diff options
| author | Fabricio Voznika <fvoznika@google.com> | 2018-06-08 09:58:29 -0700 |
|---|---|---|
| committer | Shentubot <shentubot@google.com> | 2018-06-08 09:59:26 -0700 |
| commit | 5c51bc51e43a0f1d1f06ae490b0d352d1b483766 (patch) | |
| tree | 356f35ee9f4980879a0b1ae2f975fae1e041de18 /runsc/sandbox | |
| parent | 5c37097e34a513845d77bb8b7240f0074aa1c1e9 (diff) | |
Drop capabilities not needed by Gofer
PiperOrigin-RevId: 199808391
Change-Id: Ib37a4fb6193dc85c1f93bc16769d6aa41854b9d4
Diffstat (limited to 'runsc/sandbox')
| -rw-r--r-- | runsc/sandbox/sandbox.go | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go index 2a434cfb7..48388aa7f 100644 --- a/runsc/sandbox/sandbox.go +++ b/runsc/sandbox/sandbox.go @@ -295,23 +295,23 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund // process. IPC and UTS namespaces from the host are not used as they // are virtualized inside the sandbox. Be paranoid and run inside an empty // namespace for these. - log.Infof("Sandbox will be started in empty IPC and UTS namespaces") + log.Infof("Sandbox will be started in new IPC and UTS namespaces") nss := []specs.LinuxNamespace{ {Type: specs.IPCNamespace}, {Type: specs.UTSNamespace}, } if conf.Platform == boot.PlatformPtrace { - // TODO: Also set an empty PID namespace so that we limit + // TODO: Also set a new PID namespace so that we limit // access to other host processes. log.Infof("Sandbox will be started in the current PID namespace") } else { - log.Infof("Sandbox will be started in empty PID namespace") + log.Infof("Sandbox will be started in a new PID namespace") nss = append(nss, specs.LinuxNamespace{Type: specs.PIDNamespace}) } if conf.FileAccess == boot.FileAccessProxy { - log.Infof("Sandbox will be started in empty mount namespace") + log.Infof("Sandbox will be started in new mount namespace") nss = append(nss, specs.LinuxNamespace{Type: specs.MountNamespace}) } else { log.Infof("Sandbox will be started in the current mount namespace") @@ -324,7 +324,7 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund log.Infof("Sandbox will be started in the container's network namespace: %+v", ns) nss = append(nss, ns) } else { - log.Infof("Sandbox will be started in empty network namespace") + log.Infof("Sandbox will be started in new network namespace") nss = append(nss, specs.LinuxNamespace{Type: specs.NetworkNamespace}) } @@ -347,7 +347,7 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund cmd.Args = append(cmd.Args, "--apply-caps=true") } else { - log.Infof("Sandbox will be started in empty user namespace") + log.Infof("Sandbox will be started in new user namespace") nss = append(nss, specs.LinuxNamespace{Type: specs.UserNamespace}) } |