Start a sandbox process in a new userns only if CAP_SETUID is set

In addition, it fixes a race condition in TestMultiContainerGoferStop.
There are two scripts that copy the same set of files into the same directory,
and sometimes one of these commands fails with EXIST.

PiperOrigin-RevId: 230011247
Change-Id: I9289f72e65dc407cdcd0e6cd632a509e01f43e9c
Andrei Vagin 2019-01-18 16:07:28 -08:00 committed by Shentubot
parent c063a1350f
commit c0a981629c
2 changed files with 9 additions and 8 deletions


@ -739,11 +739,6 @@ func TestMultiContainerGoferStop(t *testing.T) {
t.Fatal("error finding test_app:", err) t.Fatal("error finding test_app:", err)
} }
dir, err := ioutil.TempDir(testutil.TmpDir(), "gofer-stop-test")
if err != nil {
t.Fatal("ioutil.TempDir failed:", err)
}
// Setup containers. Root container just reaps children, while the others // Setup containers. Root container just reaps children, while the others
// perform some IOs. Children are executed in 3 batches of 10. Within the // perform some IOs. Children are executed in 3 batches of 10. Within the
// batch there is overlap between containers starting and being destroyed. In // batch there is overlap between containers starting and being destroyed. In
@ -751,6 +746,12 @@ func TestMultiContainerGoferStop(t *testing.T) {
cmds := [][]string{{app, "reaper"}} cmds := [][]string{{app, "reaper"}}
const batchSize = 10 const batchSize = 10
for i := 0; i < 3*batchSize; i++ { for i := 0; i < 3*batchSize; i++ {
dir, err := ioutil.TempDir(testutil.TmpDir(), "gofer-stop-test")
if err != nil {
t.Fatal("ioutil.TempDir failed:", err)
}
defer os.RemoveAll(dir)
cmd := "find /bin -type f | head | xargs -I SRC cp SRC " + dir cmd := "find /bin -type f | head | xargs -I SRC cp SRC " + dir
cmds = append(cmds, []string{"sh", "-c", cmd}) cmds = append(cmds, []string{"sh", "-c", cmd})
} }
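Review bot: The loop body now creates one directory per container, but nothing in the code records why, so a later cleanup could fold the 30 directories back into a single shared one and reintroduce the EEXIST collision the commit message describes; a short comment above the `ioutil.TempDir` call would pin the intent, e.g. `// Each container copies into its own directory: with a shared target, concurrent cp invocations race and fail with EEXIST.` The `defer os.RemoveAll(dir)` inside the loop accumulates one deferred removal per iteration that only runs when the test function returns, which appears intended here since the containers run until the test ends, but that is worth stating in the same comment so nobody "fixes" it into a per-iteration cleanup. TestMultiContainerGoferStop's body continues outside the hunk.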


@ -500,15 +500,15 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund
return fmt.Errorf("can't run sandbox process in minimal chroot since we don't have CAP_SYS_ADMIN") return fmt.Errorf("can't run sandbox process in minimal chroot since we don't have CAP_SYS_ADMIN")
} }
} else { } else {
log.Infof("Sandbox will be started in new user namespace")
nss = append(nss, specs.LinuxNamespace{Type: specs.UserNamespace})
// If we have CAP_SETUID and CAP_SETGID, then we can also run // If we have CAP_SETUID and CAP_SETGID, then we can also run
// as user nobody. // as user nobody.
if conf.TestOnlyAllowRunAsCurrentUserWithoutChroot { if conf.TestOnlyAllowRunAsCurrentUserWithoutChroot {
log.Warningf("Running sandbox in test mode as current user (uid=%d gid=%d). This is only safe in tests!", os.Getuid(), os.Getgid()) log.Warningf("Running sandbox in test mode as current user (uid=%d gid=%d). This is only safe in tests!", os.Getuid(), os.Getgid())
log.Warningf("Running sandbox in test mode without chroot. This is only safe in tests!") log.Warningf("Running sandbox in test mode without chroot. This is only safe in tests!")
} else if specutils.HasCapabilities(capability.CAP_SETUID, capability.CAP_SETGID) { } else if specutils.HasCapabilities(capability.CAP_SETUID, capability.CAP_SETGID) {
log.Infof("Sandbox will be started in new user namespace")
nss = append(nss, specs.LinuxNamespace{Type: specs.UserNamespace})
// Map nobody in the new namespace to nobody in the parent namespace. // Map nobody in the new namespace to nobody in the parent namespace.
// //
// A sandbox process will construct an empty // A sandbox process will construct an empty