diff --git a/container/container.go b/container/container.go
index 7f2d9b9..efbfc21 100644
--- a/container/container.go
+++ b/container/container.go
@@ -113,11 +113,6 @@ func (p *Container) Start() error {
 	ctx, cancel := context.WithCancel(p.ctx)
 	p.cancel = cancel
 
-	var cloneFlags uintptr = CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWCGROUP
-	if !p.HostNet {
-		cloneFlags |= CLONE_NEWNET
-	}
-
 	// map to overflow id to work around ownership checks
 	if p.Uid < 1 {
 		p.Uid = OverflowUid()
@@ -149,9 +144,10 @@ func (p *Container) Start() error {
 	}
 	p.cmd.Dir = "/"
 	p.cmd.SysProcAttr = &SysProcAttr{
-		Setsid:     !p.RetainSession,
-		Pdeathsig:  SIGKILL,
-		Cloneflags: cloneFlags | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS,
+		Setsid:    !p.RetainSession,
+		Pdeathsig: SIGKILL,
+		Cloneflags: CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS |
+			CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWCGROUP,
 		// remain privileged for setup
 		AmbientCaps: []uintptr{CAP_SYS_ADMIN, CAP_SETPCAP},
 
@@ -161,6 +157,9 @@ func (p *Container) Start() error {
 	if p.cmd.SysProcAttr.UseCgroupFD {
 		p.cmd.SysProcAttr.CgroupFD = *p.Cgroup
 	}
+	if !p.HostNet {
+		p.cmd.SysProcAttr.Cloneflags |= CLONE_NEWNET
+	}
 
 	// place setup pipe before user supplied extra files, this is later restored by init
 	if fd, e, err := Setup(&p.cmd.ExtraFiles); err != nil {
diff --git a/container/container_test.go b/container/container_test.go
index 62eeacf..91fa49b 100644
--- a/container/container_test.go
+++ b/container/container_test.go
@@ -61,6 +61,7 @@ var containerTestCases = []struct {
 	{"custom rules", true, true, true, false, new(container.Ops), nil, 1, 31, []seccomp.NativeRule{{seccomp.ScmpSyscall(syscall.SYS_SETUID), seccomp.ScmpErrno(syscall.EPERM), nil}}, 0, seccomp.PresetExt},
+	{"tmpfs", true, false, false, true, new(container.Ops). Tmpfs(hst.Tmp, 0, 0755),
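Review bot: The added `if !p.HostNet {` is now the only place where namespace isolation is relaxed, and it says nothing about what a caller gives up: with CLONE_NEWNET omitted the child stays in the parent's network namespace, so it presumably sees the host's interfaces, loopback services and abstract unix sockets. I would state that at the branch, e.g. `// HostNet opts out of network isolation: the container keeps the parent's network namespace (interfaces, loopback services, abstract sockets)`. Because the flag set is now split between the SysProcAttr literal in the previous hunk and this later `|=`, the literal no longer shows the complete namespace set; a short `// CLONE_NEWNET is added below unless HostNet` on the Cloneflags field would keep that readable. Start() continues beyond the end of this hunk.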
@@ -68,6 +69,7 @@ var containerTestCases = []struct { ent("/", hst.Tmp, "rw,nosuid,nodev,relatime", "tmpfs", "ephemeral", ignore), }, 9, 9, nil, 0, seccomp.PresetStrict}, + {"dev", true, true /* go test output is not a tty */, false, false, new(container.Ops). Dev("/dev").