authorAndrei Vagin <avagin@google.com>2019-04-09 11:30:35 -0700
committerShentubot <shentubot@google.com>2019-04-09 11:31:57 -0700
commit93b3c9b76c16104cbb5cc55b6f2339cb43c356b5 (patch)
tree419f3e209fecb5d9a6de8991531a7465918d9a36 /runsc/container/container.go
parenteaac2806ffadbb3db6317e58c61b855b1350f0aa (diff)
runsc: set UID and GID if gofer is executed in a new user namespace
Otherwise, we would not have capabilities in the user namespace. This patch also adds the noexec option for mounts. https://github.com/google/gvisor/issues/145 PiperOrigin-RevId: 242706519 Change-Id: I1b78b77d6969bd18038c71616e8eb7111b71207c
Diffstat (limited to 'runsc/container/container.go')
-rw-r--r--runsc/container/container.go7
1 files changed, 6 insertions, 1 deletions
diff --git a/runsc/container/container.go b/runsc/container/container.go
index 687b89935..cc0c1ee25 100644
--- a/runsc/container/container.go
+++ b/runsc/container/container.go
@@ -866,8 +866,13 @@ func (c *Container) createGoferProcess(spec *specs.Spec, conf *boot.Config, bund
// Setup any uid/gid mappings, and create or join the configured user
// namespace so the gofer's view of the filesystem aligns with the
// users in the sandbox.
- nss = append(nss, specutils.FilterNS([]specs.LinuxNamespaceType{specs.UserNamespace}, spec)...)
+ userNS := specutils.FilterNS([]specs.LinuxNamespaceType{specs.UserNamespace}, spec)
+ nss = append(nss, userNS...)
specutils.SetUIDGIDMappings(cmd, spec)
+ if len(userNS) != 0 {
+ // We need to set UID and GID to have capabilities in a new user namespace.
+ cmd.SysProcAttr.Credential = &syscall.Credential{Uid: 0, Gid: 0}
+ }
// Start the gofer in the given namespace.
log.Debugf("Starting gofer: %s %v", binPath, args)