author | Nicolas Lacasse <nlacasse@google.com> | 2019-07-23 14:35:50 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2019-07-23 14:37:07 -0700 |
commit | 04cbb13ce9b151cf906f42e3f18ce3a875f01f63 (patch) | |
tree | 3c68885355ff140b59f5aee4b149911bcb72c439 /pkg/sentry/control | |
parent | 57745994384ee1ff94fc7bed4f814ba75e39d48e (diff) |
Give each container a distinct MountNamespace.
This keeps all container filesystems completely separate from each other
(including from the root container filesystem), and allows us to get rid of the
"__runsc_containers__" directory.
It also simplifies container startup/teardown as we don't have to muck around
in the root container's filesystem.
PiperOrigin-RevId: 259613346
Diffstat (limited to 'pkg/sentry/control')
-rw-r--r-- | pkg/sentry/control/proc.go | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/pkg/sentry/control/proc.go b/pkg/sentry/control/proc.go
index 6ae60c5cb..60e6c9285 100644
--- a/pkg/sentry/control/proc.go
+++ b/pkg/sentry/control/proc.go
@@ -54,6 +54,12 @@ type ExecArgs struct {
 // Envv is a list of environment variables.
 Envv []string `json:"envv"`
+ // MountNamespace is the mount namespace to execute the new process in.
+ // A reference on MountNamespace must be held for the lifetime of the
+ // ExecArgs. If MountNamespace is nil, it will default to the kernel's
+ // root MountNamespace.
+ MountNamespace *fs.MountNamespace
+
 // Root defines the root directory for the new process. A reference on
 // Root must be held for the lifetime of the ExecArgs. If Root is nil,
 // it will default to the VFS root.
@@ -145,6 +151,7 @@ func (proc *Proc) execAsync(args *ExecArgs) (*kernel.ThreadGroup, kernel.ThreadI
 Argv: args.Argv,
 Envv: args.Envv,
 WorkingDirectory: args.WorkingDirectory,
+ MountNamespace: args.MountNamespace,
 Root: args.Root,
 Credentials: creds,
 FDTable: fdTable,
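Review bot: The new `MountNamespace` field in `ExecArgs` carries no struct tag, while `Envv` directly above it is tagged `json:"envv"`, which suggests the struct is JSON-encoded somewhere. If ExecArgs is ever decoded from a control-channel request, an untagged exported pointer is encoded and decoded under its Go field name; because this field selects which container filesystem the new process sees, it should be settable only by in-sentry code. I would add a `json:"-"` tag to the field and state in its comment that it is set in-process only. The `Root` declaration itself is outside the hunk, so I cannot tell whether it already follows that convention.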
@@ -157,16 +164,25 @@ func (proc *Proc) execAsync(args *ExecArgs) (*kernel.ThreadGroup, kernel.ThreadI
 ContainerID: args.ContainerID,
 }
 if initArgs.Root != nil {
- // initArgs must hold a reference on Root. This ref is dropped
- // in CreateProcess.
+ // initArgs must hold a reference on Root, which will be
+ // donated to the new process in CreateProcess.
 initArgs.Root.IncRef()
 }
+ if initArgs.MountNamespace != nil {
+ // initArgs must hold a reference on MountNamespace, which will
+ // be donated to the new process in CreateProcess.
+ initArgs.MountNamespace.IncRef()
+ }
 ctx := initArgs.NewContext(proc.Kernel)
 if initArgs.Filename == "" {
 // Get the full path to the filename from the PATH env variable.
 paths := fs.GetPath(initArgs.Envv)
- f, err := proc.Kernel.RootMountNamespace().ResolveExecutablePath(ctx, initArgs.WorkingDirectory, initArgs.Argv[0], paths)
+ mns := initArgs.MountNamespace
+ if mns == nil {
+ mns = proc.Kernel.RootMountNamespace()
+ }
+ f, err := mns.ResolveExecutablePath(ctx, initArgs.WorkingDirectory, initArgs.Argv[0], paths)
 if err != nil {
 return nil, 0, nil, fmt.Errorf("error finding executable %q in PATH %v: %v", initArgs.Argv[0], paths, err)
 } |
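Review bot: The references taken by `initArgs.Root.IncRef()` and the new `initArgs.MountNamespace.IncRef()` are not released on the early `return nil, 0, nil, fmt.Errorf(...)` path. Both comments say the references are donated in CreateProcess, but that call is never reached when `ResolveExecutablePath` fails. Each failed PATH lookup would then leave an extra reference on the container's mount namespace, which can keep its filesystem alive past teardown; the Root half of this predates the commit. Dropping both references before that return closes the gap, as sketched below. execAsync starts and ends outside the hunk, so a deferred cleanup elsewhere in the function is not ruled out.

```go
f, err := mns.ResolveExecutablePath(ctx, initArgs.WorkingDirectory, initArgs.Argv[0], paths)
if err != nil {
	// CreateProcess is never reached on this path, so give back the
	// references taken above instead of leaking them.
	if initArgs.Root != nil {
		initArgs.Root.DecRef()
	}
	if initArgs.MountNamespace != nil {
		initArgs.MountNamespace.DecRef()
	}
	// … unchanged: return of the "error finding executable" error …
}
```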