From 5f08f8fd8162fa2fc2ca7b862263081d8d07b206 Mon Sep 17 00:00:00 2001
From: Andrei Vagin
Date: Tue, 22 Jan 2019 16:45:45 -0800
Subject: Don't bind-mount runsc into a sandbox mntns

PiperOrigin-RevId: 230437407
Change-Id: Id9d8ceeb018aad2fe317407c78c6ee0f4b47aa2b
---
 runsc/cmd/boot.go | 1 -
 runsc/cmd/chroot.go | 8 --------
 runsc/cmd/cmd.go | 9 +++------
 runsc/cmd/exec.go | 6 ++----
 runsc/container/container.go | 6 ++----
 runsc/sandbox/sandbox.go | 5 +----
 runsc/specutils/specutils.go | 10 ----------
 runsc/test/root/chroot_test.go | 13 ++++--------
 8 files changed, 12 insertions(+), 46 deletions(-)
(limited to 'runsc')

diff --git a/runsc/cmd/boot.go b/runsc/cmd/boot.go
index 7f87b2623..3039b389f 100644
--- a/runsc/cmd/boot.go
+++ b/runsc/cmd/boot.go
@@ -129,7 +129,6 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
 Fatalf("error setting up chroot: %v", err)
 }
 
-specutils.ExePath = "/runsc"
 if !b.applyCaps {
 // Remove --setup-root arg to call myself.
 var args []string
diff --git a/runsc/cmd/chroot.go b/runsc/cmd/chroot.go
index ec539a11c..c1acbf26b 100644
--- a/runsc/cmd/chroot.go
+++ b/runsc/cmd/chroot.go
@@ -24,10 +24,6 @@ import (
 "gvisor.googlesource.com/gvisor/runsc/specutils"
 )
 
-// chrootBinPath is the location inside the chroot where the runsc binary will
-// be mounted.
-const chrootBinPath = "/runsc"
-
 // mountInChroot creates the destination mount point in the given chroot and
 // mounts the source.
 func mountInChroot(chroot, src, dst, typ string, flags uint32) error {
@@ -70,10 +66,6 @@ func setUpChroot(pidns bool) error {
 }
 }
 
-if err := mountInChroot(chroot, specutils.ExePath, chrootBinPath, "bind", syscall.MS_BIND|syscall.MS_RDONLY); err != nil {
-return fmt.Errorf("error mounting runsc in chroot: %v", err)
-}
-
 if err := os.Chdir(chroot); err != nil {
 return fmt.Errorf("error changing working directory: %v", err)
 }
diff --git a/runsc/cmd/cmd.go b/runsc/cmd/cmd.go
index fbfc18fc9..208cf5304 100644
--- a/runsc/cmd/cmd.go
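Review bot: Nothing in the boot.go hunk or in setUpChroot records that, with the `specutils.ExePath = "/runsc"` override and the bind mount both gone, every later re-exec of this process runs `specutils.ExePath` from inside a chroot that this commit's test expects to contain only /proc. That only works if ExePath points through procfs (e.g. /proc/self/exe — its definition is not on this page), which turns the /proc mount in setUpChroot into a hard prerequisite for setCapsAndCallSelf and callSelfAsNobody rather than a convenience. Suggest a comment where the bind mount was removed in the chroot.go setUpChroot hunk: `// The runsc binary is deliberately not mounted into the chroot; later re-execs use specutils.ExePath, which must stay reachable through /proc after the chroot.` Both Boot.Execute and setUpChroot extend beyond their hunks.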
+++ b/runsc/cmd/cmd.go
@@ -80,13 +80,10 @@ func setCapsAndCallSelf(args []string, caps *specs.LinuxCapabilities) error {
 if err := applyCaps(caps); err != nil {
 return fmt.Errorf("applyCaps() failed: %v", err)
 }
-binPath, err := specutils.BinPath()
-if err != nil {
-return err
-}
+binPath := specutils.ExePath
 
 log.Infof("Execve %q again, bye!", binPath)
-err = syscall.Exec(binPath, args, []string{})
+err := syscall.Exec(binPath, args, []string{})
 return fmt.Errorf("error executing %s: %v", binPath, err)
 }
 
@@ -105,7 +102,7 @@ func callSelfAsNobody(args []string) error {
 return fmt.Errorf("error setting gid: %v", err)
 }
 
-binPath := "/runsc"
+binPath := specutils.ExePath
 
 log.Infof("Execve %q again, bye!", binPath)
 err := syscall.Exec(binPath, args, []string{})
diff --git a/runsc/cmd/exec.go b/runsc/cmd/exec.go
index 13584d800..9e058ad97 100644
--- a/runsc/cmd/exec.go
+++ b/runsc/cmd/exec.go
@@ -186,10 +186,7 @@ func (ex *Exec) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
 }
 
 func (ex *Exec) execAndWait(waitStatus *syscall.WaitStatus) subcommands.ExitStatus {
-binPath, err := specutils.BinPath()
-if err != nil {
-Fatalf("getting bin path: %v", err)
-}
+binPath := specutils.ExePath
 var args []string
 
 // The command needs to write a pid file so that execAndWait can tell
@@ -219,6 +216,7 @@ func (ex *Exec) execAndWait(waitStatus *syscall.WaitStatus) subcommands.ExitStat
 }
 
 cmd := exec.Command(binPath, args...)
+cmd.Args[0] = "runsc-exec"
 
 // Exec stdio defaults to current process stdio.
 cmd.Stdin = os.Stdin
diff --git a/runsc/container/container.go b/runsc/container/container.go
index 2d4b85d9f..6d88dff7f 100644
--- a/runsc/container/container.go
+++ b/runsc/container/container.go
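Review bot: The path handed to `syscall.Exec` is now the unresolved `specutils.ExePath`, and the BinPath doc comment deleted in the specutils.go hunk said the symlink resolution existed so the process shows up as 'runsc' rather than 'exe'. Linux sets a task's comm from the execve filename, so if ExePath is a procfs link (not visible on this page) the re-exec'd sandbox and nobody processes may now read as 'exe' in ps, auditd and comm-based detection rules; the `cmd.Args[0]` overrides added in exec.go and container.go set argv[0] only and do not cover this, and whether callers of setCapsAndCallSelf and callSelfAsNobody set `args[0]` is not shown. Suggest a comment above the Exec call: `// ExePath is exec'd as-is (no symlink resolution), so the kernel comm reflects the execve path; callers set args[0] for a readable cmdline.` The same applies to the callSelfAsNobody hunk below.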
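Review bot: The new `cmd.Args[0] = "runsc-exec"` line carries no explanation of why argv[0] is rewritten, and the container.go gofer hunk adds the same line with `"runsc-gofer"`. Suggest `// Rewrite argv[0] so exec, gofer and sandbox children are distinguishable in process listings; the binary path itself stays ExePath.` above it, with matching wording in container.go. execAndWait's body continues outside the hunk.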
@@ -818,12 +818,10 @@ func (c *Container) createGoferProcess(spec *specs.Spec, conf *boot.Config, bund
 args = append(args, fmt.Sprintf("--io-fds=%d", nextFD))
 }
 
-binPath, err := specutils.BinPath()
-if err != nil {
-return nil, err
-}
+binPath := specutils.ExePath
 cmd := exec.Command(binPath, args...)
 cmd.ExtraFiles = goferEnds
+cmd.Args[0] = "runsc-gofer"
 
 // Enter new namespaces to isolate from the rest of the system. Don't unshare
 // cgroup because gofer is added to a cgroup in the caller's namespace.
diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go
index 53cb464d2..721a49141 100644
--- a/runsc/sandbox/sandbox.go
+++ b/runsc/sandbox/sandbox.go
@@ -292,10 +292,7 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund
 // starts at 3 because 0, 1, and 2 are taken by stdin/out/err.
 nextFD := 3
 
-binPath, err := specutils.BinPath()
-if err != nil {
-return err
-}
+binPath := specutils.ExePath
 cmd := exec.Command(binPath, conf.ToFlags()...)
 cmd.SysProcAttr = &syscall.SysProcAttr{}
 
diff --git a/runsc/specutils/specutils.go b/runsc/specutils/specutils.go
index 7b0dcf231..4e7893ab4 100644
--- a/runsc/specutils/specutils.go
+++ b/runsc/specutils/specutils.go
@@ -315,16 +315,6 @@ func IsSupportedDevMount(m specs.Mount) bool {
 return true
 }
 
-// BinPath returns the real path to self, resolving symbolink links. This is done
-// to make the process name appears as 'runsc', instead of 'exe'.
-func BinPath() (string, error) {
-binPath, err := filepath.EvalSymlinks(ExePath)
-if err != nil {
-return "", fmt.Errorf(`error resolving %q symlink: %v`, ExePath, err)
-}
-return binPath, nil
-}
-
 const (
 // ContainerdContainerTypeAnnotation is the OCI annotation set by
 // containerd to indicate whether the container to create should have
diff --git a/runsc/test/root/chroot_test.go b/runsc/test/root/chroot_test.go
index 04124703d..89f90c3e0 100644
--- a/runsc/test/root/chroot_test.go
+++ b/runsc/test/root/chroot_test.go
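Review bot: Unlike the exec.go and container.go hunks, the sandbox child built with `exec.Command(binPath, conf.ToFlags()...)` gets no `cmd.Args[0]` override here, so its cmdline will show the raw `specutils.ExePath` value unless that is set elsewhere in createSandboxProcess, which extends beyond the hunk. If it is not, a line such as `cmd.Args[0] = "runsc-sandbox"` next to `cmd.SysProcAttr = &syscall.SysProcAttr{}` would keep the three child processes consistently identifiable to operators and process-monitoring rules.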
@@ -26,8 +26,6 @@ import (
 "os"
 "os/exec"
 "path/filepath"
-"reflect"
-"sort"
 "strconv"
 "strings"
 "testing"
@@ -73,16 +71,13 @@ func TestChroot(t *testing.T) {
 if err != nil {
 t.Fatalf("error listing %q: %v", chroot, err)
 }
-if want, got := 2, len(fi); want != got {
+if want, got := 1, len(fi); want != got {
 t.Fatalf("chroot dir got %d entries, want %d", got, want)
 }
 
-// chroot dir is prepared by runsc and should contains only the executable
-// and /proc.
-files := []string{fi[0].Name(), fi[1].Name()}
-sort.Strings(files)
-if want := []string{"proc", "runsc"}; !reflect.DeepEqual(files, want) {
-t.Errorf("chroot got children %v, want %v", files, want)
+// chroot dir is prepared by runsc and should contains only /proc.
+if fi[0].Name() != "proc" {
+t.Errorf("chroot got children %v, want %v", fi[0].Name(), "proc")
 }
 
 d.CleanUp()
--
cgit v1.2.3
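Review bot: The replacement comment keeps the grammatical slip of the line it replaces; suggest `// chroot dir is prepared by runsc and should contain only /proc.`. The new `t.Errorf` prints two strings with `%v`, where `%q` would make an empty or whitespace-only entry name visible in the failure output: `t.Errorf("chroot got children %q, want %q", fi[0].Name(), "proc")`. TestChroot continues outside the hunk.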