Fallback to bind mount for sysfs in user namespaces

Signed-off-by: HirazawaUi <695097494plus@gmail.com>

Author: HirazawaUi

libcontainer/rootfs_linux.go

@@ -622,7 +622,19 @@ func mountToRootfs(c *mountConfig, m mountEntry) error {
 		// "proc" and "sys" mounts need special handling (without resolving the
 		// destination) to avoid attacks.
 		m.dstFile = dstFile
-		return m.mountPropagate(rootfs, "")
+		err = m.mountPropagate(rootfs, "")
+		if err != nil && m.Device == "sysfs" && errors.Is(err, unix.EPERM) {
+			logrus.Debugf("cannot mount sysfs with properties, fallback to bind mount: %v", err)
+			bindM := &configs.Mount{
+				Device:           "bind",
+				Source:           "/sys",
+				Destination:      m.Destination,
+				Flags:            unix.MS_BIND | unix.MS_REC | m.Flags,
+				PropagationFlags: m.PropagationFlags,
+			}
+			return mountToRootfs(c, mountEntry{Mount: bindM})
+		}
+		return err
 	}
 
 	mountLabel := c.label

tests/integration/userns.bats

@@ -280,3 +280,27 @@ function teardown() {
 	# is deleted during the namespace cleanup.
 	run ! ip link del dummy0
 }
+
+@test "userns with host network: sysfs mount should fall back to bind mount" {
+	# This test runs in a user namespace (setup by default for this file).
+	# It also uses the host network namespace.
+
+	# Remove network namespace to use host network.
+	update_config '.linux.namespaces |= map(select(.type != "network"))'
+
+	# The default spec for rootless on cgroup v2 systems may use a bind
+	# mount for /sys. To test the sysfs mount fallback, we explicitly
+	# force a sysfs-type mount. In a user namespace, this is not
+	# permitted and should fail with EPERM. runc should then fall back
+	# to a bind mount.
+	update_config '.mounts |= map(if .destination == "/sys" then .type = "sysfs" | .source = "sysfs" | .options = ["nosuid", "noexec", "nodev", "ro"] else . end)'
+
+	# We check if /sys/class/net exists to verify that /sys is mounted
+	# correctly after the fallback.
+	update_config '.process.args = ["ls", "/sys/class/net"]'
+
+	runc run test_userns_sysfs_fallback
+	[ "$status" -eq 0 ]
+	# Check for loopback interface, which should always be present on the host.
+	[[ "$output" == *"lo"* ]]
+}