executor: make sure cwd created with correct user

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

executor/containerdexecutor/executor.go

@@ -12,6 +12,8 @@ import (
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/cio"
 	containerdoci "github.com/containerd/containerd/oci"
+	"github.com/containerd/continuity/fs"
+	"github.com/docker/docker/pkg/idtools"
 	"github.com/moby/buildkit/cache"
 	"github.com/moby/buildkit/executor"
 	"github.com/moby/buildkit/executor/oci"
@@ -84,6 +86,22 @@ func (w containerdExecutor) Exec(ctx context.Context, meta executor.Meta, root c
 			lm.Unmount()
 			return err
 		}
+
+		identity := idtools.Identity{
+			UID: int(uid),
+			GID: int(gid),
+		}
+
+		newp, err := fs.RootPath(rootfsPath, meta.Cwd)
+		if err != nil {
+			lm.Unmount()
+			return errors.Wrapf(err, "working dir %s points to invalid target", newp)
+		}
+		if err := idtools.MkdirAllAndChown(newp, 0755, identity); err != nil {
+			lm.Unmount()
+			return errors.Wrapf(err, "failed to create working directory %s", newp)
+		}
+
 		lm.Unmount()
 	}
 

executor/runcexecutor/executor.go

@@ -197,6 +197,17 @@ func (w *runcExecutor) Exec(ctx context.Context, meta executor.Meta, root cache.
 		opts = append(opts, containerdoci.WithRootFSReadonly())
 	}
 
+	identity = idtools.Identity{
+		UID: int(uid),
+		GID: int(gid),
+	}
+	if w.idmap != nil {
+		identity, err = w.idmap.ToHost(identity)
+		if err != nil {
+			return err
+		}
+	}
+
 	if w.cgroupParent != "" {
 		var cgroupsPath string
 		lastSeparator := w.cgroupParent[len(w.cgroupParent)-1:]

frontend/dockerfile/dockerfile_test.go

@@ -106,6 +106,7 @@ var fileOpTests = []integration.Test{
 	testCopyRelative,
 	testTarContext,
 	testTarContextExternalDockerfile,
+	testWorkdirUser,
 }
 
 var opts []integration.TestOpt
@@ -711,6 +712,40 @@ COPY foo nomatch* /
 	require.Equal(t, "contents0", string(dt))
 }
 
+func testWorkdirUser(t *testing.T, sb integration.Sandbox) {
+	f := getFrontend(t, sb)
+	isFileOp := getFileOp(t, sb)
+
+	dockerfile := []byte(`
+FROM busybox
+RUN adduser -D user
+USER user
+WORKDIR /mydir
+RUN [ "$(stat -c "%U %G" /mydir)" == "user user" ]
+`)
+
+	dir, err := tmpdir(
+		fstest.CreateFile("Dockerfile", dockerfile, 0600),
+	)
+	require.NoError(t, err)
+	defer os.RemoveAll(dir)
+
+	c, err := client.New(context.TODO(), sb.Address())
+	require.NoError(t, err)
+	defer c.Close()
+
+	_, err = f.Solve(context.TODO(), c, client.SolveOpt{
+		FrontendAttrs: map[string]string{
+			"build-arg:BUILDKIT_DISABLE_FILEOP": strconv.FormatBool(!isFileOp),
+		},
+		LocalDirs: map[string]string{
+			builder.DefaultLocalNameDockerfile: dir,
+			builder.DefaultLocalNameContext:    dir,
+		},
+	}, nil)
+	require.NoError(t, err)
+}
+
 func testCopyChownCreateDest(t *testing.T, sb integration.Sandbox) {
 	f := getFrontend(t, sb)
 	isFileOp := getFileOp(t, sb)