From 1c5b6d9bd26ba090610d05366df90d4fee91c677 Mon Sep 17 00:00:00 2001 From: "chris.zn" Date: Tue, 30 Apr 2019 23:35:36 +0800 Subject: Use different pidns among different containers The different containers in a sandbox used only one pid namespace before. This results in that a container can see the processes in another container in the same sandbox. This patch use different pid namespace for different containers. Signed-off-by: chris.zn --- pkg/sentry/control/proc.go | 8 ++++++-- pkg/sentry/kernel/kernel.go | 14 ++++++++++---- 2 files changed, 16 insertions(+), 6 deletions(-) (limited to 'pkg') diff --git a/pkg/sentry/control/proc.go b/pkg/sentry/control/proc.go index 60e6c9285..3f9772b87 100644 --- a/pkg/sentry/control/proc.go +++ b/pkg/sentry/control/proc.go @@ -92,6 +92,9 @@ type ExecArgs struct { // ContainerID is the container for the process being executed. ContainerID string + + // PIDNamespace is the pid namespace for the process being executed. + PIDNamespace *kernel.PIDNamespace } // String prints the arguments as a string. @@ -162,6 +165,7 @@ func (proc *Proc) execAsync(args *ExecArgs) (*kernel.ThreadGroup, kernel.ThreadI IPCNamespace: proc.Kernel.RootIPCNamespace(), AbstractSocketNamespace: proc.Kernel.RootAbstractSocketNamespace(), ContainerID: args.ContainerID, + PIDNamespace: args.PIDNamespace, } if initArgs.Root != nil { // initArgs must hold a reference on Root, which will be @@ -341,7 +345,7 @@ func Processes(k *kernel.Kernel, containerID string, out *[]*Process) error { ts := k.TaskSet() now := k.RealtimeClock().Now() for _, tg := range ts.Root.ThreadGroups() { - pid := ts.Root.IDOfThreadGroup(tg) + pid := tg.PIDNamespace().IDOfThreadGroup(tg) // If tg has already been reaped ignore it. if pid == 0 { continue @@ -352,7 +356,7 @@ func Processes(k *kernel.Kernel, containerID string, out *[]*Process) error { ppid := kernel.ThreadID(0) if p := tg.Leader().Parent(); p != nil { - ppid = ts.Root.IDOfThreadGroup(p.ThreadGroup()) + ppid = p.PIDNamespace().IDOfThreadGroup(p.ThreadGroup()) } *out = append(*out, &Process{ UID: tg.Leader().Credentials().EffectiveKUID, diff --git a/pkg/sentry/kernel/kernel.go b/pkg/sentry/kernel/kernel.go index 38b49cba2..70f5a3f0b 100644 --- a/pkg/sentry/kernel/kernel.go +++ b/pkg/sentry/kernel/kernel.go @@ -622,6 +622,9 @@ type CreateProcessArgs struct { // IPCNamespace is the initial IPC namespace. IPCNamespace *IPCNamespace + // PIDNamespace is the initial PID Namespace. + PIDNamespace *PIDNamespace + // AbstractSocketNamespace is the initial Abstract Socket namespace. AbstractSocketNamespace *AbstractSocketNamespace @@ -668,9 +671,7 @@ func (ctx *createProcessContext) Value(key interface{}) interface{} { case CtxKernel: return ctx.k case CtxPIDNamespace: - // "The new task ... is in the root PID namespace." - - // Kernel.CreateProcess - return ctx.k.tasks.Root + return ctx.args.PIDNamespace case CtxUTSNamespace: return ctx.args.UTSNamespace case CtxIPCNamespace: @@ -745,7 +746,7 @@ func (k *Kernel) CreateProcess(args CreateProcessArgs) (*ThreadGroup, ThreadID, mounts.IncRef() } - tg := k.newThreadGroup(mounts, k.tasks.Root, NewSignalHandlers(), linux.SIGCHLD, args.Limits, k.monotonicClock) + tg := k.newThreadGroup(mounts, args.PIDNamespace, NewSignalHandlers(), linux.SIGCHLD, args.Limits, k.monotonicClock) ctx := args.NewContext(k) // Grab the root directory. @@ -1018,6 +1019,11 @@ func (k *Kernel) RootIPCNamespace() *IPCNamespace { return k.rootIPCNamespace } +// RootPIDNamespace returns the root PIDNamespace. +func (k *Kernel) RootPIDNamespace() *PIDNamespace { + return k.tasks.Root +} + // RootAbstractSocketNamespace returns the root AbstractSocketNamespace. func (k *Kernel) RootAbstractSocketNamespace() *AbstractSocketNamespace { return k.rootAbstractSocketNamespace -- cgit v1.2.3