authorNicolas Lacasse <nlacasse@google.com>2019-07-23 14:35:50 -0700
committergVisor bot <gvisor-bot@google.com>2019-07-23 14:37:07 -0700
commit04cbb13ce9b151cf906f42e3f18ce3a875f01f63 (patch)
tree3c68885355ff140b59f5aee4b149911bcb72c439 /pkg
parent57745994384ee1ff94fc7bed4f814ba75e39d48e (diff)
Give each container a distinct MountNamespace.
This keeps all container filesystems completely separate from each other (including from the root container filesystem), and allows us to get rid of the "__runsc_containers__" directory. It also simplifies container startup/teardown as we don't have to muck around in the root container's filesystem. PiperOrigin-RevId: 259613346
Diffstat (limited to 'pkg')
-rw-r--r--pkg/sentry/control/proc.go22
1 files changed, 19 insertions, 3 deletions
diff --git a/pkg/sentry/control/proc.go b/pkg/sentry/control/proc.go
index 6ae60c5cb..60e6c9285 100644
--- a/pkg/sentry/control/proc.go
+++ b/pkg/sentry/control/proc.go
@@ -54,6 +54,12 @@ type ExecArgs struct {
// Envv is a list of environment variables.
Envv []string `json:"envv"`
+ // MountNamespace is the mount namespace to execute the new process in.
+ // A reference on MountNamespace must be held for the lifetime of the
+ // ExecArgs. If MountNamespace is nil, it will default to the kernel's
+ // root MountNamespace.
+ MountNamespace *fs.MountNamespace
+
// Root defines the root directory for the new process. A reference on
// Root must be held for the lifetime of the ExecArgs. If Root is nil,
// it will default to the VFS root.
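Review bot: The new field comment documents a fail-open default: a nil MountNamespace selects the kernel's root MountNamespace, so a caller that forgets to set it for a non-root container would run the process against the root container's mounts, which is the sharing this commit sets out to remove. Whether every caller sets the field is not visible here, so I would state the requirement in the comment, for example `// Callers exec'ing into a non-root container must set MountNamespace; nil is only correct for the root container.` It would also help to say that Root, when set, is expected to be a dirent within this MountNamespace, since nothing in the visible lines checks that the two agree. The ExecArgs struct begins and ends outside this hunk.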
@@ -145,6 +151,7 @@ func (proc *Proc) execAsync(args *ExecArgs) (*kernel.ThreadGroup, kernel.ThreadI
Argv: args.Argv,
Envv: args.Envv,
WorkingDirectory: args.WorkingDirectory,
+ MountNamespace: args.MountNamespace,
Root: args.Root,
Credentials: creds,
FDTable: fdTable,
@@ -157,16 +164,25 @@ func (proc *Proc) execAsync(args *ExecArgs) (*kernel.ThreadGroup, kernel.ThreadI
ContainerID: args.ContainerID,
}
if initArgs.Root != nil {
- // initArgs must hold a reference on Root. This ref is dropped
- // in CreateProcess.
+ // initArgs must hold a reference on Root, which will be
+ // donated to the new process in CreateProcess.
initArgs.Root.IncRef()
}
+ if initArgs.MountNamespace != nil {
+ // initArgs must hold a reference on MountNamespace, which will
+ // be donated to the new process in CreateProcess.
+ initArgs.MountNamespace.IncRef()
+ }
ctx := initArgs.NewContext(proc.Kernel)
if initArgs.Filename == "" {
// Get the full path to the filename from the PATH env variable.
paths := fs.GetPath(initArgs.Envv)
- f, err := proc.Kernel.RootMountNamespace().ResolveExecutablePath(ctx, initArgs.WorkingDirectory, initArgs.Argv[0], paths)
+ mns := initArgs.MountNamespace
+ if mns == nil {
+ mns = proc.Kernel.RootMountNamespace()
+ }
+ f, err := mns.ResolveExecutablePath(ctx, initArgs.WorkingDirectory, initArgs.Argv[0], paths)
if err != nil {
return nil, 0, nil, fmt.Errorf("error finding executable %q in PATH %v: %v", initArgs.Argv[0], paths, err)
}
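Review bot: The references taken on Root and MountNamespace just above are not released when ResolveExecutablePath fails, because the `if err != nil` branch returns before CreateProcess, which is where the comments say the references are donated. A leaked MountNamespace reference would keep a container's mount tree alive after the container is torn down, and repeated failed execs (for example a binary name not found in PATH) would accumulate them. No deferred release is visible in the hunk, so I would drop both references on this error path; execAsync starts and ends outside the hunk, so any later error returns before CreateProcess deserve the same check.

```go
// … unchanged: IncRef on Root and MountNamespace, NewContext, PATH lookup …
		if err != nil {
			// CreateProcess never ran, so the references taken above
			// were not donated to a process; release them here.
			if initArgs.MountNamespace != nil {
				initArgs.MountNamespace.DecRef()
			}
			if initArgs.Root != nil {
				initArgs.Root.DecRef()
			}
			return nil, 0, nil, fmt.Errorf("error finding executable %q in PATH %v: %v", initArgs.Argv[0], paths, err)
		}
```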