diff options
| author | Dmitry Vyukov <dvyukov@google.com> | 2018-08-08 13:08:13 +0200 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2018-08-08 15:02:25 +0200 |
| commit | 91e4f273d689fc81fe54ee42cf79e81016ba4c04 (patch) | |
| tree | 5479e4f1431d0c1ae907ef2c6fad0f4096d463c8 /pkg/csource | |
| parent | c00da3df66e3212ca3b6ab2a623e9fe5fe6d9e7f (diff) | |
pkg/csource: don't do checkpoint/reset net with setuid sandbox
Missing part of
"executor: don't checkpoint/reset net namespace with setuid sandbox"
Diffstat (limited to 'pkg/csource')
| -rw-r--r-- | pkg/csource/options.go | 45 |
1 files changed, 26 insertions, 19 deletions
diff --git a/pkg/csource/options.go b/pkg/csource/options.go index ce95108e1..a43774bf6 100644 --- a/pkg/csource/options.go +++ b/pkg/csource/options.go @@ -53,9 +53,28 @@ func (opts Options) Check(OS string) error { // Collide requires threaded. return errors.New("Collide without Threaded") } - if !opts.Repeat && opts.Procs > 1 { - // This does not affect generated code. - return errors.New("Procs>1 without Repeat") + if !opts.Repeat { + if opts.Procs > 1 { + // This does not affect generated code. + return errors.New("Procs>1 without Repeat") + } + if opts.ResetNet { + return errors.New("ResetNet without Repeat") + } + if opts.RepeatTimes > 1 { + return errors.New("RepeatTimes without Repeat") + } + } + if opts.Sandbox == "" { + if opts.EnableTun { + return errors.New("EnableTun without sandbox") + } + if opts.EnableCgroups { + return errors.New("EnableCgroups without sandbox") + } + if opts.EnableNetdev { + return errors.New("EnableNetdev without sandbox") + } } if opts.Sandbox == sandboxNamespace && !opts.UseTmpDir { // This is borken and never worked. @@ -63,27 +82,12 @@ func (opts Options) Check(OS string) error { // which will fail if procs>1 and on second run of the program. return errors.New("Sandbox=namespace without UseTmpDir") } - if opts.EnableTun && opts.Sandbox == "" { - return errors.New("EnableTun without sandbox") - } - if opts.EnableCgroups && opts.Sandbox == "" { - return errors.New("EnableCgroups without sandbox") - } if opts.EnableCgroups && !opts.UseTmpDir { return errors.New("EnableCgroups without UseTmpDir") } - if opts.EnableNetdev && opts.Sandbox == "" { - return errors.New("EnableNetdev without sandbox") - } - if opts.ResetNet && opts.Sandbox == "" { + if opts.ResetNet && (opts.Sandbox == "" || opts.Sandbox == sandboxSetuid) { return errors.New("ResetNet without sandbox") } - if opts.ResetNet && !opts.Repeat { - return errors.New("ResetNet without Repeat") - } - if !opts.Repeat && opts.RepeatTimes != 0 && opts.RepeatTimes != 1 { - return errors.New("RepeatTimes without Repeat") - } return opts.checkLinuxOnly(OS) } @@ -133,6 +137,9 @@ func DefaultOpts(cfg *mgrconfig.Config) Options { opts.EnableNetdev = false opts.ResetNet = false } + if cfg.Sandbox == "" || cfg.Sandbox == "setuid" { + opts.ResetNet = false + } if err := opts.Check(cfg.TargetOS); err != nil { panic(fmt.Sprintf("DefaultOpts created bad opts: %v", err)) } |