summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorFabricio Voznika <fvoznika@google.com>2018-10-11 17:44:50 -0700
committerShentubot <shentubot@google.com>2018-10-11 17:45:51 -0700
commitf074f0c2c77c4aec24700a49ebcbca1a7f2285e0 (patch)
tree6c76d302edcf4ebe935170a14766e915f1607a8b
parent3bc5e6482b110a03651abcfb02c93eef8a7ee90f (diff)
Make the gofer process enter namespaces
This is done to further isolate the gofer from the host. PiperOrigin-RevId: 216790991 Change-Id: Ia265b77e4e50f815d08f743a05669f9d75ad7a6f
-rw-r--r--runsc/container/container.go12
-rw-r--r--runsc/sandbox/sandbox.go17
2 files changed, 19 insertions, 10 deletions
diff --git a/runsc/container/container.go b/runsc/container/container.go
index 10108db5a..37e607bed 100644
--- a/runsc/container/container.go
+++ b/runsc/container/container.go
@@ -726,11 +726,21 @@ func (c *Container) createGoferProcess(spec *specs.Spec, conf *boot.Config, bund
cmd := exec.Command(binPath, args...)
cmd.ExtraFiles = goferEnds
+ // Enter new namespaces to isolate from the rest of the system. Don't unshare
+ // cgroup because gofer is added to a cgroup in the caller's namespace.
+ nss := []specs.LinuxNamespace{
+ {Type: specs.IPCNamespace},
+ {Type: specs.MountNamespace},
+ {Type: specs.NetworkNamespace},
+ {Type: specs.PIDNamespace},
+ {Type: specs.UTSNamespace},
+ }
+
// Setup any uid/gid mappings, and create or join the configured user
// namespace so the gofer's view of the filesystem aligns with the
// users in the sandbox.
+ nss = append(nss, specutils.FilterNS([]specs.LinuxNamespaceType{specs.UserNamespace}, spec)...)
specutils.SetUIDGIDMappings(cmd, spec)
- nss := specutils.FilterNS([]specs.LinuxNamespaceType{specs.UserNamespace}, spec)
// Start the gofer in the given namespace.
log.Debugf("Starting gofer: %s %v", binPath, args)
diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go
index 39c855db9..6c1b39be7 100644
--- a/runsc/sandbox/sandbox.go
+++ b/runsc/sandbox/sandbox.go
@@ -408,12 +408,14 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund
cmd.SysProcAttr.Setsid = true
// nss is the set of namespaces to join or create before starting the sandbox
- // process. IPC and UTS namespaces from the host are not used as they
+ // process. Mount, IPC and UTS namespaces from the host are not used as they
// are virtualized inside the sandbox. Be paranoid and run inside an empty
- // namespace for these.
- log.Infof("Sandbox will be started in new IPC and UTS namespaces")
+ // namespace for these. Don't unshare cgroup because sandbox is added to a
+ // cgroup in the caller's namespace.
+ log.Infof("Sandbox will be started in new mount, IPC and UTS namespaces")
nss := []specs.LinuxNamespace{
{Type: specs.IPCNamespace},
+ {Type: specs.MountNamespace},
{Type: specs.UTSNamespace},
}
@@ -426,9 +428,6 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund
nss = append(nss, specs.LinuxNamespace{Type: specs.PIDNamespace})
}
- log.Infof("Sandbox will be started in new mount namespace")
- nss = append(nss, specs.LinuxNamespace{Type: specs.MountNamespace})
-
// Joins the network namespace if network is enabled. the sandbox talks
// directly to the host network, which may have been configured in the
// namespace.
@@ -440,9 +439,9 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund
nss = append(nss, specs.LinuxNamespace{Type: specs.NetworkNamespace})
}
- // User namespace depends on the following options:
- // - Host network/filesystem: requires to run inside the user namespace
- // specified in the spec or the current namespace if none is configured.
+ // User namespace depends on the network type. Host network requires to run
+ // inside the user namespace specified in the spec or the current namespace
+ // if none is configured.
if conf.Network == boot.NetworkHost {
if userns, ok := specutils.GetNS(specs.UserNamespace, spec); ok {
log.Infof("Sandbox will be started in container's user namespace: %+v", userns)