pkg/osutil: fix disabling of sandbox

If sandboxing is disabled don't unshare net namespace too. Update #501
author: Dmitry Vyukov <dvyukov@google.com> 2019-03-12 11:32:05 +0100
committer: Dmitry Vyukov <dvyukov@google.com> 2019-03-17 18:06:44 +0100
commit: 64745f640c10f478c9c3f647fac594117027db9c (patch)
tree: ca570216982714c8662884310c79e76a8932f701 /pkg/osutil/osutil_linux.go
parent: be406549069f6cb0503bfc5debe551f18a7262d4 (diff)
1 files changed, 7 insertions, 9 deletions
diff --git a/pkg/osutil/osutil_linux.go b/pkg/osutil/osutil_linux.go
index 1ec37d45f..35e5646fd 100644
--- a/pkg/osutil/osutil_linux.go
+++ b/pkg/osutil/osutil_linux.go
@@ -62,6 +62,10 @@ func removeImmutable(fname string) error {
 }
 
 func Sandbox(cmd *exec.Cmd, user, net bool) error {
+	enabled, uid, gid, err := initSandbox()
+	if err != nil || !enabled {
+		return err
+	}
 	if cmd.SysProcAttr == nil {
 		cmd.SysProcAttr = new(syscall.SysProcAttr)
 	}
@@ -70,15 +74,9 @@ func Sandbox(cmd *exec.Cmd, user, net bool) error {
 			syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID
 	}
 	if user {
-		enabled, uid, gid, err := initSandbox()
-		if err != nil {
-			return err
-		}
-		if enabled {
-			cmd.SysProcAttr.Credential = &syscall.Credential{
-				Uid: uid,
-				Gid: gid,
-			}
+		cmd.SysProcAttr.Credential = &syscall.Credential{
+			Uid: uid,
+			Gid: gid,
 		}
 	}
 	return nil
author	Dmitry Vyukov <dvyukov@google.com>	2019-03-12 11:32:05 +0100
committer	Dmitry Vyukov <dvyukov@google.com>	2019-03-17 18:06:44 +0100
commit	64745f640c10f478c9c3f647fac594117027db9c (patch)
tree	ca570216982714c8662884310c79e76a8932f701 /pkg/osutil/osutil_linux.go
parent	be406549069f6cb0503bfc5debe551f18a7262d4 (diff)