Merge pull request #3912 from cpuguy83/fix_tmpfs_mode

Fix tmpfs mode opts when dir already exists
opencontainers · Jun 28, 2023 · e42446f · e42446f
2 parents f9bd4a5 + 9fa8b9d
commit e42446f
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 12 deletions.
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
@@ -443,11 +443,16 @@ func mountToRootfs(c *mountConfig, m mountEntry) error {
 		}
 		return label.SetFileLabel(dest, mountLabel)
 	case "tmpfs":
-		stat, err := os.Stat(dest)
-		if err != nil {
+		if stat, err := os.Stat(dest); err != nil {
 			if err := os.MkdirAll(dest, 0o755); err != nil {
 				return err
 			}
+		} else {
+			dt := fmt.Sprintf("mode=%04o", stat.Mode())
+			if m.Data != "" {
+				dt = dt + "," + m.Data
+			}
+			m.Data = dt
 		}
 
 		if m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP {
@@ -456,16 +461,7 @@ func mountToRootfs(c *mountConfig, m mountEntry) error {
 			err = mountPropagate(m, rootfs, mountLabel)
 		}
 
-		if err != nil {
-			return err
-		}
-
-		if stat != nil {
-			if err = os.Chmod(dest, stat.Mode()); err != nil {
-				return err
-			}
-		}
-		return nil
+		return err
 	case "bind":
 		if err := prepareBindMount(m, rootfs); err != nil {
 			return err

diff --git a/tests/integration/run.bats b/tests/integration/run.bats
@@ -76,3 +76,37 @@ function teardown() {
 	[ "$status" -eq 0 ]
 	[[ "${lines[0]}" == *'mydomainname'* ]]
 }
+
+@test "runc run with tmpfs perms" {
+	# shellcheck disable=SC2016
+	update_config '.process.args = ["sh", "-c", "stat -c %a /tmp/test"]'
+	update_config '.mounts += [{"destination": "/tmp/test", "type": "tmpfs", "source": "tmpfs", "options": ["mode=0444"]}]'
+
+	# Directory is to be created by runc.
+	runc run test_tmpfs
+	[ "$status" -eq 0 ]
+	[ "$output" = "444" ]
+
+	# Run a 2nd time with the pre-existing directory.
+	# Ref: https://github.com/opencontainers/runc/issues/3911
+	runc run test_tmpfs
+	[ "$status" -eq 0 ]
+	[ "$output" = "444" ]
+
+	# Existing directory, custom perms, no mode on the mount,
+	# so it should use the directory's perms.
+	update_config '.mounts[-1].options = []'
+	chmod 0710 rootfs/tmp/test
+	# shellcheck disable=SC2016
+	runc run test_tmpfs
+	[ "$status" -eq 0 ]
+	[ "$output" = "710" ]
+
+	# Add back the mode on the mount, and it should use that instead.
+	# Just for fun, use different perms than was used earlier.
+	# shellcheck disable=SC2016
+	update_config '.mounts[-1].options = ["mode=0410"]'
+	runc run test_tmpfs
+	[ "$status" -eq 0 ]
+	[ "$output" = "410" ]
+}