summaryrefslogtreecommitdiffhomepage
path: root/runsc/cmd/boot.go
diff options
context:
space:
mode:
authorFabricio Voznika <fvoznika@google.com>2018-06-08 09:58:29 -0700
committerShentubot <shentubot@google.com>2018-06-08 09:59:26 -0700
commit5c51bc51e43a0f1d1f06ae490b0d352d1b483766 (patch)
tree356f35ee9f4980879a0b1ae2f975fae1e041de18 /runsc/cmd/boot.go
parent5c37097e34a513845d77bb8b7240f0074aa1c1e9 (diff)
Drop capabilities not needed by Gofer
PiperOrigin-RevId: 199808391 Change-Id: Ib37a4fb6193dc85c1f93bc16769d6aa41854b9d4
Diffstat (limited to 'runsc/cmd/boot.go')
-rw-r--r--runsc/cmd/boot.go53
1 files changed, 20 insertions, 33 deletions
diff --git a/runsc/cmd/boot.go b/runsc/cmd/boot.go
index 3bdc2ced0..34dd8b3c0 100644
--- a/runsc/cmd/boot.go
+++ b/runsc/cmd/boot.go
@@ -16,7 +16,6 @@ package cmd
import (
"os"
- "runtime"
"runtime/debug"
"strings"
"syscall"
@@ -24,7 +23,6 @@ import (
"context"
"flag"
"github.com/google/subcommands"
- specs "github.com/opencontainers/runtime-spec/specs-go"
"gvisor.googlesource.com/gvisor/pkg/log"
"gvisor.googlesource.com/gvisor/runsc/boot"
"gvisor.googlesource.com/gvisor/runsc/specutils"
@@ -106,8 +104,26 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
waitStatus := args[1].(*syscall.WaitStatus)
if b.applyCaps {
- setCapsAndCallSelf(conf, spec)
- Fatalf("setCapsAndCallSelf must never return")
+ caps := spec.Process.Capabilities
+ if conf.Platform == boot.PlatformPtrace {
+ // Ptrace platform requires extra capabilities.
+ const c = "CAP_SYS_PTRACE"
+ caps.Bounding = append(caps.Bounding, c)
+ caps.Effective = append(caps.Effective, c)
+ caps.Permitted = append(caps.Permitted, c)
+ }
+
+ // Remove --apply-caps arg to call myself.
+ var args []string
+ for _, arg := range os.Args {
+ if !strings.Contains(arg, "apply-caps") {
+ args = append(args, arg)
+ }
+ }
+ if err := setCapsAndCallSelf(spec, args, caps); err != nil {
+ Fatalf("%v", err)
+ }
+ panic("setCapsAndCallSelf must never return success")
}
// Create the loader.
@@ -130,32 +146,3 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
*waitStatus = syscall.WaitStatus(ws.Status())
return subcommands.ExitSuccess
}
-
-// setCapsAndCallSelf sets capabilities to the current thread and then execve's
-// itself again with the same arguments except '--apply-caps' to restart the
-// whole process with the desired capabilities.
-func setCapsAndCallSelf(conf *boot.Config, spec *specs.Spec) {
- // Keep thread locked while capabilities are changed.
- runtime.LockOSThread()
- defer runtime.UnlockOSThread()
-
- if err := boot.ApplyCaps(conf, spec.Process.Capabilities); err != nil {
- Fatalf("ApplyCaps, err: %v", err)
- }
- binPath, err := specutils.BinPath()
- if err != nil {
- Fatalf("%v", err)
- }
-
- // Remove --apply-caps arg to call myself.
- var args []string
- for _, arg := range os.Args {
- if !strings.Contains(arg, "apply-caps") {
- args = append(args, arg)
- }
- }
-
- log.Infof("Execve 'boot' again, bye!")
- log.Infof("%s %v", binPath, args)
- syscall.Exec(binPath, args, []string{})
-}