runsc: Run sandbox process inside minimal chroot.

We construct a dir with the executable bind-mounted at /exe, and proc mounted at /proc. Runsc now executes the sandbox process inside this chroot, thus limiting access to the host filesystem. The mounts and chroot dir are removed when the sandbox is destroyed. Because this requires bind-mounts, we can only do the chroot if we have CAP_SYS_ADMIN. PiperOrigin-RevId: 211994001 Change-Id: Ia71c515e26085e0b69b833e71691830148bc70d1
author: Nicolas Lacasse <nlacasse@google.com> 2018-09-07 10:15:34 -0700
committer: Shentubot <shentubot@google.com> 2018-09-07 10:16:39 -0700
commit: 210c2520890ea48d551c0c9fffe890a7c60fb802 (patch)
tree: 4f431b5737cd9e6a7c8c33e459242c3404eab7c0 /runsc/specutils/namespace.go
parent: 590d8320992d74e54e2c095c68c49abc2b23dcbe (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/runsc/specutils/namespace.go b/runsc/specutils/namespace.go
index 356943a65..48a199a77 100644
--- a/runsc/specutils/namespace.go
+++ b/runsc/specutils/namespace.go
@@ -216,3 +216,15 @@ func CanSetUIDGID() bool {
 	return caps.Get(capability.EFFECTIVE, capability.CAP_SETUID) &&
 		caps.Get(capability.EFFECTIVE, capability.CAP_SETGID)
 }
+
+// HasCapSysAdmin returns true if the user has CAP_SYS_ADMIN capability.
+func HasCapSysAdmin() bool {
+	caps, err := capability.NewPid2(os.Getpid())
+	if err != nil {
+		return false
+	}
+	if err := caps.Load(); err != nil {
+		return false
+	}
+	return caps.Get(capability.EFFECTIVE, capability.CAP_SYS_ADMIN)
+}
author	Nicolas Lacasse <nlacasse@google.com>	2018-09-07 10:15:34 -0700
committer	Shentubot <shentubot@google.com>	2018-09-07 10:16:39 -0700
commit	210c2520890ea48d551c0c9fffe890a7c60fb802 (patch)
tree	4f431b5737cd9e6a7c8c33e459242c3404eab7c0 /runsc/specutils/namespace.go
parent	590d8320992d74e54e2c095c68c49abc2b23dcbe (diff)