Commit Graph

117 Commits

Author SHA1 Message Date
Nalin Dahyabhai fa8653314a run: ignore EIO when flushing at the end, avoid double log
When reading the last of the output from a child process, ignore an EIO,
since we already got the HUP indication.

Avoid double-logging errors in our I/O loop when using isolation other
than chroot (spotted by @afbjorklund).

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1273
Approved by: rhatdan
2019-01-12 12:04:54 +00:00
Daniel J Walsh 18309de5b7 Allow cgroups to be passed into chroot, read/only
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1130
Approved by: rhatdan
2018-11-16 02:34:55 +00:00
TomSweeneyRedHat aeac8e9647 Check for empty buildTime in version
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>

Closes: #1107
Approved by: rhatdan
2018-10-19 12:46:52 +00:00
Nalin Dahyabhai 0a971ebeec chroot: set up seccomp and capabilities after supplemental groups
Move the setting of capabilities and the seccomp filter to after we've
set the supplemental groups list and set our primary GID.

Set capabilities after we set the seccomp filter, because we won't be
able to set a filter if we're dropping CAP_SYS_ADMIN.  Set them as the
very last thing before dropping to the runtime UID.  Leave CAP_SETUID in
if we're going to become an unprivileged user, so that we'll be allowed
to switch UIDs -- the capability will be dropped then anyway.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1069
Approved by: rhatdan
2018-10-05 13:03:02 +00:00
Nalin Dahyabhai 289c512c0d chroot: fix capabilities list setup and application
Correctly handle setting capabilities: the Clear() and Apply() methods
on the Capabilities interface take a bitmask of capability kinds, not
specific capability types.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1069
Approved by: rhatdan
2018-10-05 13:03:02 +00:00
Nalin Dahyabhai 0a8af543b2 chroot: only create user namespaces when we know we need them
When running with chroot isolation, only create a new user namespace
when we have mappings to set.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1069
Approved by: rhatdan
2018-10-05 13:03:02 +00:00
Daniel J Walsh ba012ddec6 Move buildah from projectatomic/buildah to containers/buildah
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2018-09-18 08:06:11 -04:00
Nalin Dahyabhai 2358d51e74 chroot: create missing parent directories for volume mounts
When ensuring that the target for a volume mount is present, be sure to
create any leading directories which are also not yet present.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #997
Approved by: rhatdan
2018-09-14 14:11:39 +00:00
Nalin Dahyabhai e4ec46aaa0 stdin: on HUP, read everything
When we're polling to handle stdio for a container, when we detect a HUP
on our stdin, read all that we can from stdin before closing it, instead
of reading only, at most, a single chunk of bytes.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #980
Approved by: rhatdan
2018-09-04 20:08:20 +00:00
Nalin Dahyabhai 347478cccd chroot isolation: chroot() before setting up seccomp
Make the chroot() call before applying a seccomp filter, which might not
allow us to do it.  Add more debugging messages.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #979
Approved by: rhatdan
2018-08-31 13:46:10 +00:00
Nalin Dahyabhai 9175ccea84 chroot: correct a comment
We're specifying the MS_RDONLY flag, so don't suggest that we're doing a
read-write mount.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #923
Approved by: rhatdan
2018-08-10 15:45:26 +00:00
Nalin Dahyabhai ba23b7f106 chroot: bind mount an empty directory for masking
In chroot isolation, when we attempt to mask a directory, use a
read-only bind mount of an empty directory instead of a read-only mount
of a fresh tmpfs with size=0, which is more likely to be denied by
mandatory access controls.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #923
Approved by: rhatdan
2018-08-10 15:45:26 +00:00
Daniel J Walsh 2cafe11229 unshare: make adjusting the OOM score optional
The OOM score adjustment is an optional field in the runtime spec, so
only try to set it if it's set in the spec.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #906
Approved by: rhatdan
2018-08-03 13:24:47 +00:00
Nalin Dahyabhai 35a37f36d3 chroot: handle raising process limits
When using chroot isolation, if we're configured to raise any process
limits above their current values, do so in the grandparent process,
before it transfers execution to a child that it starts in a user
namespace, which won't have the privileges to do so.

The child can still lower resource limits and set limits to the values
that it inherited, so let it continue to do so.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #891
Approved by: rhatdan
2018-08-03 09:02:08 +00:00
Nalin Dahyabhai 3160f5479e chroot: make the resource limits name map module-global
Move the resource limits name map out of the setRlimits() function, and
use it to set up a reverse of the same map in init().

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #891
Approved by: rhatdan
2018-08-03 09:02:08 +00:00
Nalin Dahyabhai 8b9fc6e8b6 Set BUILDAH_ISOLATION=chroot when running unprivileged
When we're run by an unprivileged user, default to BUILDAH_ISOLATION=chroot.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #836
Approved by: rhatdan
2018-08-01 14:04:59 +00:00
Nalin Dahyabhai 38ef1231f2 Add and implement IsolationChroot
Add an IsolationChroot that trades flexibility and isolation for being
able to do what it does in a host environment that's already isolated to
the point where we're not allowed to set up some of that isolation,
producing a result that leans more toward chroot(1) than runc(1) does.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #836
Approved by: rhatdan
2018-08-01 14:04:59 +00:00