crun and krun return different exit statuses when the command is a file with permission mode 000 or a directory.
Example 1: command is a directory
| OCI runtime | podman exit value | podman error message |
|---|---|---|
| crun | 126 | Error: crun: open executable: Operation not permitted: OCI permission denied |
| runc | 126 | Error: OCI runtime error: runc: runc create failed: unable to start container process: error during container init: exec: "/etc": is a directory |
| krun | 0 | Couldn't execute '/etc' inside the vm: Permission denied |
```console
$ sudo bash -c 'podman run --runtime=crun -t docker.io/library/fedora:41 /etc ; echo $?'
Error: crun: open executable: Operation not permitted: OCI permission denied
126
$ sudo bash -c 'podman run --runtime=runc -t docker.io/library/fedora:41 /etc ; echo $?'
Error: OCI runtime error: runc: runc create failed: unable to start container process: error during container init: exec: "/etc": is a directory
126
$ sudo bash -c 'podman run --runtime=krun -t docker.io/library/fedora:41 /etc ; echo $?'
Couldn't execute '/etc' inside the vm: Permission denied
0
$
```
Example 2: command is a file with permission mode 000
| OCI runtime | podman exit value | podman error message |
|---|---|---|
| crun | 126 | Error: crun: open executable: Permission denied: OCI permission denied |
| runc | 126 | Error: runc: runc create failed: unable to start container process: error during container init: exec: "/usr/bin/restricted-file": permission denied: OCI permission denied |
| krun | 0 | Couldn't execute '/usr/bin/restricted-file' inside the vm: Permission denied |
```console
$ sudo bash -c 'podman run --runtime=crun -t localhost/test /usr/bin/restricted-file ; echo $?'
Error: crun: open executable: Permission denied: OCI permission denied
126
$ sudo bash -c 'podman run --runtime=runc -t localhost/test /usr/bin/restricted-file ; echo $?'
Error: runc: runc create failed: unable to start container process: error during container init: exec: "/usr/bin/restricted-file": permission denied: OCI permission denied
126
$ sudo bash -c 'podman run --runtime=krun -t localhost/test /usr/bin/restricted-file ; echo $?'
Couldn't execute '/usr/bin/restricted-file' inside the vm: Permission denied
0
$
```
This Containerfile was used to build the container image localhost/test:

```Dockerfile
FROM docker.io/library/fedora
RUN cp /usr/bin/echo /usr/bin/restricted-file
RUN chmod 000 /usr/bin/restricted-file
```
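To show the convention that the crun and runc values follow, and that krun's 0 departs from, here is an added shell example (not part of this issue) that reproduces both failure cases with a plain exec and no container runtime, then compares the observed status with what a caller should expect. The fixture paths under a mktemp directory, and the mode-000 script standing in for /usr/bin/restricted-file, are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the issue: a shell reports 126 when the command
# exists but cannot be executed (directory or no execute bit) and 127 when
# it is missing. crun and runc surface the same 126; krun's 0 hides the
# failed exec from any script or CI job that only checks the exit status.

# exec_status PATH: print the exit status of trying to exec PATH.
exec_status() {
    status=0
    # exec in a subshell so a failed exec does not terminate this script;
    # the "Permission denied" / "Is a directory" text goes to stderr.
    ( exec "$1" ) 2>/dev/null || status=$?
    echo "$status"
}

# expected_status PATH: 127 if PATH is missing, 126 if it exists but is a
# directory or carries no execute bit, 0 otherwise.
expected_status() {
    if [ ! -e "$1" ]; then
        echo 127
    elif [ -d "$1" ] || [ ! -x "$1" ]; then
        echo 126
    else
        echo 0
    fi
}

# check_path PATH: succeed (return 0) only when observed == expected.
check_path() {
    observed=$(exec_status "$1")
    expected=$(expected_status "$1")
    printf '%-40s observed=%s expected=%s\n' "$1" "$observed" "$expected"
    [ "$observed" = "$expected" ]
}

# setup_fixtures: constructed stand-ins for the issue's /etc and
# /usr/bin/restricted-file, created under a temporary directory ($FIXDIR).
setup_fixtures() {
    FIXDIR=$(mktemp -d)
    mkdir "$FIXDIR/a-directory"
    printf '#!/bin/sh\nexit 0\n' > "$FIXDIR/restricted-file"
    chmod 000 "$FIXDIR/restricted-file"
}
```

Run `setup_fixtures` and then `check_path "$FIXDIR/a-directory"` or `check_path "$FIXDIR/restricted-file"`; both print observed=126 expected=126, which is the value a runtime should propagate for these commands.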
About the system:

```console
$ cat /etc/os-release | grep ^VERSION=
VERSION="41 (Forty One)"
$ rpm -qa | grep -E 'krun|crun|runc'
libkrunfw-4.7.1-1.fc41.x86_64
libkrun-1.10.1-2.fc41.x86_64
crun-1.20-2.fc41.x86_64
crun-krun-1.20-2.fc41.x86_64
runc-1.2.5-1.fc41.x86_64
libkrun-devel-1.10.1-2.fc41.x86_64
libkrunfw-sev-4.7.1-1.fc41.x86_64
libkrun-sev-1.10.1-2.fc41.x86_64
libkrun-sev-devel-1.10.1-2.fc41.x86_64
libkrunfw-sev-devel-4.7.1-1.fc41.x86_64
libkrunfw-devel-4.7.1-1.fc41.x86_64
$
```
Side note: This issue has similarities with the issue