authorNicolas Lacasse <nlacasse@google.com>2018-09-11 13:08:36 -0700
committerShentubot <shentubot@google.com>2018-09-11 13:09:46 -0700
commit6cc9b311af3633d244f526abed50c0d3b0ce06a1 (patch)
tree923f589f98d323f17dd2a635c2744564de43f210 /runsc/cmd
parentc44bc6612fc4554d0aa4e484a46cd1f6b6a7b5c5 (diff)
platform: Pass device fd into platform constructor.
We were previously opening the platform device (i.e. /dev/kvm) inside the platform constructor (i.e. kvm.New). This requires that we have RW access to the platform device when constructing the platform. However, now that the runsc sandbox process runs as user "nobody", it is not able to open the platform device. This CL changes the kvm constructor to take the platform device FD, rather than opening the device file itself. The device file is opened outside of the sandbox and passed to the sandbox process. PiperOrigin-RevId: 212505804 Change-Id: I427e1d9de5eb84c84f19d513356e1bb148a52910
Diffstat (limited to 'runsc/cmd')
-rw-r--r--runsc/cmd/boot.go6
1 files changed, 5 insertions, 1 deletions
diff --git a/runsc/cmd/boot.go b/runsc/cmd/boot.go
index d8c7b9cd3..035147cf1 100644
--- a/runsc/cmd/boot.go
+++ b/runsc/cmd/boot.go
@@ -42,6 +42,9 @@ type Boot struct {
// control server that is donated to this process.
controllerFD int
+ // deviceFD is the file descriptor for the platform device file.
+ deviceFD int
+
// ioFDs is the list of FDs used to connect to FS gofers.
ioFDs intFlags
@@ -74,6 +77,7 @@ func (b *Boot) SetFlags(f *flag.FlagSet) {
f.StringVar(&b.bundleDir, "bundle", "", "required path to the root of the bundle directory")
f.IntVar(&b.specFD, "spec-fd", -1, "required fd with the container spec")
f.IntVar(&b.controllerFD, "controller-fd", -1, "required FD of a stream socket for the control server that must be donated to this process")
+ f.IntVar(&b.deviceFD, "device-fd", -1, "FD for the platform device file")
f.Var(&b.ioFDs, "io-fds", "list of FDs to connect 9P clients. They must follow this order: root first, then mounts as defined in the spec")
f.BoolVar(&b.console, "console", false, "set to true if the sandbox should allow terminal ioctl(2) syscalls")
f.BoolVar(&b.applyCaps, "apply-caps", false, "if true, apply capabilities defined in the spec to the process")
@@ -134,7 +138,7 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
}
// Create the loader.
- l, err := boot.New(spec, conf, b.controllerFD, b.ioFDs.GetArray(), b.console)
+ l, err := boot.New(spec, conf, b.controllerFD, b.deviceFD, b.ioFDs.GetArray(), b.console)
if err != nil {
Fatalf("error creating loader: %v", err)
}
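Review bot: The new `-device-fd` flag defaults to -1 and its help text, unlike the neighbouring `spec-fd` and `controller-fd` strings, does not say when it is required, yet the Execute hunk passes b.deviceFD straight into boot.New with no visible range check, so a missing or bad FD is only caught (if at all) deeper in the platform constructor with a less specific error. Unless boot.New already validates it, a fail-fast guard before the boot.New call, keyed on whether the configured platform needs a device, e.g. `Fatalf("device-fd must be set for this platform")` when b.deviceFD < 0, would make the misconfiguration obvious at the boundary. The field comment and help string could also record the trust boundary the description explains, since the sandbox runs as "nobody" and cannot open the device itself: `// deviceFD is the file descriptor for the platform device file, opened by the parent and donated to this process.` Execute begins and ends outside the hunk, so some of this may already be handled there.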