Make the gofer process enter namespaces
This is done to further isolate the gofer from the host. PiperOrigin-RevId: 216790991 Change-Id: Ia265b77e4e50f815d08f743a05669f9d75ad7a6f
parent
3bc5e6482b
commit
f074f0c2c7
|
@ -726,11 +726,21 @@ func (c *Container) createGoferProcess(spec *specs.Spec, conf *boot.Config, bund
|
||||||
cmd := exec.Command(binPath, args...)
|
cmd := exec.Command(binPath, args...)
|
||||||
cmd.ExtraFiles = goferEnds
|
cmd.ExtraFiles = goferEnds
|
||||||
|
|
||||||
|
// Enter new namespaces to isolate from the rest of the system. Don't unshare
|
||||||
|
// cgroup because gofer is added to a cgroup in the caller's namespace.
|
||||||
|
nss := []specs.LinuxNamespace{
|
||||||
|
{Type: specs.IPCNamespace},
|
||||||
|
{Type: specs.MountNamespace},
|
||||||
|
{Type: specs.NetworkNamespace},
|
||||||
|
{Type: specs.PIDNamespace},
|
||||||
|
{Type: specs.UTSNamespace},
|
||||||
|
}
|
||||||
|
|
||||||
// Setup any uid/gid mappings, and create or join the configured user
|
// Setup any uid/gid mappings, and create or join the configured user
|
||||||
// namespace so the gofer's view of the filesystem aligns with the
|
// namespace so the gofer's view of the filesystem aligns with the
|
||||||
// users in the sandbox.
|
// users in the sandbox.
|
||||||
|
nss = append(nss, specutils.FilterNS([]specs.LinuxNamespaceType{specs.UserNamespace}, spec)...)
|
||||||
specutils.SetUIDGIDMappings(cmd, spec)
|
specutils.SetUIDGIDMappings(cmd, spec)
|
||||||
nss := specutils.FilterNS([]specs.LinuxNamespaceType{specs.UserNamespace}, spec)
|
|
||||||
|
|
||||||
// Start the gofer in the given namespace.
|
// Start the gofer in the given namespace.
|
||||||
log.Debugf("Starting gofer: %s %v", binPath, args)
|
log.Debugf("Starting gofer: %s %v", binPath, args)
|
||||||
|
|
|
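Review bot: The comment above the new `nss` list promises isolation from the rest of the system, but unsharing a mount namespace copies the caller's mount tree together with its propagation flags, so any mount the gofer performs under a `shared` mount still propagates back to the host; the comment should either state that the gofer never mounts, or the namespace-entry code (outside this hunk) should make the tree private before the gofer runs. The network namespace is the one unshared namespace that needs no extra setup, because the gofer's channel appears to be the already-open `goferEnds` descriptors passed through `cmd.ExtraFiles` — that is inferred from this hunk and worth recording in the comment, e.g. `// NetworkNamespace is safe to unshare: the gofer only talks over the inherited goferEnds FDs.` createGoferProcess continues past the hunk, including the place where `nss` is consumed.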
@ -408,12 +408,14 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund
|
||||||
cmd.SysProcAttr.Setsid = true
|
cmd.SysProcAttr.Setsid = true
|
||||||
|
|
||||||
// nss is the set of namespaces to join or create before starting the sandbox
|
// nss is the set of namespaces to join or create before starting the sandbox
|
||||||
// process. IPC and UTS namespaces from the host are not used as they
|
// process. Mount, IPC and UTS namespaces from the host are not used as they
|
||||||
// are virtualized inside the sandbox. Be paranoid and run inside an empty
|
// are virtualized inside the sandbox. Be paranoid and run inside an empty
|
||||||
// namespace for these.
|
// namespace for these. Don't unshare cgroup because sandbox is added to a
|
||||||
log.Infof("Sandbox will be started in new IPC and UTS namespaces")
|
// cgroup in the caller's namespace.
|
||||||
|
log.Infof("Sandbox will be started in new mount, IPC and UTS namespaces")
|
||||||
nss := []specs.LinuxNamespace{
|
nss := []specs.LinuxNamespace{
|
||||||
{Type: specs.IPCNamespace},
|
{Type: specs.IPCNamespace},
|
||||||
|
{Type: specs.MountNamespace},
|
||||||
{Type: specs.UTSNamespace},
|
{Type: specs.UTSNamespace},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -426,9 +428,6 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund
|
||||||
nss = append(nss, specs.LinuxNamespace{Type: specs.PIDNamespace})
|
nss = append(nss, specs.LinuxNamespace{Type: specs.PIDNamespace})
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Infof("Sandbox will be started in new mount namespace")
|
|
||||||
nss = append(nss, specs.LinuxNamespace{Type: specs.MountNamespace})
|
|
||||||
|
|
||||||
// Joins the network namespace if network is enabled. the sandbox talks
|
// Joins the network namespace if network is enabled. the sandbox talks
|
||||||
// directly to the host network, which may have been configured in the
|
// directly to the host network, which may have been configured in the
|
||||||
// namespace.
|
// namespace.
|
||||||
|
@ -440,9 +439,9 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund
|
||||||
nss = append(nss, specs.LinuxNamespace{Type: specs.NetworkNamespace})
|
nss = append(nss, specs.LinuxNamespace{Type: specs.NetworkNamespace})
|
||||||
}
|
}
|
||||||
|
|
||||||
// User namespace depends on the following options:
|
// User namespace depends on the network type. Host network requires to run
|
||||||
// - Host network/filesystem: requires to run inside the user namespace
|
// inside the user namespace specified in the spec or the current namespace
|
||||||
// specified in the spec or the current namespace if none is configured.
|
// if none is configured.
|
||||||
if conf.Network == boot.NetworkHost {
|
if conf.Network == boot.NetworkHost {
|
||||||
if userns, ok := specutils.GetNS(specs.UserNamespace, spec); ok {
|
if userns, ok := specutils.GetNS(specs.UserNamespace, spec); ok {
|
||||||
log.Infof("Sandbox will be started in container's user namespace: %+v", userns)
|
log.Infof("Sandbox will be started in container's user namespace: %+v", userns)
|
||||||
|
|
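Review bot: The rewritten comment in the last hunk now says the user namespace depends only on the network type, silently dropping the filesystem case the old text listed; a reader who does not know this commit cannot tell whether that requirement was removed or moved. Since the gofer now joins the spec's user namespace itself in createGoferProcess, add one line pointing there, e.g. `// The filesystem case is handled by the gofer, which joins the spec's user namespace in createGoferProcess.`. The mount-namespace move in the first hunk of this file keeps the old unconditional behaviour, so nothing else needs raising; the `if conf.Network == boot.NetworkHost` block continues beyond the hunk.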