extra conditionals for latest gvisor

gristlabs · Mar 17, 2022 · 134df27 · 134df27
1 parent 636eda2
commit 134df27
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 11 deletions.
diff --git a/runsc/cmd/gofer.go b/runsc/cmd/gofer.go
@@ -155,13 +155,15 @@ func (g *Gofer) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
 		Fatalf("failed to open /proc/self/fd: %v", err)
 	}
 
-	if err := unix.Chroot(root); err != nil {
-		Fatalf("failed to chroot to %q: %v", root, err)
-	}
-	if err := unix.Chdir("/"); err != nil {
-		Fatalf("changing working dir: %v", err)
-	}
-	log.Infof("Process chroot'd to %q", root)
+        if root != "/" {
+                if err := unix.Chroot(root); err != nil {
+                        Fatalf("failed to chroot to %q: %v", root, err)
+                }
+                if err := unix.Chdir("/"); err != nil {
+                        Fatalf("changing working dir: %v", err)
+                }
+                log.Infof("Process chroot'd to %q", root)
+        }
 
 	// Initialize filters.
 	if conf.FSGoferHostUDS {

diff --git a/runsc/cmd/run.go b/runsc/cmd/run.go
@@ -72,9 +72,11 @@ func (r *Run) Execute(_ context.Context, f *flag.FlagSet, args ...interface{}) s
 			return Errorf("sandbox network isn't supported with --rootless, use --network=none or --network=host")
 		}
 
-		if err := specutils.MaybeRunAsRoot(); err != nil {
-			return Errorf("Error executing inside namespace: %v", err)
-		}
+                if !conf.Unprivileged {
+                        if err := specutils.MaybeRunAsRoot(); err != nil {
+                                return Errorf("Error executing inside namespace: %v", err)
+                        }
+                }
 		// Execution will continue here if no more capabilities are needed...
 	}
 

diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go
@@ -1308,7 +1308,7 @@ func (s *Sandbox) waitForStopped() error {
 // configureStdios change stdios ownership to give access to the sandbox
 // process. This may be skipped depending on the configuration.
 func (s *Sandbox) configureStdios(conf *config.Config, stdios []*os.File) error {
-	if conf.Rootless || conf.TestOnlyAllowRunAsCurrentUserWithoutChroot {
+	if conf.Unprivileged || conf.Rootless || conf.TestOnlyAllowRunAsCurrentUserWithoutChroot {
 		// Cannot change ownership without CAP_CHOWN.
 		return nil
 	}