authorchris.zn <chris.zn@antfin.com>2019-04-30 23:35:36 +0800
committerchris.zn <chris.zn@antfin.com>2019-07-24 13:38:23 +0800
commit1c5b6d9bd26ba090610d05366df90d4fee91c677 (patch)
tree964de3a578b4100c5a445ba798cd24f20873c6de /pkg/sentry/control
parent7e38d643334647fb79c7cc8be35745699de264e6 (diff)
Use different pidns among different containers
Previously, all containers in a sandbox shared a single pid namespace, so a container could see the processes of another container in the same sandbox. This patch uses a separate pid namespace for each container. Signed-off-by: chris.zn <chris.zn@antfin.com>
Diffstat (limited to 'pkg/sentry/control')
-rw-r--r--pkg/sentry/control/proc.go8
1 files changed, 6 insertions, 2 deletions
diff --git a/pkg/sentry/control/proc.go b/pkg/sentry/control/proc.go
index 60e6c9285..3f9772b87 100644
--- a/pkg/sentry/control/proc.go
+++ b/pkg/sentry/control/proc.go
@@ -92,6 +92,9 @@ type ExecArgs struct {
// ContainerID is the container for the process being executed.
ContainerID string
+
+ // PIDNamespace is the pid namespace for the process being executed.
+ PIDNamespace *kernel.PIDNamespace
}
// String prints the arguments as a string.
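Review bot: The new doc comment on `PIDNamespace` does not say what a nil value means, and for this field that is the security-relevant part: whether an unset namespace falls back to the root pid namespace (which would reintroduce the cross-container visibility this commit removes) or is rejected. If nil is meant to be rejected, the comment should say so, e.g. `// PIDNamespace is the pid namespace for the process being executed. It must be set to the target container's namespace; nil is rejected.`; if it is meant to fall back to the root namespace, state that explicitly, because that is exactly the case in which an exec'd process becomes visible to every container. I cannot tell from this hunk which of the two the kernel side implements. The `ExecArgs` struct begins before this hunk.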
@@ -162,6 +165,7 @@ func (proc *Proc) execAsync(args *ExecArgs) (*kernel.ThreadGroup, kernel.ThreadI
IPCNamespace: proc.Kernel.RootIPCNamespace(),
AbstractSocketNamespace: proc.Kernel.RootAbstractSocketNamespace(),
ContainerID: args.ContainerID,
+ PIDNamespace: args.PIDNamespace,
}
if initArgs.Root != nil {
// initArgs must hold a reference on Root, which will be
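Review bot: `args.PIDNamespace` is copied into `initArgs` on the added line without a nil check, so an exec request from a caller that never sets the field is handed to the kernel as nil. I cannot see from this hunk how `kernel.CreateProcess` treats a nil namespace; if it falls back to the root pid namespace, such an exec silently lands in the one namespace shared by every container, which is the visibility problem this commit is fixing. I would refuse it before building `initArgs`: `if args.PIDNamespace == nil { return <zero values>, fmt.Errorf("exec in container %q: PIDNamespace is required", args.ContainerID) }`. execAsync's signature is cut off in the hunk header and its body continues outside the hunk, so the exact result list is not visible here.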
@@ -341,7 +345,7 @@ func Processes(k *kernel.Kernel, containerID string, out *[]*Process) error {
ts := k.TaskSet()
now := k.RealtimeClock().Now()
for _, tg := range ts.Root.ThreadGroups() {
- pid := ts.Root.IDOfThreadGroup(tg)
+ pid := tg.PIDNamespace().IDOfThreadGroup(tg)
// If tg has already been reaped ignore it.
if pid == 0 {
continue
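Review bot: With `pid` now taken from `tg.PIDNamespace()` instead of `ts.Root`, the `PID` written into each `Process` entry is relative to that process's own namespace, so it is no longer unique across the sandbox (every container's first process can report PID 1) and no longer addresses the task from the root namespace. Any consumer of `Processes` that keyed on `PID` sandbox-wide — the callers are not visible here — now has to pair it with `ContainerID`, and the `Process` struct should say so on its `PID` field: `// PID is the process ID in the process's own pid namespace; it is only unique together with ContainerID.` `Processes` starts before this hunk (only its signature appears in the hunk header) and the `Process` struct is defined elsewhere.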
@@ -352,7 +356,7 @@ func Processes(k *kernel.Kernel, containerID string, out *[]*Process) error {
ppid := kernel.ThreadID(0)
if p := tg.Leader().Parent(); p != nil {
- ppid = ts.Root.IDOfThreadGroup(p.ThreadGroup())
+ ppid = p.PIDNamespace().IDOfThreadGroup(p.ThreadGroup())
}
*out = append(*out, &Process{
UID: tg.Leader().Credentials().EffectiveKUID,
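Review bot: The replaced `ppid` line resolves the parent in the parent's own namespace (`p.PIDNamespace()`), while `pid` a few lines earlier is resolved in the child's namespace, so one `Process` entry now mixes IDs from two namespaces whenever the parent lives in an ancestor namespace, for example a container's first process whose parent is sandbox-side. Linux reports PPid as seen from the child's namespace and 0 when the parent is not visible there; `IDOfThreadGroup` appears to give exactly that (the `pid == 0` check above already relies on 0 meaning "not in this namespace"), so `ppid = tg.PIDNamespace().IDOfThreadGroup(p.ThreadGroup())` keeps pid and ppid comparable and stops a root-namespace PID from leaking into a container-scoped listing. `Processes` continues beyond this hunk.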