From 63d8f387fd24488c4152ce67b764147b4b98c261 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer
Date: Sat, 6 Feb 2021 23:46:28 +0100
Subject: runc: create mount namespace for each task

---
 src/runner/runc/init.rs | 18 ------------
 src/runner/runc/run.rs | 75 +++++++++++++++++++++++++++++++++++++++++++------
 2 files changed, 66 insertions(+), 27 deletions(-)

diff --git a/src/runner/runc/init.rs b/src/runner/runc/init.rs
index 1786719..658b318 100644
--- a/src/runner/runc/init.rs
+++ b/src/runner/runc/init.rs
@@ -52,24 +52,6 @@ fn prepare_buildtmp() -> io::Result<()> {
 }
 DirBuilder::new().create("build/tmp/runc")?;
- DirBuilder::new().create("build/tmp/runc/rootfs")?;
-
- mount::mount::<_, _, str, str>(
- Some("build/tmp/rootfs"),
- "build/tmp/runc/rootfs",
- None,
- MsFlags::MS_BIND,
- None,
- )
- .to_io_result()?;
- mount::mount::(
- None,
- "build/tmp/runc/rootfs",
- None,
- MsFlags::MS_BIND | MsFlags::MS_REMOUNT | MsFlags::MS_RDONLY,
- None,
- )
- .to_io_result()?;
 Ok(())
 }
diff --git a/src/runner/runc/run.rs b/src/runner/runc/run.rs
index 9261b7d..10acbe6 100644
--- a/src/runner/runc/run.rs
+++ b/src/runner/runc/run.rs
@@ -1,31 +1,88 @@
-use std::{io, process};
+use std::{fs::DirBuilder, io, process};
+use nix::{
+ mount::{self, MsFlags},
+ sched::{self, CloneFlags},
+};
 use serde::{Deserialize, Serialize};
-use crate::types::*;
+use crate::{types::*, util::ToIOResult};
+
 #[derive(Debug, Deserialize, Serialize)]
-pub struct Error;
+pub enum Error {
+ Code(i32),
+ String(String),
+}
+
+impl From for Error {
+ fn from(error: io::Error) -> Self {
+ match error.raw_os_error() {
+ Some(code) => Error::Code(code),
+ None => Error::String(error.to_string()),
+ }
+ }
+}
 impl From for io::Error {
- fn from(_: Error) -> Self {
- io::Error::new(io::ErrorKind::Other, "Failed to run task")
+ fn from(error: Error) -> Self {
+ match error {
+ Error::Code(code) => io::Error::from_raw_os_error(code),
+ Error::String(string) => io::Error::new(io::ErrorKind::Other, string),
+ }
 }
 }
+fn init_task() -> Result<(), Error> {
+ sched::unshare(CloneFlags::CLONE_NEWNS).to_io_result()?;
+
+ mount::mount::<_, _, _, str>(
+ Some("runc"),
+ "build/tmp/runc",
+ Some("tmpfs"),
+ MsFlags::empty(),
+ None,
+ )
+ .to_io_result()?;
+
+ DirBuilder::new().create("build/tmp/runc/rootfs")?;
+
+ mount::mount::<_, _, str, str>(
+ Some("build/tmp/rootfs"),
+ "build/tmp/runc/rootfs",
+ None,
+ MsFlags::MS_BIND,
+ None,
+ )
+ .to_io_result()?;
+ mount::mount::(
+ None,
+ "build/tmp/runc/rootfs",
+ None,
+ MsFlags::MS_BIND | MsFlags::MS_REMOUNT | MsFlags::MS_RDONLY,
+ None,
+ )
+ .to_io_result()?;
+
+ Ok(())
+}
+
 pub fn handle_task(task: TaskRef, task_def: Task) -> Result<(), Error> {
- let result = process::Command::new("sh")
+ init_task()?;
+
+ let output = process::Command::new("sh")
 .arg("-c")
 .arg(task_def.run)
 .current_dir("build/tmp/runc/rootfs")
- .output();
- if let Ok(output) = result {
+ .output()?;
+
+ if output.status.success() {
 println!(
 "{}:\n{}",
 task,
 String::from_utf8_lossy(output.stdout.as_slice()),
 );
 } else {
- println!("{}:\n\t{:?}", task, result);
+ println!("{}:\n\t{:?}", task, output);
 }
 Ok(())
-- 
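Review bot: `init_task` unshares the mount namespace but never changes mount propagation, so if `build/tmp` lives on a `shared` mount (the usual state on systemd-based hosts, where `/` is made rshared) the tmpfs mounted on `build/tmp/runc` and the read-only bind beneath it propagate back into the parent namespace and into the namespaces of other tasks, which defeats the per-task isolation this commit is after and can leave stale mounts behind once the task exits. Make the tree private immediately after the `unshare` call, e.g. `mount::mount::<str, str, str, str>(None, "/", None, MsFlags::MS_REC | MsFlags::MS_PRIVATE, None).to_io_result()?;` (or at minimum mark `build/tmp` private). `init_task` also deserves a doc comment stating that it irreversibly moves the calling process into a fresh mount namespace and needs CAP_SYS_ADMIN, and that it is meant to run once in a process dedicated to a single task, because a second call in the same process would unshare from the already-modified namespace and stack another tmpfs over `build/tmp/runc`; whether `handle_task` is invoked once per process is not visible in this hunk. The tmpfs is mounted with `MsFlags::empty()`, so it is unbounded and lacks `MS_NOSUID | MS_NODEV`; passing those flags together with a `Some("size=...")` data argument would bound what a task can write there.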