diff --git a/libcontainer/factory_linux.go b/libcontainer/factory_linux.go index c00fb459..5f7b0064 100644 --- a/libcontainer/factory_linux.go +++ b/libcontainer/factory_linux.go @@ -159,16 +159,34 @@ func (l *LinuxFactory) Create(id string, config *configs.Config) (Container, err if err := l.Validator.Validate(config); err != nil { return nil, newGenericError(err, ConfigInvalid) } + uid, err := config.HostUID() + if err != nil { + return nil, newGenericError(err, SystemError) + } + gid, err := config.HostGID() + if err != nil { + return nil, newGenericError(err, SystemError) + } containerRoot := filepath.Join(l.Root, id) if _, err := os.Stat(containerRoot); err == nil { return nil, newGenericError(fmt.Errorf("container with id exists: %v", id), IdInUse) } else if !os.IsNotExist(err) { return nil, newGenericError(err, SystemError) } - if err := os.MkdirAll(containerRoot, 0700); err != nil { + if err := os.MkdirAll(containerRoot, 0711); err != nil { return nil, newGenericError(err, SystemError) } - if err := syscall.Mkfifo(filepath.Join(containerRoot, execFifoFilename), 0666); err != nil { + if err := os.Chown(containerRoot, uid, gid); err != nil { + return nil, newGenericError(err, SystemError) + } + fifoName := filepath.Join(containerRoot, execFifoFilename) + oldMask := syscall.Umask(0000) + if err := syscall.Mkfifo(fifoName, 0622); err != nil { + syscall.Umask(oldMask) + return nil, newGenericError(err, SystemError) + } + syscall.Umask(oldMask) + if err := os.Chown(fifoName, uid, gid); err != nil { return nil, newGenericError(err, SystemError) } c := &linuxContainer{ @@ -252,11 +270,11 @@ func (l *LinuxFactory) StartInitialization() (err error) { // this defer function will never be called. if _, ok := i.(*linuxStandardInit); ok { // Synchronisation only necessary for standard init. - if err := utils.WriteJSON(pipe, syncT{procError}); err != nil { + if werr := utils.WriteJSON(pipe, syncT{procError}); werr != nil { panic(err) } } - if err := utils.WriteJSON(pipe, newSystemError(err)); err != nil { + if werr := utils.WriteJSON(pipe, newSystemError(err)); werr != nil { panic(err) } // ensure that this pipe is always closed diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go index 14fbf636..b3ff6a0e 100644 --- a/libcontainer/standard_init_linux.go +++ b/libcontainer/standard_init_linux.go @@ -161,15 +161,18 @@ func (l *linuxStandardInit) Init() error { // exec'ing the users process. fd, err := syscall.Openat(l.stateDirFD, execFifoFilename, os.O_WRONLY|syscall.O_CLOEXEC, 0) if err != nil { - return err + return newSystemErrorWithCause(err, "openat exec fifo") } if _, err := syscall.Write(fd, []byte("0")); err != nil { - return err + return newSystemErrorWithCause(err, "write 0 exec fifo") } if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges { if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil { - return err + return newSystemErrorWithCause(err, "init seccomp") } } - return syscall.Exec(name, l.config.Args[0:], os.Environ()) + if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil { + return newSystemErrorWithCause(err, "exec user process") + } + return nil }