Merge pull request #12902 from shayonj:s/export-gofer-helpers

PiperOrigin-RevId: 897959963

Author: gvisor-bot

runsc/cmd/BUILD

@@ -35,7 +35,6 @@ go_library(
     srcs = [
         "boot.go",
         "boot_impl.go",
-        "capability.go",
         "checkpoint.go",
         "checkpoint_impl.go",
         "chroot.go",
@@ -113,6 +112,7 @@ go_library(
         "//pkg/urpc",
         "//runsc/boot",
         "//runsc/cmd/metricserver/metricservercmd",
+        "//runsc/cmd/sandboxsetup",
         "//runsc/cmd/util",
         "//runsc/config",
         "//runsc/console",
@@ -165,6 +165,7 @@ go_test(
         "//pkg/sentry/control",
         "//pkg/sentry/kernel/auth",
         "//pkg/test/testutil",
+        "//runsc/cmd/sandboxsetup",
         "//runsc/cmd/util",
         "//runsc/config",
         "//runsc/container",

runsc/cmd/boot.go

@@ -18,7 +18,6 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"runtime"
 	"runtime/debug"
@@ -44,6 +43,7 @@ import (
 	"gvisor.dev/gvisor/pkg/sentry/syscalls/linux"
 	"gvisor.dev/gvisor/pkg/tcpip/nftables"
 	"gvisor.dev/gvisor/runsc/boot"
+	"gvisor.dev/gvisor/runsc/cmd/sandboxsetup"
 	"gvisor.dev/gvisor/runsc/cmd/util"
 	"gvisor.dev/gvisor/runsc/config"
 	"gvisor.dev/gvisor/runsc/flag"
@@ -96,14 +96,14 @@ type Boot struct {
 	deviceFD int
 
 	// ioFDs is the list of FDs used to connect to FS gofers.
-	ioFDs intFlags
+	ioFDs sandboxsetup.IntFlags
 
 	// devIoFD is the FD to connect to dev gofer.
 	devIoFD int
 
 	// goferFilestoreFDs are FDs to the regular files that will back the tmpfs or
 	// overlayfs mount for certain gofer mounts.
-	goferFilestoreFDs intFlags
+	goferFilestoreFDs sandboxsetup.IntFlags
 
 	// goferMountConfs contains information about how the gofer mounts have been
 	// configured. The first entry is for rootfs and the following entries are
@@ -112,7 +112,7 @@ type Boot struct {
 
 	// stdioFDs are the fds for stdin, stdout, and stderr. They must be
 	// provided in that order.
-	stdioFDs intFlags
+	stdioFDs sandboxsetup.IntFlags
 
 	// passFDs are mappings of user-supplied host to guest file descriptors.
 	passFDs fdMappings
@@ -152,11 +152,11 @@ type Boot struct {
 
 	podInitConfigFD int
 
-	sinkFDs intFlags
+	sinkFDs sandboxsetup.IntFlags
 
-	saveFDs intFlags
+	saveFDs sandboxsetup.IntFlags
 
-	fsRestoreFDs intFlags
+	fsRestoreFDs sandboxsetup.IntFlags
 
 	// attached is set to true to kill the sandbox process when the parent process
 	// terminates. This flag is set when the command execve's itself because
@@ -385,7 +385,7 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...any) subcomma
 			// /proc is umounted from a forked process, because the
 			// current one is going to re-execute itself without
 			// capabilities.
-			cmd, w := execProcUmounter()
+			cmd, w := sandboxsetup.ExecProcUmounter()
 			defer cmd.Wait()
 			defer w.Close()
 			if b.procMountSyncFD != -1 {
@@ -402,13 +402,13 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...any) subcomma
 
 			if !b.applyCaps {
 				// Remove the args that have already been done before calling self.
-				args := prepareArgs(b.Name(), f, argOverride)
+				args := sandboxsetup.PrepareArgs(b.Name(), f, argOverride)
 
 				// Note that we've already read the spec from the spec FD, and
 				// we will read it again after the exec call. This works
 				// because the ReadSpecFromFile function seeks to the beginning
 				// of the file before reading.
-				util.Fatalf("callSelfAsNobody(%v): %v", args, callSelfAsNobody(args))
+				util.Fatalf("callSelfAsNobody(%v): %v", args, sandboxsetup.CallSelfAsNobody(args))
 
 				// This prevents the specFile finalizer from running and closed
 				// the specFD, which we have passed to ourselves when
@@ -467,13 +467,13 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...any) subcomma
 		argOverride["apply-caps"] = "false"
 
 		// Remove the args that have already been done before calling self.
-		args := prepareArgs(b.Name(), f, argOverride)
+		args := sandboxsetup.PrepareArgs(b.Name(), f, argOverride)
 
 		// Note that we've already read the spec from the spec FD, and
 		// we will read it again after the exec call. This works
 		// because the ReadSpecFromFile function seeks to the beginning
 		// of the file before reading.
-		util.Fatalf("setCapsAndCallSelf(%v, %v): %v", args, caps, setCapsAndCallSelf(args, caps))
+		util.Fatalf("setCapsAndCallSelf(%v, %v): %v", args, caps, sandboxsetup.SetCapsAndCallSelf(args, caps))
 
 		// This prevents the specFile finalizer from running and closed
 		// the specFD, which we have passed to ourselves when
@@ -609,7 +609,7 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...any) subcomma
 			// Call validateOpenFDs() before umounting /proc.
 			validateOpenFDs(bootArgs.PassFDs)
 			// Umount /proc right before installing seccomp filters.
-			umountProc(b.procMountSyncFD)
+			sandboxsetup.UmountProc(b.procMountSyncFD)
 		}
 	}
 
@@ -671,84 +671,6 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...any) subcomma
 	return subcommands.ExitSuccess
 }
 
-// prepareArgs returns the args that can be used to re-execute the current
-// program. It manipulates the flags of the subcommands.Command identified by
-// subCmdName and fSet is the flag.FlagSet of this subcommand. It applies the
-// flags specified by override map. In case of conflict, flag is overridden.
-//
-// Postcondition: prepareArgs() takes ownership of override map.
-func prepareArgs(subCmdName string, fSet *flag.FlagSet, override map[string]string) []string {
-	var args []string
-	// Add all args up until (and including) the sub command.
-	for _, arg := range os.Args {
-		args = append(args, arg)
-		if arg == subCmdName {
-			break
-		}
-	}
-	// Set sub command flags. Iterate through all the explicitly set flags.
-	fSet.Visit(func(gf *flag.Flag) {
-		// If a conflict is found with override, then prefer override flag.
-		if ov, ok := override[gf.Name]; ok {
-			args = append(args, fmt.Sprintf("--%s=%s", gf.Name, ov))
-			delete(override, gf.Name)
-			return
-		}
-		// Otherwise pass through the original flag.
-		args = append(args, fmt.Sprintf("--%s=%s", gf.Name, gf.Value))
-	})
-	// Apply remaining override flags (that didn't conflict above).
-	for of, ov := range override {
-		args = append(args, fmt.Sprintf("--%s=%s", of, ov))
-	}
-	// Add the non-flag arguments at the end.
-	args = append(args, fSet.Args()...)
-	return args
-}
-
-// execProcUmounter execute a child process that umounts /proc when the
-// returned pipe is closed.
-func execProcUmounter() (*exec.Cmd, *os.File) {
-	r, w, err := os.Pipe()
-	if err != nil {
-		util.Fatalf("error creating a pipe: %v", err)
-	}
-	defer r.Close()
-
-	cmd := exec.Command(specutils.ExePath)
-	cmd.Args = append(cmd.Args, "umount", "--sync-fd=3", "/proc")
-	cmd.ExtraFiles = append(cmd.ExtraFiles, r)
-	cmd.Stdin = os.Stdin
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Start(); err != nil {
-		util.Fatalf("error executing umounter: %v", err)
-	}
-	return cmd, w
-}
-
-// umountProc writes to syncFD signalling the process started by
-// execProcUmounter() to umount /proc.
-func umountProc(syncFD int) {
-	syncFile := os.NewFile(uintptr(syncFD), "procfs umount sync FD")
-	buf := make([]byte, 1)
-	if w, err := syncFile.Write(buf); err != nil || w != 1 {
-		util.Fatalf("unable to write into the proc umounter descriptor: %v", err)
-	}
-	syncFile.Close()
-
-	var waitStatus unix.WaitStatus
-	if _, err := unix.Wait4(0, &waitStatus, 0, nil); err != nil {
-		util.Fatalf("error waiting for the proc umounter process: %v", err)
-	}
-	if !waitStatus.Exited() || waitStatus.ExitStatus() != 0 {
-		util.Fatalf("the proc umounter process failed: %v", waitStatus)
-	}
-	if err := unix.Access("/proc/self", unix.F_OK); err != unix.ENOENT {
-		util.Fatalf("/proc is still accessible")
-	}
-}
-
 // validateOpenFDs checks that the sandbox process does not have any open
 // directory FDs.
 func validateOpenFDs(passFDs []boot.FDMapping) {

runsc/cmd/capability_test.go

@@ -25,6 +25,7 @@ import (
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"gvisor.dev/gvisor/pkg/log"
 	"gvisor.dev/gvisor/pkg/test/testutil"
+	"gvisor.dev/gvisor/runsc/cmd/sandboxsetup"
 	"gvisor.dev/gvisor/runsc/config"
 	"gvisor.dev/gvisor/runsc/container"
 	"gvisor.dev/gvisor/runsc/specutils"
@@ -47,7 +48,7 @@ func checkProcessCaps(pid int, wantCaps *specs.LinuxCapabilities) error {
 	}
 	fmt.Printf("Capabilities (PID: %d): %v\n", pid, curCaps)
 
-	for _, c := range allCapTypes {
+	for _, c := range sandboxsetup.AllCapTypes {
 		if err := checkCaps(c, curCaps, wantCaps); err != nil {
 			return err
 		}
@@ -56,8 +57,8 @@ func checkProcessCaps(pid int, wantCaps *specs.LinuxCapabilities) error {
 }
 
 func checkCaps(which capability.CapType, curCaps capability.Capabilities, wantCaps *specs.LinuxCapabilities) error {
-	wantNames := getCaps(which, wantCaps)
-	for name, c := range capFromName {
+	wantNames := sandboxsetup.GetCaps(which, wantCaps)
+	for name, c := range sandboxsetup.CapFromName {
 		want := slices.Contains(wantNames, name)
 		got := curCaps.Get(which, c)
 		if want != got {

runsc/cmd/chroot.go

@@ -25,6 +25,7 @@ import (
 	"golang.org/x/sys/unix"
 	"gvisor.dev/gvisor/pkg/abi/tpu"
 	"gvisor.dev/gvisor/pkg/log"
+	"gvisor.dev/gvisor/runsc/cmd/sandboxsetup"
 	"gvisor.dev/gvisor/runsc/cmd/util"
 	"gvisor.dev/gvisor/runsc/config"
 	"gvisor.dev/gvisor/runsc/specutils"
@@ -42,46 +43,6 @@ func mountInChroot(chroot, src, dst, typ string, flags uint32) error {
 	return nil
 }
 
-func pivotRoot(root string) error {
-	if err := os.Chdir(root); err != nil {
-		return fmt.Errorf("error changing working directory: %v", err)
-	}
-	// pivot_root(new_root, put_old) moves the root filesystem (old_root)
-	// of the calling process to the directory put_old and makes new_root
-	// the new root filesystem of the calling process.
-	//
-	// pivot_root(".", ".") makes a mount of the working directory the new
-	// root filesystem, so it will be moved in "/" and then the old_root
-	// will be moved to "/" too. The parent mount of the old_root will be
-	// new_root, so after umounting the old_root, we will see only
-	// the new_root in "/".
-	if err := unix.PivotRoot(".", "."); err != nil {
-		return fmt.Errorf("pivot_root failed, make sure that the root mount has a parent: %v", err)
-	}
-
-	if err := unix.Unmount(".", unix.MNT_DETACH); err != nil {
-		return fmt.Errorf("error umounting the old root file system: %v", err)
-	}
-	return nil
-}
-
-func copyFile(dst, src string) error {
-	in, err := os.Open(src)
-	if err != nil {
-		return err
-	}
-	defer in.Close()
-
-	out, err := os.Create(dst)
-	if err != nil {
-		return err
-	}
-	defer out.Close()
-
-	_, err = out.ReadFrom(in)
-	return err
-}
-
 // setupMinimalProcfs creates a minimal procfs-like tree at `${chroot}/proc`.
 func setupMinimalProcfs(chroot string) error {
 	// We can't always directly mount procfs because it may be obstructed
@@ -135,7 +96,7 @@ func setupMinimalProcfs(chroot string) error {
 		"/proc/sys/vm/mmap_min_addr",
 		"/proc/sys/kernel/cap_last_cap",
 	} {
-		if err := copyFile(filepath.Join(chroot, f), f); err != nil {
+		if err := sandboxsetup.CopyFile(filepath.Join(chroot, f), f); err != nil {
 			return fmt.Errorf("failed to copy %q -> %q: %w", f, filepath.Join(chroot, f), err)
 		}
 	}
@@ -175,7 +136,7 @@ func setUpChroot(spec *specs.Spec, conf *config.Config) error {
 		return fmt.Errorf("error creating /etc in chroot: %v", err)
 	}
 
-	if err := copyFile(filepath.Join(chroot, "etc/localtime"), "/etc/localtime"); err != nil {
+	if err := sandboxsetup.CopyFile(filepath.Join(chroot, "etc/localtime"), "/etc/localtime"); err != nil {
 		log.Warningf("Failed to copy /etc/localtime: %v. UTC timezone will be used.", err)
 	}
 
@@ -191,7 +152,7 @@ func setUpChroot(spec *specs.Spec, conf *config.Config) error {
 		return fmt.Errorf("error remounting chroot in read-only: %v", err)
 	}
 
-	return pivotRoot(chroot)
+	return sandboxsetup.PivotRoot(chroot)
 }
 
 func tpuProxyUpdateChroot(hostRoot, chroot string, spec *specs.Spec, conf *config.Config) error {