authorMatthias Schiffer <mschiffer@universe-factory.net>2021-10-18 21:35:36 +0200
committerMatthias Schiffer <mschiffer@universe-factory.net>2021-10-20 00:24:02 +0200
commit4aa6a11a70326e4e21e053effe8e3e96b8aa6c09 (patch)
tree484a8e02fde0ba1ab14d7731c472e499c0b39a60
parent9c00b84e510698db3de404daf954edaf9ad0698b (diff)
downloadrebel-4aa6a11a70326e4e21e053effe8e3e96b8aa6c09.tar
rebel-4aa6a11a70326e4e21e053effe8e3e96b8aa6c09.zip
container: create PID namespace for runner
Takes care of killing all tasks when the runner dies.
-rw-r--r--src/runner/container/mod.rs9
1 files changed, 8 insertions, 1 deletions
diff --git a/src/runner/container/mod.rs b/src/runner/container/mod.rs
index 58823a6..9af6562 100644
--- a/src/runner/container/mod.rs
+++ b/src/runner/container/mod.rs
@@ -7,6 +7,7 @@ use std::process;
use ipc_channel::ipc;
use nix::{
+ mount::{self, MsFlags},
sched::CloneFlags,
sys::{signal, stat},
unistd::{self, Gid, Uid},
@@ -21,6 +22,11 @@ use crate::{
#[derive(Debug, Deserialize, Serialize)]
struct Request(runner::Task, ipc::IpcSender<Result<runner::TaskOutput>>);
+fn mount_proc() {
+ mount::mount::<_, _, _, str>(Some("proc"), "/proc", Some("proc"), MsFlags::empty(), None)
+ .expect("Failed to mount /proc");
+}
+
fn setup_userns(uid: Uid, gid: Gid) {
std::fs::write("/proc/self/setgroups", "deny").expect("Failed to write /proc/self/setgroups");
std::fs::write("/proc/self/uid_map", &format!("0 {} 1", uid))
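Review bot: The new `mount_proc` mounts procfs with `MsFlags::empty()`, so the runner's /proc ends up without the nosuid, nodev and noexec options that the host's /proc normally carries. Because this mount is performed inside the user namespace the process was cloned into, the kernel also compares the new proc mount against the locked flags of the /proc it inherited, and a more permissive request can be refused; passing `MsFlags::MS_NOSUID | MsFlags::MS_NODEV | MsFlags::MS_NOEXEC` instead of `MsFlags::empty()` matches the usual container hardening and avoids that failure mode. A `///` comment on `mount_proc` stating that it must run only after the process is in its own mount and PID namespaces would make the precondition visible to the next caller.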
@@ -30,6 +36,7 @@ fn setup_userns(uid: Uid, gid: Gid) {
}
fn runner(uid: Uid, gid: Gid, channel: ipc::IpcReceiver<Request>) -> ! {
+ mount_proc();
setup_userns(uid, gid);
stat::umask(stat::Mode::from_bits_truncate(0o022));
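Review bot: The `mount_proc()` call at the top of `runner` silently depends on the caller having cloned with CLONE_NEWNS and CLONE_NEWPID; if it were ever reached without those flags the mount would act on the shared mount namespace and show the wrong PID view, and nothing at this call site says so. The placement before `setup_userns` also matters, since the `/proc/self/uid_map` write that follows goes through the freshly mounted procfs. A comment such as `// Must run inside the fresh mount+PID namespace set up by the clone in ContainerRunner: remounts /proc so it reflects this namespace, before setup_userns writes uid_map through it` would capture both points. The body of `runner` continues past the end of the hunk.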
@@ -71,7 +78,7 @@ impl ContainerRunner {
let (tx, rx) = ipc::channel().expect("IPC channel creation failed");
let (_, (tx, _rx)) = clone::spawn(
- CloneFlags::CLONE_NEWUSER | CloneFlags::CLONE_NEWNS,
+ CloneFlags::CLONE_NEWUSER | CloneFlags::CLONE_NEWNS | CloneFlags::CLONE_NEWPID,
(tx, rx),
|(tx, rx)| {
drop(tx);
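Review bot: Adding `CloneFlags::CLONE_NEWPID` makes the spawned child PID 1 of the new namespace, so any processes orphaned by a task are reparented to it and remain zombies until it reaps them; nothing in this hunk shows that the runner waits for children it did not spawn directly, and if it does not already do so (not visible here), a long-lived container will accumulate zombie entries. A reap loop using `nix::sys::wait::waitpid` on `Pid::from_raw(-1)` with `WNOHANG`, driven from SIGCHLD, is the usual fix. Note also that the init of a PID namespace ignores signals for which it has no handler, so the parent can no longer stop the runner with a plain SIGTERM unless a handler is installed; only SIGKILL from outside the namespace still works, which is what the commit message relies on. The enclosing `ContainerRunner` method starts outside the hunk.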