authorAndrei Vagin <avagin@google.com>2019-01-22 16:45:45 -0800
committerShentubot <shentubot@google.com>2019-01-22 16:46:42 -0800
commit5f08f8fd8162fa2fc2ca7b862263081d8d07b206 (patch)
treedf94de296220411b976f5730f71f6495ea1dc650
parentceb3dcfb72fe050bb0d90a7285cd1b56d1b4dfeb (diff)
Don't bind-mount runsc into a sandbox mntns
PiperOrigin-RevId: 230437407 Change-Id: Id9d8ceeb018aad2fe317407c78c6ee0f4b47aa2b
-rw-r--r--runsc/cmd/boot.go1
-rw-r--r--runsc/cmd/chroot.go8
-rw-r--r--runsc/cmd/cmd.go9
-rw-r--r--runsc/cmd/exec.go6
-rw-r--r--runsc/container/container.go6
-rw-r--r--runsc/sandbox/sandbox.go5
-rw-r--r--runsc/specutils/specutils.go10
-rw-r--r--runsc/test/root/chroot_test.go13
8 files changed, 12 insertions, 46 deletions
diff --git a/runsc/cmd/boot.go b/runsc/cmd/boot.go
index 7f87b2623..3039b389f 100644
--- a/runsc/cmd/boot.go
+++ b/runsc/cmd/boot.go
@@ -129,7 +129,6 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
Fatalf("error setting up chroot: %v", err)
}
- specutils.ExePath = "/runsc"
if !b.applyCaps {
// Remove --setup-root arg to call myself.
var args []string
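Review bot: With the `specutils.ExePath = "/runsc"` assignment gone and the bind mount in the chroot.go hunk removed, the `!b.applyCaps` re-exec path a few lines below now depends on whatever `ExePath` defaults to resolving from inside the chroot set up just above, and nothing in this hunk or the commit message states what that default is or why it is reachable there (presumably a `/proc/self/exe`-style path served by the `/proc` mount the test hunk still expects). A short comment at the point of the removed line would make that dependency explicit, e.g. `// ExePath is not rewritten here: the chroot has no copy of runsc, so re-exec relies on ExePath resolving via the mounted /proc.` `Boot.Execute` starts and ends outside this hunk.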
diff --git a/runsc/cmd/chroot.go b/runsc/cmd/chroot.go
index ec539a11c..c1acbf26b 100644
--- a/runsc/cmd/chroot.go
+++ b/runsc/cmd/chroot.go
@@ -24,10 +24,6 @@ import (
"gvisor.googlesource.com/gvisor/runsc/specutils"
)
-// chrootBinPath is the location inside the chroot where the runsc binary will
-// be mounted.
-const chrootBinPath = "/runsc"
-
// mountInChroot creates the destination mount point in the given chroot and
// mounts the source.
func mountInChroot(chroot, src, dst, typ string, flags uint32) error {
@@ -70,10 +66,6 @@ func setUpChroot(pidns bool) error {
}
}
- if err := mountInChroot(chroot, specutils.ExePath, chrootBinPath, "bind", syscall.MS_BIND|syscall.MS_RDONLY); err != nil {
- return fmt.Errorf("error mounting runsc in chroot: %v", err)
- }
-
if err := os.Chdir(chroot); err != nil {
return fmt.Errorf("error changing working directory: %v", err)
}
diff --git a/runsc/cmd/cmd.go b/runsc/cmd/cmd.go
index fbfc18fc9..208cf5304 100644
--- a/runsc/cmd/cmd.go
+++ b/runsc/cmd/cmd.go
@@ -80,13 +80,10 @@ func setCapsAndCallSelf(args []string, caps *specs.LinuxCapabilities) error {
if err := applyCaps(caps); err != nil {
return fmt.Errorf("applyCaps() failed: %v", err)
}
- binPath, err := specutils.BinPath()
- if err != nil {
- return err
- }
+ binPath := specutils.ExePath
log.Infof("Execve %q again, bye!", binPath)
- err = syscall.Exec(binPath, args, []string{})
+ err := syscall.Exec(binPath, args, []string{})
return fmt.Errorf("error executing %s: %v", binPath, err)
}
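Review bot: Dropping the symlink resolution that `BinPath` did (see the removed doc comment in the specutils.go hunk: it existed so the process name "appears as 'runsc', instead of 'exe'") means `syscall.Exec(binPath, args, ...)` here and in `callSelfAsNobody` now execs through the unresolved `ExePath`; if that is a `/proc/self/exe`-style path, the kernel derives the task's comm from its basename, so tooling that keys on comm rather than argv[0] will see `exe`. The exec.go and container.go hunks compensate by setting `cmd.Args[0]`, but these two call sites pass `args` through unchanged, so the readable name depends entirely on what the caller put in `args[0]`. Worth a comment on the `binPath := specutils.ExePath` line, e.g. `// ExePath is used as-is (no symlink resolution); a readable process name must come from args[0].`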
@@ -105,7 +102,7 @@ func callSelfAsNobody(args []string) error {
return fmt.Errorf("error setting gid: %v", err)
}
- binPath := "/runsc"
+ binPath := specutils.ExePath
log.Infof("Execve %q again, bye!", binPath)
err := syscall.Exec(binPath, args, []string{})
diff --git a/runsc/cmd/exec.go b/runsc/cmd/exec.go
index 13584d800..9e058ad97 100644
--- a/runsc/cmd/exec.go
+++ b/runsc/cmd/exec.go
@@ -186,10 +186,7 @@ func (ex *Exec) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
}
func (ex *Exec) execAndWait(waitStatus *syscall.WaitStatus) subcommands.ExitStatus {
- binPath, err := specutils.BinPath()
- if err != nil {
- Fatalf("getting bin path: %v", err)
- }
+ binPath := specutils.ExePath
var args []string
// The command needs to write a pid file so that execAndWait can tell
@@ -219,6 +216,7 @@ func (ex *Exec) execAndWait(waitStatus *syscall.WaitStatus) subcommands.ExitStat
}
cmd := exec.Command(binPath, args...)
+ cmd.Args[0] = "runsc-exec"
// Exec stdio defaults to current process stdio.
cmd.Stdin = os.Stdin
diff --git a/runsc/container/container.go b/runsc/container/container.go
index 2d4b85d9f..6d88dff7f 100644
--- a/runsc/container/container.go
+++ b/runsc/container/container.go
@@ -818,12 +818,10 @@ func (c *Container) createGoferProcess(spec *specs.Spec, conf *boot.Config, bund
args = append(args, fmt.Sprintf("--io-fds=%d", nextFD))
}
- binPath, err := specutils.BinPath()
- if err != nil {
- return nil, err
- }
+ binPath := specutils.ExePath
cmd := exec.Command(binPath, args...)
cmd.ExtraFiles = goferEnds
+ cmd.Args[0] = "runsc-gofer"
// Enter new namespaces to isolate from the rest of the system. Don't unshare
// cgroup because gofer is added to a cgroup in the caller's namespace.
diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go
index 53cb464d2..721a49141 100644
--- a/runsc/sandbox/sandbox.go
+++ b/runsc/sandbox/sandbox.go
@@ -292,10 +292,7 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund
// starts at 3 because 0, 1, and 2 are taken by stdin/out/err.
nextFD := 3
- binPath, err := specutils.BinPath()
- if err != nil {
- return err
- }
+ binPath := specutils.ExePath
cmd := exec.Command(binPath, conf.ToFlags()...)
cmd.SysProcAttr = &syscall.SysProcAttr{}
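Review bot: Unlike the sibling hunks in exec.go (`cmd.Args[0] = "runsc-exec"`) and container.go (`cmd.Args[0] = "runsc-gofer"`), this hunk switches to `specutils.ExePath` without overriding `cmd.Args[0]`, so the sandbox process's argv[0] stays whatever `exec.Command` derives from the path — likely the least identifiable of the three processes, which matters for anyone correlating sandbox, gofer and exec processes in process listings or audit data. Suggest adding, after the `exec.Command` line, `cmd.Args[0] = "runsc-sandbox"` (name constructed to match the pattern of the other hunks). `createSandboxProcess` starts and ends outside this hunk.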
diff --git a/runsc/specutils/specutils.go b/runsc/specutils/specutils.go
index 7b0dcf231..4e7893ab4 100644
--- a/runsc/specutils/specutils.go
+++ b/runsc/specutils/specutils.go
@@ -315,16 +315,6 @@ func IsSupportedDevMount(m specs.Mount) bool {
return true
}
-// BinPath returns the real path to self, resolving symbolink links. This is done
-// to make the process name appears as 'runsc', instead of 'exe'.
-func BinPath() (string, error) {
- binPath, err := filepath.EvalSymlinks(ExePath)
- if err != nil {
- return "", fmt.Errorf(`error resolving %q symlink: %v`, ExePath, err)
- }
- return binPath, nil
-}
-
const (
// ContainerdContainerTypeAnnotation is the OCI annotation set by
// containerd to indicate whether the container to create should have
diff --git a/runsc/test/root/chroot_test.go b/runsc/test/root/chroot_test.go
index 04124703d..89f90c3e0 100644
--- a/runsc/test/root/chroot_test.go
+++ b/runsc/test/root/chroot_test.go
@@ -26,8 +26,6 @@ import (
"os"
"os/exec"
"path/filepath"
- "reflect"
- "sort"
"strconv"
"strings"
"testing"
@@ -73,16 +71,13 @@ func TestChroot(t *testing.T) {
if err != nil {
t.Fatalf("error listing %q: %v", chroot, err)
}
- if want, got := 2, len(fi); want != got {
+ if want, got := 1, len(fi); want != got {
t.Fatalf("chroot dir got %d entries, want %d", got, want)
}
- // chroot dir is prepared by runsc and should contains only the executable
- // and /proc.
- files := []string{fi[0].Name(), fi[1].Name()}
- sort.Strings(files)
- if want := []string{"proc", "runsc"}; !reflect.DeepEqual(files, want) {
- t.Errorf("chroot got children %v, want %v", files, want)
+ // chroot dir is prepared by runsc and should contains only /proc.
+ if fi[0].Name() != "proc" {
+ t.Errorf("chroot got children %v, want %v", fi[0].Name(), "proc")
}
d.CleanUp()
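Review bot: The new comment has a grammar slip, `// chroot dir is prepared by runsc and should contains only /proc.` should read `should contain only /proc`, and the error message `"chroot got children %v, want %v"` now reports a single entry, so `"chroot got child %q, want %q"` would read more naturally and quote the name. Since the test is now the only guard that the chroot contains nothing but `/proc`, it may also be worth asserting `fi[0].IsDir()` so a stray regular file named `proc` does not pass. `TestChroot` starts and ends outside this hunk.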