From b44699c5299bb0fc1b16d25a9ac2250cf0a7446d Mon Sep 17 00:00:00 2001 From: Shijiang Wei Date: Mon, 28 Jan 2019 17:19:18 -0800 Subject: check isRootNS by ns inode Signed-off-by: Shijiang Wei Change-Id: I032f834edae5c716fb2d3538285eec07aa11a902 PiperOrigin-RevId: 231318438 --- runsc/sandbox/network.go | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) (limited to 'runsc') diff --git a/runsc/sandbox/network.go b/runsc/sandbox/network.go index 8ec320d09..ec0a252d1 100644 --- a/runsc/sandbox/network.go +++ b/runsc/sandbox/network.go @@ -121,16 +121,17 @@ func joinNetNS(nsPath string) (func(), error) { } // isRootNS determines whether we are running in the root net namespace. -// -// TODO: Find a better way to detect root network. -func isRootNS(ifaces []net.Interface) bool { - for _, iface := range ifaces { - if iface.Name == "docker0" { - return true - } +// /proc/sys/net/core/rmem_default only exists in root network namespace. +func isRootNS() (bool, error) { + err := syscall.Access("/proc/sys/net/core/rmem_default", syscall.F_OK) + switch err { + case nil: + return true, nil + case syscall.ENOENT: + return false, nil + default: + return false, fmt.Errorf("failed to access /proc/sys/net/core/rmem_default: %v", err) } - return false - } // createInterfacesAndRoutesFromNS scrapes the interface and routes from the @@ -150,8 +151,13 @@ func createInterfacesAndRoutesFromNS(conn *urpc.Client, nsPath string) error { return fmt.Errorf("querying interfaces: %v", err) } - if isRootNS(ifaces) { - return fmt.Errorf("cannot run in with network enabled in root network namespace") + isRoot, err := isRootNS() + if err != nil { + return err + } + if isRoot { + + return fmt.Errorf("cannot run with network enabled in root network namespace") } // Collect addresses and routes from the interfaces. -- cgit v1.2.3