networking: use --enable-sandbox if available

if slirp4netns supports sandboxing, enable it. It automatically creates a new mount namespace where slirp4netns will run and have limited access to the host resources. It needs slirp4netns 0.4.1. Signed-off-by: Giuseppe Scrivano <[email protected]>
containers · Sep 16, 2019 · 7c3428d · 7c3428d · pcahyna · Sep 18, 2020
1 parent a1970e1
commit 7c3428d
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
@@ -127,13 +127,13 @@ type slirp4netnsCmd struct {
 	Args    slirp4netnsCmdArg `json:"arguments"`
 }
 
-func checkSlirpFlags(path string) (bool, bool, error) {
+func checkSlirpFlags(path string) (bool, bool, bool, error) {
 	cmd := exec.Command(path, "--help")
 	out, err := cmd.CombinedOutput()
 	if err != nil {
-		return false, false, err
+		return false, false, false, err
 	}
-	return strings.Contains(string(out), "--disable-host-loopback"), strings.Contains(string(out), "--mtu"), nil
+	return strings.Contains(string(out), "--disable-host-loopback"), strings.Contains(string(out), "--mtu"), strings.Contains(string(out), "--enable-sandbox"), nil
 }
 
 // Configure the network namespace for a rootless container
@@ -166,7 +166,7 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) (err error) {
 	if havePortMapping {
 		cmdArgs = append(cmdArgs, "--api-socket", apiSocket, fmt.Sprintf("%d", ctr.state.PID))
 	}
-	dhp, mtu, err := checkSlirpFlags(path)
+	dhp, mtu, sandbox, err := checkSlirpFlags(path)
 	if err != nil {
 		return errors.Wrapf(err, "error checking slirp4netns binary %s", path)
 	}
@@ -176,6 +176,9 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) (err error) {
 	if mtu {
 		cmdArgs = append(cmdArgs, "--mtu", "65520")
 	}
+	if sandbox {
+		cmdArgs = append(cmdArgs, "--enable-sandbox")
+	}
 	cmdArgs = append(cmdArgs, "-c", "-e", "3", "-r", "4", fmt.Sprintf("%d", ctr.state.PID), "tap0")
 
 	cmd := exec.Command(path, cmdArgs...)