(mut self, sub_cgroup: Option<String>) -> Self {
+        self.sub_cgroup = sub_cgroup;
+        self
+    }
+
+    pub fn with_process_label(mut self, process_label: Option<String>) -> Self {
+        self.process_label = process_label;
+        self
+    }
+
+    pub fn with_apparmor(mut self, apparmor: Option<String>) -> Self {
+        self.apparmor = apparmor;
+        self
+    }
+
     /// Joins an existing container
     pub fn build(self) -> Result<Pid, LibcontainerError> {
         let container_dir = self.lookup_container_dir()?;
@@ -252,6 +281,8 @@ impl TenantContainerBuilder {
             stdout: self.base.stdout,
             stderr: self.base.stderr,
             as_sibling: self.as_sibling,
+            sub_cgroup_path: self.sub_cgroup,
+            process_label: self.process_label,
         };
 
         let pid = builder_impl.create()?;
@@ -419,12 +450,15 @@ impl TenantContainerBuilder {
 
     fn load_container_state(&self, container_dir: PathBuf) -> Result<Container, LibcontainerError> {
         let container = Container::load(container_dir)?;
-        if !container.can_exec() {
-            tracing::error!(status = ?container.status(), "cannot exec as container");
-            return Err(LibcontainerError::IncorrectStatus(container.status()));
-        }
 
-        Ok(container)
+        match container.status() {
+            ContainerStatus::Running => Ok(container),
+            ContainerStatus::Paused if self.ignore_paused => Ok(container),
+            _ => {
+                tracing::error!(status = ?container.status(), "cannot exec: invalid container state");
+                Err(LibcontainerError::IncorrectStatus(container.status()))
+            }
+        }
     }
 
     fn adapt_spec_for_tenant(
@@ -454,10 +488,14 @@ impl TenantContainerBuilder {
                 }
             }
 
-            if let Some(no_new_priv) = self.get_no_new_privileges() {
+            if let Some(no_new_priv) = self.get_no_new_privileges(spec) {
                 process_builder = process_builder.no_new_privileges(no_new_priv);
             }
 
+            if let Some(ref apparmor) = self.apparmor {
+                process_builder = process_builder.apparmor_profile(apparmor)
+            }
+
             let capabilities = get_capabilities(&self.capabilities, spec)?;
             process_builder = process_builder.capabilities(capabilities);
 
@@ -564,8 +602,10 @@ impl TenantContainerBuilder {
         env
     }
 
-    fn get_no_new_privileges(&self) -> Option<bool> {
+    fn get_no_new_privileges(&self, spec: &Spec) -> Option<bool> {
         self.no_new_privs
+            .filter(|&is_set| is_set)
+            .or_else(|| spec.process().as_ref().and_then(|p| p.no_new_privileges()))
     }
 
     fn get_namespaces(

crates/liboci-cli/src/exec.rs

@@ -55,11 +55,9 @@ pub struct Exec {
     /// Execute a process in a sub-cgroup
     #[clap(long)]
     pub cgroup: Option<String>,
-
     /// Container identifier
     #[clap(value_parser = clap::builder::NonEmptyStringValueParser::new(), required = true)]
     pub container_id: String,
-
     /// Command that should be executed in the container
     #[clap(required = false, trailing_var_arg = true)]
     pub command: Vec<String>,

crates/youki/src/commands/exec.rs

@@ -9,8 +9,6 @@ use nix::sys::wait::{WaitStatus, waitpid};
 use crate::workload::executor::default_executor;
 
 pub fn exec(args: Exec, root_path: PathBuf) -> Result<i32> {
-    // TODO: not all values from exec are used here. We need to support
-    // the remaining ones.
     let user = args.user.map(|(u, _)| u);
     let group = args.user.and_then(|(_, g)| g);
 
@@ -19,6 +17,7 @@ pub fn exec(args: Exec, root_path: PathBuf) -> Result<i32> {
         .with_root_path(root_path)?
         .with_console_socket(args.console_socket.as_ref())
         .with_pid_file(args.pid_file.as_ref())?
+        .with_preserved_fds(args.preserve_fds)
         .validate_id()?
         .as_tenant()
         .with_detach(args.detach)
@@ -30,6 +29,10 @@ pub fn exec(args: Exec, root_path: PathBuf) -> Result<i32> {
         .with_additional_gids(args.additional_gids)
         .with_user(user)
         .with_group(group)
+        .with_capabilities(args.cap)
+        .with_ignore_paused(args.ignore_paused)
+        .with_sub_cgroup(args.cgroup)
+        .with_apparmor(args.apparmor)
         .build()?;
 
     // See https://github.com/youki-dev/youki/pull/1252 for a detailed explanation