runc security upgrade regresses docker tmpfs permission handling

I luckily have an existing jammy VM with runc at version 1.3.0 and can see the same behavior

- With runc 1.3.3 , the mount option in the container is:

tmpfs on /my-tmp type tmpfs (rw,nosuid,nodev,relatime,mode=755,inode64)

- With runc 1.3.0, the mount option in the container is:

tmpfs on /my-tmp type tmpfs (rw,nosuid,nodev,relatime,inode64)

Hello Kyle,

Thanks for taking the time to report this bug and helping to make Ubuntu better. The latest runc update indeed introduced many changes regarding permissions, in an attempt to fix 3 high severity CVEs.

From an initial triage, this seems like an unintended behaviour that was caused due to hardening of permissions, that should not apply in this case.

I must note however, that in Ubuntu, in order to fix those issues we introduced the latest 1.3 tarball from upstream. Thus, I would like to redirect you to upstream's repo, where you can file a bug with the maintainers. Fell free to link it here as well, I will leave this one as unresolved until we figure this out.

https://github.com/opencontainers/runc/issues/4971

While checking the changes from 1.3.0 to 1.3.3, https://github.com/opencontainers/runc/commit/d40b3439a9614a86e87b81a94c6811ec6fa2d7d2 seems to be the culprit here.

This was introduced in 1.3.3 as a fix to CVE-2025-52881, i.e., this is not a regression due to the version upgrade, but due to the CVE fix. We need to confirm this (reverting the patch in a test build should suffice) and, if this is indeed the case, filing a bug upstream should be the proper approach as suggested by Nick.

Kyle, are you experience any specific use case regressions issues with the change? It would be nice to know what other components/use cases this affects.

Yes, the tmpfs is unusable in a docker container that uses a non-root user, which breaks a lot of stuff for me.

Thanks, Kyle. And thanks for reporting the bug upstream (https://github.com/opencontainers/runc/issues/4971). There is a straightforward workaround for now (which I also see you already figured out) which is to explicitly pass the mode you want to use for the tmpfs. I am mentioning it here and adding an example below to help others who may end up with the same issue (if it applies to you, keep reading).

Reproducing on questing:

$ docker run --tmpfs /my-tmp:exec --rm -it ubuntu:latest ls -al /my-tmp
total 4
drwxrwxrwt 2 root root 40 Nov 7 02:04 .
drwxr-xr-x 1 root root 4096 Nov 7 02:04 ..
athos@pollux:/tmp/foo$ runc --version
runc version 1.3.0-0ubuntu2

$ docker run --tmpfs /my-tmp:exec --rm -it ubuntu:latest ls -al /my-tmp
total 4
drwxr-xr-x 2 root root 40 Nov 7 02:05 .
drwxr-xr-x 1 root root 4096 Nov 7 02:05 ..
$ runc --version
runc version 1.3.3-0ubuntu1~25.10.2

Workaround:

$ docker run --rm --tmpfs /my-tmp:exec,mode=1777 --rm -it ubuntu:latest ls -al /my-tmp
total 4
drwxrwxrwt 2 root root 40 Nov 7 02:07 .
drwxr-xr-x 1 root root 4096 Nov 7 02:07 ..
$ runc --version
runc version 1.3.3-0ubuntu1~25.10.2

or

$ docker run --rm --mount type=tmpfs,destination=/my-tmp,tmpfs-mode=1777 --rm -it ubuntu:latest ls -al /my-tmp
total 4
drwxrwxrwt 2 root root 40 Nov 7 02:11 .
drwxr-xr-x 1 root root 4096 Nov 7 02:11 ..

https://github.com/opencontainers/runc/pull/4973 has been merged upstream. It was backported in https://github.com/opencontainers/runc/pull/4975.

Next, we should apply https://github.com/opencontainers/runc/pull/4975.patch and make sure it fixes the regression.

Hello again!

I was able to reproduce the issue as well, and I applied the upstream patch. As you can see, the newly updated package (1.3.3-0ubuntu1~XX.YY.3) for all supported releases should fix the issue. I uploaded the packages in the security-proposed PPA (https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/), where you can also validate the fact that the regression is now solved.

I will issue the update of the package which will make it land on the archive on Monday, as well as a Security Notice.

Hello! The updates have been published and the USN has been released. Please confirm that this update fixed the issue, so we can retire the bug.

Thanks for your patience!

Looks good to me.

ubuntu@ip-172-31-41-182:/ephemeral/tmp$ dpkg-query -W -f='${Version}\n' runc
1.3.3-0ubuntu1~22.04.3
ubuntu@ip-172-31-41-182:/ephemeral/tmp$ docker run --tmpfs /my-tmp:exec --rm -it ubuntu:latest ls -al /my-tmp
total 0
drwxrwxrwt 2 root root 40 Nov 24 15:25 .
drwxr-xr-x 1 root root 12 Nov 24 15:25 ..