From 0a307d00726af987793204ef84ac89df064257e6 Mon Sep 17 00:00:00 2001
From: Fabricio Voznika
Date: Mon, 4 May 2020 11:41:38 -0700
Subject: Mount VSFS2 filesystem using root credentials

PiperOrigin-RevId: 309787938
---
 runsc/boot/loader_test.go | 7 ++-----
 runsc/boot/vfs.go | 15 +++++----------
 2 files changed, 7 insertions(+), 15 deletions(-)

diff --git a/runsc/boot/loader_test.go b/runsc/boot/loader_test.go
index 55d27a632..7a30fea70 100644
--- a/runsc/boot/loader_test.go
+++ b/runsc/boot/loader_test.go
@@ -438,7 +438,6 @@ func createMountTestcases(vfs2 bool) []*CreateMountTestcase {
 
 // Test that MountNamespace can be created with various specs.
 func TestCreateMountNamespace(t *testing.T) {
-
 	for _, tc := range createMountTestcases(false /* vfs2 */) {
 		t.Run(tc.name, func(t *testing.T) {
 			conf := testConfig()
@@ -476,7 +475,6 @@ func TestCreateMountNamespace(t *testing.T) {
 
 // Test that MountNamespace can be created with various specs.
 func TestCreateMountNamespaceVFS2(t *testing.T) {
-
 	for _, tc := range createMountTestcases(true /* vfs2 */) {
 		t.Run(tc.name, func(t *testing.T) {
 			defer resetSyscallTable()
@@ -485,6 +483,7 @@ func TestCreateMountNamespaceVFS2(t *testing.T) {
 			spec.Mounts = tc.spec.Mounts
 			spec.Root = tc.spec.Root
 
+			t.Logf("Using root: %q", spec.Root.Path)
 			l, loaderCleanup, err := createLoader(true /* VFS2 Enabled */, spec)
 			if err != nil {
 				t.Fatalf("failed to create loader: %v", err)
@@ -497,7 +496,7 @@ func TestCreateMountNamespaceVFS2(t *testing.T) {
 				t.Fatalf("failed process hints: %v", err)
 			}
 
-			ctx := l.rootProcArgs.NewContext(l.k)
+			ctx := l.k.SupervisorContext()
 			mns, err := mntr.setupVFS2(ctx, l.conf, &l.rootProcArgs)
 			if err != nil {
 				t.Fatalf("failed to setupVFS2: %v", err)
@@ -506,7 +505,6 @@ func TestCreateMountNamespaceVFS2(t *testing.T) {
 			root := mns.Root()
 			defer root.DecRef()
 			for _, p := range tc.expectedPaths {
-
 				target := &vfs.PathOperation{
 					Root: root,
 					Start: root,
@@ -518,7 +516,6 @@ func TestCreateMountNamespaceVFS2(t *testing.T) {
 				} else {
 					d.DecRef()
 				}
-
 			}
 		})
 	}
diff --git a/runsc/boot/vfs.go b/runsc/boot/vfs.go
index 448fc4459..d1397ed2c 100644
--- a/runsc/boot/vfs.go
+++ b/runsc/boot/vfs.go
@@ -166,30 +166,28 @@ func (c *containerMounter) setupVFS2(ctx context.Context, conf *Config, procArgs
 
 	// Create context with root credentials to mount the filesystem (the current
 	// user may not be privileged enough).
+	rootCreds := auth.NewRootCredentials(procArgs.Credentials.UserNamespace)
 	rootProcArgs := *procArgs
 	rootProcArgs.WorkingDirectory = "/"
-	rootProcArgs.Credentials = auth.NewRootCredentials(procArgs.Credentials.UserNamespace)
+	rootProcArgs.Credentials = rootCreds
 	rootProcArgs.Umask = 0022
 	rootProcArgs.MaxSymlinkTraversals = linux.MaxSymlinkTraversals
 	rootCtx := procArgs.NewContext(c.k)
 
-	creds := procArgs.Credentials
-	if err := registerFilesystems(rootCtx, c.k.VFS(), creds); err != nil {
+	if err := registerFilesystems(rootCtx, c.k.VFS(), rootCreds); err != nil {
 		return nil, fmt.Errorf("register filesystems: %w", err)
 	}
 
-	mns, err := c.createMountNamespaceVFS2(ctx, conf, creds)
+	mns, err := c.createMountNamespaceVFS2(rootCtx, conf, rootCreds)
 	if err != nil {
 		return nil, fmt.Errorf("creating mount namespace: %w", err)
 	}
-
 	rootProcArgs.MountNamespaceVFS2 = mns
 
 	// Mount submounts.
-	if err := c.mountSubmountsVFS2(rootCtx, conf, mns, creds); err != nil {
+	if err := c.mountSubmountsVFS2(rootCtx, conf, mns, rootCreds); err != nil {
 		return nil, fmt.Errorf("mounting submounts vfs2: %w", err)
 	}
-
 	return mns, nil
 }
 
@@ -318,7 +316,6 @@ func p9MountOptionsVFS2(fd int, fa FileAccessType) []string {
 }
 
 func (c *containerMounter) makeSyntheticMount(ctx context.Context, currentPath string, root vfs.VirtualDentry, creds *auth.Credentials) error {
-
 	target := &vfs.PathOperation{
 		Root: root,
 		Start: root,
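Review bot: `rootCtx := procArgs.NewContext(c.k)` in the setupVFS2 hunk still derives the context from the unprivileged `procArgs`, even though the new code builds `rootProcArgs` with `rootCreds` right above it and the comment says the context is created with root credentials; any callee that reads credentials from the context rather than from the explicit creds argument would therefore still run as the container user. Changing it to `rootCtx := rootProcArgs.NewContext(c.k)` makes the context agree with the `rootCreds` now passed to registerFilesystems, createMountNamespaceVFS2 and mountSubmountsVFS2. Whether NewContext actually exposes Credentials through the context is not visible here, so confirm that before relying on the fix. With the mount namespace now created under rootCtx, the `ctx` parameter appears unused within the hunk; if nothing before the hunk uses it either, a one-line comment explaining why the caller's context is deliberately bypassed for mounting would help the next reader. setupVFS2's signature and opening lines are outside the hunk.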
@@ -327,12 +324,10 @@ func (c *containerMounter) makeSyntheticMount(ctx context.Context, currentPath s
 
 	_, err := c.k.VFS().StatAt(ctx, creds, target, &vfs.StatOptions{})
 	switch {
-
 	case err == syserror.ENOENT:
 		if err := c.makeSyntheticMount(ctx, path.Dir(currentPath), root, creds); err != nil {
 			return err
 		}
-
 		mkdirOpts := &vfs.MkdirOptions{Mode: 0777, ForSyntheticMountpoint: true}
 		if err := c.k.VFS().MkdirAt(ctx, creds, target, mkdirOpts); err != nil {
 			return fmt.Errorf("failed to makedir for mount %+v: %w", target, err)
-- 
cgit v1.2.3