runc:Fix failed exec after systemctl daemon-reload

(cherry picked from commit b75845b6560995ef89690157496b35517e8f0ad2)

git-commit

@@ -1 +1 @@
-ae908e306b8682a184ba191e4a810afe367c607c
+f93bc478fbbc54f67e5883f09d3ced9ce5789766

patch/0060-runc-fix-failed-exec-after-systemctl-daemon-reload.patch

@@ -0,0 +1,66 @@
+From f7dc43d7b356f2e70968e229f3fbab3e19d7b134 Mon Sep 17 00:00:00 2001
+From: xulei <xulei@xfusion.com>
+Date: Wed, 25 Dec 2024 11:11:08 +0800
+Subject: [PATCH] runc:Fix failed exec after systemctl daemon-reload
+ 
+Reference: https://github.com/opencontainers/runc/pull/3554/files
+
+---
+ libcontainer/cgroups/systemd/common.go | 16 +++++++++-------
+ tests/integration/dev.bats             | 16 ++++++++++++++++
+ 2 files changed, 25 insertions(+), 7 deletions(-)
+ 
+diff --git a/libcontainer/cgroups/systemd/common.go b/libcontainer/cgroups/systemd/common.go
+index 5a68a3c..45744c1 100644
+--- a/libcontainer/cgroups/systemd/common.go
++++ b/libcontainer/cgroups/systemd/common.go
+@@ -288,14 +288,16 @@ func generateDeviceProperties(r *configs.Resources) ([]systemdDbus.Property, err
+ 			case devices.CharDevice:
+ 				entry.Path = fmt.Sprintf("/dev/char/%d:%d", rule.Major, rule.Minor)
+ 			}
++			// systemd will issue a warning if the path we give here doesn't exist.
++			// Since all of this logic is best-effort anyway (we manually set these
++			// rules separately to systemd) we can safely skip entries that don't
++			// have a corresponding path.
++			if _, err := os.Stat(entry.Path); err != nil {
++				logrus.Debugf("skipping device %s for systemd: %s", entry.Path, err)
++				continue
++			}
+ 		}
+-		// systemd will issue a warning if the path we give here doesn't exist.
+-		// Since all of this logic is best-effort anyway (we manually set these
+-		// rules separately to systemd) we can safely skip entries that don't
+-		// have a corresponding path.
+-		if _, err := os.Stat(entry.Path); err == nil {
+-			deviceAllowList = append(deviceAllowList, entry)
+-		}
++		deviceAllowList = append(deviceAllowList, entry)
+ 	}
+ 
+ 	properties = append(properties, newProp("DeviceAllow", deviceAllowList))
+diff --git a/tests/integration/dev.bats b/tests/integration/dev.bats
+index 01f6778..2433157 100644
+--- a/tests/integration/dev.bats
++++ b/tests/integration/dev.bats
+@@ -128,3 +128,19 @@ function teardown() {
+ 	runc exec test_allow_block sh -c 'fdisk -l '"$device"''
+ 	[ "$status" -eq 0 ]
+ }
++
++# https://github.com/opencontainers/runc/issues/3551
++@test "runc exec vs systemctl daemon-reload" {
++	requires systemd root
++
++	runc run -d --console-socket "$CONSOLE_SOCKET" test_exec
++	[ "$status" -eq 0 ]
++
++	runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123"
++	[ "$status" -eq 0 ]
++
++	systemctl daemon-reload
++
++	runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123"
++	[ "$status" -eq 0 ]
++}
+-- 
+2.33.0

runc.spec

@@ -3,7 +3,7 @@
 
 Name: runc
 Version: 1.1.3
-Release: 31
+Release: 32
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 
 License: ASL 2.0
@@ -54,6 +54,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 
 %changelog
+* Mon Jan 06 2025 xulei <xulei@xfusion.com> - 1.1.3-32
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:Fix failed exec after systemctl daemon-reload
+
 * Sun Sep 29 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.3-31
 - Type:bugfix
 - CVE:NA

series.conf

@@ -57,3 +57,4 @@ patch/0056-runc-format-log-instead-panic-when-procError-missing.patch
 patch/0057-rootfs-consolidate-mountpoint-creation-logic.patch
 patch/0058-rootfs-try-to-scope-MkdirAll-to-stay-inside-the-root.patch
 patch/0059-runc-fix-can-t-set-cpuset-cpus-and-cpuset-mems-at-th.patch
+patch/0060-runc-fix-failed-exec-after-systemctl-daemon-reload.patch