libcontainer: skip EPERM from rootfsParentMountPrivate in userns

  In a user namespace, mounts inherited from a more privileged mount
  namespace are locked by the kernel. Attempting to change their
  propagation to MS_PRIVATE returns EPERM. This is safe to ignore
  because prepareRoot() has already set MS_SLAVE recursively, which
  is sufficient for pivot_root() and prevents mount leaks.

Signed-off-by: yksun <yksun@alauda.io>

Author: lentil1016

libcontainer/rootfs_linux.go

@@ -1058,6 +1058,15 @@ func rootfsParentMountPrivate(path string) error {
 		}
 		path = filepath.Dir(path)
 	}
+	// In a user namespace, mounts inherited from a more privileged mount
+	// namespace are "locked" and cannot be changed to MS_PRIVATE (the
+	// kernel returns EPERM). This is safe to ignore because prepareRoot()
+	// has already set the propagation to MS_SLAVE recursively, which is
+	// sufficient for pivot_root() to succeed and prevents mount events
+	// from leaking to the parent namespace.
+	if err == unix.EPERM && userns.RunningInUserNS() {
+		return nil
+	}
 	return &mountError{
 		op:     "remount-private",
 		target: path,

tests/integration/userns.bats

@@ -264,6 +264,39 @@ function teardown() {
 	run ! ip link del dummy0
 }
 
+# Regression test for https://github.com/opencontainers/runc/pull/XXXX.
+# In a user namespace, mounts inherited from a more privileged mount namespace
+# are locked and cannot have their propagation changed to MS_PRIVATE (EPERM).
+# rootfsParentMountPrivate should skip EPERM in this case.
+@test "userns with shared parent mount" {
+	requires root
+
+	# Relocate the bundle into a shared mount. Using a separate tmpdir
+	# (rather than making $ROOT/bundle shared in-place) avoids cleanup
+	# ordering issues with teardown_bundle's rm -rf of $ROOT.
+	shared_dir=$(mktemp -d "$BATS_RUN_TMPDIR/shared-parent.XXXXXX")
+	chmod a+x "$shared_dir"
+	mount --bind "$shared_dir" "$shared_dir"
+	mount --make-shared "$shared_dir"
+	echo "$shared_dir" >>"$to_umount_list"
+
+	mv "$ROOT/bundle" "$shared_dir/bundle"
+	cd "$shared_dir/bundle"
+
+	update_config '.process.args = ["cat", "/proc/self/mountinfo"]'
+
+	runc run test_busybox
+	[ "$status" -eq 0 ]
+
+	# Verify the EPERM-skip path was exercised: if rootfsParentMountPrivate
+	# successfully changed the parent mount to MS_PRIVATE, the root mount
+	# would be private (no propagation tag in mountinfo). If EPERM was hit
+	# and skipped (the fix), the parent stays slave, so the root mount
+	# inherits slave propagation (shown as "master:N" in mountinfo).
+	root_mnt_line=$(grep ' / / ' <<<"$output" | head -1)
+	[[ "$root_mnt_line" == *master:* ]]
+}
+
 @test "userns with network interface renamed" {
 	requires root