[1.4] rootfs: only set mode= for tmpfs mount if target already existed#4976
Merged
lifubang merged 1 commit intoopencontainers:release-1.4from Nov 11, 2025
Merged
Conversation
cyphar
force-pushed
the
1.4-tmpfs-mode
branch
from
f32d284 to
152a2b9
Compare
This was always the intended behaviour but commit 72fbb34 ("rootfs: switch to fd-based handling of mountpoint targets") regressed it when adding a mechanism to create a file handle to the target if it didn't already exist (causing the later stat to always succeed). A lot of people depend on this functionality, so add some tests to make sure we don't break it in the future. Fixes: 72fbb34 ("rootfs: switch to fd-based handling of mountpoint targets") Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (cherry picked from commit 9a9719e) Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
force-pushed
the
1.4-tmpfs-mode
branch
from
152a2b9 to
fbf9e99
Compare
kolyshkin
approved these changes
Nov 11, 2025
lifubang
approved these changes
Nov 11, 2025
Merged
Merged
Xeeynamo
added a commit
to Xeeynamo/moby
that referenced
this pull request
Dec 1, 2025
- release notes: https://github.com/opencontainers/runc/releases/tag/v1.3.4 - full diff: opencontainers/runc@v1.3.3...v1.3.4 This version bump aims to fix a regression in runc v1.3.3, which caused /dev/shm to have inappropriate permissions exposed to containers: * opencontainers/runc#4971 * opencontainers/runc#4976
Xeeynamo
added a commit
to Xeeynamo/moby
that referenced
this pull request
Dec 1, 2025
- release notes: https://github.com/opencontainers/runc/releases/tag/v1.3.4 - full diff: opencontainers/runc@v1.3.3...v1.3.4 This version bump aims to fix a regression in runc v1.3.3, which caused /dev/shm to have inappropriate permissions exposed to containers: * opencontainers/runc#4971 * opencontainers/runc#4976 Signed-off-by: Luciano Ciccariello <xeeynamo@hotmail.com>
Xeeynamo
added a commit
to Xeeynamo/moby
that referenced
this pull request
Dec 1, 2025
- release notes: https://github.com/opencontainers/runc/releases/tag/v1.4.0 - full diff: opencontainers/runc@v1.3.3...v1.4.0 This version bump aims to fix a regression in runc v1.3.3, which caused /dev/shm to have inappropriate permissions exposed to containers: * opencontainers/runc#4971 * opencontainers/runc#4976 Signed-off-by: Luciano Ciccariello <xeeynamo@hotmail.com>
Xeeynamo
added a commit
to Xeeynamo/moby
that referenced
this pull request
Dec 2, 2025
- release notes: https://github.com/opencontainers/runc/releases/tag/v1.4.0 - full diff: opencontainers/runc@v1.3.3...v1.4.0 This version bump aims to fix a regression in runc v1.3.3, which caused /dev/shm to have inappropriate permissions exposed to containers: * opencontainers/runc#4971 * opencontainers/runc#4976 Signed-off-by: Luciano Ciccariello <xeeynamo@hotmail.com>
smallprogram
added a commit
to smallprogram/openwrt_packages
that referenced
this pull request
Jan 29, 2026
cgroups: provide iocost statistics for cgroupv2. (opencontainers/cgroups#43) cgroups: retry DBus connection when it fails with EAGAIN.(opencontainers/cgroups#45) cgroups: improve cpuacct.usage_all resilience when parsing data from patched kernels (such as the Tencent kernels). (opencontainers/cgroups#46,opencontainers/cgroups#50) libct: close child fds on prepareCgroupFD error. (opencontainers/runc#4936) libct: fix mips compilation. (opencontainers/runc#4962, opencontainers/runc#4967) When configuring a tmpfs mount, only set the mode= argument if the target path already existed. This fixes a regression introduced in our CVE-2025-52881 mitigation patches. (opencontainers/runc#4971, opencontainers/runc#4976) Fix various file descriptor leaks and add additional tests to detect them as comprehensively as possible. (opencontainers/runc#5007, opencontainers/runc#5021, opencontainers/runc#5034) The "hallucination" helpers added as part of the CVE-2025-52881 mitigation have been made more generic and now apply to all of our pathrs helper functions, which should ensure we will not regress dangling symlink users. (opencontainers/runc#4985) Signed-off-by: David Mandy <smallprogramzhusir@gmail.com>
1 task
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport of #4973.
(Draft until merged.)This was always the intended behaviour but commit 72fbb34 ("rootfs:
switch to fd-based handling of mountpoint targets") regressed it when
adding a mechanism to create a file handle to the target if it didn't
already exist (causing the later stat to always succeed).
A lot of people depend on this functionality, so add some tests to make
sure we don't break it in the future.
Fixes #4971
Fixes: 72fbb34 ("rootfs: switch to fd-based handling of mountpoint targets")
Signed-off-by: Aleksa Sarai cyphar@cyphar.com