| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
lookup_group uses getgrnam_r to lookup a group's gid, and
lookup_user uses getpwnam_r to lookup a user's uid.
Those 2 functions can return ERANGE if the passed buffer is
too small to hold the group (or user) information. Fix the
code logic by using sysconf(_SC_GETGR_R_SIZE_MAX) and
sysconf(_SC_GETPW_R_SIZE_MAX) only as hints for the minimal
buffer size to use instead of the max size.
When ERANGE is returned, retry with a buffer twice as big,
until we get valid data, up to 1 MiB.
Change-Id: Id91232e0faffa47356d80d487442d73bc907af98
|
| |
|
|
|
|
|
|
|
|
| |
Make sure to pass error codes back to callers and include them in
diagnostics printed by minijail0.
Bug: chromium:1055067
Test: Compiles and passes tests.
Change-Id: Ic07c5917e7826dd7cf2bfbd3483ad97ad199b670
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, the code was tracking resources like file descriptors in
local variables, which could leak when exiting via error paths.
Improve this by introducing a struct to hold state. With this in
place, we can also break out the code to grab file descriptors to pass
back to the caller into a wrapper function, thus simplifying
minijail_run_internal. Furthermore, additional resources (such as
allocated child environments, which are subject of a subsequent code
change) can now be added in a straightforward way.
No (intended) functional changes.
BUG=chromium:1050997
TEST=Builds and passes unit tests and security.Minijail* tast tests.
Change-Id: Ic80cbc92c428b3d0346768cd594e98faf7cc60a2
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This avoids "leaking" duplicated file descriptors in the child process.
This also allows the child process to signal the end of its processing
by closing its stdout and stderr. This can now be reliably detected by
the parent process, if needed.
Bug: chromium:1009857
Test: Unit tests pass
Change-Id: Ie1cd4ff9e95f18e423df007f88bfff34456346f3
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have been unable to uprev Minijail in Chrome OS since this CL
landed. Even after
https://android-review.googlesource.com/c/platform/external/minijail/+/1108653,
this CL reliably breaks the arc.Boot Tast test. Revert temporarily to
allow a Minijail uprev required for bug fixes.
Bug: crbug.com/985467
Test: Build, deploy on Chrome OS, arc.Boot passes.
This reverts commit 64cf3cbb6e8c3d656304944c8c8f327b6ec71aaa.
Change-Id: I022ee376b4a09f57a0511d7d9bfd48959b04406b
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This CL is itself a fix for
https://android-review.googlesource.com/c/platform/external/minijail/+/978609,
which has prevented Minijail uprevs on Chrome OS since it landed.
Revert this and 64cf3cb to allow uprev'ing Minijail on Chrome OS.
Bug: None
Test: Build, deploy on Chrome OS with revert of 64cf3cb.
Test: arc.Boot passes.
This reverts commit 9299cae12e4098b8ae5a32e9326a7a44b2b4de37.
Change-Id: I18b1dcb6539a0fa677918ad427ce004c629c4cdc
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://android-review.googlesource.com/c/platform/external/minijail/+/978609
attempted to fix the case of failing to obtain mount flags from mount
destinations that already existed, but in the process created (or
exposed) a bug. Parts of the code would assume that relative source
paths would refer to pseudo filesystems (like "proc" or "devpts"), but
other parts of the code would assume they referred to valid relative
paths and, for example, call statvfs(2) on them, which would fail
and incorrectly fail the entire function.
Fix by only trying to obtain mount flags when the source is *not*
assumed to be a pseudo fs, and reorganize the code to only have to do
this check once.
Bug: crbug.com/985467
Test: Unit tests pass.
Test: Deploy on Chrome OS, integration tests pass.
Change-Id: I328cdc8b2cefad7a773b599d29191c404ebc54f0
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Using pivot-roots with bindmounts causes the kernel to keep some
mountflags of the source directory (nosuid, noexec, nodev) that have to
be specified during the RO-remount, otherwise the mount will fail with EPERM.
This was already previously covered by obtaining the source mount flags in
`setup_mount_destination`. This function failed to provide those flags if the
estination folder is already existing (mounting destination '/').
This commit moves the logic to determine the mountflags of a given
mountpoint into a dedicated function and properly handles vfs->mount
flag translation.
Test: All tests pass
Bug: crbug.com/971656
Change-Id: I7468b63e26fd43f45175ac54c952f726ff93a434
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Detect at runtime whether SECCOMP_RET_LOG is available and use that for
logging.
Bug: chromium:934859
Test: New unit tests.
Test: On 4.14 device, minijail0 -S -L test/seccomp.policy -- /bin/true.
Test: audit.log shows failing syscall, binary exits successfully.
Test: On <4.14 device, behaves as before.
Change-Id: Ic9da1b5dae2b4b1df50e9d3e6f18c816e93bff87
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Xiyuan correctly points out that writing a pidfile by using rename(2)
doesn't work e.g. on cgroupfs. Given that we routinely write pids to
cgroupfs, revert this commit. The sync issues that this CL was supposed
to fix are covered by
https://android-review.googlesource.com/c/platform/external/minijail/+/950197.
Bug: crbug.com/970215
Test: Without the revert:
Test: 'minijail0 -f /sys/fs/cgroup/freezer/tasks -- /bin/true' fails.
Test: With the revert:
Test: 'minijail0 -f /sys/fs/cgroup/freezer/tasks -- /bin/true' succeeds.
This reverts commit 255a8e2879edb49f395f819e2f8590b40a8284ed.
Change-Id: I545c67a8b241a48466bab348b4e3f778600da7ab
|
| |
|
|
|
|
|
|
|
|
|
| |
We were seeing races in tests where the pidfile was being opened
before the actual writing had taken place. Fix this by using the
classic writing to a temp file and renaming.
Bug: chromium:949357
Test: Existing unit tests.
Change-Id: Ib218f75731eaa22f348fd8eca6549ef638c255f7
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The existing code first decides whether to set SECBIT_KEEP_CAPS
individually via PR_SET_KEEPCAPS, then updates it again via
PR_SET_SECUREBITS. This change untangles that logic into a single
function.
Bug: None
TEST=Builds and passes tests.
Change-Id: I78bb0d78ade8deabffdaddf71f01edce67b222bb
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The header has been available for a long while, so it is no longer
necessary to pretend that we can compile without it. Point in case -
compilation with HAVE_SECUIREBITS_H was broken due to unprotected
SECBIT_ references already.
Bug: None
TEST=Compiles.
Change-Id: I91e5587447178f36d5e1b0cd773bfc468fda276d
|
| |
|
|
|
|
| |
Bug: None
Test: Unit tests.
Change-Id: Ie02081d3043cea4438b3615af29a6876b6cfbc20
|
| |
|
|
|
|
|
|
|
|
| |
This change avoids setting PR_SET_KEEPCAPS if the bit is locked and we
are using ambient capabilities. This allows using minijail from an
already-minijailed process.
Bug: 112030238
Test: make tests
Change-Id: Iafd5d2409dcb526048b84edfc8b8f29f30d0dd4c
|
| |
|
|
|
|
|
|
|
|
|
| |
This change makes all bindmounts copy the mount flags from the source
path if a remount is issued. It also fixes a bug where ro mounts could
never become rw.
Bug: 111325710
Test: make tests
Test: Repro scenario in https://crbug.com/862171
Change-Id: Ia87ea2933f1ab1b8a9fd2efd6f832c51a5a8f7a2
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we're asked to skip setting *and* locking the SECURE_NOROOT
securebit, also skip dropping the bounding set. If the caller wants to
regain all capabilities when executing a set-user-ID-root program,
allow them to do so. The default behavior (i.e. the behavior without
|securebits_skip_mask| set) will still put the jailed process tree in a
capabilities-only environment.
This will allow giving powerd on Chrome OS some capabilities without
breaking other things.
Bug: 78629772
Test: New unit tests.
Test: Ad-hoc with fork+exec program + setuid program + -B 0x3
Test: Setuid program is able to keep all caps.
Change-Id: I36f79a42666720a65d88ec48454b56695f25b64b
|
| |
|
|
|
|
|
|
|
| |
Other functions already do that. This makes it much easier to
understand the reason of a mount_one() failure.
Bug: None
Test: system_unittest still pass
Change-Id: Id57732a4cc40f89063dbfab6154a0fd872b255b0
|
| |
|
|
|
|
|
|
|
| |
Currently -1 is always returned on failure, and the caller treats
it as EPERM, which is not always relevant.
Bug: None
Test: system_unittest passes
Change-Id: I33b4e4b376e35bdacb94eff950109bce4e916328
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently if you want to bind mount a single subdir, you have to make
sure to create the full parent directory chain. For example, if you
want /var/lib/timezone/ but not the rest of /var, you have to do:
-k none,/var,tmpfs
-k none,/var/lib,tmpfs
-b /var/lib/timezone/
For every additional subdir, you need to add another -k option just to
do an [effective] mkdir with a tmpfs mount.
The current -k/-b behavior is to run mkdir if the target doesn't already
exist, but only for the final target. Lets extend it to also create any
missing parent paths, so now only the base path needs to be writable:
-k none,/var,tmpfs
-b /var/lib/timezone/
Bug: None
Test: `minijail0 --profile minimalistic-mountns -k none,/var,tmpfs -b /var/lib/timezone /bin/date` works
Change-Id: I7f36bcb445ce40ed66a9403a4ee1c1fe3f9e5ea8
|
| |
|
|
|
|
|
|
|
|
|
| |
This project was started as a BSD licensed work, and it remained that
way even after the AOSP move, so make sure new files correctly reflect
that too. Otherwise we end up with half the files using BSD and the
other half using Apache which is annoying.
Bug: None
Test: grepped for "apache" in all the files
Change-Id: I7cc7c890b42a1ded7552e1852246eaf86ca8428c
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change uses whatever was passed into the -u/-g flags as the user to change
in the user namespace. This is used to fix an issue where calling open(2) on a
file on the tmpfs created by minijail would return EOVERFLOW[1]. An easy way to
reproduce is running this on a 4.8 kernel (or Ubuntu Xenial, which has this
change backported):
$ ./minijail0 -T static -Ut -- /bin/bash -c 'touch /tmp/foo'
This change allows a non-zero uid/gid to be mapped to the current user when
entering a namespace, to avoid the above issue.
1: More information about the bug here:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1659087
Bug: None
Test: make tests
Test: ./minijail0 -T static -Ut -u 1000 -g 1000 -M -m -- \
/bin/bash -c 'touch /tmp/foo'
Change-Id: I393daaf8c2b2355e33c75a908345bb03f1980271
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If you try to pass a bogus path like -b /asdf,/asdf, minijail doesn't
mind and goes ahead and creates the destination (which also creates
the source), and then does a bind mount. We should instead abort --
if you really want to bind mount a new directory or file, the daemon
should explicitly create the path correctly.
For the -k option, we were stating the pseudo source which could lead
to bad behavior. e.g. If there was a file in the cwd named "none" or
"proc", we'd stat() it, and then change the destination setup logic.
The current behavior is also a little idiosyncratic: if the source
and dest are the same, there's no error, but if you try to mount to
a different path (-b /asdf,/foo), it'll fail. Or if you try to use
a chroot/pivot root, it'll fail.
We now enforce absolute paths for sources with the -b & -k options.
This shouldn't be a problem in general, and it makes the behavior a
bit more consistent.
Bug: None
Test: unittests pass
Test: betty VM boots and cheets_StartAndroid passes
Change-Id: I26310ba45b8e463533485de879a19e578d66b0e6
|
| |
|
|
|
|
|
|
| |
Not a lot here, but better than nothing!
Bug: None
Test: system_unittest passes
Change-Id: I33015ad2193bde8b09be82af65c106da2716262b
|
| |
|
|
|
|
|
|
|
|
|
| |
uint64_t isn't the right type when running on a 32 bit machine.
BUG=none
TEST=check caps can be dropped on a 32 bit userspace machine like kevin.
minijail0 -u wpa -g wpa -c 3000 -i -t -- /bin/ls
Change-Id: I1ec55dc653fe206a1641f0a971ab2b20c42a2d9c
Signed-off-by: Dylan Reid <dgreid@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change allows the user to optionally skip setting a subset of the
securebits that are automatically set when restricting caps.
Bug: 63069223
Test: $ gcc -static -xc -o securebits - << EOF
#include <stdio.h>
#include <sys/prctl.h>
int main()
{
printf("%x\n", prctl(PR_GET_SECUREBITS));
}
EOF
$ sudo ./minijail0 -c 1fffffffff --ambient ./securebits
2f
$ sudo ./minijail0 -c 1fffffffff --ambient -B 2f ./securebits
0
Change-Id: Ie247302bbbb35f04caa2066541a8c175f6c94976
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Credit to Brian McGillion for the initial implementation (in
https://android-review.googlesource.com/#/c/302756/).
Current support allows callers to also set ambient capabilities when
using regular capabilities. A follow-up CL will clean up the preloading
situation wrt ambient capabilities.
Bug: 32066154
Test: Use 'drop_privs' executable, check that it gets ambient caps.
Change-Id: If493fb5886fe9798436a749b7ebdbc04f00000b6
|
|
|
-Extract helper functions that don't take a 'struct minijail' into a
separate file. Document this in a new HACKING file.
-Add support for long cmdline options in minijail0.c.
Bug: 32066154
Test: Unit tests on Linux and Android.
Change-Id: I246ff7f9459792e64e5be5b9c9ea650e3f1d2c58
|
