summaryrefslogtreecommitdiffhomepage
path: root/runsc/specutils/BUILD
AgeCommit message (Collapse)Author
2018-09-04runsc: Run sandbox as user nobody.Nicolas Lacasse
When starting a sandbox without direct file or network access, we create an empty user namespace and run the sandbox in there. However, the root user in that namespace is still mapped to the root user in the parent namespace. This CL maps the "nobody" user from the parent namespace into the child namespace, and runs the sandbox process as user "nobody" inside the new namespace. PiperOrigin-RevId: 211572223 Change-Id: I1b1f9b1a86c0b4e7e5ca7bc93be7d4887678bab6
2018-08-27Put fsgofer inside chrootFabricio Voznika
Now each container gets its own dedicated gofer that is chroot'd to the rootfs path. This is done to add an extra layer of security in case the gofer gets compromised. PiperOrigin-RevId: 210396476 Change-Id: Iba21360a59dfe90875d61000db103f8609157ca0
2018-07-31Use backoff package for retry logicFabricio Voznika
PiperOrigin-RevId: 206834838 Change-Id: I9a44c6fa5f4766a01f86e90810f025cefecdf2d4
2018-06-28Error out if spec is invalidFabricio Voznika
Closes #66 PiperOrigin-RevId: 202496258 Change-Id: Ib9287c5bf1279ffba1db21ebd9e6b59305cddf34
2018-05-03Return error when child exits earlyFabricio Voznika
PiperOrigin-RevId: 195365050 Change-Id: I8754dc7a3fc2975d422cae453762a455478a8e6a
2018-04-28Check in gVisor.Googler
PiperOrigin-RevId: 194583126 Change-Id: Ica1d8821a90f74e7e745962d71801c598c652463
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-12 02:17:49 +0000