authorMichael Pratt <mpratt@google.com>2018-12-17 17:34:09 -0800
committerShentubot <shentubot@google.com>2018-12-17 17:35:06 -0800
commitb62591e6a813ec19a1fd74943584c4fead81f670 (patch)
tree33401c563bd3a8539b919b2d5fac3d5224d934e1
parente9c4f69f36308b370579c954badc7ad90146d6e7 (diff)
Expose internal testing flag
Never to be used outside of runsc tests! PiperOrigin-RevId: 225919013 Change-Id: Ib3b14aa2a2564b5246fb3f8933d95e01027ed186
-rw-r--r--runsc/boot/config.go7
-rw-r--r--runsc/main.go3
-rw-r--r--runsc/test/testutil/BUILD5
3 files changed, 10 insertions, 5 deletions
diff --git a/runsc/boot/config.go b/runsc/boot/config.go
index b98e38ae9..e00d44df9 100644
--- a/runsc/boot/config.go
+++ b/runsc/boot/config.go
@@ -218,7 +218,7 @@ type Config struct {
// ToFlags returns a slice of flags that correspond to the given Config.
func (c *Config) ToFlags() []string {
- return []string{
+ f := []string{
"--root=" + c.RootDir,
"--debug=" + strconv.FormatBool(c.Debug),
"--log=" + c.LogFilename,
@@ -237,4 +237,9 @@ func (c *Config) ToFlags() []string {
"--panic-signal=" + strconv.Itoa(c.PanicSignal),
"--trace-signal=" + strconv.Itoa(c.TraceSignal),
}
+ if c.TestOnlyAllowRunAsCurrentUserWithoutChroot {
+ // Only include if set since it is never to be used by users.
+ f = append(f, "-TESTONLY-unsafe-nonroot=true")
+ }
+ return f
}
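Review bot: The appended flag is spelled with a single dash, `"-TESTONLY-unsafe-nonroot=true"`, while every other entry in the slice uses `--`. Go's flag package accepts both forms, so this is a consistency point, but an exact-match search for `--TESTONLY-unsafe-nonroot` would miss it. I would write `f = append(f, "--TESTONLY-unsafe-nonroot=true")`. Emitting the flag only when the field is set is a good choice, because its presence on a sandbox command line is then a clear signal that isolation has been relaxed. The start of ToFlags is in the previous hunk.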
diff --git a/runsc/main.go b/runsc/main.go
index 013b250f7..a6ea0e9fa 100644
--- a/runsc/main.go
+++ b/runsc/main.go
@@ -64,6 +64,8 @@ var (
watchdogAction = flag.String("watchdog-action", "log", "sets what action the watchdog takes when triggered: log (default), panic.")
panicSignal = flag.Int("panic-signal", -1, "register signal handling that panics. Usually set to SIGUSR2(12) to troubleshoot hangs. -1 disables it. This takes precendence over -trace-signal.")
traceSignal = flag.Int("trace-signal", -1, "register signal handling that logs a traceback of all goroutines. Usually set to SIGUSR2(12) to troubleshoot hangs. -1 disables it.")
+
+ testOnlyAllowRunAsCurrentUserWithoutChroot = flag.Bool("TESTONLY-unsafe-nonroot", false, "TEST ONLY; do not ever use! This skips many security measures that isolate the host from the sandbox.")
)
// gitRevision is set during linking.
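Review bot: `TESTONLY-unsafe-nonroot` is registered unconditionally in the var block, so the shipped runsc binary will accept it, and the help string is the only thing discouraging its use. The later hunk in main() copies the value into `conf` without any log line or check. I would emit a prominent warning there whenever the flag is true, for example `if *testOnlyAllowRunAsCurrentUserWithoutChroot { log.Warningf("TESTONLY-unsafe-nonroot is set; host isolation is reduced") }`, assuming main.go already has a logger of that shape in scope. That lets operators and log-based detection notice a sandbox started in this mode. If the project's build setup allows it, compiling the flag only into test builds would be a stronger guard. The code that consumes the setting is not visible on this page.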
@@ -146,6 +148,7 @@ func main() {
WatchdogAction: wa,
PanicSignal: *panicSignal,
TraceSignal: *traceSignal,
+ TestOnlyAllowRunAsCurrentUserWithoutChroot: *testOnlyAllowRunAsCurrentUserWithoutChroot,
}
if len(*straceSyscalls) != 0 {
conf.StraceSyscalls = strings.Split(*straceSyscalls, ",")
diff --git a/runsc/test/testutil/BUILD b/runsc/test/testutil/BUILD
index 826b7bf0b..8c3919320 100644
--- a/runsc/test/testutil/BUILD
+++ b/runsc/test/testutil/BUILD
@@ -11,10 +11,7 @@ go_library(
"testutil_race.go",
],
importpath = "gvisor.googlesource.com/gvisor/runsc/test/testutil",
- visibility = [
- "//runsc:__subpackages__",
- "//test:__subpackages__",
- ],
+ visibility = ["//:sandbox"],
deps = [
"//runsc/boot",
"//runsc/specutils",
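Review bot: The visibility list is replaced by `//:sandbox` with no comment explaining the choice, and the definition of that package group is not visible in this diff. Since this appears to be the build-time control over who can depend on testutil, I would add a comment above the attribute such as `# Test-only helpers; keep visibility limited to the sandbox package group.` so that a later change does not widen it by accident. It is also worth confirming that the packages previously covered by `//test:__subpackages__` are members of the group, or are meant to lose access.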