author | Fabricio Voznika <fvoznika@google.com> | 2019-01-16 12:47:21 -0800 |
committer | Shentubot <shentubot@google.com> | 2019-01-16 12:48:32 -0800 |
commit | e4d3ca7263291b43cdc49c7553c62608be062cd9 (patch) | |
tree | 47b8dee17087a36e1fc34c8acc48c798f2d2f383 /runsc/boot/loader_test.go | |
parent | 92cf3764e032740f0c84a1b242c54b99f45a6bf0 (diff) |
Prevent internal tmpfs mount to override files in /tmp
Runsc wants to mount /tmp using internal tmpfs implementation for
performance. However, it risks hiding files that may exist under
/tmp in case it's present in the container. Now, it only mounts
over /tmp iff:
- /tmp was not explicitly asked to be mounted
- /tmp is empty
If either of these conditions is not met, then /tmp maps to the container's
image /tmp.
Note: checkpoint doesn't have sentry FS mounted to check if /tmp
is empty. It simply looks for explicit mounts right now.
PiperOrigin-RevId: 229607856
Change-Id: I10b6dae7ac157ef578efc4dfceb089f3b94cde06
Diffstat (limited to 'runsc/boot/loader_test.go')
-rw-r--r-- | runsc/boot/loader_test.go | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/runsc/boot/loader_test.go b/runsc/boot/loader_test.go
index 0ed3002e0..4fcc0faea 100644
--- a/runsc/boot/loader_test.go
+++ b/runsc/boot/loader_test.go
@@ -398,16 +398,21 @@ func TestCreateMountNamespace(t *testing.T) {
 }
 defer cleanup()
- mm, err := createMountNamespace(ctx, ctx, &tc.spec, conf, []int{sandEnd})
- if err != nil {
+ // setupRootContainerFS needs to find root from the context after the
+ // namespace is created.
+ var mns *fs.MountNamespace
+ setMountNS := func(m *fs.MountNamespace) {
+ mns = m
+ ctx.(*contexttest.TestContext).RegisterValue(fs.CtxRoot, mns.Root())
+ }
+ if err := setupRootContainerFS(ctx, ctx, &tc.spec, conf, []int{sandEnd}, setMountNS); err != nil {
 t.Fatalf("createMountNamespace test case %q failed: %v", tc.name, err)
 }
- defer mm.DecRef()
- root := mm.Root()
+ root := mns.Root()
 defer root.DecRef()
 for _, p := range tc.expectedPaths {
 maxTraversals := uint(0)
- if d, err := mm.FindInode(ctx, root, root, p, &maxTraversals); err != nil {
+ if d, err := mns.FindInode(ctx, root, root, p, &maxTraversals); err != nil {
 t.Errorf("expected path %v to exist with spec %v, but got error %v", p, tc.spec, err)
 } else {
 d.DecRef()
@@ -570,13 +575,13 @@ func TestRestoreEnvironment(t *testing.T) {
 },
 "tmpfs": {
 {
- Dev: "none",
- },
- {
 Dev: "none",
 Flags: fs.MountSourceFlags{NoAtime: true},
 Data: "uid=1022",
 },
+ {
+ Dev: "none",
+ },
 },
 "devtmpfs": {
 { |
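Review bot: The mount namespace is never released in the new code: the removed `defer mm.DecRef()` has no counterpart after the `setupRootContainerFS` call, so each test case keeps its `mns` reference alive unless setupRootContainerFS or the context value registered in setMountNS takes ownership, which this hunk cannot show. Adding `defer mns.DecRef()` right after the Fatalf block would restore the old cleanup; the `mns.Root()` handed to RegisterValue likely carries its own reference as well, given that the `root := mns.Root()` below needs a `defer root.DecRef()`, and nothing drops it. The Fatalf message still reads `"createMountNamespace test case %q failed: %v"` although the call under test is now setupRootContainerFS, so a failure would point at the wrong function. TestCreateMountNamespace begins before and continues after the hunk; the second hunk only reorders the expected tmpfs entries inside TestRestoreEnvironment, whose body also extends beyond the hunk.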