authorFabricio Voznika <fvoznika@google.com>2018-10-03 20:43:18 -0700
committerShentubot <shentubot@google.com>2018-10-03 20:44:20 -0700
commit3f46f2e5017106d1569f759b8d19aee6e9827c58 (patch)
tree8dfdc15d3af75e808944099ca2b0b85ea6ee12de /runsc/sandbox
parentbeac59b37a8b0ea834904870e5c236d2627947a2 (diff)
Fix sandbox chroot
Sandbox was setting chroot, but was not changing the working dir. Added test to ensure this doesn't happen in the future. PiperOrigin-RevId: 215676270 Change-Id: I14352d3de64a4dcb90e50948119dc8328c9c15e1
Diffstat (limited to 'runsc/sandbox')
-rw-r--r--runsc/sandbox/chroot.go2
-rw-r--r--runsc/sandbox/sandbox.go1
2 files changed, 2 insertions, 1 deletions
diff --git a/runsc/sandbox/chroot.go b/runsc/sandbox/chroot.go
index 30a4bae35..35b19a0b1 100644
--- a/runsc/sandbox/chroot.go
+++ b/runsc/sandbox/chroot.go
@@ -55,7 +55,7 @@ func setUpChroot() (string, error) {
log.Infof("Setting up sandbox chroot in %q", chroot)
// Mount /proc.
- if err := mountInChroot(chroot, "proc", "/proc", "proc", 0); err != nil {
+ if err := mountInChroot(chroot, "proc", "/proc", "proc", syscall.MS_NOSUID|syscall.MS_NODEV|syscall.MS_NOEXEC); err != nil {
return "", fmt.Errorf("error mounting proc in chroot: %v", err)
}
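Review bot: The flags added to the /proc mount in the `mountInChroot` call are not explained anywhere, and the commit description only covers the working-directory fix, so the reason for `MS_NOSUID|MS_NODEV|MS_NOEXEC` is left for the reader to guess. The existing `// Mount /proc.` comment could become `// Mount /proc with nosuid, nodev and noexec to limit what the sandbox process can do through it.` so the restriction is not loosened back to `0` by a later edit. setUpChroot continues outside this hunk, so it is worth checking that any other mount it makes into the chroot is given equally restrictive flags.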
diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go
index 1ed1ab61d..847417a15 100644
--- a/runsc/sandbox/sandbox.go
+++ b/runsc/sandbox/sandbox.go
@@ -475,6 +475,7 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund
}
s.Chroot = chroot // Remember path so it can cleaned up.
cmd.SysProcAttr.Chroot = chroot
+ cmd.Dir = "/"
cmd.Args[0] = "/runsc"
cmd.Path = "/runsc"
} else {
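Review bot: The added `cmd.Dir = "/"` carries no comment, although it is the line that stops the sandbox process from starting with a working directory outside the new root. With only `cmd.SysProcAttr.Chroot` set, the child keeps the cwd it inherits from the parent, so relative paths would still resolve outside the chroot, and a later cleanup could easily drop this line as redundant. I would add `// The working dir must be inside the chroot; an inherited cwd would still point outside the new root.` directly above it. createSandboxProcess starts and ends outside this hunk, so how the `else` branch sets the working directory cannot be checked from here.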