Use root abstract socket namespace for exec
PiperOrigin-RevId: 211999211 Change-Id: I5968dd1a8313d3e49bb6e6614e130107495de41d
This commit is contained in:
parent
169e2efc5a
commit
f895cb4d8b
|
@ -106,6 +106,7 @@ func (proc *Proc) Exec(args *ExecArgs, waitStatus *uint32) error {
|
|||
MaxSymlinkTraversals: linux.MaxSymlinkTraversals,
|
||||
UTSNamespace: proc.Kernel.RootUTSNamespace(),
|
||||
IPCNamespace: proc.Kernel.RootIPCNamespace(),
|
||||
AbstractSocketNamespace: proc.Kernel.RootAbstractSocketNamespace(),
|
||||
}
|
||||
ctx := initArgs.NewContext(proc.Kernel)
|
||||
mounter := fs.FileOwnerFromContext(ctx)
|
||||
|
|
|
@ -101,6 +101,7 @@ type Kernel struct {
|
|||
vdso *loader.VDSO
|
||||
rootUTSNamespace *UTSNamespace
|
||||
rootIPCNamespace *IPCNamespace
|
||||
rootAbstractSocketNamespace *AbstractSocketNamespace
|
||||
|
||||
// mounts holds the state of the virtual filesystem. mounts is initially
|
||||
// nil, and must be set by calling Kernel.SetRootMountNamespace before
|
||||
|
@ -201,11 +202,14 @@ type InitKernelArgs struct {
|
|||
// Vdso holds the VDSO and its parameter page.
|
||||
Vdso *loader.VDSO
|
||||
|
||||
// RootUTSNamespace is the root UTS namepsace.
|
||||
// RootUTSNamespace is the root UTS namespace.
|
||||
RootUTSNamespace *UTSNamespace
|
||||
|
||||
// RootIPCNamespace is the root IPC namepsace.
|
||||
// RootIPCNamespace is the root IPC namespace.
|
||||
RootIPCNamespace *IPCNamespace
|
||||
|
||||
// RootAbstractSocketNamespace is the root Abstract Socket namespace.
|
||||
RootAbstractSocketNamespace *AbstractSocketNamespace
|
||||
}
|
||||
|
||||
// Init initialize the Kernel with no tasks.
|
||||
|
@ -231,6 +235,7 @@ func (k *Kernel) Init(args InitKernelArgs) error {
|
|||
k.rootUserNamespace = args.RootUserNamespace
|
||||
k.rootUTSNamespace = args.RootUTSNamespace
|
||||
k.rootIPCNamespace = args.RootIPCNamespace
|
||||
k.rootAbstractSocketNamespace = args.RootAbstractSocketNamespace
|
||||
k.networkStack = args.NetworkStack
|
||||
k.applicationCores = args.ApplicationCores
|
||||
if args.UseHostCores {
|
||||
|
@ -509,6 +514,9 @@ type CreateProcessArgs struct {
|
|||
// IPCNamespace is the initial IPC namespace.
|
||||
IPCNamespace *IPCNamespace
|
||||
|
||||
// AbstractSocketNamespace is the initial Abstract Socket namespace.
|
||||
AbstractSocketNamespace *AbstractSocketNamespace
|
||||
|
||||
// Root optionally contains the dirent that serves as the root for the
|
||||
// process. If nil, the mount namespace's root is used as the process'
|
||||
// root.
|
||||
|
@ -651,7 +659,7 @@ func (k *Kernel) CreateProcess(args CreateProcessArgs) (*ThreadGroup, error) {
|
|||
AllowedCPUMask: sched.NewFullCPUSet(k.applicationCores),
|
||||
UTSNamespace: args.UTSNamespace,
|
||||
IPCNamespace: args.IPCNamespace,
|
||||
AbstractSocketNamespace: NewAbstractSocketNamespace(), // FIXME
|
||||
AbstractSocketNamespace: args.AbstractSocketNamespace,
|
||||
}
|
||||
t, err := k.tasks.NewTask(config)
|
||||
if err != nil {
|
||||
|
@ -839,6 +847,11 @@ func (k *Kernel) RootIPCNamespace() *IPCNamespace {
|
|||
return k.rootIPCNamespace
|
||||
}
|
||||
|
||||
// RootAbstractSocketNamespace returns the root AbstractSocketNamespace.
|
||||
func (k *Kernel) RootAbstractSocketNamespace() *AbstractSocketNamespace {
|
||||
return k.rootAbstractSocketNamespace
|
||||
}
|
||||
|
||||
// RootMountNamespace returns the MountNamespace.
|
||||
func (k *Kernel) RootMountNamespace() *fs.MountNamespace {
|
||||
k.extMu.Lock()
|
||||
|
|
|
@ -143,6 +143,19 @@ func New(spec *specs.Spec, conf *Config, controllerFD int, ioFDs []int, console
|
|||
}
|
||||
tk.SetClocks(time.NewCalibratedClocks())
|
||||
|
||||
if err := enableStrace(conf); err != nil {
|
||||
return nil, fmt.Errorf("failed to enable strace: %v", err)
|
||||
}
|
||||
|
||||
// Create an empty network stack because the network namespace may be empty at
|
||||
// this point. Netns is configured before Run() is called. Netstack is
|
||||
// configured using a control uRPC message. Host network is configured inside
|
||||
// Run().
|
||||
networkStack, err := newEmptyNetworkStack(conf, k)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to create network: %v", err)
|
||||
}
|
||||
|
||||
// Create capabilities.
|
||||
caps, err := specutils.Capabilities(spec.Process.Capabilities)
|
||||
if err != nil {
|
||||
|
@ -163,26 +176,6 @@ func New(spec *specs.Spec, conf *Config, controllerFD int, ioFDs []int, console
|
|||
caps,
|
||||
auth.NewRootUserNamespace())
|
||||
|
||||
// Create user namespace.
|
||||
// TODO: Not clear what domain name should be here. It is
|
||||
// not configurable from runtime spec.
|
||||
utsns := kernel.NewUTSNamespace(spec.Hostname, "", creds.UserNamespace)
|
||||
|
||||
ipcns := kernel.NewIPCNamespace(creds.UserNamespace)
|
||||
|
||||
if err := enableStrace(conf); err != nil {
|
||||
return nil, fmt.Errorf("failed to enable strace: %v", err)
|
||||
}
|
||||
|
||||
// Create an empty network stack because the network namespace may be empty at
|
||||
// this point. Netns is configured before Run() is called. Netstack is
|
||||
// configured using a control uRPC message. Host network is configured inside
|
||||
// Run().
|
||||
networkStack, err := newEmptyNetworkStack(conf, k)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to create network: %v", err)
|
||||
}
|
||||
|
||||
// Initiate the Kernel object, which is required by the Context passed
|
||||
// to createVFS in order to mount (among other things) procfs.
|
||||
if err = k.Init(kernel.InitKernelArgs{
|
||||
|
@ -193,8 +186,9 @@ func New(spec *specs.Spec, conf *Config, controllerFD int, ioFDs []int, console
|
|||
// TODO: use number of logical processors from cgroups.
|
||||
ApplicationCores: uint(runtime.NumCPU()),
|
||||
Vdso: vdso,
|
||||
RootUTSNamespace: utsns,
|
||||
RootIPCNamespace: ipcns,
|
||||
RootUTSNamespace: kernel.NewUTSNamespace(spec.Hostname, "", creds.UserNamespace),
|
||||
RootIPCNamespace: kernel.NewIPCNamespace(creds.UserNamespace),
|
||||
RootAbstractSocketNamespace: kernel.NewAbstractSocketNamespace(),
|
||||
}); err != nil {
|
||||
return nil, fmt.Errorf("error initializing kernel: %v", err)
|
||||
}
|
||||
|
@ -244,7 +238,7 @@ func New(spec *specs.Spec, conf *Config, controllerFD int, ioFDs []int, console
|
|||
log.Infof("Panic signal set to %v(%d)", ps, conf.PanicSignal)
|
||||
}
|
||||
|
||||
procArgs, err := newProcess(spec, creds, utsns, ipcns, k)
|
||||
procArgs, err := newProcess(spec, creds, k)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to create root process: %v", err)
|
||||
}
|
||||
|
@ -265,7 +259,7 @@ func New(spec *specs.Spec, conf *Config, controllerFD int, ioFDs []int, console
|
|||
}
|
||||
|
||||
// newProcess creates a process that can be run with kernel.CreateProcess.
|
||||
func newProcess(spec *specs.Spec, creds *auth.Credentials, utsns *kernel.UTSNamespace, ipcns *kernel.IPCNamespace, k *kernel.Kernel) (kernel.CreateProcessArgs, error) {
|
||||
func newProcess(spec *specs.Spec, creds *auth.Credentials, k *kernel.Kernel) (kernel.CreateProcessArgs, error) {
|
||||
// Create initial limits.
|
||||
ls, err := createLimitSet(spec)
|
||||
if err != nil {
|
||||
|
@ -281,8 +275,9 @@ func newProcess(spec *specs.Spec, creds *auth.Credentials, utsns *kernel.UTSName
|
|||
Umask: 0022,
|
||||
Limits: ls,
|
||||
MaxSymlinkTraversals: linux.MaxSymlinkTraversals,
|
||||
UTSNamespace: utsns,
|
||||
IPCNamespace: ipcns,
|
||||
UTSNamespace: k.RootUTSNamespace(),
|
||||
IPCNamespace: k.RootIPCNamespace(),
|
||||
AbstractSocketNamespace: k.RootAbstractSocketNamespace(),
|
||||
}
|
||||
return procArgs, nil
|
||||
}
|
||||
|
@ -421,12 +416,7 @@ func (l *Loader) startContainer(k *kernel.Kernel, spec *specs.Spec, conf *Config
|
|||
// TODO New containers should be started in new PID namespaces
|
||||
// when indicated by the spec.
|
||||
|
||||
procArgs, err := newProcess(
|
||||
spec,
|
||||
creds,
|
||||
l.k.RootUTSNamespace(),
|
||||
l.k.RootIPCNamespace(),
|
||||
l.k)
|
||||
procArgs, err := newProcess(spec, creds, l.k)
|
||||
if err != nil {
|
||||
return 0, fmt.Errorf("failed to create new process: %v", err)
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue