diff options
author | Nicolas Lacasse <nlacasse@google.com> | 2018-09-10 09:59:03 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2018-09-10 10:00:16 -0700 |
commit | e198f9ab02874caeef65f16c0546af1e52e9a7d3 (patch) | |
tree | d09db056604c97bd439c9ffdc99b12d795d969fd /runsc/sandbox | |
parent | 0c0c942327468e605f5b71cd6ffa75dda6e24fdc (diff) |
runsc: Chmod all mounted files to 777 inside chroot.
Inside the chroot, we run as user nobody, so all mounted files and directories
must be accessible to all users.
PiperOrigin-RevId: 212284805
Change-Id: I705e0dbbf15e01e04e0c7f378a99daffe6866807
Diffstat (limited to 'runsc/sandbox')
-rw-r--r-- | runsc/sandbox/chroot.go | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/runsc/sandbox/chroot.go b/runsc/sandbox/chroot.go index a77a186c2..f35d9c72d 100644 --- a/runsc/sandbox/chroot.go +++ b/runsc/sandbox/chroot.go @@ -36,7 +36,16 @@ func mountInChroot(chroot, src, dst, typ string, flags uint32) error { chrootDst := filepath.Join(chroot, dst) log.Infof("Mounting %q at %q", src, chrootDst) - return specutils.Mount(src, chrootDst, typ, flags) + if err := specutils.Mount(src, chrootDst, typ, flags); err != nil { + return fmt.Errorf("error mounting %q at %q: %v", src, chrootDst, err) + } + + // Make sure the mount is accessible to all users, since we will be + // running as nobody inside the chroot. + if err := os.Chmod(chrootDst, 0777); err != nil { + return fmt.Errorf("Chmod(%q) failed: %v", chroot, err) + } + return nil } // setUpChroot creates an empty directory with runsc mounted at /runsc, proc |