authorFabricio Voznika <fvoznika@google.com>2018-05-24 14:27:05 -0700
committerShentubot <shentubot@google.com>2018-05-24 14:27:57 -0700
commite48f7078761b00552ac74068c184ee4fb90fe9aa (patch)
tree8cb4ff41119d6fa8c28ed11d33f350bae4321ad1 /runsc/boot/loader.go
parent7996ae7ccf284718fc98f5ba34c94b044b858ec2 (diff)
Configure sandbox as superuser
Container user might not have enough privilege to walk directories and mount filesystems. Instead, create a superuser to perform these steps of the configuration. PiperOrigin-RevId: 197953667 Change-Id: I643650ab654e665408e2af1b8e2f2aa12d58d4fb
Diffstat (limited to 'runsc/boot/loader.go')
-rw-r--r--runsc/boot/loader.go48
1 files changed, 27 insertions, 21 deletions
diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
index 566f2eb46..76edbb905 100644
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@@ -137,9 +137,6 @@ func New(spec *specs.Spec, conf *Config, controllerFD int, ioFDs []int, console
extraKGIDs,
caps,
auth.NewRootUserNamespace())
- if err != nil {
- return nil, fmt.Errorf("error creating credentials: %v", err)
- }
// Create user namespace.
// TODO: Not clear what domain name should be here. It is
@@ -159,22 +156,6 @@ func New(spec *specs.Spec, conf *Config, controllerFD int, ioFDs []int, console
return nil, fmt.Errorf("error getting executable path: %v", err)
}
- // Create the process arguments.
- procArgs := kernel.CreateProcessArgs{
- Filename: exec,
- Argv: spec.Process.Args,
- Envv: spec.Process.Env,
- WorkingDirectory: spec.Process.Cwd,
- Credentials: creds,
- // Creating the FDMap requires that we have kernel.Kernel.fdMapUids, so
- // it must wait until we have a Kernel.
- Umask: uint(syscall.Umask(0)),
- Limits: ls,
- MaxSymlinkTraversals: linux.MaxSymlinkTraversals,
- UTSNamespace: utsns,
- IPCNamespace: ipcns,
- }
-
// Create an empty network stack because the network namespace may be empty at
// this point. Netns is configured before Run() is called. Netstack is
// configured using a control uRPC message. Host network is configured inside
@@ -219,14 +200,39 @@ func New(spec *specs.Spec, conf *Config, controllerFD int, ioFDs []int, console
return nil, fmt.Errorf("error creating control server: %v", err)
}
+ // Create the process arguments.
+ procArgs := kernel.CreateProcessArgs{
+ Filename: exec,
+ Argv: spec.Process.Args,
+ Envv: spec.Process.Env,
+ WorkingDirectory: spec.Process.Cwd,
+ Credentials: creds,
+ // Creating the FDMap requires that we have kernel.Kernel.fdMapUids, so
+ // it must wait until we have a Kernel.
+ Umask: uint(syscall.Umask(0)),
+ Limits: ls,
+ MaxSymlinkTraversals: linux.MaxSymlinkTraversals,
+ UTSNamespace: utsns,
+ IPCNamespace: ipcns,
+ }
ctx := procArgs.NewContext(k)
+ // Use root user to configure mounts. The current user might not have
+ // permission to do so.
+ rootProcArgs := kernel.CreateProcessArgs{
+ WorkingDirectory: "/",
+ Credentials: auth.NewRootCredentials(creds.UserNamespace),
+ Umask: uint(syscall.Umask(0022)),
+ MaxSymlinkTraversals: linux.MaxSymlinkTraversals,
+ }
+ rootCtx := rootProcArgs.NewContext(k)
+
// Create the virtual filesystem.
- mm, err := createMountNamespace(ctx, spec, conf, ioFDs)
+ mns, err := createMountNamespace(ctx, rootCtx, spec, conf, ioFDs)
if err != nil {
return nil, fmt.Errorf("error creating mounts: %v", err)
}
- k.SetRootMountNamespace(mm)
+ k.SetRootMountNamespace(mns)
// Create the FD map, which will set stdin, stdout, and stderr. If console
// is true, then ioctl calls will be passed through to the host fd.
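Review bot: `Umask: uint(syscall.Umask(0022))` in the rootProcArgs literal does not give the root context a umask of 0022: syscall.Umask installs the new mask and returns the previous one, which here is the 0 installed by `syscall.Umask(0)` in the procArgs literal a few lines above, so rootProcArgs.Umask ends up 0 and the boot process's own host umask is left at 0022 as a side effect, with the field's value depending on statement order. If the intent is a 0022 mask for the root-credential context used to walk and create mount points, write the constant directly, `Umask: 0022,`, and leave the host umask untouched. rootProcArgs also omits the Limits, UTSNamespace and IPCNamespace that procArgs sets, so anything in createMountNamespace that reads those from rootCtx will see zero values; worth confirming that is intended. New's body starts and ends outside the hunk.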