diff options
| author | Nicolas Lacasse <nlacasse@google.com> | 2019-04-08 11:55:31 -0700 |
|---|---|---|
| committer | Shentubot <shentubot@google.com> | 2019-04-08 11:56:38 -0700 |
| commit | 70906f1d2428ec6e616fe9dada4a41f4ef4024a9 (patch) | |
| tree | 1d6ce8d8f31f1c5f41d9f1d10fcc084c2b4a3ab3 /pkg/sentry/fs/ramfs/tree.go | |
| parent | fbe7ba466193e3689c276ffedea86714ce1f4d64 (diff) | |
Intermediate ram fs dirs should be writable.
We construct a ramfs tree of "scaffolding" directories for all mount points, so
that a directory exists that each mount point can be mounted over.
We were creating these directories without write permissions, which meant that
they were not wribable even when underlayed under a writable filesystem. They
should be writable.
PiperOrigin-RevId: 242507789
Change-Id: I86645e35417560d862442ff5962da211dbe9b731
Diffstat (limited to 'pkg/sentry/fs/ramfs/tree.go')
| -rw-r--r-- | pkg/sentry/fs/ramfs/tree.go | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/pkg/sentry/fs/ramfs/tree.go b/pkg/sentry/fs/ramfs/tree.go index f6d5ffdec..c1ac8a78b 100644 --- a/pkg/sentry/fs/ramfs/tree.go +++ b/pkg/sentry/fs/ramfs/tree.go @@ -28,6 +28,13 @@ import ( // MakeDirectoryTree constructs a ramfs tree of all directories containing // subdirs. Each element of subdir must be a clean path, and cannot be empty or // "/". +// +// All directories in the created tree will have full (read-write-execute) +// permissions, but note that file creation inside the directories is not +// actually supported because ramfs.Dir.CreateOpts == nil. However, these +// directory trees are normally "underlayed" under another filesystem (possibly +// the root), and file creation inside these directories in the overlay will be +// possible if the upper is writeable. func MakeDirectoryTree(ctx context.Context, msrc *fs.MountSource, subdirs []string) (*fs.Inode, error) { root := emptyDir(ctx, msrc) for _, subdir := range subdirs { @@ -58,9 +65,9 @@ func makeSubdir(ctx context.Context, msrc *fs.MountSource, root *Dir, subdir str } } -// emptyDir returns an empty *ramfs.Dir that is traversable but not writable. +// emptyDir returns an empty *ramfs.Dir with all permissions granted. func emptyDir(ctx context.Context, msrc *fs.MountSource) *fs.Inode { - dir := NewDir(ctx, make(map[string]*fs.Inode), fs.RootOwner, fs.FilePermsFromMode(0555)) + dir := NewDir(ctx, make(map[string]*fs.Inode), fs.RootOwner, fs.FilePermsFromMode(0777)) return fs.NewInode(dir, msrc, fs.StableAttr{ DeviceID: anon.PseudoDevice.DeviceID(), InodeID: anon.PseudoDevice.NextIno(), |