authorFabricio Voznika <fvoznika@google.com>2019-01-16 12:47:21 -0800
committerShentubot <shentubot@google.com>2019-01-16 12:48:32 -0800
commite4d3ca7263291b43cdc49c7553c62608be062cd9 (patch)
tree47b8dee17087a36e1fc34c8acc48c798f2d2f383 /test
parent92cf3764e032740f0c84a1b242c54b99f45a6bf0 (diff)
Prevent internal tmpfs mount to override files in /tmp
Runsc wants to mount /tmp using internal tmpfs implementation for performance. However, it risks hiding files that may exist under /tmp in case it's present in the container. Now, it only mounts over /tmp iff: - /tmp was not explicitly asked to be mounted - /tmp is empty If either of these is not true, then /tmp maps to the container's image /tmp. Note: checkpoint doesn't have sentry FS mounted to check if /tmp is empty. It simply looks for explicit mounts right now. PiperOrigin-RevId: 229607856 Change-Id: I10b6dae7ac157ef578efc4dfceb089f3b94cde06
Diffstat (limited to 'test')
-rw-r--r--test/syscalls/BUILD1
-rw-r--r--test/syscalls/syscall_test_runner.go8
2 files changed, 8 insertions, 1 deletions
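diff --git a/test/syscalls/BUILD b/test/syscalls/BUILD
index 674e4b5b1..c46ac77f7 100644
--- a/test/syscalls/BUILD
+++ b/test/syscalls/BUILD
@@ -538,6 +538,7 @@ go_binary(
 "//runsc/specutils",
 "//runsc/test/testutil",
 "//test/syscalls/gtest",
+ "@com_github_opencontainers_runtime-spec//specs-go:go_default_library",
 "@org_golang_x_sys//unix:go_default_library",
 ],
 )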
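diff --git a/test/syscalls/syscall_test_runner.go b/test/syscalls/syscall_test_runner.go
index 1f2ff9864..e5c2358a0 100644
--- a/test/syscalls/syscall_test_runner.go
+++ b/test/syscalls/syscall_test_runner.go
@@ -29,6 +29,7 @@ import (
 "syscall"
 "testing"
+ specs "github.com/opencontainers/runtime-spec/specs-go"
 "golang.org/x/sys/unix"
 "gvisor.googlesource.com/gvisor/pkg/log"
 "gvisor.googlesource.com/gvisor/runsc/specutils"
@@ -107,7 +108,12 @@ func runTestCaseRunsc(testBin string, tc gtest.TestCase, t *testing.T) {
 // Mark the root as writeable, as some tests attempt to
 // write to the rootfs, and expect EACCES, not EROFS.
 spec.Root.Readonly = false
- spec.Mounts = nil
+
+ // Forces '/tmp' to be mounted as tmpfs, otherwise test that rely on features
+ // available in gVisor's tmpfs and not gofers, may fail.
+ spec.Mounts = []specs.Mount{
+ {Destination: "/tmp", Type: "tmpfs"},
+ }
 // Set environment variable that indicates we are
 // running in gVisor and with the given platform.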
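Review bot: The tmpfs mount assigned to `spec.Mounts` carries no `Source` and no `Options`, so the mode and flags of the test's /tmp are left to whatever defaults runsc applies; if the suite depends on the conventional world-writable sticky /tmp, spelling it out as `{Destination: "/tmp", Type: "tmpfs", Source: "tmpfs", Options: []string{"mode=1777"}}` pins that down instead of relying on the implicit default. The comment above the assignment reads better as `// Force '/tmp' to be mounted as tmpfs; otherwise tests that rely on features available in gVisor's tmpfs but not in gofers may fail.`. Since this line replaces the earlier blanket `spec.Mounts = nil`, any mounts present in the loaded spec are still discarded, which is presumably intended here (the runner wants the explicit /tmp mount the commit message describes) but is worth a word in the comment. runTestCaseRunsc continues outside the hunk.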