diff options
author | Fabricio Voznika <fvoznika@google.com> | 2019-06-12 09:40:50 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2019-06-12 09:41:50 -0700 |
commit | 356d1be140bb51f2a50d2c7fe24242cbfeedc9d6 (patch) | |
tree | 3685e89ffdf701c2e9aebb19023cf0606ca8593b /runsc/boot/config.go | |
parent | df110ad4fe571721a7eb4a5a1f9ce92584ef7809 (diff) |
Allow 'runsc do' to run without root
'--rootless' flag lets a non-root user execute 'runsc do'.
The drawback is that the sandbox and gofer processes will
run as root inside a user namespace that is mapped to the
caller's user, intead of nobody. And network is defaulted
to '--network=host' inside the root network namespace. On
the bright side, it's very convenient for testing:
runsc --rootless do ls
runsc --rootless do curl www.google.com
PiperOrigin-RevId: 252840970
Diffstat (limited to 'runsc/boot/config.go')
-rw-r--r-- | runsc/boot/config.go | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/runsc/boot/config.go b/runsc/boot/config.go index 8564c502d..6112b6c0a 100644 --- a/runsc/boot/config.go +++ b/runsc/boot/config.go @@ -226,6 +226,12 @@ type Config struct { // to the same underlying network device. This allows netstack to better // scale for high throughput use cases. NumNetworkChannels int + + // Rootless allows the sandbox to be started with a user that is not root. + // Defense is depth measures are weaker with rootless. Specifically, the + // sandbox and Gofer process run as root inside a user namespace with root + // mapped to the caller's user. + Rootless bool } // ToFlags returns a slice of flags that correspond to the given Config. @@ -250,6 +256,7 @@ func (c *Config) ToFlags() []string { "--profile=" + strconv.FormatBool(c.ProfileEnable), "--net-raw=" + strconv.FormatBool(c.EnableRaw), "--num-network-channels=" + strconv.Itoa(c.NumNetworkChannels), + "--rootless=" + strconv.FormatBool(c.Rootless), } if c.TestOnlyAllowRunAsCurrentUserWithoutChroot { // Only include if set since it is never to be used by users. |