From 210c2520890ea48d551c0c9fffe890a7c60fb802 Mon Sep 17 00:00:00 2001
From: Nicolas Lacasse
Date: Fri, 7 Sep 2018 10:15:34 -0700
Subject: runsc: Run sandbox process inside minimal chroot.

We construct a dir with the executable bind-mounted at /exe, and proc mounted at /proc. Runsc now executes the sandbox process inside this chroot, thus limiting access to the host filesystem. The mounts and chroot dir are removed when the sandbox is destroyed. Because this requires bind-mounts, we can only do the chroot if we have CAP_SYS_ADMIN.

PiperOrigin-RevId: 211994001
Change-Id: Ia71c515e26085e0b69b833e71691830148bc70d1
---
 runsc/container/fs.go | 30 ++++--------------------------
 1 file changed, 4 insertions(+), 26 deletions(-)

(limited to 'runsc/container/fs.go')

diff --git a/runsc/container/fs.go b/runsc/container/fs.go
index fb352fc7c..a3c5772ba 100644
--- a/runsc/container/fs.go
+++ b/runsc/container/fs.go
@@ -77,11 +77,6 @@ func setupFS(spec *specs.Spec, conf *boot.Config, bundleDir string) error {
 if m.Type != "bind" || !specutils.IsSupportedDevMount(m) {
 continue
 }
- src := m.Source
- srcfi, err := os.Stat(src)
- if err != nil {
- return fmt.Errorf("failed to stat() mount source: %v", err)
- }
 // It's possible that 'm.Destination' follows symlinks inside the
 // container.
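Review bot: Removing the `os.Stat(src)` here drops the only explicit check that the bind source exists before the destination is resolved and mounted, and the second hunk removes the `srcfi.IsDir()` branch that depended on it; presumably both moved into `specutils.Mount`, but nothing in this diff records that. A short comment at the new `specutils.Mount` call, e.g. `// specutils.Mount is expected to stat m.Source and create dst (dir or file) before mounting; see that helper.`, would tell the next reader where source validation and mount-point creation now live, and should be confirmed against the helper before landing. setupFS begins before this hunk and continues past it.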
@@ -90,30 +85,13 @@ func setupFS(spec *specs.Spec, conf *boot.Config, bundleDir string) error {
 return fmt.Errorf("failed to resolve symlinks: %v", err)
 }
- // Create mount point if it doesn't exits
- if _, err := os.Stat(dst); os.IsNotExist(err) {
- if srcfi.IsDir() {
- if err := os.MkdirAll(dst, 0755); err != nil {
- return fmt.Errorf("failed to make mount directory %q: %v", dst, err)
- }
- } else {
- if err := os.MkdirAll(filepath.Dir(dst), 0755); err != nil {
- return fmt.Errorf("failed to make mount directory for file %q: %v", filepath.Dir(dst), err)
- }
- f, err := os.OpenFile(dst, os.O_CREATE, 0755)
- if err != nil {
- return fmt.Errorf("failed to open mount file %q: %v", dst, err)
- }
- f.Close()
- }
- }
-
 flags := optionsToFlags(m.Options)
 flags |= syscall.MS_BIND
- log.Infof("Mounting src: %q, dst: %q, flags: %#x", src, dst, flags)
- if err := syscall.Mount(src, dst, m.Type, uintptr(flags), ""); err != nil {
- return fmt.Errorf("failed to mount src: %q, dst: %q, flags: %#x, err: %v", src, dst, flags, err)
+ log.Infof("Mounting src: %q, dst: %q, flags: %#x", m.Source, dst, flags)
+ if err := specutils.Mount(m.Source, dst, m.Type, flags); err != nil {
+ return fmt.Errorf("failed to mount %v: %v", m, err)
 }
+
 // Make the mount a slave, so that for recursive bind mount, umount won't
 // propagate to the source.
 flags = syscall.MS_SLAVE | syscall.MS_REC
-- cgit v1.2.3
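Review bot: The new error on the `specutils.Mount` failure formats the whole `specs.Mount` with `%v` and no longer reports `dst` or `flags`, yet `dst` is the symlink-resolved path computed just above this hunk and can differ from `m.Destination`, so a failed mount is now reported against a path that was never handed to the mount call. Keeping the resolved target and the flags, e.g. `return fmt.Errorf("failed to mount %v at %q (flags %#x): %v", m, dst, flags, err)`, preserves what the removed line reported and matches the `log.Infof` line immediately before it. `%+v` would at least label the struct fields if the whole mount entry is kept in the message. setupFS starts before this hunk and its body continues after the MS_SLAVE remount shown at the end.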