Mount systemd cgroups properly

d28af8a2 · kaiyou · 4de32274 · d28af8a2
Commit d28af8a2 authored 2 years ago by kaiyou
--- a/pkg/selfcontain/defaults.go
+++ b/pkg/selfcontain/defaults.go
@@ -52,6 +52,18 @@ var defaultMounts = []*configs.Mount{
 		Device:      "proc",
 		Flags:       unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV,
 	},
+	{
+		Source:      "sysfs",
+		Destination: "/sys",
+		Device:      "sysfs",
+		Flags:       unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV,
+	},
+	{
+		Source:      "cgroup",
+		Destination: "/sys/fs/cgroup",
+		Device:      "cgroup",
+		Flags:       unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV,
+	},
 	{
 		Source:      "tmpfs",
 		Destination: "/dev",
@@ -66,6 +78,13 @@ var defaultMounts = []*configs.Mount{
 		Flags:       unix.MS_NOSUID | unix.MS_NOEXEC,
 		Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
 	},
+	{
+		Source:      "tmpfs",
+		Destination: "/tmp",
+		Device:      "tmpfs",
+		Flags:       unix.MS_NOSUID | unix.MS_STRICTATIME,
+		Data:        "mode=755",
+	},
 }

 // Restrict capabilities to strictly required capabilities
@@ -110,14 +129,6 @@ func makeConfig(name string, newRoot string, self string) *configs.Config {
 	for _, device := range allowedDevices {
 		deviceRules = append(deviceRules, &device.Rule)
 	}
-	// Unshare all namespace types except uid
-	namespaces := []configs.Namespace{}
-	for _, namespace := range configs.NamespaceTypes() {
-		if namespace == configs.NEWUSER {
-			continue
-		}
-		namespaces = append(namespaces, configs.Namespace{Type: namespace})
-	}
 	// Finally returns the configuration
 	return &configs.Config{
 		Rootfs:   newRoot,
@@ -129,11 +140,18 @@ func makeConfig(name string, newRoot string, self string) *configs.Config {
 			Permitted:   capabilities,
 			Ambient:     capabilities,
 		},
-		Namespaces: configs.Namespaces(namespaces),
-		Devices:    allowedDevices,
+		Namespaces: []configs.Namespace{
+			{Type: configs.NEWNS},
+			{Type: configs.NEWUTS},
+			{Type: configs.NEWIPC},
+			{Type: configs.NEWPID},
+			{Type: configs.NEWNET},
+			{Type: configs.NEWCGROUP},
+		},
+		Devices: allowedDevices,
 		Cgroups: &configs.Cgroup{
-			Name:   name,
-			Parent: "system",
+			Name:    name,
+			Systemd: true,
 			Resources: &configs.Resources{
 				MemorySwappiness: nil,
 				Devices:          deviceRules,