gvisor/test/root
Ayush Ranjan 039acda6e4 Preserve sandbox process env vars only for --TESTONLY-unsafe-nonroot.
Earlier setCapsAndCallSelf() and callSelfAsNobody() were unconditionally
clearing the sandbox process's env vars. But in some cases we want to preserve
them. For example, when running runsc-race, we want to set GLIBC_TUNABLES for the
sandbox process. Note that runsc-race requires --TESTONLY-unsafe-nonroot=true.

Right now, when --TESTONLY-unsafe-nonroot is set, boot process does not end up
calling setCapsAndCallSelf() or callSelfAsNobody(). So the env vars are
retained as desired. But with directfs, those methods are called in spite of
--TESTONLY-unsafe-nonroot. So this change is required to preserve env vars with
--directfs && --TESTONLY-unsafe-nonroot.

This change also adds a test to verify that the sandbox process is running with
no leaked environment variables.

PiperOrigin-RevId: 533170470
2023-05-18 10:24:09 -07:00