networking: use --enable-sandbox if available

if slirp4netns supports sandboxing, enable it. It automatically creates a new mount namespace where slirp4netns will run and have limited access to the host resources. It needs slirp4netns 0.4.1. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-09-16 16:40:41 +02:00 · 2019-09-16 16:40:41 +02:00 · 7c3428de26
parent a1970e1915
commit 7c3428de26
1 changed files with 7 additions and 4 deletions
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@ -127,13 +127,13 @@ type slirp4netnsCmd struct {
 	Args    slirp4netnsCmdArg `json:"arguments"`
 }
-func checkSlirpFlags(path string) (bool, bool, error) {
+func checkSlirpFlags(path string) (bool, bool, bool, error) {
 	cmd := exec.Command(path, "--help")
 	out, err := cmd.CombinedOutput()
 	if err != nil {
-		return false, false, err
+		return false, false, false, err
 	}
-	return strings.Contains(string(out), "--disable-host-loopback"), strings.Contains(string(out), "--mtu"), nil
+	return strings.Contains(string(out), "--disable-host-loopback"), strings.Contains(string(out), "--mtu"), strings.Contains(string(out), "--enable-sandbox"), nil
 }
 // Configure the network namespace for a rootless container
@ -166,7 +166,7 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) (err error) {
 	if havePortMapping {
 		cmdArgs = append(cmdArgs, "--api-socket", apiSocket, fmt.Sprintf("%d", ctr.state.PID))
 	}
-	dhp, mtu, err := checkSlirpFlags(path)
+	dhp, mtu, sandbox, err := checkSlirpFlags(path)
 	if err != nil {
 		return errors.Wrapf(err, "error checking slirp4netns binary %s", path)
 	}
@ -176,6 +176,9 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) (err error) {
 	if mtu {
 		cmdArgs = append(cmdArgs, "--mtu", "65520")
 	}
 	if sandbox {
 		cmdArgs = append(cmdArgs, "--enable-sandbox")
 	}
 	cmdArgs = append(cmdArgs, "-c", "-e", "3", "-r", "4", fmt.Sprintf("%d", ctr.state.PID), "tap0")
 	cmd := exec.Command(path, cmdArgs...)