From 2ef6fcc8be9ed308237bf57f54367d2dd512d52f Mon Sep 17 00:00:00 2001
From: xSmurf
Date: Sun, 12 Jul 2015 04:01:30 +0000
Subject: [PATCH 1/3] Fixed adding of pwd ot binded argument files
---
 oz-daemon/launch.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/oz-daemon/launch.go b/oz-daemon/launch.go
index 60558e7..fb7c81c 100644
--- a/oz-daemon/launch.go
+++ b/oz-daemon/launch.go
@@ -272,13 +272,13 @@ func (sbox *Sandbox) UnmountFile(file, binpath string, log *logging.Logger) erro
 func (sbox *Sandbox) whitelistArgumentFiles(binpath, pwd string, args []string, log *logging.Logger) {
 var files []string
 for _, fpath := range args {
+ if filepath.IsAbs(fpath) == false {
+ fpath = path.Join(pwd, fpath)
+ }
+ if !strings.HasPrefix(fpath, "/home/") {
+ continue
+ }
 if _, err := os.Stat(fpath); err == nil {
- if filepath.IsAbs(fpath) == false {
- fpath = path.Join(pwd, fpath)
- }
- if !strings.HasPrefix(fpath, "/home/") {
- continue
- }
 log.Notice("Adding file `%s` to sandbox `%s`.", fpath, sbox.profile.Name)
 files = append(files, fpath)
 }
From 380757451c52cf2b79a04decb2c2c74604362f1e Mon Sep 17 00:00:00 2001
From: xSmurf
Date: Sun, 12 Jul 2015 04:02:23 +0000
Subject: [PATCH 2/3] Cleanup
---
 oz-mount/mount.go | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/oz-mount/mount.go b/oz-mount/mount.go
index 93afa5a..6cf71b6 100644
--- a/oz-mount/mount.go
+++ b/oz-mount/mount.go
@@ -1,13 +1,6 @@
 // +build linux,!gccgo
 package mount
-/*
- As per the setns documentation, it is impossible to enter a
- mount namespace from a multithreaded process.
- One MUST insure that opening the namespace happens when the process
- has only one thread. This is impossible from golang, as such we call
- this C function as a constructor to ensure that it is executed
- before the go scheduler launches other threads.
-*/
+
 // extern int enter_mount_namespace(void);
 /*
 #include 
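Review bot: An absolute argument skips the `path.Join` on the added lines and is never cleaned, so the `/home/` prefix check runs on the raw string while `os.Stat` resolves it; a path containing `..` segments that lexically begins with `/home/` can therefore pass the check yet name a file outside it. Normalising before the comparison closes that gap: add `fpath = filepath.Clean(fpath)` after the `IsAbs` block, or use `filepath.Join` (which cleans) in place of `path.Join` so both branches agree. `os.Stat` also follows symlinks, so a link under `/home/` pointing elsewhere still satisfies a string prefix check; running `filepath.EvalSymlinks` before the comparison would make the check apply to the real target, though whether the later bind mount resolves links itself is not visible in this hunk. Minor style: `filepath.IsAbs(fpath) == false` reads better as `!filepath.IsAbs(fpath)`. whitelistArgumentFiles continues past the end of the hunk.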
@@ -19,6 +12,15 @@ __attribute__((constructor)) void init(void) {
 */
 import "C"
+/*
+ As per the setns documentation, it is impossible to enter a
+ mount namespace from a multithreaded process.
+ One MUST insure that opening the namespace happens when the process
+ has only one thread. This is impossible from golang, as such we call
+ this C function as a constructor to ensure that it is executed
+ before the go scheduler launches other threads.
+*/
+
 import (
 "fmt"
 "os"
From 2a1050004946798f490e71f36bd267f6566345cf Mon Sep 17 00:00:00 2001
From: xSmurf
Date: Sun, 12 Jul 2015 04:02:39 +0000
Subject: [PATCH 3/3] Fixed passing of usefulldev
---
 oz-init/init.go | 2 +-
 oz-init/rootfs.go | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/oz-init/init.go b/oz-init/init.go
index b72e4e7..0d181fc 100644
--- a/oz-init/init.go
+++ b/oz-init/init.go
@@ -514,7 +514,7 @@ func (st *initState) setupFilesystem(extra []oz.WhitelistItem) error {
 fs := fs.NewFilesystem(st.config, st.log)
- if err := setupRootfs(fs); err != nil {
+ if err := setupRootfs(fs, st.config.UseFullDev); err != nil {
 return err
 }
diff --git a/oz-init/rootfs.go b/oz-init/rootfs.go
index a9c316f..18e84ba 100644
--- a/oz-init/rootfs.go
+++ b/oz-init/rootfs.go
@@ -72,7 +72,7 @@ func _makedev(x, y int) int {
 return (((x) << 8) | (y))
 }
-func setupRootfs(fsys *fs.Filesystem) error {
+func setupRootfs(fsys *fs.Filesystem, useFullDev bool) error {
 if err := os.MkdirAll(fsys.Root(), 0755); err != nil {
 return fmt.Errorf("could not create rootfs path '%s': %v", fsys.Root(), err)
 }
@@ -107,9 +107,11 @@ func setupRootfs(fsys *fs.Filesystem) error {
 return err
 }
- for _, d := range basicDevices {
- if err := fsys.CreateDevice(d.path, d.dev, d.mode); err != nil {
- return err
+ if (!useFullDev) {
+ for _, d := range basicDevices {
+ if err := fsys.CreateDevice(d.path, d.dev, d.mode); err != nil {
+ return err
+ }
 }
 }
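Review bot: `setupRootfs` gains a `useFullDev` parameter in the first rootfs.go hunk but carries no doc comment saying what it changes, so a reader has to find the second hunk to learn that it suppresses creation of the `basicDevices` nodes. A one-line comment above the new signature would fix that: `// setupRootfs creates the rootfs directory at fsys.Root() and, unless useFullDev is set, the basicDevices nodes inside it.` In the second hunk `if (!useFullDev) {` should be written `if !useFullDev {`, as gofmt drops the parentheses. Nothing visible here populates /dev when useFullDev is true, so it is worth confirming that path does not leave the rootfs without device nodes. The rest of setupRootfs lies outside both hunks.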