From e4d3ca7263291b43cdc49c7553c62608be062cd9 Mon Sep 17 00:00:00 2001
From: Fabricio Voznika
Date: Wed, 16 Jan 2019 12:47:21 -0800
Subject: Prevent internal tmpfs mount to override files in /tmp

Runsc wants to mount /tmp using internal tmpfs implementation for performance. However, it risks hiding files that may exist under /tmp in case it's present in the container. Now, it only mounts over /tmp iff:
- /tmp was not explicitly asked to be mounted
- /tmp is empty
If any of this is not true, then /tmp maps to the container's image /tmp. Note: checkpoint doesn't have sentry FS mounted to check if /tmp is empty. It simply looks for explicit mounts right now.

PiperOrigin-RevId: 229607856
Change-Id: I10b6dae7ac157ef578efc4dfceb089f3b94cde06
---
 test/syscalls/BUILD                  | 1 +
 test/syscalls/syscall_test_runner.go | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
(limited to 'test')

diff --git a/test/syscalls/BUILD b/test/syscalls/BUILD
index 674e4b5b1..c46ac77f7 100644
--- a/test/syscalls/BUILD
+++ b/test/syscalls/BUILD
@@ -538,6 +538,7 @@ go_binary(
         "//runsc/specutils",
         "//runsc/test/testutil",
         "//test/syscalls/gtest",
+        "@com_github_opencontainers_runtime-spec//specs-go:go_default_library",
         "@org_golang_x_sys//unix:go_default_library",
     ],
 )
diff --git a/test/syscalls/syscall_test_runner.go b/test/syscalls/syscall_test_runner.go
index 1f2ff9864..e5c2358a0 100644
--- a/test/syscalls/syscall_test_runner.go
+++ b/test/syscalls/syscall_test_runner.go
@@ -29,6 +29,7 @@ import (
 	"syscall"
 	"testing"
 
+	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"golang.org/x/sys/unix"
 	"gvisor.googlesource.com/gvisor/pkg/log"
 	"gvisor.googlesource.com/gvisor/runsc/specutils"
@@ -107,7 +108,12 @@ func runTestCaseRunsc(testBin string, tc gtest.TestCase, t *testing.T) {
 	// Mark the root as writeable, as some tests attempt to
 	// write to the rootfs, and expect EACCES, not EROFS.
 	spec.Root.Readonly = false
-	spec.Mounts = nil
+
+	// Forces '/tmp' to be mounted as tmpfs, otherwise test that rely on features
+	// available in gVisor's tmpfs and not gofers, may fail.
+	spec.Mounts = []specs.Mount{
+		{Destination: "/tmp", Type: "tmpfs"},
+	}
 
 	// Set environment variable that indicates we are
 	// running in gVisor and with the given platform.
-- cgit v1.2.3
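Review bot: The comment above the new `spec.Mounts` assignment does not say why an explicit mount is now required, which is the one thing a later maintainer needs to know before "simplifying" it back to `spec.Mounts = nil`; per the commit message runsc now only places its internal tmpfs over /tmp when no mount was requested and the directory is empty, so the comment should read `// Request a tmpfs mount on '/tmp' explicitly: runsc no longer mounts its internal tmpfs over /tmp unless asked, and tests that rely on features available in gVisor's tmpfs and not gofers may fail otherwise.` (this also fixes the "test that rely" typo). It is worth stating in the same comment that this assignment intentionally discards every other mount from the generated spec, since that is what the removed `spec.Mounts = nil` did and the new literal preserves it implicitly. The `specs.Mount` literal carries no `Options`, so the mode and nosuid/nodev flags of the resulting /tmp are whatever runsc defaults to for an explicit tmpfs; if any test depends on the usual 1777 sticky /tmp, that presumably needs to be spelled out in `Options` — worth confirming against the runtime. runTestCaseRunsc starts and ends outside the hunk.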