Merge pull request #988 from AkihiroSuda/fix-no-process-sandbox

executor/oci: remove /proc masks for NoProcessSandBox mode
2019-05-08 10:09:14 -07:00 · 2019-05-08 10:09:14 -07:00 · 95660b215e
parent 6422157090 38d16c97cf
commit 95660b215e
1 changed files with 17 additions and 0 deletions
--- a/executor/oci/spec_unix.go
+++ b/executor/oci/spec_unix.go
@ -95,6 +95,23 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou
 		Options:     []string{"ro", "nosuid", "noexec", "nodev"},
 	})

+	if processMode == NoProcessSandbox {
+		var maskedPaths []string
+		for _, s := range s.Linux.MaskedPaths {
+			if !hasPrefix(s, "/proc") {
+				maskedPaths = append(maskedPaths, s)
+			}
+		}
+		s.Linux.MaskedPaths = maskedPaths
+		var readonlyPaths []string
+		for _, s := range s.Linux.ReadonlyPaths {
+			if !hasPrefix(s, "/proc") {
+				readonlyPaths = append(readonlyPaths, s)
+			}
+		}
+		s.Linux.ReadonlyPaths = readonlyPaths
+	}
+
 	if meta.SecurityMode == pb.SecurityMode_INSECURE {
 		//make sysfs rw mount for insecure mode.
 		for _, m := range s.Mounts {