container: improve clone flags readability

Signed-off-by: Ophestra <cat@gensokyo.uk>

container/container.go

@@ -113,11 +113,6 @@ func (p *Container) Start() error {
 	ctx, cancel := context.WithCancel(p.ctx)
 	p.cancel = cancel
 
-	var cloneFlags uintptr = CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWCGROUP
-	if !p.HostNet {
-		cloneFlags |= CLONE_NEWNET
-	}
-
 	// map to overflow id to work around ownership checks
 	if p.Uid < 1 {
 		p.Uid = OverflowUid()
@@ -151,7 +146,8 @@ func (p *Container) Start() error {
 	p.cmd.SysProcAttr = &SysProcAttr{
 		Setsid:    !p.RetainSession,
 		Pdeathsig: SIGKILL,
-		Cloneflags: cloneFlags | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS,
+		Cloneflags: CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS |
+			CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWCGROUP,
 
 		// remain privileged for setup
 		AmbientCaps: []uintptr{CAP_SYS_ADMIN, CAP_SETPCAP},
@@ -161,6 +157,9 @@ func (p *Container) Start() error {
 	if p.cmd.SysProcAttr.UseCgroupFD {
 		p.cmd.SysProcAttr.CgroupFD = *p.Cgroup
 	}
+	if !p.HostNet {
+		p.cmd.SysProcAttr.Cloneflags |= CLONE_NEWNET
+	}
 
 	// place setup pipe before user supplied extra files, this is later restored by init
 	if fd, e, err := Setup(&p.cmd.ExtraFiles); err != nil {

container/container_test.go

@@ -61,6 +61,7 @@ var containerTestCases = []struct {
 	{"custom rules", true, true, true, false,
 		new(container.Ops), nil,
 		1, 31, []seccomp.NativeRule{{seccomp.ScmpSyscall(syscall.SYS_SETUID), seccomp.ScmpErrno(syscall.EPERM), nil}}, 0, seccomp.PresetExt},
+
 	{"tmpfs", true, false, false, true,
 		new(container.Ops).
 			Tmpfs(hst.Tmp, 0, 0755),
@@ -68,6 +69,7 @@ var containerTestCases = []struct {
 			ent("/", hst.Tmp, "rw,nosuid,nodev,relatime", "tmpfs", "ephemeral", ignore),
 		},
 		9, 9, nil, 0, seccomp.PresetStrict},
+
 	{"dev", true, true /* go test output is not a tty */, false, false,
 		new(container.Ops).
 			Dev("/dev").