Add MountNamespace to task.

This allows tasks to have distinct mount namespace, instead of all sharing the
kernel's root mount namespace.

Currently, the only way for a task to get a different mount namespace than the
kernel's root is by explicitly setting a different MountNamespace in
CreateProcessArgs, and nothing does this (yet).

In a follow-up CL, we will set CreateProcessArgs.MountNamespace when creating a
new container inside runsc.

Note that "MountNamespace" is a poor term for this thing. It's more like a
distinct VFS tree. When we get around to adding real mount namespaces, this
will need a better naem.

PiperOrigin-RevId: 254009310

1 files changed, 2 insertions, 2 deletions

diff --git a/pkg/sentry/kernel/task.go b/pkg/sentry/kernel/task.go
index e883696f9..7ed589a02 100644
--- a/pkg/sentry/kernel/task.go
+++ b/pkg/sentry/kernel/task.go
@@ -665,7 +665,7 @@ func (t *Task) SyscallRestartBlock() SyscallRestartBlock {
 // Preconditions: The caller must be running on the task goroutine, or t.mu
 // must be locked.
 func (t *Task) IsChrooted() bool {
-	realRoot := t.k.mounts.Root()
+	realRoot := t.tg.mounts.Root()
 	defer realRoot.DecRef()
 	root := t.fsc.RootDirectory()
 	if root != nil {
@@ -710,7 +710,7 @@ func (t *Task) WithMuLocked(f func(*Task)) {
 // MountNamespace returns t's MountNamespace. MountNamespace does not take an
 // additional reference on the returned MountNamespace.
 func (t *Task) MountNamespace() *fs.MountNamespace {
-	return t.k.mounts
+	return t.tg.mounts
 }
 
 // AbstractSockets returns t's AbstractSocketNamespace.