authorFabricio Voznika <fvoznika@google.com>2018-06-08 09:58:29 -0700
committerShentubot <shentubot@google.com>2018-06-08 09:59:26 -0700
commit5c51bc51e43a0f1d1f06ae490b0d352d1b483766 (patch)
tree356f35ee9f4980879a0b1ae2f975fae1e041de18 /runsc/cmd/cmd.go
parent5c37097e34a513845d77bb8b7240f0074aa1c1e9 (diff)
Drop capabilities not needed by Gofer
PiperOrigin-RevId: 199808391 Change-Id: Ib37a4fb6193dc85c1f93bc16769d6aa41854b9d4
Diffstat (limited to 'runsc/cmd/cmd.go')
-rw-r--r--runsc/cmd/cmd.go26
1 files changed, 26 insertions, 0 deletions
diff --git a/runsc/cmd/cmd.go b/runsc/cmd/cmd.go
index 9f7fd6e25..940c8cd14 100644
--- a/runsc/cmd/cmd.go
+++ b/runsc/cmd/cmd.go
@@ -18,9 +18,13 @@ package cmd
import (
"fmt"
"os"
+ "runtime"
"strconv"
+ "syscall"
+ specs "github.com/opencontainers/runtime-spec/specs-go"
"gvisor.googlesource.com/gvisor/pkg/log"
+ "gvisor.googlesource.com/gvisor/runsc/specutils"
)
// Fatalf logs to stderr and exits with a failure status code.
@@ -64,3 +68,25 @@ func (i *intFlags) Set(s string) error {
*i = append(*i, fd)
return nil
}
+
+// setCapsAndCallSelf sets capabilities to the current thread and then execve's
+// itself again with the arguments specified in 'args' to restart the process
+// with the desired capabilities.
+func setCapsAndCallSelf(spec *specs.Spec, args []string, caps *specs.LinuxCapabilities) error {
+ // Keep thread locked while capabilities are changed.
+ runtime.LockOSThread()
+ defer runtime.UnlockOSThread()
+
+ if err := applyCaps(caps); err != nil {
+ return fmt.Errorf("applyCaps() failed: %v", err)
+ }
+ binPath, err := specutils.BinPath()
+ if err != nil {
+ return err
+ }
+
+ log.Infof("Capabilities applied: %+v", caps)
+ log.Infof("Execve %q again, bye!", binPath)
+ syscall.Exec(binPath, args, []string{})
+ panic("unreachable")
+}
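Review bot: The return value of `syscall.Exec` on the line before `panic("unreachable")` is discarded, so an exec failure (binary missing, permission denied, argument list too large) surfaces as a panic with a misleading message rather than an error the caller can report; check it: `if err := syscall.Exec(binPath, args, []string{}); err != nil { return fmt.Errorf("execve %q failed: %v", binPath, err) }` and keep the panic only for the impossible case of Exec returning nil. The `specutils.BinPath()` lookup could also move ahead of `applyCaps(caps)`, because a lookup failure currently returns with this OS thread's capability set already changed and, once the deferred `UnlockOSThread` runs, that thread is handed back to the scheduler in that state. The `spec` parameter is not read anywhere in the body shown; if its callers (outside this hunk) have no use for it either, dropping it or documenting why it is kept would make the intent clearer. `applyCaps` is defined outside this hunk, so whether it validates or merely applies the requested set cannot be judged here.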