From 64745f640c10f478c9c3f647fac594117027db9c Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Tue, 12 Mar 2019 11:32:05 +0100
Subject: pkg/osutil: fix disabling of sandbox

If sandboxing is disabled don't unshare net namespace too.

Update #501
---
 pkg/osutil/osutil_linux.go | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

(limited to 'pkg/osutil/osutil_linux.go')

diff --git a/pkg/osutil/osutil_linux.go b/pkg/osutil/osutil_linux.go
index 1ec37d45f..35e5646fd 100644
--- a/pkg/osutil/osutil_linux.go
+++ b/pkg/osutil/osutil_linux.go
@@ -62,6 +62,10 @@ func removeImmutable(fname string) error {
 }
 
 func Sandbox(cmd *exec.Cmd, user, net bool) error {
+ enabled, uid, gid, err := initSandbox()
+ if err != nil || !enabled {
+ return err
+ }
 if cmd.SysProcAttr == nil {
 cmd.SysProcAttr = new(syscall.SysProcAttr)
 }
@@ -70,15 +74,9 @@ func Sandbox(cmd *exec.Cmd, user, net bool) error {
 syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID
 }
 if user {
- enabled, uid, gid, err := initSandbox()
- if err != nil {
- return err
- }
- if enabled {
- cmd.SysProcAttr.Credential = &syscall.Credential{
- Uid: uid,
- Gid: gid,
- }
+ cmd.SysProcAttr.Credential = &syscall.Credential{
+ Uid: uid,
+ Gid: gid,
 }
 }
 return nil
-- 
cgit mrf-deployment
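Review bot: The added early return `if err != nil || !enabled { return err }` makes Sandbox return nil both when isolation was applied and when it was skipped, so a caller cannot tell that cmd will start with no new namespaces and the parent's credentials. Sandbox is exported and has no doc comment in the hunk; I would add one stating that contract, e.g. `// Sandbox configures cmd to run in new namespaces (net) and under the sandbox uid/gid (user); when sandboxing is disabled it leaves cmd untouched and returns nil.` The same lines also run initSandbox for net-only callers (`user == false`), so an initSandbox error now fails a call that did not depend on it before this change; initSandbox is not shown here, so whether that path can actually fail needs checking. The body of Sandbox continues past the end of this hunk.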
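Review bot: The credential drop under `if user {` now uses uid and gid straight from the initSandbox call at the top of Sandbox, and nothing in view checks them before they go into `syscall.Credential`. If initSandbox could ever return enabled == true with zero values, the child would keep uid 0 while the caller believes privileges were dropped; the helper is not visible here, so this is a question rather than a confirmed defect. A guard before the assignment that returns an error when `uid == 0 || gid == 0` would make the drop fail closed, and a short comment such as `// uid/gid come from initSandbox and are only valid when sandboxing is enabled` would record the dependency. Sandbox starts before this hunk and its closing brace is outside it.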