summaryrefslogtreecommitdiffhomepage
path: root/runsc
diff options
context:
space:
mode:
authorFabricio Voznika <fvoznika@google.com>2019-01-03 14:09:47 -0800
committerShentubot <shentubot@google.com>2019-01-03 14:10:44 -0800
commitd033a76fa6e215cb302e5383dbd7b0120de4395d (patch)
tree7c35ba0d4d7384cbc0c90943dbad4282be338ba7 /runsc
parentb709997d78a9504d1d9a14eb2dffae327cd69238 (diff)
Apply chroot for --network=host too
PiperOrigin-RevId: 227747566 Change-Id: Ide9df4ac1391adcd1c56e08d6570e0d149d85bc4
Diffstat (limited to 'runsc')
-rw-r--r--runsc/sandbox/sandbox.go36
1 files changed, 19 insertions, 17 deletions
diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go
index 195cd4d6f..d84995d04 100644
--- a/runsc/sandbox/sandbox.go
+++ b/runsc/sandbox/sandbox.go
@@ -529,25 +529,27 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund
} else {
return fmt.Errorf("can't run sandbox process as user nobody since we don't have CAP_SETUID or CAP_SETGID")
}
+ }
- // If we have CAP_SYS_ADMIN, we can create an empty chroot and
- // bind-mount the executable inside it.
- if conf.TestOnlyAllowRunAsCurrentUserWithoutChroot {
- log.Warningf("Running sandbox in test mode without chroot. This is only safe in tests!")
- } else if specutils.HasCapabilities(capability.CAP_SYS_ADMIN, capability.CAP_SYS_CHROOT) {
- log.Infof("Sandbox will be started in minimal chroot")
- chroot, err := setUpChroot()
- if err != nil {
- return fmt.Errorf("error setting up chroot: %v", err)
- }
- s.Chroot = chroot // Remember path so it can cleaned up.
- cmd.SysProcAttr.Chroot = chroot
- cmd.Dir = "/"
- cmd.Args[0] = "/runsc"
- cmd.Path = "/runsc"
- } else {
- return fmt.Errorf("can't run sandbox process in minimal chroot since we don't have CAP_SYS_ADMIN and CAP_SYS_CHROOT")
+ // If we have CAP_SYS_ADMIN, we can create an empty chroot and
+ // bind-mount the executable inside it.
+ if conf.TestOnlyAllowRunAsCurrentUserWithoutChroot {
+ log.Warningf("Running sandbox in test mode without chroot. This is only safe in tests!")
+
+ } else if specutils.HasCapabilities(capability.CAP_SYS_ADMIN, capability.CAP_SYS_CHROOT) {
+ log.Infof("Sandbox will be started in minimal chroot")
+ chroot, err := setUpChroot()
+ if err != nil {
+ return fmt.Errorf("error setting up chroot: %v", err)
}
+ s.Chroot = chroot // Remember path so it can cleaned up.
+ cmd.SysProcAttr.Chroot = chroot
+ cmd.Dir = "/"
+ cmd.Args[0] = "/runsc"
+ cmd.Path = "/runsc"
+
+ } else {
+ return fmt.Errorf("can't run sandbox process in minimal chroot since we don't have CAP_SYS_ADMIN and CAP_SYS_CHROOT")
}
if s.Cgroup != nil {