author | gVisor bot <gvisor-bot@google.com> | 2021-03-23 18:13:16 +0000 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2021-03-23 18:13:16 +0000 |
commit | 0fea1c57d9bc63416cc366720b2f53139468352f (patch) | |
tree | b4928c3117c19fd663460b3b60572e3aadfcdc8d /runsc/cmd | |
parent | b1017fd2c4d29b50b80ae4f93868f4f919859320 (diff) | |
parent | beb11cec7669d029172751e5b4dfe21c0672a25a (diff) |
Merge release-20210315.0-14-gbeb11cec7 (automated)
Diffstat (limited to 'runsc/cmd')
-rw-r--r-- | runsc/cmd/gofer.go | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/runsc/cmd/gofer.go b/runsc/cmd/gofer.go
index d703e4042..4cb0164dd 100644
--- a/runsc/cmd/gofer.go
+++ b/runsc/cmd/gofer.go
@@ -165,8 +165,8 @@ func (g *Gofer) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
 // Start with root mount, then add any other additional mount as needed.
 ats := make([]p9.Attacher, 0, len(spec.Mounts)+1)
 ap, err := fsgofer.NewAttachPoint("/", fsgofer.Config{
- ROMount: spec.Root.Readonly || conf.Overlay,
- EnableXattr: conf.Verity,
+ ROMount: spec.Root.Readonly || conf.Overlay,
+ EnableVerityXattr: conf.Verity,
 })
 if err != nil {
 Fatalf("creating attach point: %v", err)
@@ -178,9 +178,9 @@ func (g *Gofer) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
 for _, m := range spec.Mounts {
 if specutils.Is9PMount(m) {
 cfg := fsgofer.Config{
- ROMount: isReadonlyMount(m.Options) || conf.Overlay,
- HostUDS: conf.FSGoferHostUDS,
- EnableXattr: conf.Verity,
+ ROMount: isReadonlyMount(m.Options) || conf.Overlay,
+ HostUDS: conf.FSGoferHostUDS,
+ EnableVerityXattr: conf.Verity,
 }
 ap, err := fsgofer.NewAttachPoint(m.Destination, cfg)
 if err != nil {
@@ -203,6 +203,10 @@ func (g *Gofer) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
 filter.InstallUDSFilters()
 }
 
+ if conf.Verity {
+ filter.InstallXattrFilters()
+ }
+
 if err := filter.Install(); err != nil {
 Fatalf("installing seccomp filters: %v", err)
 }
|
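Review bot: The new `if conf.Verity` block in the third hunk widens the gofer's seccomp allowlist but carries no comment saying why, and the allowlist is the part of `Execute` an auditor reads most closely. Judging by the `EnableVerityXattr: conf.Verity` fields set in the two earlier hunks, the extra rules exist so the gofer can serve xattr requests for verity; I would state that above the condition, e.g. `// Verity keeps its metadata in xattrs; allow the xattr syscalls only when it is enabled.`. `InstallXattrFilters` is defined outside this diff (the view is limited to runsc/cmd), so it is worth confirming there that it admits only the xattr calls the verity path issues. `Execute` begins and ends outside the hunk.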