Skip to content

Commit

Permalink
Relax /var/lib/sysbox access permissions for the shiftfs checker.
Browse files Browse the repository at this point in the history 
The shiftfs checker needs to create dirs and files under /var/lib/sysbox. Since
the checker does this from within a user-namespace, it needs read-write-execute
"other" permissions. Adjust sysbox-mgr to temporarily provide such access to
the shiftfs checker. Once the check completes, the permissions of
/var/lib/sysbox are set to the usual (0710).

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>
  • Loading branch information
@ctalledo
ctalledo committed Dec 10, 2024
1 parent 2a8aff4 commit 648c6e1
Showing 1 changed file with 11 additions and 6 deletions.
17 changes: 11 additions & 6 deletions utils.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -923,7 +923,9 @@ func checkIDMapMountSupport(ctx *cli.Context) (bool, bool, error) {

// The sysbox lib dir may have restrictive permissions; loosen those up
// temporarily while we perform the ID-map check since it runs inside a
// Linux user-ns.
// Linux user-ns. Note that unlike the shiftfs checker, the ID-map checker
// does not create files from within the user-namespace so it does not need
// write-other permissions.
fi, err := os.Stat(sysboxLibDir)
if err != nil {
return false, false, err
Expand Down Expand Up @@ -957,20 +959,23 @@ func checkIDMapMountSupport(ctx *cli.Context) (bool, bool, error) {

func checkShiftfsSupport(ctx *cli.Context) (bool, bool, error) {

// The sysbox lib dir may have restrictive permissions; loosen those up
// temporarily while we perform the shiftfs check since it runs inside a
// Linux user-ns.
// The sysbox lib dir may have restrictive permissions; relax those up
// temporarily while we perform the shiftfs check because it runs inside a
// Linux user-ns. Since the shiftfs checker creates files from within the
// user-namespace, we temporarily allow "rwx-other" permissions on the sysbox
// lib dir.
fi, err := os.Stat(sysboxLibDir)
if err != nil {
return false, false, err
}
origPerm := fi.Mode()

if err := os.Chmod(sysboxLibDir, 0755); err != nil {
return false, false, fmt.Errorf("failed to chmod %s to 0755: %s", sysboxLibDir, err)
if err := os.Chmod(sysboxLibDir, 0777); err != nil {
return false, false, fmt.Errorf("failed to chmod %s to 0777: %s", sysboxLibDir, err)
}

defer func() {
// Revert back to the original sysbox lib dir permissions once the shiftfs check is done.
os.Chmod(sysboxLibDir, origPerm)
}()

Expand Down

0 comments on commit 648c6e1

Please sign in to comment.