github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-15 22:53:43 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #2375 from sameo/upstream/topic/process-cwd

Browse Source 
agent: Create the process CWD when it does not exist
This commit is contained in:
Chelsea Mafrica 2021-08-04 11:35:11 -07:00 committed by GitHub
commit eac05ad6d6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/agent/rustjail/src/container.rs
View File

@ -561,7 +561,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
}
if to_new.contains(CloneFlags::CLONE_NEWNS) {
mount::finish_rootfs(cfd_log, &spec)?;
mount::finish_rootfs(cfd_log, &spec, &oci_process)?;
}
if !oci_process.cwd.is_empty() {

17
src/agent/rustjail/src/mount.rs
View File

@ -13,7 +13,7 @@ use nix::mount::{MntFlags, MsFlags};
use nix::sys::stat::{self, Mode, SFlag};
use nix::unistd::{self, Gid, Uid};
use nix::NixPath;
use oci::{LinuxDevice, Mount, Spec};
use oci::{LinuxDevice, Mount, Process, Spec};
use std::collections::{HashMap, HashSet};
use std::fs::{self, OpenOptions};
use std::mem::MaybeUninit;
@ -902,10 +902,21 @@ fn bind_dev(dev: &LinuxDevice) -> Result<()> {
Ok(())
}
pub fn finish_rootfs(cfd_log: RawFd, spec: &Spec) -> Result<()> {
pub fn finish_rootfs(cfd_log: RawFd, spec: &Spec, process: &Process) -> Result<()> {
let olddir = unistd::getcwd()?;
log_child!(cfd_log, "old cwd: {}", olddir.to_str().unwrap());
unistd::chdir("/")?;
if !process.cwd.is_empty() {
// Although the process.cwd string can be unclean/malicious (../../dev, etc),
// we are running on our own mount namespace and we just chrooted into the
// container's root. It's safe to create CWD from there.
log_child!(cfd_log, "Creating CWD {}", process.cwd.as_str());
// Unconditionally try to create CWD, create_dir_all will not fail if
// it already exists.
fs::create_dir_all(process.cwd.as_str())?;
}
if spec.linux.is_some() {
let linux = spec.linux.as_ref().unwrap();
@ -1211,7 +1222,7 @@ mod tests {
options: vec!["ro".to_string(), "shared".to_string()],
}];
let ret = finish_rootfs(stdout_fd, &spec);
let ret = finish_rootfs(stdout_fd, &spec, &oci::Process::default());
assert!(ret.is_ok(), "Should pass. Got: {:?}", ret);
}