From 0a9a40abcda602dc3403e2108e1348bf4e04051a Mon Sep 17 00:00:00 2001
From: Nicolas Lacasse
Date: Tue, 4 Sep 2018 20:31:52 -0700
Subject: runsc: Run sandbox as user nobody.
When starting a sandbox without direct file or network access, we create an empty user namespace and run the sandbox in there. However, the root user in that namespace is still mapped to the root user in the parent namespace. This CL maps the "nobody" user from the parent namespace into the child namespace, and runs the sandbox process as user "nobody" inside the new namespace.
PiperOrigin-RevId: 211572223
Change-Id: I1b1f9b1a86c0b4e7e5ca7bc93be7d4887678bab6
---
 runsc/test/testutil/testutil.go | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
(limited to 'runsc/test')
diff --git a/runsc/test/testutil/testutil.go b/runsc/test/testutil/testutil.go
index 4429b981b..77bd56912 100644
--- a/runsc/test/testutil/testutil.go
+++ b/runsc/test/testutil/testutil.go
@@ -104,13 +104,14 @@ func FindFile(path string) (string, error) {
 // TestConfig return the default configuration to use in tests.
 func TestConfig() *boot.Config {
 return &boot.Config{
- Debug: true,
- LogFormat: "text",
- LogPackets: true,
- Network: boot.NetworkNone,
- Strace: true,
- MultiContainer: true,
- FileAccess: boot.FileAccessProxyExclusive,
+ Debug: true,
+ LogFormat: "text",
+ LogPackets: true,
+ Network: boot.NetworkNone,
+ Strace: true,
+ MultiContainer: true,
+ FileAccess: boot.FileAccessProxyExclusive,
+ TestOnlyAllowRunAsCurrentUser: true,
 }
 }
-- 
cgit v1.2.3
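Review bot: Setting `TestOnlyAllowRunAsCurrentUser: true` unconditionally in TestConfig means every test built on this helper opts out of the run-as-"nobody" path that this commit introduces, so the new user-namespace mapping gets no coverage from these tests unless an individual test overrides the field. The new line deserves a why-comment, hedged here because the field's semantics are not visible in this hunk, e.g. `// Skip the drop to "nobody" so tests can run unprivileged; set false in any test that must exercise the default user mapping.` Since the field lives on the production boot.Config rather than a test-only type, it is worth confirming outside this hunk that the runtime ignores or rejects it when not under a test binary, because a config knob that disables dropping to an unprivileged user should not be reachable from the normal CLI or config path. Separately, the context line's doc comment reads `TestConfig return` and should be `TestConfig returns`.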