Place the host UDS mounting behind --fsgofer-host-uds-allowed.

This commit allows the use of the `--fsgofer-host-uds-allowed` flag to enable mounting sockets and add the appropriate seccomp filters.
author: Robert Tonic <btonic@users.noreply.github.com> 2019-09-19 12:37:15 -0400
committer: Robert Tonic <btonic@users.noreply.github.com> 2019-09-19 12:37:15 -0400
commit: ac38a7ead0870118d27d570a8a98a90a7a225a12 (patch)
tree: 148be23cd23865cb8b586321d05389bf01c6d9a2 /runsc/main.go
parent: c2ae77a607b6e103545aa83e8f2c7c5bf649846f (diff)
1 files changed, 34 insertions, 32 deletions
diff --git a/runsc/main.go b/runsc/main.go
index c61583441..5eba949f6 100644
--- a/runsc/main.go
+++ b/runsc/main.go
@@ -63,17 +63,18 @@ var (
 	straceLogSize  = flag.Uint("strace-log-size", 1024, "default size (in bytes) to log data argument blobs")
 
 	// Flags that control sandbox runtime behavior.
-	platformName       = flag.String("platform", "ptrace", "specifies which platform to use: ptrace (default), kvm")
-	network            = flag.String("network", "sandbox", "specifies which network to use: sandbox (default), host, none. Using network inside the sandbox is more secure because it's isolated from the host network.")
-	gso                = flag.Bool("gso", true, "enable generic segmenation offload")
-	fileAccess         = flag.String("file-access", "exclusive", "specifies which filesystem to use for the root mount: exclusive (default), shared. Volume mounts are always shared.")
-	overlay            = flag.Bool("overlay", false, "wrap filesystem mounts with writable overlay. All modifications are stored in memory inside the sandbox.")
-	watchdogAction     = flag.String("watchdog-action", "log", "sets what action the watchdog takes when triggered: log (default), panic.")
-	panicSignal        = flag.Int("panic-signal", -1, "register signal handling that panics. Usually set to SIGUSR2(12) to troubleshoot hangs. -1 disables it.")
-	profile            = flag.Bool("profile", false, "prepares the sandbox to use Golang profiler. Note that enabling profiler loosens the seccomp protection added to the sandbox (DO NOT USE IN PRODUCTION).")
-	netRaw             = flag.Bool("net-raw", false, "enable raw sockets. When false, raw sockets are disabled by removing CAP_NET_RAW from containers (`runsc exec` will still be able to utilize raw sockets). Raw sockets allow malicious containers to craft packets and potentially attack the network.")
-	numNetworkChannels = flag.Int("num-network-channels", 1, "number of underlying channels(FDs) to use for network link endpoints.")
-	rootless           = flag.Bool("rootless", false, "it allows the sandbox to be started with a user that is not root. Sandbox and Gofer processes may run with same privileges as current user.")
+	platformName          = flag.String("platform", "ptrace", "specifies which platform to use: ptrace (default), kvm")
+	network               = flag.String("network", "sandbox", "specifies which network to use: sandbox (default), host, none. Using network inside the sandbox is more secure because it's isolated from the host network.")
+	gso                   = flag.Bool("gso", true, "enable generic segmenation offload")
+	fileAccess            = flag.String("file-access", "exclusive", "specifies which filesystem to use for the root mount: exclusive (default), shared. Volume mounts are always shared.")
+	fsGoferHostUDSAllowed = flag.Bool("fsgofer-host-uds-allowed", false, "Allow the gofer to mount Unix Domain Sockets.")
+	overlay               = flag.Bool("overlay", false, "wrap filesystem mounts with writable overlay. All modifications are stored in memory inside the sandbox.")
+	watchdogAction        = flag.String("watchdog-action", "log", "sets what action the watchdog takes when triggered: log (default), panic.")
+	panicSignal           = flag.Int("panic-signal", -1, "register signal handling that panics. Usually set to SIGUSR2(12) to troubleshoot hangs. -1 disables it.")
+	profile               = flag.Bool("profile", false, "prepares the sandbox to use Golang profiler. Note that enabling profiler loosens the seccomp protection added to the sandbox (DO NOT USE IN PRODUCTION).")
+	netRaw                = flag.Bool("net-raw", false, "enable raw sockets. When false, raw sockets are disabled by removing CAP_NET_RAW from containers (`runsc exec` will still be able to utilize raw sockets). Raw sockets allow malicious containers to craft packets and potentially attack the network.")
+	numNetworkChannels    = flag.Int("num-network-channels", 1, "number of underlying channels(FDs) to use for network link endpoints.")
+	rootless              = flag.Bool("rootless", false, "it allows the sandbox to be started with a user that is not root. Sandbox and Gofer processes may run with same privileges as current user.")
 
 	// Test flags, not to be used outside tests, ever.
 	testOnlyAllowRunAsCurrentUserWithoutChroot = flag.Bool("TESTONLY-unsafe-nonroot", false, "TEST ONLY; do not ever use! This skips many security measures that isolate the host from the sandbox.")
@@ -171,27 +172,28 @@ func main() {
 
 	// Create a new Config from the flags.
 	conf := &boot.Config{
-		RootDir:            *rootDir,
-		Debug:              *debug,
-		LogFilename:        *logFilename,
-		LogFormat:          *logFormat,
-		DebugLog:           *debugLog,
-		DebugLogFormat:     *debugLogFormat,
-		FileAccess:         fsAccess,
-		Overlay:            *overlay,
-		Network:            netType,
-		GSO:                *gso,
-		LogPackets:         *logPackets,
-		Platform:           platformType,
-		Strace:             *strace,
-		StraceLogSize:      *straceLogSize,
-		WatchdogAction:     wa,
-		PanicSignal:        *panicSignal,
-		ProfileEnable:      *profile,
-		EnableRaw:          *netRaw,
-		NumNetworkChannels: *numNetworkChannels,
-		Rootless:           *rootless,
-		AlsoLogToStderr:    *alsoLogToStderr,
+		RootDir:               *rootDir,
+		Debug:                 *debug,
+		LogFilename:           *logFilename,
+		LogFormat:             *logFormat,
+		DebugLog:              *debugLog,
+		DebugLogFormat:        *debugLogFormat,
+		FileAccess:            fsAccess,
+		FSGoferHostUDSAllowed: *fsGoferHostUDSAllowed,
+		Overlay:               *overlay,
+		Network:               netType,
+		GSO:                   *gso,
+		LogPackets:            *logPackets,
+		Platform:              platformType,
+		Strace:                *strace,
+		StraceLogSize:         *straceLogSize,
+		WatchdogAction:        wa,
+		PanicSignal:           *panicSignal,
+		ProfileEnable:         *profile,
+		EnableRaw:             *netRaw,
+		NumNetworkChannels:    *numNetworkChannels,
+		Rootless:              *rootless,
+		AlsoLogToStderr:       *alsoLogToStderr,
 
 		TestOnlyAllowRunAsCurrentUserWithoutChroot: *testOnlyAllowRunAsCurrentUserWithoutChroot,
 	}
author	Robert Tonic <btonic@users.noreply.github.com>	2019-09-19 12:37:15 -0400
committer	Robert Tonic <btonic@users.noreply.github.com>	2019-09-19 12:37:15 -0400
commit	ac38a7ead0870118d27d570a8a98a90a7a225a12 (patch)
tree	148be23cd23865cb8b586321d05389bf01c6d9a2 /runsc/main.go
parent	c2ae77a607b6e103545aa83e8f2c7c5bf649846f (diff)