libct: fix stdio permission error for userns container

We should let stdio could be accessed in user ns container.
Please see opencontainers#4475
Because the default permission of stdio is 0o700, other user can't access
them. If we don't change the permission to 0o666, We'll get an error msg if
we access stdio in a userns contaienr: ***: /dev/std***: Permission denied.

Signed-off-by: lifubang <[email protected]>

Author: lifubang

libcontainer/container_linux.go

@@ -346,6 +346,15 @@ func (c *Container) start(process *Process) (retErr error) {
 	if err := utils.CloseExecFrom(3); err != nil {
 		return fmt.Errorf("unable to mark non-stdio fds as cloexec: %w", err)
 	}
+
+	// We should let stdio could be accessed in user ns container.
+	// Please see https://github.com/opencontainers/runc/issues/4475
+	// Because the default permission of stdio is 0o700, other user can't access
+	// them. If we don't change the permission to 0o666, We'll get an error msg if
+	// we access stdio in a userns contaienr: ***: /dev/std***: Permission denied.
+	if err := c.fixStdioPermission(); err != nil {
+		return fmt.Errorf("unable to change permission of stdio: %w", err)
+	}
 	if err := parent.start(); err != nil {
 		return fmt.Errorf("unable to start container process: %w", err)
 	}
@@ -506,6 +515,32 @@ func isDmzBinarySafe(c *configs.Config) bool {
 	return false
 }
 
+func (c *Container) fixStdioPermission() error {
+	rootuid, err := c.Config().HostRootUID()
+	if err != nil {
+		return err
+	}
+	rootgid, err := c.Config().HostRootGID()
+	if err != nil {
+		return err
+	}
+	uid := os.Getuid()
+	gid := os.Getgid()
+
+	if uid != rootuid && gid != rootgid {
+		if err := os.Stdin.Chmod(0o666); err != nil {
+			return err
+		}
+		if err := os.Stdout.Chmod(0o666); err != nil {
+			return err
+		}
+		if err := os.Stderr.Chmod(0o666); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func (c *Container) newParentProcess(p *Process) (parentProcess, error) {
 	comm, err := newProcessComm()
 	if err != nil {