Use raw syscalls to avoid sporadic hangs

Signed-off-by: Jorge Prendes <jorge.prendes@gmail.com>
2024-11-23 01:11:58 +01:00 · 2023-10-10 10:01:54 +01:00 · 2023-10-10 10:01:54 +01:00 · 32ffc4d231
commit 32ffc4d231
parent 1be3353835
1 changed files with 25 additions and 10 deletions
--- a/crates/libcontainer/src/syscall/linux.rs
+++ b/crates/libcontainer/src/syscall/linux.rs
@ -7,8 +7,7 @@ use nix::{
    mount::{mount, umount2, MntFlags, MsFlags},
    sched::{unshare, CloneFlags},
    sys::stat::{mknod, Mode, SFlag},
-    unistd,
-    unistd::{chown, fchdir, pivot_root, setgroups, sethostname, Gid, Uid},
+    unistd::{chown, chroot, fchdir, pivot_root, sethostname, Gid, Uid},
 };
 use oci_spec::runtime::LinuxRlimit;
 use std::ffi::{CStr, CString, OsStr};
@ -318,22 +317,30 @@ impl Syscall for LinuxSyscall {
            nix::errno::from_i32(errno)
        })?;
        // args : real *id, effective *id, saved set *id respectively
-        unistd::setresgid(gid, gid, gid).map_err(|err| {
+
+        // This is safe because at this point we have only
+        // one thread in the process
+        if unsafe { libc::syscall(libc::SYS_setresgid, gid, gid, gid) } == -1 {
+            let err = nix::errno::Errno::last();
            tracing::error!(
                ?err,
                ?gid,
                "failed to set real, effective and saved set gid"
            );
-            err
-        })?;
-        unistd::setresuid(uid, uid, uid).map_err(|err| {
+            return Err(err.into());
+        }
+
+        // This is safe because at this point we have only
+        // one thread in the process
+        if unsafe { libc::syscall(libc::SYS_setresuid, uid, uid, uid) } == -1 {
+            let err = nix::errno::Errno::last();
            tracing::error!(
                ?err,
                ?uid,
                "failed to set real, effective and saved set uid"
            );
-            err
-        })?;
+            return Err(err.into());
+        }

        // if not the root user, reset capabilities to effective capabilities,
        // which are used by kernel to perform checks
@ -456,7 +463,7 @@ impl Syscall for LinuxSyscall {
    }

    fn chroot(&self, path: &Path) -> Result<()> {
-        unistd::chroot(path)?;
+        chroot(path)?;

        Ok(())
    }
@ -492,8 +499,16 @@ impl Syscall for LinuxSyscall {
    }

    fn set_groups(&self, groups: &[Gid]) -> Result<()> {
-        setgroups(groups)?;
+        let n_groups = groups.len() as libc::size_t;
+        let groups_ptr = groups.as_ptr() as *const libc::gid_t;

+        // This is safe because at this point we have only
+        // one thread in the process
+        if unsafe { libc::syscall(libc::SYS_setgroups, n_groups, groups_ptr) } == -1 {
+            let err = nix::errno::Errno::last();
+            tracing::error!(?err, ?groups, "failed to set groups");
+            return Err(err.into());
+        }
        Ok(())
    }