From d65601fd64f7776da04448793fa84a206cffd1d2 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Tue, 5 May 2026 14:35:26 +0200
Subject: [PATCH 1/2] common, storage: drop O_RDONLY with O_PATH
the kernel accepts only few flags with O_PATH, these do not include O_RDONLY, it works only because `O_RDONLY == 0`.
followup for https://github.com/containers/container-libs/pull/820#discussion_r3187919255
Signed-off-by: Giuseppe Scrivano
---
 common/pkg/timezone/timezone.go | 2 +-
 storage/pkg/chunked/filesystem_linux.go | 2 +-
 storage/pkg/chunked/storage_linux.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/common/pkg/timezone/timezone.go b/common/pkg/timezone/timezone.go
index 40333841e2..10a972355f 100644
--- a/common/pkg/timezone/timezone.go
+++ b/common/pkg/timezone/timezone.go
@@ -106,5 +106,5 @@ func copyTimezoneFile(containerRunDir, zonePath string) (string, error) {
 }
 
 func openDirectory(path string) (fd int, err error) {
- return unix.Open(path, unix.O_RDONLY|O_PATH|unix.O_CLOEXEC, 0)
+ return unix.Open(path, O_PATH|unix.O_CLOEXEC, 0)
 }
diff --git a/storage/pkg/chunked/filesystem_linux.go b/storage/pkg/chunked/filesystem_linux.go
index ceba7d0f3d..152ffee392 100644
--- a/storage/pkg/chunked/filesystem_linux.go
+++ b/storage/pkg/chunked/filesystem_linux.go
@@ -510,7 +510,7 @@ func safeMkdir(dirfd int, mode os.FileMode, name string, metadata *fileMetadata,
 }
 
 func safeLink(dirfd int, mode os.FileMode, metadata *fileMetadata, options *archive.TarOptions) error {
- sourceFile, err := openFileUnderRoot(dirfd, metadata.Linkname, unix.O_PATH|unix.O_RDONLY|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
+ sourceFile, err := openFileUnderRoot(dirfd, metadata.Linkname, unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
 if err != nil {
 return err
 }
diff --git a/storage/pkg/chunked/storage_linux.go b/storage/pkg/chunked/storage_linux.go
index e42359d845..2cae973775 100644
--- a/storage/pkg/chunked/storage_linux.go
+++ b/storage/pkg/chunked/storage_linux.go
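Review bot: The new flag set in openDirectory still carries no O_DIRECTORY, so `return unix.Open(path, O_PATH|unix.O_CLOEXEC, 0)` succeeds on a regular file or any other non-directory; if callers treat the returned fd as a directory handle, as the function name suggests, `return unix.Open(path, O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)` lets the kernel enforce that, and O_DIRECTORY is one of the few flags the kernel honours together with O_PATH. The same consideration applies to the ApplyDiff hunk in storage_linux.go, where dest is opened with the same flags and no O_DIRECTORY. Since the reason for dropping the access mode lives only in the commit message, a one-line comment at each of the three call sites (openDirectory here, safeLink in filesystem_linux.go, ApplyDiff in storage_linux.go), e.g. `// O_PATH ignores the access mode; only O_CLOEXEC, O_DIRECTORY and O_NOFOLLOW are honoured with it`, would keep O_RDONLY from being reintroduced.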
@@ -1549,7 +1549,7 @@ func (c *chunkedDiffer) ApplyDiff(dest string, options *archive.TarOptions, diff
 }
 }
 
- dirfd, err := unix.Open(dest, unix.O_RDONLY|unix.O_PATH|unix.O_CLOEXEC, 0)
+ dirfd, err := unix.Open(dest, unix.O_PATH|unix.O_CLOEXEC, 0)
 if err != nil {
 return output, &fs.PathError{Op: "open", Path: dest, Err: err}
 }
From 363943ac4b5ef166cdc4c8a2728ded732109eeb1 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 19 Feb 2026 11:48:33 +0100
Subject: [PATCH 2/2] storage, overlay: use openat2 instead of using procfs
Signed-off-by: Giuseppe Scrivano
---
 storage/drivers/overlay/overlay.go | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/storage/drivers/overlay/overlay.go b/storage/drivers/overlay/overlay.go
index b12366852a..e7e6131dab 100644
--- a/storage/drivers/overlay/overlay.go
+++ b/storage/drivers/overlay/overlay.go
@@ -2057,17 +2057,27 @@ func (g *overlayFileGetter) Get(path string) (io.ReadCloser, error) {
 buf := make([]byte, unix.PathMax)
 for _, d := range g.diffDirs {
 if f, found := g.composefsMounts[d]; found {
- // there is no *at equivalent for getxattr, but it can be emulated by opening the file under /proc/self/fd/$FD/$PATH
- len, err := unix.Getxattr(fmt.Sprintf("/proc/self/fd/%d/%s", int(f.Fd()), path), "trusted.overlay.redirect", buf)
+ cfd, err := unix.Openat2(int(f.Fd()), path, &unix.OpenHow{
+ Flags: unix.O_CLOEXEC | unix.O_PATH,
+ Resolve: unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_BENEATH,
+ })
+ if err != nil {
+ if errors.Is(err, unix.ENOENT) {
+ continue
+ }
+ return nil, &fs.PathError{Op: "openat2", Path: path, Err: err}
+ }
+ n, err := unix.Fgetxattr(cfd, "trusted.overlay.redirect", buf)
+ unix.Close(cfd)
 if err != nil {
 if errors.Is(err, unix.ENODATA) {
 continue
 }
- return nil, &fs.PathError{Op: "getxattr", Path: path, Err: err}
+ return nil, &fs.PathError{Op: "fgetxattr", Path: path, Err: err}
 }
 // the xattr value is the path to the file in the composefs layer diff directory
- return os.Open(filepath.Join(d, string(buf[:len])))
+ return os.Open(filepath.Join(d, string(buf[:n])))
 }
 f, err := os.Open(filepath.Join(d, path))