libct/nsenter: become root after joining userns

Containerd pre-creates userns and netns before calling runc, which results in the current code not working when SELinux is enabled, resulting in the following error: > runc create failed: unable to start container process: error during container init: error mounting "mqueue" to rootfs at "/dev/mqueue": setxattr /path/to/rootfs/dev/mqueue: operation not permitted The solution is to become root in the user namespace right after we join it. Fixes 4473. Co-authored-by: Wei Fu <[email protected]> Co-authored-by: Kir Kolyshkin <[email protected]> Signed-off-by: lifubang <[email protected]>
opencontainers · Oct 25, 2024 · 1771ca7 · 1771ca7
1 parent d545279
commit 1771ca7
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
@@ -505,6 +505,12 @@ void join_namespaces(char *nslist)
 		if (setns(ns->fd, flag) < 0)
 			bail("failed to setns into %s namespace", ns->type);
 
+		/* See https://github.com/opencontainers/runc/issues/4466. */
+		if (flag == CLONE_NEWUSER) {
+			if (setresuid(0, 0, 0) < 0)
+				bail("failed to become root in user namespace");
+		}
+
 		close(ns->fd);
 	}