Resolve mount paths while setting up root fs mount

It's hard to resolve symlinks inside the sandbox because rootfs and mounts
may be read-only, forcing us to create mount points inside lower layer of an
overlay, **before** the volumes are mounted.

Since the destination must already be resolved outside the sandbox when creating
mounts, take this opportunity to rewrite the spec with paths resolved.
"runsc boot" will use the "resolved" spec to load mounts. In addition, symlink
traversals were disabled while mounting containers inside the sandbox.

It haven't been able to write a good test for it. So I'm relying on manual tests
for now.

PiperOrigin-RevId: 217749904
Change-Id: I7ac434d5befd230db1488446cda03300cc0751a9

1 files changed, 23 insertions, 0 deletions

diff --git a/runsc/specutils/specutils.go b/runsc/specutils/specutils.go
index 6b3e52021..b29802fde 100644
--- a/runsc/specutils/specutils.go
+++ b/runsc/specutils/specutils.go
@@ -170,6 +170,29 @@ func ReadSpecFromFile(bundleDir string, specFile *os.File) (*specs.Spec, error)
 	return &spec, nil
 }
 
+// OpenCleanSpec opens spec file that has destination mount paths resolved to
+// their absolute location.
+func OpenCleanSpec(bundleDir string) (*os.File, error) {
+	f, err := os.Open(filepath.Join(bundleDir, "config.clean.json"))
+	if err != nil {
+		return nil, err
+	}
+	if _, err := f.Seek(0, os.SEEK_SET); err != nil {
+		f.Close()
+		return nil, fmt.Errorf("error seeking to beginning of file %q: %v", f.Name(), err)
+	}
+	return f, nil
+}
+
+// WriteCleanSpec writes a spec file that has destination mount paths resolved.
+func WriteCleanSpec(bundleDir string, spec *specs.Spec) error {
+	bytes, err := json.Marshal(spec)
+	if err != nil {
+		return err
+	}
+	return ioutil.WriteFile(filepath.Join(bundleDir, "config.clean.json"), bytes, 0755)
+}
+
 // Capabilities takes in spec and returns a TaskCapabilities corresponding to
 // the spec.
 func Capabilities(specCaps *specs.LinuxCapabilities) (*auth.TaskCapabilities, error) {