set +x on overlay fs dirs

We need to set +x on the overlay dirs or after dropping from root to a
non-root user an eperm will happen on exec or other file access

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

cmd/ctr/run.go

@@ -113,6 +113,13 @@ func spec(id string, config *ocispec.ImageConfig, context *cli.Context) (*specs.
 				Effective:   capabilities,
 				Ambient:     capabilities,
 			},
+			Rlimits: []specs.LinuxRlimit{
+				{
+					Type: "RLIMIT_NOFILE",
+					Hard: uint64(1024),
+					Soft: uint64(1024),
+				},
+			},
 		},
 		Mounts: []specs.Mount{
 			{
@@ -311,7 +318,7 @@ var runCommand = cli.Command{
 		}
 		var imageConfig ocispec.Image
 		switch ic.MediaType {
-		case ocispec.MediaTypeImageConfig, "application/vnd.docker.container.image.v1+json":
+		case ocispec.MediaTypeImageConfig, images.MediaTypeDockerSchema2Config:
 			r, err := provider.Reader(ctx, ic.Digest)
 			if err != nil {
 				return err

linux/runtime.go

@@ -41,7 +41,7 @@ type Config struct {
 }
 
 func New(ic *plugin.InitContext) (interface{}, error) {
-	path := filepath.Join(ic.Root, runtimeName)
+	path := filepath.Join(ic.State, runtimeName)
 	if err := os.MkdirAll(path, 0700); err != nil {
 		return nil, err
 	}

snapshot/overlay/overlay.go

@@ -47,7 +47,6 @@ func NewSnapshotter(root string, ms storage.MetaStore) (snapshot.Snapshotter, er
 	if err := os.MkdirAll(root, 0700); err != nil {
 		return nil, err
 	}
-
 	if err := os.MkdirAll(filepath.Join(root, "snapshots"), 0700); err != nil {
 		return nil, err
 	}
@@ -189,7 +188,7 @@ func (o *Snapshotter) createActive(ctx context.Context, key, parent string, read
 		}
 	}()
 
-	if err = os.MkdirAll(filepath.Join(td, "fs"), 0700); err != nil {
+	if err = os.MkdirAll(filepath.Join(td, "fs"), 0711); err != nil {
 		return nil, err
 	}
 	if !readonly {