google / gvisor

Application Kernel for Containers

Home Page:https://gvisor.dev


Perms of unix socket dentry different with runc

zhuangel opened this issue · comments

Description

Created a unix socket and bound it to the filesystem, and found that the file permission is not the same as in a runc container. This is the code and comment in the sentry:

"// File mode matches net/socket.c:sock_alloc."
https://github.com/google/gvisor/blob/master/pkg/sentry/fsimpl/sockfs/sockfs.go#L120

And the current implementation in Linux:

https://github.com/torvalds/linux/blob/master/net/socket.c#L633

Steps to reproduce

Compile this simple case and run it inside a container.

"test in runc container"
sh-4.2# /home/script/socketest
sh-4.2# ls -l
srwxr-xr-x 1 root root 0 Oct 22 16:17 server.sock

"test in runsc container"
sh-4.2# /home/script/socketest
sh-4.2# ls -l
srw------- 2 root root 0 Oct 22 16:17 server.sock

#include <stdio.h>
#include <string.h>      /* memset, strcpy */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

int main(void)
{
    int fd;
    struct sockaddr_un addr;

    /* Datagram unix socket; the type does not affect the socket file's mode. */
    if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) < 0) {
        perror("socket");
        return 1;
    }

    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, "server.sock");
    /* Remove a stale node so bind() creates a fresh one with the kernel's mode. */
    unlink("server.sock");
    /* bind() creates server.sock in the current directory; compare its mode
     * with `ls -l` under runc and runsc. */
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        perror("bind");
    }

    close(fd);
    return 0;
}

runsc version

#runsc --version
runsc version release-20211005.0-47-g33b41d8fe98e
spec: 1.0.2

docker version (if using docker)

No response

uname

No response

kubectl (if using Kubernetes)

none

repo state (if built from source)

No response

runsc debug logs (if available)

No response

Thanks for the investigation. Fix is coming up soon...