Merge pull request #1085 from smira/sysfs-cgroup-rw-fix

Fix updating /sys/fs/cgroup mount to 'rw'
2019-07-18 14:38:51 -07:00 · 2019-07-18 14:38:51 -07:00 · fd2d8e6339
parent 14a3b815ac df52fc7f9c
commit fd2d8e6339
2 changed files with 45 additions and 5 deletions
--- a/client/client_test.go
+++ b/client/client_test.go
@ -101,6 +101,7 @@ func TestClientIntegration(t *testing.T) {

 	integration.Run(t, []integration.Test{
 		testSecurityMode,
+		testSecurityModeSysfs,
 		testSecurityModeErrors,
 	},
 		mirrors,
@ -481,6 +482,45 @@ func testSecurityMode(t *testing.T, sb integration.Sandbox) {
 	require.NoError(t, err)
 }

+func testSecurityModeSysfs(t *testing.T, sb integration.Sandbox) {
+	if sb.Rootless() {
+		t.SkipNow()
+	}
+
+	mode := llb.SecurityModeSandbox
+	var allowedEntitlements []entitlements.Entitlement
+	secMode := sb.Value("secmode")
+	if secMode == securitySandbox {
+		allowedEntitlements = []entitlements.Entitlement{}
+	} else {
+		mode = llb.SecurityModeInsecure
+		allowedEntitlements = []entitlements.Entitlement{entitlements.EntitlementSecurityInsecure}
+	}
+
+	c, err := New(context.TODO(), sb.Address())
+	require.NoError(t, err)
+	defer c.Close()
+
+	command := `mkdir /sys/fs/cgroup/cpuset/securitytest`
+	st := llb.Image("busybox:latest").
+		Run(llb.Shlex(command),
+			llb.Security(mode))
+
+	def, err := st.Marshal()
+	require.NoError(t, err)
+
+	_, err = c.Solve(context.TODO(), def, SolveOpt{
+		AllowedEntitlements: allowedEntitlements,
+	}, nil)
+
+	if secMode == securitySandbox {
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "exit code: 1")
+	} else {
+		require.NoError(t, err)
+	}
+}
+
 func testSecurityModeErrors(t *testing.T, sb integration.Sandbox) {

 	c, err := New(context.TODO(), sb.Address())
--- a/executor/oci/spec_unix.go
+++ b/executor/oci/spec_unix.go
@ -101,11 +101,11 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou
 	}

 	if meta.SecurityMode == pb.SecurityMode_INSECURE {
-		//make sysfs rw mount for insecure mode.
-		for _, m := range s.Mounts {
-			if m.Type == "sysfs" {
-				m.Options = []string{"nosuid", "noexec", "nodev", "rw"}
-			}
+		if err = oci.WithWriteableCgroupfs(ctx, nil, c, s); err != nil {
+			return nil, nil, err
+		}
+		if err = oci.WithWriteableSysfs(ctx, nil, c, s); err != nil {
+			return nil, nil, err
 		}
 	}