diff --git a/libcontainer/cgroups/utils.go b/libcontainer/cgroups/utils.go
index c7c460ac..f58e717f 100644
--- a/libcontainer/cgroups/utils.go
+++ b/libcontainer/cgroups/utils.go
@@ -59,6 +59,7 @@ func FindCgroupMountpointDir() (string, error) {
 type Mount struct {
 Mountpoint string
+ Root string
 Subsystems []string
 }
@@ -89,7 +90,7 @@ func GetCgroupMounts() ([]Mount, error) {
 res := []Mount{}
 for _, mount := range mounts {
 if mount.Fstype == "cgroup" {
- m := Mount{Mountpoint: mount.Mountpoint}
+ m := Mount{Mountpoint: mount.Mountpoint, Root: mount.Root}
 for _, opt := range strings.Split(mount.VfsOpts, ",") {
 if strings.HasPrefix(opt, cgroupNamePrefix) {
diff --git a/libcontainer/integration/exec_test.go b/libcontainer/integration/exec_test.go
index 88118638..ae7ecc41 100644
--- a/libcontainer/integration/exec_test.go
+++ b/libcontainer/integration/exec_test.go
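Review bot: The new exported field `Root` on `Mount` carries no comment, and nothing on the struct says whether it is a filesystem path or the root of the cgroup hierarchy that the mount exposes, which is the distinction callers need when they later join paths against it. I would add `// Root is the root of the cgroup hierarchy this mount exposes, as reported by mountinfo (not necessarily "/").` above the field. The second hunk of this file fills it from `mount.Root` inside `GetCgroupMounts`; presumably `mounts` is parsed from mountinfo, so the comment should say so only if that is confirmed.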
@@ -819,3 +819,72 @@ func TestSeccompNoChown(t *testing.T) {
 t.Fatalf("running chown should result in an EPERM but got %q", s)
 }
 }
+
+func TestMountCgroupRO(t *testing.T) {
+ if testing.Short() {
+ return
+ }
+ rootfs, err := newRootfs()
+ ok(t, err)
+ defer remove(rootfs)
+ config := newTemplateConfig(rootfs)
+
+ config.Mounts = append(config.Mounts, &configs.Mount{
+ Destination: "/sys/fs/cgroup",
+ Device: "cgroup",
+ Flags: defaultMountFlags | syscall.MS_RDONLY,
+ })
+
+ buffers, exitCode, err := runContainer(config, "", "mount")
+ if err != nil {
+ t.Fatalf("%s: %s", buffers, err)
+ }
+ if exitCode != 0 {
+ t.Fatalf("exit code not 0. code %d stderr %q", exitCode, buffers.Stderr)
+ }
+ mountInfo := buffers.Stdout.String()
+ lines := strings.Split(mountInfo, "\n")
+ for _, l := range lines {
+ if !strings.HasPrefix(l, "cgroup") {
+ continue
+ }
+ if !strings.Contains(l, "ro,nosuid,nodev,noexec") {
+ t.Fatalf("Mode expected to contain 'ro,nosuid,nodev,noexec': %s", l)
+ }
+ }
+}
+
+func TestMountCgroupRW(t *testing.T) {
+ t.Skip("This test is screwed because of dind")
+ if testing.Short() {
+ return
+ }
+ rootfs, err := newRootfs()
+ ok(t, err)
+ defer remove(rootfs)
+ config := newTemplateConfig(rootfs)
+
+ config.Mounts = append(config.Mounts, &configs.Mount{
+ Destination: "/sys/fs/cgroup",
+ Device: "cgroup",
+ Flags: defaultMountFlags,
+ })
+
+ buffers, exitCode, err := runContainer(config, "", "mount")
+ if err != nil {
+ t.Fatalf("%s: %s", buffers, err)
+ }
+ if exitCode != 0 {
+ t.Fatalf("exit code not 0. code %d stderr %q", exitCode, buffers.Stderr)
+ }
+ mountInfo := buffers.Stdout.String()
+ lines := strings.Split(mountInfo, "\n")
+ for _, l := range lines {
+ if !strings.HasPrefix(l, "cgroup") {
+ continue
+ }
+ if !strings.Contains(l, "rw,nosuid,nodev,noexec") {
+ t.Fatalf("Mode expected to contain 'rw,nosuid,nodev,noexec': %s", l)
+ }
+ }
+}
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 8a9e38a2..a211d8de 100644
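Review bot: TestMountCgroupRO passes vacuously when `mount` prints no line starting with "cgroup", because the loop over `lines` only fails on a cgroup line that lacks the expected options and never records that one was seen, so a regression where the cgroup filesystem is not mounted at all (or appears under another device name) would leave the read-only guarantee unverified. I would add `found := false` before the loop, set `found = true` after the `HasPrefix` check, and finish with `if !found { t.Fatal("no cgroup mount found in mount output") }`. The same applies to TestMountCgroupRW below, which is currently skipped. The two functions differ only in the mount flag and the expected option string, so a shared helper parameterised on those two values would remove the duplicated body; note also that `strings.Contains(l, "ro,nosuid,nodev,noexec")` depends on the option order `mount` happens to print.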
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -180,18 +180,22 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
 if err != nil {
 return err
 }
+ relDir, err := filepath.Rel(mm.Root, dir)
+ if err != nil {
+ return err
+ }
 binds = append(binds, &configs.Mount{
 Device: "bind",
- Source: filepath.Join(mm.Mountpoint, dir),
+ Source: filepath.Join(mm.Mountpoint, relDir),
 Destination: filepath.Join(m.Destination, strings.Join(mm.Subsystems, ",")),
 Flags: syscall.MS_BIND | syscall.MS_REC | m.Flags,
 })
 }
 tmpfs := &configs.Mount{
- Device: "tmpfs",
 Source: "tmpfs",
+ Device: "tmpfs",
 Destination: m.Destination,
- Flags: syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV,
+ Flags: defaultMountFlags,
 }
 if err := mountToRootfs(tmpfs, rootfs, mountLabel); err != nil {
 return err
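Review bot: `filepath.Rel(mm.Root, dir)` only returns an error when no relative path exists; when `dir` is not beneath `mm.Root` it returns a path starting with `..`, and the `filepath.Join(mm.Mountpoint, relDir)` a few lines below then resolves outside the cgroup mountpoint, so the bind source would be a host directory outside the hierarchy the container is meant to see. A guard right after the Rel call, such as `if relDir == ".." || strings.HasPrefix(relDir, "../") { return fmt.Errorf("cgroup path %q is not under mount root %q", dir, mm.Root) }`, rejects that case explicitly (assuming `fmt` is imported in this file; otherwise use an `errors.New`-style message). Whether `dir` can fall outside the mount root in practice depends on how it is obtained earlier in `mountToRootfs`, whose body starts before this hunk and continues after it.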