From 3f46f2e5017106d1569f759b8d19aee6e9827c58 Mon Sep 17 00:00:00 2001 From: Fabricio Voznika Date: Wed, 3 Oct 2018 20:43:18 -0700 Subject: Fix sandbox chroot Sandbox was setting chroot, but was not chaging the working dir. Added test to ensure this doesn't happen in the future. PiperOrigin-RevId: 215676270 Change-Id: I14352d3de64a4dcb90e50948119dc8328c9c15e1
---
 runsc/sandbox/chroot.go | 2 +- runsc/sandbox/sandbox.go | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'runsc/sandbox')
diff --git a/runsc/sandbox/chroot.go b/runsc/sandbox/chroot.go
index 30a4bae35..35b19a0b1 100644
--- a/runsc/sandbox/chroot.go
+++ b/runsc/sandbox/chroot.go
@@ -55,7 +55,7 @@ func setUpChroot() (string, error) {
 log.Infof("Setting up sandbox chroot in %q", chroot)
 // Mount /proc.
- if err := mountInChroot(chroot, "proc", "/proc", "proc", 0); err != nil {
+ if err := mountInChroot(chroot, "proc", "/proc", "proc", syscall.MS_NOSUID|syscall.MS_NODEV|syscall.MS_NOEXEC); err != nil {
 return "", fmt.Errorf("error mounting proc in chroot: %v", err)
 }
diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go
index 1ed1ab61d..847417a15 100644
--- a/runsc/sandbox/sandbox.go
+++ b/runsc/sandbox/sandbox.go
@@ -475,6 +475,7 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund
 }
 s.Chroot = chroot // Remember path so it can cleaned up.
 cmd.SysProcAttr.Chroot = chroot
+ cmd.Dir = "/"
 cmd.Args[0] = "/runsc"
 cmd.Path = "/runsc"
 } else {
-- 
cgit v1.2.3
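Review bot: The new `/proc` mount flags in `setUpChroot` are a hardening change that neither the `// Mount /proc.` comment nor the commit message explains; the message only covers the working-directory fix. I would extend the comment to something like `// Mount /proc with nosuid, nodev and noexec so nothing under it can be executed or grant setuid/device access inside the chroot.` The hunk does not show the other mounts that `setUpChroot` performs, so it is worth confirming they get equally restrictive flags; `setUpChroot` starts and ends outside the hunk.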
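Review bot: The added `cmd.Dir = "/"` in `createSandboxProcess` carries no comment, although it is the security-relevant line of this commit. Setting `SysProcAttr.Chroot` alone leaves the child with the parent's working directory, which lies outside the new root, so relative paths could still resolve there. I would record that next to the assignment, e.g. `cmd.Dir = "/" // chroot does not change the cwd; start at the new root so relative paths stay inside it.` The test mentioned in the commit message is not in this path-limited view, so confirm it asserts that the sandbox process's working directory is inside the chroot. The function starts and ends outside the hunk, so the `else` branch is not reviewed here.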