diff options
author | Fabricio Voznika <fvoznika@google.com> | 2018-06-08 09:58:29 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2018-06-08 09:59:26 -0700 |
commit | 5c51bc51e43a0f1d1f06ae490b0d352d1b483766 (patch) | |
tree | 356f35ee9f4980879a0b1ae2f975fae1e041de18 /runsc/cmd/boot.go | |
parent | 5c37097e34a513845d77bb8b7240f0074aa1c1e9 (diff) |
Drop capabilities not needed by Gofer
PiperOrigin-RevId: 199808391
Change-Id: Ib37a4fb6193dc85c1f93bc16769d6aa41854b9d4
Diffstat (limited to 'runsc/cmd/boot.go')
-rw-r--r-- | runsc/cmd/boot.go | 53 |
1 files changed, 20 insertions, 33 deletions
diff --git a/runsc/cmd/boot.go b/runsc/cmd/boot.go index 3bdc2ced0..34dd8b3c0 100644 --- a/runsc/cmd/boot.go +++ b/runsc/cmd/boot.go @@ -16,7 +16,6 @@ package cmd import ( "os" - "runtime" "runtime/debug" "strings" "syscall" @@ -24,7 +23,6 @@ import ( "context" "flag" "github.com/google/subcommands" - specs "github.com/opencontainers/runtime-spec/specs-go" "gvisor.googlesource.com/gvisor/pkg/log" "gvisor.googlesource.com/gvisor/runsc/boot" "gvisor.googlesource.com/gvisor/runsc/specutils" @@ -106,8 +104,26 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...interface{}) waitStatus := args[1].(*syscall.WaitStatus) if b.applyCaps { - setCapsAndCallSelf(conf, spec) - Fatalf("setCapsAndCallSelf must never return") + caps := spec.Process.Capabilities + if conf.Platform == boot.PlatformPtrace { + // Ptrace platform requires extra capabilities. + const c = "CAP_SYS_PTRACE" + caps.Bounding = append(caps.Bounding, c) + caps.Effective = append(caps.Effective, c) + caps.Permitted = append(caps.Permitted, c) + } + + // Remove --apply-caps arg to call myself. + var args []string + for _, arg := range os.Args { + if !strings.Contains(arg, "apply-caps") { + args = append(args, arg) + } + } + if err := setCapsAndCallSelf(spec, args, caps); err != nil { + Fatalf("%v", err) + } + panic("setCapsAndCallSelf must never return success") } // Create the loader. @@ -130,32 +146,3 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...interface{}) *waitStatus = syscall.WaitStatus(ws.Status()) return subcommands.ExitSuccess } - -// setCapsAndCallSelf sets capabilities to the current thread and then execve's -// itself again with the same arguments except '--apply-caps' to restart the -// whole process with the desired capabilities. -func setCapsAndCallSelf(conf *boot.Config, spec *specs.Spec) { - // Keep thread locked while capabilities are changed. - runtime.LockOSThread() - defer runtime.UnlockOSThread() - - if err := boot.ApplyCaps(conf, spec.Process.Capabilities); err != nil { - Fatalf("ApplyCaps, err: %v", err) - } - binPath, err := specutils.BinPath() - if err != nil { - Fatalf("%v", err) - } - - // Remove --apply-caps arg to call myself. - var args []string - for _, arg := range os.Args { - if !strings.Contains(arg, "apply-caps") { - args = append(args, arg) - } - } - - log.Infof("Execve 'boot' again, bye!") - log.Infof("%s %v", binPath, args) - syscall.Exec(binPath, args, []string{}) -} |