|
| 1 | +From 46223b256bfb3f42e193d947d1b1ef551260749f Mon Sep 17 00:00:00 2001 |
| 2 | +From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> |
| 3 | +Date: Mon, 27 Oct 2025 16:42:59 +0900 |
| 4 | +Subject: [PATCH] Fix directory permissions |
| 5 | + |
| 6 | +- Create /var/lib/containerd with 0o700 (was: 0o711). |
| 7 | +- Create config.TempDir with 0o700 (was: 0o711). |
| 8 | +- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755). |
| 9 | +- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711). |
| 10 | +- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711, |
| 11 | + as required by userns-remapped containers. |
| 12 | + /run/containerd/io.containerd.runtime.v2.task/<NS>/<ID> is created with: |
| 13 | + - 0o700 for non-userns-remapped containers |
| 14 | + - 0o710 for userns-remapped containers with the remapped root group as the owner group. |
| 15 | + |
| 16 | +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> |
| 17 | +Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> |
| 18 | +Upstream-reference: https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5.patch |
| 19 | +--- |
| 20 | + cmd/containerd/server/server.go | 14 ++++++++++++-- |
| 21 | + core/runtime/v2/task_manager.go | 2 ++ |
| 22 | + plugins/cri/runtime/plugin.go | 7 +++++++ |
| 23 | + plugins/sandbox/controller.go | 6 +++++- |
| 24 | + 4 files changed, 26 insertions(+), 3 deletions(-) |
| 25 | + |
| 26 | +diff --git a/cmd/containerd/server/server.go b/cmd/containerd/server/server.go |
| 27 | +index 9f38cb3..c9e3698 100644 |
| 28 | +--- a/cmd/containerd/server/server.go |
| 29 | ++++ b/cmd/containerd/server/server.go |
| 30 | +@@ -81,10 +81,16 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error { |
| 31 | + return errors.New("root and state must be different paths") |
| 32 | + } |
| 33 | + |
| 34 | +- if err := sys.MkdirAllWithACL(config.Root, 0o711); err != nil { |
| 35 | ++ if err := sys.MkdirAllWithACL(config.Root, 0o700); err != nil { |
| 36 | ++ return err |
| 37 | ++ } |
| 38 | ++ // chmod is needed for upgrading from an older release that created the dir with 0o711 |
| 39 | ++ if err := os.Chmod(config.Root, 0o700); err != nil { |
| 40 | + return err |
| 41 | + } |
| 42 | + |
| 43 | ++ // For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700. |
| 44 | ++ // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits. |
| 45 | + if err := sys.MkdirAllWithACL(config.State, 0o711); err != nil { |
| 46 | + return err |
| 47 | + } |
| 48 | +@@ -99,7 +105,11 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error { |
| 49 | + } |
| 50 | + |
| 51 | + if config.TempDir != "" { |
| 52 | +- if err := sys.MkdirAllWithACL(config.TempDir, 0o711); err != nil { |
| 53 | ++ if err := sys.MkdirAllWithACL(config.TempDir, 0o700); err != nil { |
| 54 | ++ return err |
| 55 | ++ } |
| 56 | ++ // chmod is needed for upgrading from an older release that created the dir with 0o711 |
| 57 | ++ if err := os.Chmod(config.Root, 0o700); err != nil { |
| 58 | + return err |
| 59 | + } |
| 60 | + if runtime.GOOS == "windows" { |
| 61 | +diff --git a/core/runtime/v2/task_manager.go b/core/runtime/v2/task_manager.go |
| 62 | +index f396ced..024763a 100644 |
| 63 | +--- a/core/runtime/v2/task_manager.go |
| 64 | ++++ b/core/runtime/v2/task_manager.go |
| 65 | +@@ -74,6 +74,8 @@ func init() { |
| 66 | + shimManager := shimManagerI.(*ShimManager) |
| 67 | + root, state := ic.Properties[plugins.PropertyRootDir], ic.Properties[plugins.PropertyStateDir] |
| 68 | + for _, d := range []string{root, state} { |
| 69 | ++ // root: the parent of this directory is created as 0o700, not 0o711. |
| 70 | ++ // state: the parent of this directory is created as 0o711 too, so as to support userns-remapped containers. |
| 71 | + if err := os.MkdirAll(d, 0711); err != nil { |
| 72 | + return nil, err |
| 73 | + } |
| 74 | +diff --git a/plugins/cri/runtime/plugin.go b/plugins/cri/runtime/plugin.go |
| 75 | +index adc64d9..07f64a1 100644 |
| 76 | +--- a/plugins/cri/runtime/plugin.go |
| 77 | ++++ b/plugins/cri/runtime/plugin.go |
| 78 | +@@ -91,6 +91,13 @@ func initCRIRuntime(ic *plugin.InitContext) (interface{}, error) { |
| 79 | + rootDir := filepath.Join(containerdRootDir, "io.containerd.grpc.v1.cri") |
| 80 | + containerdStateDir := filepath.Dir(ic.Properties[plugins.PropertyStateDir]) |
| 81 | + stateDir := filepath.Join(containerdStateDir, "io.containerd.grpc.v1.cri") |
| 82 | ++ if err := os.MkdirAll(stateDir, 0o700); err != nil { |
| 83 | ++ return nil, err |
| 84 | ++ } |
| 85 | ++ // chmod is needed for upgrading from an older release that created the dir with 0o755 |
| 86 | ++ if err := os.Chmod(stateDir, 0o700); err != nil { |
| 87 | ++ return nil, err |
| 88 | ++ } |
| 89 | + c := criconfig.Config{ |
| 90 | + RuntimeConfig: *pluginConfig, |
| 91 | + ContainerdRootDir: containerdRootDir, |
| 92 | +diff --git a/plugins/sandbox/controller.go b/plugins/sandbox/controller.go |
| 93 | +index aec9cc3..165f2e8 100644 |
| 94 | +--- a/plugins/sandbox/controller.go |
| 95 | ++++ b/plugins/sandbox/controller.go |
| 96 | +@@ -68,7 +68,11 @@ func init() { |
| 97 | + state := ic.Properties[plugins.PropertyStateDir] |
| 98 | + root := ic.Properties[plugins.PropertyRootDir] |
| 99 | + for _, d := range []string{root, state} { |
| 100 | +- if err := os.MkdirAll(d, 0711); err != nil { |
| 101 | ++ if err := os.MkdirAll(d, 0700); err != nil { |
| 102 | ++ return nil, err |
| 103 | ++ } |
| 104 | ++ // chmod is needed for upgrading from an older release that created the dir with 0o711 |
| 105 | ++ if err := os.Chmod(d, 0o700); err != nil { |
| 106 | + return nil, err |
| 107 | + } |
| 108 | + } |
| 109 | +-- |
| 110 | +2.45.4 |
| 111 | + |
0 commit comments