authorDaniel J Walsh <dwalsh@redhat.com>2018-08-16 06:41:15 -0400
committerAtomic Bot <atomic-devel@projectatomic.io>2018-08-16 17:12:36 +0000
commitd20f3a51463ce75d139dd830e19a173906b0b0cb (patch)
treec4cb4fe0d68ac052149031c590823b033a92fa80 /vendor/github.com/projectatomic/buildah/chroot/run.go
parentc0abfaa7c38a8fc897a4c1f64392ace40a5a10c1 (diff)
switch projectatomic to containers
Need to get some small changes into libpod to pull back into buildah to complete buildah transition. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1270 Approved by: mheon
Diffstat (limited to 'vendor/github.com/projectatomic/buildah/chroot/run.go')
-rw-r--r--vendor/github.com/projectatomic/buildah/chroot/run.go17
1 files changed, 13 insertions, 4 deletions
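--- a/vendor/github.com/projectatomic/buildah/chroot/run.go
+++ b/vendor/github.com/projectatomic/buildah/chroot/run.go
@@ -933,7 +933,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 }
 logrus.Debugf("bind mounted %q to %q", "/dev", filepath.Join(spec.Root.Path, "/dev"))
-// Bind /proc read-write.
+// Bind /proc read-only.
 subProc := filepath.Join(spec.Root.Path, "/proc")
 if err := unix.Mount("/proc", subProc, "bind", procFlags, ""); err != nil {
 if os.IsNotExist(err) {
@@ -1131,6 +1131,15 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 }
 }
+// Create an empty directory for to use for masking directories.
+roEmptyDir := filepath.Join(bundlePath, "empty")
+if len(spec.Linux.MaskedPaths) > 0 {
+if err := os.Mkdir(roEmptyDir, 0700); err != nil {
+return undoBinds, errors.Wrapf(err, "error creating empty directory %q", roEmptyDir)
+}
+removes = append(removes, roEmptyDir)
+}
+
 // Set up any masked paths that we need to. If we're running inside of
 // a container, some of these locations will already be read-only tmpfs
 // filesystems or bind mounted to os.DevNull. If we're not running
@@ -1218,10 +1227,10 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 }
 }
 }
-// The target's a directory, so mount a read-only tmpfs on it.
-roFlags := uintptr(syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_NOEXEC | syscall.MS_RDONLY)
+// The target's a directory, so read-only bind mount an empty directory on it.
+roFlags := uintptr(syscall.MS_BIND | syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_NOEXEC | syscall.MS_RDONLY)
 if !isReadOnly || (hasContent && isAccessible) {
-if err = unix.Mount("none", target, "tmpfs", roFlags, "size=0"); err != nil {
+if err = unix.Mount(roEmptyDir, target, "bind", roFlags, ""); err != nil {
 return undoBinds, errors.Wrapf(err, "error masking directory %q in mount namespace", target)
 }
 if err = unix.Statfs(target, &fs); err != nil {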
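Review bot: The MS_RDONLY, MS_NOSUID, MS_NODEV and MS_NOEXEC bits in the new roFlags are ignored by the kernel on an initial MS_BIND mount (mount(2) documents that only MS_REC survives alongside MS_BIND), so the call `if err = unix.Mount(roEmptyDir, target, "bind", roFlags, ""); err != nil {` leaves the mask with the options of the mount roEmptyDir lives on, whereas the tmpfs mount it replaces honoured those flags directly. The read-only guarantee of the mask therefore rests on a follow-up MS_REMOUNT|MS_BIND pass after the Statfs on the last line of the hunk, which, if present, lies outside the hunk and is worth naming in the comment. I would replace the new comment with `// The target's a directory, so bind mount the empty directory on it. The kernel ignores the RDONLY/NOSUID/NODEV/NOEXEC bits on the initial bind; they only take effect on the remount that follows the Statfs check.`. Note also that roEmptyDir is only created in the second hunk when spec.Linux.MaskedPaths is non-empty, so this branch must remain reachable only for masked paths, which the hunk itself does not show. setupChrootBindMounts begins and ends outside the hunk.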