libcontainer: skip EPERM from rootfsParentMountPrivate in userns

In a user namespace, mounts inherited from a more privileged mount
namespace are locked by the kernel. Attempting to change their
propagation to MS_PRIVATE returns EPERM. This is safe to ignore
because prepareRoot() has already set MS_SLAVE recursively, which
is sufficient for pivot_root() and prevents mount leaks.

This affects kernels before Linux 6.17, where commit cffd0441872e
("use uniform permission checks for all mount propagation changes",
CVE-2025-38498) reworked do_change_type() to use ns_capable()
instead of the stricter check that returned EPERM in user
namespaces. The fix is also backported to some enterprise kernels
(e.g. RHEL 9 5.14.0-570.46.1).

An integration test is added for the cross-userns exec scenario:
when two containers have separate user namespaces but share an IPC
namespace (the Kubernetes sandbox/workload pattern), runc exec
must handle the setns ordering correctly.

Fixes: #5241
Signed-off-by: yksun <yksun@alauda.io>

Author: lentil1016

libcontainer/rootfs_linux.go

@@ -1058,6 +1058,15 @@ func rootfsParentMountPrivate(path string) error {
 		}
 		path = filepath.Dir(path)
 	}
+	// In a user namespace, mounts inherited from a more privileged mount
+	// namespace are "locked" and cannot be changed to MS_PRIVATE (the
+	// kernel returns EPERM). This is safe to ignore because prepareRoot()
+	// has already set the propagation to MS_SLAVE recursively, which is
+	// sufficient for pivot_root() to succeed and prevents mount events
+	// from leaking to the parent namespace.
+	if err == unix.EPERM && userns.RunningInUserNS() {
+		return nil
+	}
 	return &mountError{
 		op:     "remount-private",
 		target: path,

tests/integration/userns.bats

@@ -264,6 +264,44 @@ function teardown() {
 	run ! ip link del dummy0
 }
 
+# Regression test for cross-userns exec failure.
+# When two containers have separate user namespaces but share IPC (the
+# Kubernetes sandbox/workload pattern), runc exec fails because nsexec
+# joins the user namespace BEFORE the IPC namespace. After joining a
+# different userns, setns to the IPC namespace (owned by the first
+# userns) returns EPERM.
+@test "userns exec with cross-userns shared IPC" {
+	requires root
+
+	# Container A (simulates sandbox): own userns, creates IPC namespace.
+	update_config '.process.args = ["sleep", "infinity"]'
+	runc run -d --console-socket "$CONSOLE_SOCKET" sandbox_userns
+	[ "$status" -eq 0 ]
+
+	sandbox_pid="$(__runc state sandbox_userns | jq .pid)"
+
+	# Container B (simulates workload): own userns (different instance),
+	# but joins sandbox's IPC namespace via path.
+	# Remove mqueue mount — mounting mqueue in a different userns than
+	# the IPC namespace owner is not permitted.
+	update_config '.process.args = ["sleep", "infinity"]
+		| .linux.namespaces |= map(
+			if .type == "ipc" then
+				(.path = "/proc/'"$sandbox_pid"'/ns/ipc")
+			else .
+			end
+		)
+		| .mounts |= map(select(.type != "mqueue"))'
+	runc run -d --console-socket "$CONSOLE_SOCKET" workload_userns
+	[ "$status" -eq 0 ]
+
+	# Exec into workload container — this fails because nsexec joins the
+	# workload's userns first, then tries to setns into the sandbox's IPC
+	# namespace which is owned by a different userns → EPERM.
+	runc exec workload_userns id
+	[ "$status" -eq 0 ]
+}
+
 @test "userns with network interface renamed" {
 	requires root