f3ffa4db52
It's hard to resolve symlinks inside the sandbox because rootfs and mounts may be read-only, forcing us to create mount points inside lower layer of an overlay, **before** the volumes are mounted. Since the destination must already be resolved outside the sandbox when creating mounts, take this opportunity to rewrite the spec with paths resolved. "runsc boot" will use the "resolved" spec to load mounts. In addition, symlink traversals were disabled while mounting containers inside the sandbox. It haven't been able to write a good test for it. So I'm relying on manual tests for now. PiperOrigin-RevId: 217749904 Change-Id: I7ac434d5befd230db1488446cda03300cc0751a9 |
||
|---|---|---|
| .. | ||
| boot | ||
| cgroup | ||
| cmd | ||
| console | ||
| container | ||
| fsgofer | ||
| sandbox | ||
| specutils | ||
| test | ||
| tools/dockercfg | ||
| BUILD | ||
| main.go | ||