Handle wrapped errors correctly in libcontainer/init_linux.go

Signed-off-by: Curd Becker <me@curd-becker.de>

Author: curdbecker

libcontainer/init_linux.go

@@ -314,7 +314,7 @@ func finalizeNamespace(config *initConfig) error {
 		switch {
 		case err == nil:
 			doChdir = false
-		case os.IsPermission(err):
+		case errors.Is(err, os.ErrPermission):
 			// If we hit an EPERM, we should attempt again after setting up user.
 			// This will allow us to successfully chdir if the container user has access
 			// to the directory, but the user running runc does not.
@@ -480,7 +480,12 @@ func setupUser(config *initConfig) error {
 		setgroups, err = io.ReadAll(setgroupsFile)
 		_ = setgroupsFile.Close()
 	}
-	if err != nil && !os.IsNotExist(err) {
+	// be sure to use check for wrapped errors, since pathrs-lite will always
+	// wrap os.ErrNotExist in procfs.errUnsafeProcfs
+	// see:
+	// https://github.com/opencontainers/runc/blob/59a5ff14a2c1f6beb74982a9c03e31c5fb49859d/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_linux.go#L329C1-L330C1
+	// https://github.com/opencontainers/runc/blob/59a5ff14a2c1f6beb74982a9c03e31c5fb49859d/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_lookup_linux.go#L93
+	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return err
 	}