author | Fabricio Voznika <fvoznika@google.com> | 2019-01-03 14:09:47 -0800 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2019-01-03 14:10:44 -0800 |
commit | d033a76fa6e215cb302e5383dbd7b0120de4395d (patch) | |
tree | 7c35ba0d4d7384cbc0c90943dbad4282be338ba7 /runsc | |
parent | b709997d78a9504d1d9a14eb2dffae327cd69238 (diff) |
Apply chroot for --network=host too
PiperOrigin-RevId: 227747566
Change-Id: Ide9df4ac1391adcd1c56e08d6570e0d149d85bc4
Diffstat (limited to 'runsc')
-rw-r--r-- | runsc/sandbox/sandbox.go | 36 |
1 files changed, 19 insertions, 17 deletions
diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go
index 195cd4d6f..d84995d04 100644
--- a/runsc/sandbox/sandbox.go
+++ b/runsc/sandbox/sandbox.go
@@ -529,25 +529,27 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund
 } else {
 return fmt.Errorf("can't run sandbox process as user nobody since we don't have CAP_SETUID or CAP_SETGID")
 }
+ }
- // If we have CAP_SYS_ADMIN, we can create an empty chroot and
- // bind-mount the executable inside it.
- if conf.TestOnlyAllowRunAsCurrentUserWithoutChroot {
- log.Warningf("Running sandbox in test mode without chroot. This is only safe in tests!")
- } else if specutils.HasCapabilities(capability.CAP_SYS_ADMIN, capability.CAP_SYS_CHROOT) {
- log.Infof("Sandbox will be started in minimal chroot")
- chroot, err := setUpChroot()
- if err != nil {
- return fmt.Errorf("error setting up chroot: %v", err)
- }
- s.Chroot = chroot // Remember path so it can cleaned up.
- cmd.SysProcAttr.Chroot = chroot
- cmd.Dir = "/"
- cmd.Args[0] = "/runsc"
- cmd.Path = "/runsc"
- } else {
- return fmt.Errorf("can't run sandbox process in minimal chroot since we don't have CAP_SYS_ADMIN and CAP_SYS_CHROOT")
+ // If we have CAP_SYS_ADMIN, we can create an empty chroot and
+ // bind-mount the executable inside it.
+ if conf.TestOnlyAllowRunAsCurrentUserWithoutChroot {
+ log.Warningf("Running sandbox in test mode without chroot. This is only safe in tests!")
+
+ } else if specutils.HasCapabilities(capability.CAP_SYS_ADMIN, capability.CAP_SYS_CHROOT) {
+ log.Infof("Sandbox will be started in minimal chroot")
+ chroot, err := setUpChroot()
+ if err != nil {
+ return fmt.Errorf("error setting up chroot: %v", err)
 }
+ s.Chroot = chroot // Remember path so it can cleaned up.
+ cmd.SysProcAttr.Chroot = chroot
+ cmd.Dir = "/"
+ cmd.Args[0] = "/runsc"
+ cmd.Path = "/runsc"
+
+ } else {
+ return fmt.Errorf("can't run sandbox process in minimal chroot since we don't have CAP_SYS_ADMIN and CAP_SYS_CHROOT")
 }
 if s.Cgroup != nil { |
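Review bot: The comment that moved with the chroot block, `// If we have CAP_SYS_ADMIN, we can create an empty chroot and`, no longer matches the code beneath it: the branch checks both CAP_SYS_ADMIN and CAP_SYS_CHROOT, and now that the block sits outside the preceding `if`, a missing capability fails sandbox creation on every path unless the test-only flag is set. I would reword it to state that contract, for example `// Always start the sandbox in a minimal chroot (needs CAP_SYS_ADMIN and CAP_SYS_CHROOT); only the test-only flag skips it.` The inline comment `// Remember path so it can cleaned up.` is also missing a "be". The `if` that the block was moved out of opens above the hunk, so which configurations previously skipped the chroot is inferred from the commit title (--network=host) rather than visible here, and createSandboxProcess continues past the hunk.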