From a81a4402a265aec6715172cd3502ee7eebbf64aa Mon Sep 17 00:00:00 2001
From: Fabricio Voznika <fvoznika@google.com>
Date: Fri, 24 Aug 2018 10:16:38 -0700
Subject: Add option to panic gofer if writes are attempted over RO mounts

This is used when '--overlay=true' to guarantee writes are not sent to gofer.

PiperOrigin-RevId: 210116288
Change-Id: I7616008c4c0e8d3668e07a205207f46e2144bf30
---
 runsc/sandbox/sandbox.go | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'runsc/sandbox')

diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go
index e5d1f791d..7789608f8 100644
--- a/runsc/sandbox/sandbox.go
+++ b/runsc/sandbox/sandbox.go
@@ -345,6 +345,10 @@ func (s *Sandbox) createGoferProcess(spec *specs.Spec, conf *boot.Config, bundle
 	setUIDGIDMappings(cmd, spec)
 	nss := filterNS([]specs.LinuxNamespaceType{specs.UserNamespace}, spec)
 
+	if conf.Overlay {
+		args = append(args, "--panic-on-write=true")
+	}
+
 	// Start the gofer in the given namespace.
 	log.Debugf("Starting gofer: %s %v", binPath, args)
 	if err := startInNS(cmd, nss); err != nil {
-- 
cgit v1.2.3