daemon: allow directory creation in /run/secrets

Since FileMode can have the directory bit set, allow a SecretStore
implementation to return secrets that are actually directories. This is
useful for creating directories and subdirectories of secrets.

Backport: moby#31632
Signed-off-by: Aleksa Sarai <asarai@suse.de>

Author: cyphar

daemon/container_operations_unix.go

@@ -195,8 +195,14 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 		if secret == nil {
 			return fmt.Errorf("unable to get secret from secret store")
 		}
-		if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
-			return errors.Wrap(err, "error injecting secret")
+		if s.File.Mode.IsDir() {
+			if err := os.Mkdir(fPath, s.File.Mode); err != nil {
+				return errors.Wrap(err, "error injecting secret dir")
+			}
+		} else {
+			if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
+				return errors.Wrap(err, "error injecting secret")
+			}
 		}
 
 		uid, err := strconv.Atoi(s.File.UID)