client: mount shared alloc dir as nobody (#20589)

In the Unveil filesystem isolation mode we were mounting the shared
alloc dir with the UID/GID of the user of the task dir being mounted
and 0710 filesystem permissions. This was causing the actual task dir
to become inaccessible to other tasks in the allocation (a race where
the last mounter wins). Instead mount the shared alloc dir as nobody
with 0777 filesystem permissions.

client/allocdir/task_dir.go

@@ -170,6 +170,11 @@ func (t *TaskDir) Build(fsi fsisolation.Mode, chroot map[string]string, username
 			return fmt.Errorf("Failed to lookup user: %v", err)
 		}
 
+		nobodyUID, nobodyGID, _, err := dynamic.LookupUser("nobody")
+		if err != nil {
+			return fmt.Errorf("Failed to lookup nobody user: %v", err)
+		}
+
 		// create the task unique directory under the client mounts path
 		parent := filepath.Dir(t.MountsAllocDir)
 		if err = os.MkdirAll(parent, fileMode710); err != nil {
@@ -179,10 +184,20 @@ func (t *TaskDir) Build(fsi fsisolation.Mode, chroot map[string]string, username
 			return fmt.Errorf("Failed to chown task mount directory: %v", err)
 		}
 
-		// create the task, alloc, and secrets mount points
-		mountDir(t.Dir, t.MountsTaskDir, uid, gid, fileMode710)
-		mountDir(filepath.Join(t.AllocDir, "/alloc"), t.MountsAllocDir, uid, gid, fileMode710)
-		mountDir(t.SecretsDir, t.MountsSecretsDir, uid, gid, fileMode710)
+		// create the taskdir mount point
+		if err = mountDir(t.Dir, t.MountsTaskDir, uid, gid, fileMode710); err != nil {
+			return fmt.Errorf("Failed to mount task dir: %v", err)
+		}
+
+		// create the allocdir mount point (owned by nobody)
+		if err = mountDir(filepath.Join(t.AllocDir, "/alloc"), t.MountsAllocDir, nobodyUID, nobodyGID, fileMode777); err != nil {
+			return fmt.Errorf("Failed to mount alloc dir: %v", err)
+		}
+
+		// create the secretsdir mount point
+		if err = mountDir(t.SecretsDir, t.MountsSecretsDir, uid, gid, fileMode710); err != nil {
+			return fmt.Errorf("Failed to mount secrets dir: %v", err)
+		}
 	}
 
 	return nil