From b62591e6a813ec19a1fd74943584c4fead81f670 Mon Sep 17 00:00:00 2001 From: Michael Pratt Date: Mon, 17 Dec 2018 17:34:09 -0800 Subject: Expose internal testing flag Never to used outside of runsc tests! PiperOrigin-RevId: 225919013 Change-Id: Ib3b14aa2a2564b5246fb3f8933d95e01027ed186
---
 runsc/boot/config.go | 7 ++++++- runsc/main.go | 3 +++ runsc/test/testutil/BUILD | 5 +---- 3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/runsc/boot/config.go b/runsc/boot/config.go
index b98e38ae9..e00d44df9 100644
--- a/runsc/boot/config.go
+++ b/runsc/boot/config.go
@@ -218,7 +218,7 @@ type Config struct {
 // ToFlags returns a slice of flags that correspond to the given Config.
 func (c *Config) ToFlags() []string {
- return []string{
+ f := []string{
 "--root=" + c.RootDir,
 "--debug=" + strconv.FormatBool(c.Debug),
 "--log=" + c.LogFilename,
@@ -237,4 +237,9 @@ func (c *Config) ToFlags() []string {
 "--panic-signal=" + strconv.Itoa(c.PanicSignal),
 "--trace-signal=" + strconv.Itoa(c.TraceSignal),
 }
+ if c.TestOnlyAllowRunAsCurrentUserWithoutChroot {
+ // Only include if set since it is never to be used by users.
+ f = append(f, "-TESTONLY-unsafe-nonroot=true")
+ }
+ return f
 }
diff --git a/runsc/main.go b/runsc/main.go
index 013b250f7..a6ea0e9fa 100644
--- a/runsc/main.go
+++ b/runsc/main.go
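Review bot: In `ToFlags` (runsc/boot/config.go, second hunk) the appended entry is spelled with a single dash, `"-TESTONLY-unsafe-nonroot=true"`, while every other element of the slice uses `--`. Go's flag package accepts both forms, but `f = append(f, "--TESTONLY-unsafe-nonroot=true")` keeps the list uniform and easier to grep when auditing where this unsafe mode is enabled. If this slice is used to build the command line of child runsc processes (not visible here), a set flag is carried into each of them, and the comment could say so: `// Forwarded only when set; it disables host isolation and must never appear outside tests.` The slice literal itself begins in the previous hunk.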
@@ -64,6 +64,8 @@ var (
 watchdogAction = flag.String("watchdog-action", "log", "sets what action the watchdog takes when triggered: log (default), panic.")
 panicSignal = flag.Int("panic-signal", -1, "register signal handling that panics. Usually set to SIGUSR2(12) to troubleshoot hangs. -1 disables it. This takes precendence over -trace-signal.")
 traceSignal = flag.Int("trace-signal", -1, "register signal handling that logs a traceback of all goroutines. Usually set to SIGUSR2(12) to troubleshoot hangs. -1 disables it.")
+
+ testOnlyAllowRunAsCurrentUserWithoutChroot = flag.Bool("TESTONLY-unsafe-nonroot", false, "TEST ONLY; do not ever use! This skips many security measures that isolate the host from the sandbox.")
 )
 // gitRevision is set during linking.
@@ -146,6 +148,7 @@ func main() {
 WatchdogAction: wa,
 PanicSignal: *panicSignal,
 TraceSignal: *traceSignal,
+ TestOnlyAllowRunAsCurrentUserWithoutChroot: *testOnlyAllowRunAsCurrentUserWithoutChroot,
 }
 if len(*straceSyscalls) != 0 {
 conf.StraceSyscalls = strings.Split(*straceSyscalls, ",")
diff --git a/runsc/test/testutil/BUILD b/runsc/test/testutil/BUILD
index 826b7bf0b..8c3919320 100644
--- a/runsc/test/testutil/BUILD
+++ b/runsc/test/testutil/BUILD
@@ -11,10 +11,7 @@ go_library(
 "testutil_race.go",
 ],
 importpath = "gvisor.googlesource.com/gvisor/runsc/test/testutil",
- visibility = [
- "//runsc:__subpackages__",
- "//test:__subpackages__",
- ],
+ visibility = ["//:sandbox"],
 deps = [
 "//runsc/boot",
 "//runsc/specutils",
-- cgit v1.2.3
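Review bot: The `TESTONLY-unsafe-nonroot` flag in runsc/main.go (first hunk) is registered unconditionally, so a release binary accepts it from whatever configures the runsc command line, and the only safeguard visible here is the help text. Neither main.go hunk reports that the flag was set. A loud startup warning next to where the value is copied into the config in `main()` (second hunk) would make accidental or unauthorized use visible in logs, e.g. `if *testOnlyAllowRunAsCurrentUserWithoutChroot { log.Warningf("TESTONLY-unsafe-nonroot is set: sandbox isolation from the host is reduced") }`, assuming the file's logger is in scope. Registering the flag only in test builds would be the stronger control if the test harness permits it. `main()` continues outside the hunk, so such a check may already exist elsewhere.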
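Review bot: The `visibility` change in runsc/test/testutil/BUILD replaces two explicit subpackage patterns with the `//:sandbox` package group, whose membership is not shown in this diff, so it is worth confirming the group is no broader than the tests that need these helpers. Since this library presumably exists to drive the test-only unsafe mode, setting `testonly = 1` on the rule (if it is not already set above the hunk) would let Bazel reject any production target that depends on it.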