From 0abd2ca50660cd3e02404aa66da73408b60b4c1b Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Thu, 18 Jul 2019 01:08:52 +0300
Subject: [PATCH 1/4] Fix updating /sys/fs/cgroup mount to 'rw'

There were two bugs: Mount was matched by Type which is actually `cgroup`, not `sysfs`. And the second problem was that copy of the value was modified, not value in the slice.

Signed-off-by: Andrey Smirnov
---
 executor/oci/spec_unix.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/executor/oci/spec_unix.go b/executor/oci/spec_unix.go
index fb4f34a4..cfd102d9 100644
--- a/executor/oci/spec_unix.go
+++ b/executor/oci/spec_unix.go
@@ -102,9 +102,9 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou
 if meta.SecurityMode == pb.SecurityMode_INSECURE {
 //make sysfs rw mount for insecure mode.
- for _, m := range s.Mounts {
- if m.Type == "sysfs" {
- m.Options = []string{"nosuid", "noexec", "nodev", "rw"}
+ for i, m := range s.Mounts {
+ if m.Destination == "/sys/fs/cgroup" {
+ s.Mounts[i].Options = []string{"nosuid", "noexec", "nodev", "rw"}
 }
 }
 }

From 5dbb31a2129e79603cd467e243db04ed985e8751 Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Thu, 18 Jul 2019 17:34:59 +0300
Subject: [PATCH 2/4] Use oci.With helpers

Signed-off-by: Andrey Smirnov
---
 executor/oci/spec_unix.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/executor/oci/spec_unix.go b/executor/oci/spec_unix.go
index cfd102d9..66a2c440 100644
--- a/executor/oci/spec_unix.go
+++ b/executor/oci/spec_unix.go
@@ -101,11 +101,11 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou
 }
 if meta.SecurityMode == pb.SecurityMode_INSECURE {
- //make sysfs rw mount for insecure mode.
- for i, m := range s.Mounts {
- if m.Destination == "/sys/fs/cgroup" {
- s.Mounts[i].Options = []string{"nosuid", "noexec", "nodev", "rw"}
- }
+ if err = oci.WithWriteableCgroupfs(ctx, nil, c, s); err != nil {
+ return nil, nil, err
+ }
+ if err = oci.WithWriteableSysfs(ctx, nil, c, s); err != nil {
+ return nil, nil, err
 }
 }

From fc9781a77c953cbc0b3a1e949e478263dcec379d Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Thu, 18 Jul 2019 18:52:47 +0300
Subject: [PATCH 3/4] Add test for 'rw' sysfs/cgroup re-mount

Signed-off-by: Andrey Smirnov
---
 client/client_test.go | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/client/client_test.go b/client/client_test.go
index 1de618f6..cfccf00e 100644
--- a/client/client_test.go
+++ b/client/client_test.go
@@ -101,6 +101,7 @@ func TestClientIntegration(t *testing.T) {
 integration.Run(t, []integration.Test{
 testSecurityMode,
+ testSecurityModeSysfs,
 testSecurityModeErrors,
 }, mirrors,
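Review bot: The new code widens what insecure mode grants without saying so: patch 1 only made the cgroup mount rw, whereas the two calls here also remount every sysfs mount rw via `oci.WithWriteableSysfs`, and the hunk drops the only explanatory comment. Add a comment above the first call, e.g. `// Insecure mode runs privileged: remount cgroupfs and sysfs rw so the build can write to them (sandbox mode keeps them read-only).`, and mention the sysfs change in the commit message. Passing `nil` as the client is presumably safe because these helpers only rewrite `s.Mounts`, but that relies on containerd's implementation; a short comment stating that assumption would help the next reader. `err` and `c` are assigned outside the hunk, and GenerateSpec starts and ends outside it.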
@@ -481,6 +482,41 @@ func testSecurityMode(t *testing.T, sb integration.Sandbox) {
 require.NoError(t, err)
 }
+func testSecurityModeSysfs(t *testing.T, sb integration.Sandbox) {
+ mode := llb.SecurityModeSandbox
+ var allowedEntitlements []entitlements.Entitlement
+ secMode := sb.Value("secmode")
+ if secMode == securitySandbox {
+ allowedEntitlements = []entitlements.Entitlement{}
+ } else {
+ mode = llb.SecurityModeInsecure
+ allowedEntitlements = []entitlements.Entitlement{entitlements.EntitlementSecurityInsecure}
+ }
+
+ c, err := New(context.TODO(), sb.Address())
+ require.NoError(t, err)
+ defer c.Close()
+
+ command := `mkdir /sys/fs/cgroup/cpuset/securitytest`
+ st := llb.Image("busybox:latest").
+ Run(llb.Shlex(command),
+ llb.Security(mode))
+
+ def, err := st.Marshal()
+ require.NoError(t, err)
+
+ _, err = c.Solve(context.TODO(), def, SolveOpt{
+ AllowedEntitlements: allowedEntitlements,
+ }, nil)
+
+ if secMode == securitySandbox || sb.Rootless() {
+ require.Error(t, err)
+ require.Contains(t, err.Error(), "exit code: 1")
+ } else {
+ require.NoError(t, err)
+ }
+}
+
 func testSecurityModeErrors(t *testing.T, sb integration.Sandbox) {
 c, err := New(context.TODO(), sb.Address())

From df52fc7f9c18fa7ffd8f73e29ad36d9d50a372cb Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Thu, 18 Jul 2019 22:50:53 +0300
Subject: [PATCH 4/4] Skip test in rootless mode

Signed-off-by: Andrey Smirnov
---
 client/client_test.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/client/client_test.go b/client/client_test.go
index cfccf00e..fbf4560b 100644
--- a/client/client_test.go
+++ b/client/client_test.go
@@ -483,6 +483,10 @@ func testSecurityMode(t *testing.T, sb integration.Sandbox) {
 }
 func testSecurityModeSysfs(t *testing.T, sb integration.Sandbox) {
+ if sb.Rootless() {
+ t.SkipNow()
+ }
+
 mode := llb.SecurityModeSandbox
 var allowedEntitlements []entitlements.Entitlement
 secMode := sb.Value("secmode")
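Review bot: The test is not repeatable in insecure mode: `mkdir /sys/fs/cgroup/cpuset/securitytest` creates a real cgroup on the host, so a second run against the same host fails with "File exists" (exit code 1) and `require.NoError` trips. Tear it down in the same command so the host is left as found, e.g. change the command to `mkdir /sys/fs/cgroup/cpuset/securitytest && rmdir /sys/fs/cgroup/cpuset/securitytest`; with `&&` the sandbox-mode assertion on exit code 1 is unchanged. The path also assumes a cgroup v1 hierarchy with a mounted cpuset controller, so the insecure branch fails on hosts without one; a comment stating that precondition next to `command` would help. Although the subject says sysfs/cgroup, nothing here writes to a plain sysfs path, so the sysfs remount stays untested.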
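Review bot: `t.SkipNow()` records no reason, so a skipped run gives no hint why rootless is excluded and the commit message only says that it is. Prefer `t.Skip("rootless: <reason the cgroup mount cannot be remounted rw>")` with the real reason filled in. The rest of testSecurityModeSysfs continues outside the hunk.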
@@ -509,7 +513,7 @@ func testSecurityModeSysfs(t *testing.T, sb integration.Sandbox) {
 AllowedEntitlements: allowedEntitlements,
 }, nil)
- if secMode == securitySandbox || sb.Rootless() {
+ if secMode == securitySandbox {
 require.Error(t, err)
 require.Contains(t, err.Error(), "exit code: 1")
 } else {