Fix fifo usage with userns

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

libcontainer/factory_linux.go

@@ -159,16 +159,34 @@ func (l *LinuxFactory) Create(id string, config *configs.Config) (Container, err
 	if err := l.Validator.Validate(config); err != nil {
 		return nil, newGenericError(err, ConfigInvalid)
 	}
+	uid, err := config.HostUID()
+	if err != nil {
+		return nil, newGenericError(err, SystemError)
+	}
+	gid, err := config.HostGID()
+	if err != nil {
+		return nil, newGenericError(err, SystemError)
+	}
 	containerRoot := filepath.Join(l.Root, id)
 	if _, err := os.Stat(containerRoot); err == nil {
 		return nil, newGenericError(fmt.Errorf("container with id exists: %v", id), IdInUse)
 	} else if !os.IsNotExist(err) {
 		return nil, newGenericError(err, SystemError)
 	}
-	if err := os.MkdirAll(containerRoot, 0700); err != nil {
+	if err := os.MkdirAll(containerRoot, 0711); err != nil {
 		return nil, newGenericError(err, SystemError)
 	}
-	if err := syscall.Mkfifo(filepath.Join(containerRoot, execFifoFilename), 0666); err != nil {
+	if err := os.Chown(containerRoot, uid, gid); err != nil {
+		return nil, newGenericError(err, SystemError)
+	}
+	fifoName := filepath.Join(containerRoot, execFifoFilename)
+	oldMask := syscall.Umask(0000)
+	if err := syscall.Mkfifo(fifoName, 0622); err != nil {
+		syscall.Umask(oldMask)
+		return nil, newGenericError(err, SystemError)
+	}
+	syscall.Umask(oldMask)
+	if err := os.Chown(fifoName, uid, gid); err != nil {
 		return nil, newGenericError(err, SystemError)
 	}
 	c := &linuxContainer{
@@ -252,11 +270,11 @@ func (l *LinuxFactory) StartInitialization() (err error) {
 		// this defer function will never be called.
 		if _, ok := i.(*linuxStandardInit); ok {
 			//  Synchronisation only necessary for standard init.
-			if err := utils.WriteJSON(pipe, syncT{procError}); err != nil {
+			if werr := utils.WriteJSON(pipe, syncT{procError}); werr != nil {
 				panic(err)
 			}
 		}
-		if err := utils.WriteJSON(pipe, newSystemError(err)); err != nil {
+		if werr := utils.WriteJSON(pipe, newSystemError(err)); werr != nil {
 			panic(err)
 		}
 		// ensure that this pipe is always closed

libcontainer/standard_init_linux.go

@@ -161,15 +161,18 @@ func (l *linuxStandardInit) Init() error {
 	// exec'ing the users process.
 	fd, err := syscall.Openat(l.stateDirFD, execFifoFilename, os.O_WRONLY|syscall.O_CLOEXEC, 0)
 	if err != nil {
-		return err
+		return newSystemErrorWithCause(err, "openat exec fifo")
 	}
 	if _, err := syscall.Write(fd, []byte("0")); err != nil {
-		return err
+		return newSystemErrorWithCause(err, "write 0 exec fifo")
 	}
 	if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {
 		if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
-			return err
+			return newSystemErrorWithCause(err, "init seccomp")
 		}
 	}
-	return syscall.Exec(name, l.config.Args[0:], os.Environ())
+	if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
+		return newSystemErrorWithCause(err, "exec user process")
+	}
+	return nil
 }