From 0a307d00726af987793204ef84ac89df064257e6 Mon Sep 17 00:00:00 2001 From: Fabricio Voznika Date: Mon, 4 May 2020 11:41:38 -0700 Subject: Mount VSFS2 filesystem using root credentials PiperOrigin-RevId: 309787938 --- runsc/boot/vfs.go | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) (limited to 'runsc/boot/vfs.go') diff --git a/runsc/boot/vfs.go b/runsc/boot/vfs.go index 448fc4459..d1397ed2c 100644 --- a/runsc/boot/vfs.go +++ b/runsc/boot/vfs.go @@ -166,30 +166,28 @@ func (c *containerMounter) setupVFS2(ctx context.Context, conf *Config, procArgs // Create context with root credentials to mount the filesystem (the current // user may not be privileged enough). + rootCreds := auth.NewRootCredentials(procArgs.Credentials.UserNamespace) rootProcArgs := *procArgs rootProcArgs.WorkingDirectory = "/" - rootProcArgs.Credentials = auth.NewRootCredentials(procArgs.Credentials.UserNamespace) + rootProcArgs.Credentials = rootCreds rootProcArgs.Umask = 0022 rootProcArgs.MaxSymlinkTraversals = linux.MaxSymlinkTraversals rootCtx := procArgs.NewContext(c.k) - creds := procArgs.Credentials - if err := registerFilesystems(rootCtx, c.k.VFS(), creds); err != nil { + if err := registerFilesystems(rootCtx, c.k.VFS(), rootCreds); err != nil { return nil, fmt.Errorf("register filesystems: %w", err) } - mns, err := c.createMountNamespaceVFS2(ctx, conf, creds) + mns, err := c.createMountNamespaceVFS2(rootCtx, conf, rootCreds) if err != nil { return nil, fmt.Errorf("creating mount namespace: %w", err) } - rootProcArgs.MountNamespaceVFS2 = mns // Mount submounts. - if err := c.mountSubmountsVFS2(rootCtx, conf, mns, creds); err != nil { + if err := c.mountSubmountsVFS2(rootCtx, conf, mns, rootCreds); err != nil { return nil, fmt.Errorf("mounting submounts vfs2: %w", err) } - return mns, nil } 
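Review bot: The context line `rootCtx := procArgs.NewContext(c.k)` still builds the context from `procArgs` rather than `rootProcArgs`, so the context now passed to registerFilesystems, createMountNamespaceVFS2 and mountSubmountsVFS2 carries the caller's credentials, working directory and umask, while the explicit credentials argument is `rootCreds`. Any callee that reads credentials from the context instead of the argument would still run its permission checks as the possibly unprivileged user, which is the case the comment above says this block is meant to avoid; whether any callee does that is not visible in this hunk. I would change the line to `rootCtx := rootProcArgs.NewContext(c.k)` so the context and the argument agree. It is also worth confirming that `rootProcArgs.MountNamespaceVFS2 = mns` has any effect, since it is assigned after the context is created and `rootProcArgs` is not otherwise used in the visible lines. setupVFS2 starts outside the hunk, so earlier uses of `procArgs` could not be checked.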
@@ -318,7 +316,6 @@ func p9MountOptionsVFS2(fd int, fa FileAccessType) []string { } func (c *containerMounter) makeSyntheticMount(ctx context.Context, currentPath string, root vfs.VirtualDentry, creds *auth.Credentials) error { - target := &vfs.PathOperation{ Root: root, Start: root, @@ -327,12 +324,10 @@ func (c *containerMounter) makeSyntheticMount(ctx context.Context, currentPath s _, err := c.k.VFS().StatAt(ctx, creds, target, &vfs.StatOptions{}) switch { - case err == syserror.ENOENT: if err := c.makeSyntheticMount(ctx, path.Dir(currentPath), root, creds); err != nil { return err } - mkdirOpts := &vfs.MkdirOptions{Mode: 0777, ForSyntheticMountpoint: true} if err := c.k.VFS().MkdirAt(ctx, creds, target, mkdirOpts); err != nil { return fmt.Errorf("failed to makedir for mount %+v: %w", target, err) -- cgit v1.2.3