Allow 'runsc do' to run without root

'--rootless' flag lets a non-root user execute 'runsc do'. The drawback is that the sandbox and gofer processes will run as root inside a user namespace that is mapped to the caller's user, intead of nobody. And network is defaulted to '--network=host' inside the root network namespace. On the bright side, it's very convenient for testing: runsc --rootless do ls runsc --rootless do curl www.google.com PiperOrigin-RevId: 252840970
author: Fabricio Voznika <fvoznika@google.com> 2019-06-12 09:40:50 -0700
committer: Shentubot <shentubot@google.com> 2019-06-12 09:41:50 -0700
commit: 356d1be140bb51f2a50d2c7fe24242cbfeedc9d6 (patch)
tree: 3685e89ffdf701c2e9aebb19023cf0606ca8593b /runsc/specutils/BUILD
parent: df110ad4fe571721a7eb4a5a1f9ce92584ef7809 (diff)
1 files changed, 1 insertions, 4 deletions
diff --git a/runsc/specutils/BUILD b/runsc/specutils/BUILD
index 15476de6f..0456e4c4f 100644
--- a/runsc/specutils/BUILD
+++ b/runsc/specutils/BUILD
@@ -10,10 +10,7 @@ go_library(
         "specutils.go",
     ],
     importpath = "gvisor.googlesource.com/gvisor/runsc/specutils",
-    visibility = [
-        "//runsc:__subpackages__",
-        "//test:__subpackages__",
-    ],
+    visibility = ["//:sandbox"],
     deps = [
         "//pkg/abi/linux",
         "//pkg/log",
author	Fabricio Voznika <fvoznika@google.com>	2019-06-12 09:40:50 -0700
committer	Shentubot <shentubot@google.com>	2019-06-12 09:41:50 -0700
commit	356d1be140bb51f2a50d2c7fe24242cbfeedc9d6 (patch)
tree	3685e89ffdf701c2e9aebb19023cf0606ca8593b /runsc/specutils/BUILD
parent	df110ad4fe571721a7eb4a5a1f9ce92584ef7809 (diff)