author | Fabricio Voznika <fvoznika@google.com> | 2018-06-08 09:58:29 -0700 |
committer | Shentubot <shentubot@google.com> | 2018-06-08 09:59:26 -0700 |
commit | 5c51bc51e43a0f1d1f06ae490b0d352d1b483766 (patch) | |
tree | 356f35ee9f4980879a0b1ae2f975fae1e041de18 /runsc/cmd/cmd.go | |
parent | 5c37097e34a513845d77bb8b7240f0074aa1c1e9 (diff) |
Drop capabilities not needed by Gofer
PiperOrigin-RevId: 199808391
Change-Id: Ib37a4fb6193dc85c1f93bc16769d6aa41854b9d4
Diffstat (limited to 'runsc/cmd/cmd.go')
-rw-r--r-- | runsc/cmd/cmd.go | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/runsc/cmd/cmd.go b/runsc/cmd/cmd.go
index 9f7fd6e25..940c8cd14 100644
--- a/runsc/cmd/cmd.go
+++ b/runsc/cmd/cmd.go
@@ -18,9 +18,13 @@ package cmd
 import (
 	"fmt"
 	"os"
+	"runtime"
 	"strconv"
+	"syscall"
 
+	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"gvisor.googlesource.com/gvisor/pkg/log"
+	"gvisor.googlesource.com/gvisor/runsc/specutils"
 )
 
 // Fatalf logs to stderr and exits with a failure status code.
@@ -64,3 +68,25 @@ func (i *intFlags) Set(s string) error {
 	*i = append(*i, fd)
 	return nil
 }
+
+// setCapsAndCallSelf sets capabilities to the current thread and then execve's
+// itself again with the arguments specified in 'args' to restart the process
+// with the desired capabilities.
+func setCapsAndCallSelf(spec *specs.Spec, args []string, caps *specs.LinuxCapabilities) error {
+	// Keep thread locked while capabilities are changed.
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+
+	if err := applyCaps(caps); err != nil {
+		return fmt.Errorf("applyCaps() failed: %v", err)
+	}
+	binPath, err := specutils.BinPath()
+	if err != nil {
+		return err
+	}
+
+	log.Infof("Capabilities applied: %+v", caps)
+	log.Infof("Execve %q again, bye!", binPath)
+	syscall.Exec(binPath, args, []string{})
+	panic("unreachable")
+}
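Review bot: The error returned by `syscall.Exec` on the second-to-last line of the new function is discarded, so any execve failure (binPath not executable, a rejected args vector, resource exhaustion) reaches `panic("unreachable")` with no record of the cause; Exec only returns when it has failed, so the call should be checked, `if err := syscall.Exec(binPath, args, []string{}); err != nil {` / `return fmt.Errorf("execve %q failed: %v", binPath, err)` / `}`, which leaves the panic as the genuinely unreachable fallthrough. The `spec` parameter is never read in the body, so either drop it or say in the doc comment why callers pass it. The doc comment should also state that on success the function does not return because the process image is replaced, and whether the empty environment handed to Exec is intentional, which I cannot tell from this hunk. `applyCaps` and `specutils.BinPath` are defined outside the hunk, so whether the capability set is applied per-thread or process-wide is not visible here.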