Setting a flag to indicate whether fs isolation is indeed happening

hashicorp · Jun 12, 2016 · f795e21 · f795e21
1 parent 12f3da9
commit f795e21
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 26 deletions.
diff --git a/client/driver/executor/executor.go b/client/driver/executor/executor.go
@@ -176,11 +176,12 @@ type UniversalExecutor struct {
 	ctx     *ExecutorContext
 	command *ExecCommand
 
-	pids          map[int]*nomadPid
-	pidLock       sync.RWMutex
-	taskDir       string
-	exitState     *ProcessState
-	processExited chan interface{}
+	pids                map[int]*nomadPid
+	pidLock             sync.RWMutex
+	taskDir             string
+	exitState           *ProcessState
+	processExited       chan interface{}
+	fsIsolationEnforced bool
 
 	lre         *logging.FileRotator
 	lro         *logging.FileRotator
@@ -244,26 +245,11 @@ func (e *UniversalExecutor) LaunchCmd(command *ExecCommand, ctx *ExecutorContext
 	}
 
 	e.ctx.TaskEnv.Build()
-	// Look up the binary path and make it executable
-	absPath, err := e.lookupBin(ctx.TaskEnv.ReplaceEnv(command.Cmd))
-	if err != nil {
-		return nil, err
-	}
-
-	if err := e.makeExecutable(absPath); err != nil {
-		return nil, err
-	}
-
-	e.cmd.Path = absPath
 	// configuring the chroot, cgroup and enters the plugin process in the
 	// chroot
 	if err := e.configureIsolation(); err != nil {
 		return nil, err
 	}
-	// Set the commands arguments
-	e.cmd.Args = append([]string{e.cmd.Path}, ctx.TaskEnv.ParseAndReplace(command.Args)...)
-	e.cmd.Env = ctx.TaskEnv.EnvList()
-
 	// Apply ourselves into the cgroup. The executor MUST be in the cgroup
 	// before the user task is started, otherwise we are subject to a fork
 	// attack in which a process escapes isolation by immediately forking.
@@ -278,6 +264,32 @@ func (e *UniversalExecutor) LaunchCmd(command *ExecCommand, ctx *ExecutorContext
 	e.cmd.Stdout = e.lro
 	e.cmd.Stderr = e.lre
 
+	// Look up the binary path and make it executable
+	absPath, err := e.lookupBin(ctx.TaskEnv.ReplaceEnv(command.Cmd))
+	if err != nil {
+		return nil, err
+	}
+
+	if err := e.makeExecutable(absPath); err != nil {
+		return nil, err
+	}
+
+	path := absPath
+
+	// Determine the path to run as it may have to be relative to the chroot.
+	if e.fsIsolationEnforced {
+		rel, err := filepath.Rel(e.taskDir, path)
+		if err != nil {
+			return nil, err
+		}
+		path = rel
+	}
+
+	// Set the commands arguments
+	e.cmd.Path = path
+	e.cmd.Args = append([]string{e.cmd.Path}, ctx.TaskEnv.ParseAndReplace(command.Args)...)
+	e.cmd.Env = ctx.TaskEnv.EnvList()
+
 	// Start the process
 	if err := e.cmd.Start(); err != nil {
 		return nil, err

diff --git a/client/driver/executor/executor_linux.go b/client/driver/executor/executor_linux.go
@@ -247,12 +247,7 @@ func (e *UniversalExecutor) configureChroot() error {
 		return err
 	}
 
-	rel, err := filepath.Rel(e.taskDir, e.cmd.Path)
-	if err != nil {
-		return err
-	}
-	e.cmd.Path = rel
-
+	e.fsIsolationEnforced = true
 	return nil
 }