Previously, the code was tracking resources like file descriptors in
local variables, which could leak when exiting via error paths.
Improve this by introducing a struct to hold state. With this in
place, we can also break out the code to grab file descriptors to pass
back to the caller into a wrapper function, thus simplifying
minijail_run_internal. Furthermore, additional resources (such as
allocated child environments, which are the subject of a subsequent code
change) can now be added in a straightforward way.
No (intended) functional changes.
BUG=chromium:1050997
TEST=Builds and passes unit tests and security.Minijail* tast tests.
Change-Id: Ic80cbc92c428b3d0346768cd594e98faf7cc60a2
This avoids "leaking" duplicated file descriptors in the child process.
This also allows the child process to signal the end of its processing
by closing its stdout and stderr. This can now be reliably detected by
the parent process, if needed.
Bug: chromium:1009857
Test: Unit tests pass
Change-Id: Ie1cd4ff9e95f18e423df007f88bfff34456346f3
We have been unable to uprev Minijail in Chrome OS since this CL
landed. Even after
https://android-review.googlesource.com/c/platform/external/minijail/+/1108653,
this CL reliably breaks the arc.Boot Tast test. Revert temporarily to
allow a Minijail uprev required for bug fixes.
Bug: crbug.com/985467
Test: Build, deploy on Chrome OS, arc.Boot passes.
This reverts commit 64cf3cbb6e8c3d656304944c8c8f327b6ec71aaa.
Change-Id: I022ee376b4a09f57a0511d7d9bfd48959b04406b
Using pivot-roots with bindmounts causes the kernel to keep some
mount flags of the source directory (nosuid, noexec, nodev) that have to
be specified during the RO-remount, otherwise the mount will fail with EPERM.
This was previously covered by obtaining the source mount flags in
`setup_mount_destination`. That function failed to provide those flags if the
destination folder already exists (mounting destination '/').
This commit moves the logic to determine the mount flags of a given
mountpoint into a dedicated function and properly handles vfs->mount
flag translation.
Test: All tests pass
Bug: crbug.com/971656
Change-Id: I7468b63e26fd43f45175ac54c952f726ff93a434
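As an added illustration of the flag handling this commit describes (example code written here, not minijail's own implementation): statvfs(2) reports a mountpoint's flags as ST_* bits, which must be translated into the MS_* bits mount(2) understands before they are repeated on the read-only remount of a bind mount. The function names vfs_to_mount_flags, get_mount_flags and ro_remount_flags are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* glibc exposes ST_NODEV/ST_NOEXEC only with this */
#endif
#include <stdio.h>
#include <sys/mount.h>
#include <sys/statvfs.h>

/* Fallbacks in case the libc headers do not expose these (Linux values). */
#ifndef ST_NODEV
#define ST_NODEV 4
#endif
#ifndef ST_NOEXEC
#define ST_NOEXEC 8
#endif

/* Translate the ST_* flags from statvfs(2) into the MS_* flags mount(2)
 * expects. Only the bits the kernel insists on during a remount are kept.
 * Hypothetical helper for this example. */
static unsigned long vfs_to_mount_flags(unsigned long st_flags)
{
    unsigned long ms = 0;
    if (st_flags & ST_RDONLY) ms |= MS_RDONLY;
    if (st_flags & ST_NOSUID) ms |= MS_NOSUID;
    if (st_flags & ST_NODEV)  ms |= MS_NODEV;
    if (st_flags & ST_NOEXEC) ms |= MS_NOEXEC;
    return ms;
}

/* Look up the MS_* flags of the filesystem that contains |path|.
 * Works whether or not |path| is itself a mountpoint (e.g. '/').
 * Returns 0 on success and -1 if statvfs(2) fails. */
static int get_mount_flags(const char *path, unsigned long *flags_out)
{
    struct statvfs st;
    if (statvfs(path, &st) != 0)
        return -1;
    *flags_out = vfs_to_mount_flags(st.f_flag);
    return 0;
}

/* Flags for the read-only remount of a bind mount: the source's
 * nosuid/nodev/noexec bits must be repeated, or the kernel returns EPERM. */
static unsigned long ro_remount_flags(unsigned long source_flags)
{
    return MS_BIND | MS_REMOUNT | MS_RDONLY | source_flags;
}

int main(void)
{
    unsigned long f;
    if (get_mount_flags("/", &f) == 0)
        printf("/ has flags 0x%lx; RO remount needs 0x%lx\n", f, ro_remount_flags(f));
    return 0;
}
```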
Detect at runtime whether SECCOMP_RET_LOG is available and use that for
logging.
Bug: chromium:934859
Test: New unit tests.
Test: On 4.14 device, minijail0 -S -L test/seccomp.policy -- /bin/true.
Test: audit.log shows failing syscall, binary exits successfully.
Test: On <4.14 device, behaves as before.
Change-Id: Ic9da1b5dae2b4b1df50e9d3e6f18c816e93bff87
The existing code first decides whether to set SECBIT_KEEP_CAPS
individually via PR_SET_KEEPCAPS, then updates it again via
PR_SET_SECUREBITS. This change untangles that logic into a single
function.
Bug: None
TEST=Builds and passes tests.
Change-Id: I78bb0d78ade8deabffdaddf71f01edce67b222bb
This change avoids setting PR_SET_KEEPCAPS if the bit is locked and we
are using ambient capabilities. This allows using minijail from an
already-minijailed process.
Bug: 112030238
Test: make tests
Change-Id: Iafd5d2409dcb526048b84edfc8b8f29f30d0dd4c
This change makes all bindmounts copy the mount flags from the source
path if a remount is issued. It also fixes a bug where ro mounts could
never become rw.
Bug: 111325710
Test: make tests
Test: Repro scenario in https://crbug.com/862171
Change-Id: Ia87ea2933f1ab1b8a9fd2efd6f832c51a5a8f7a2
If we're asked to skip setting *and* locking the SECURE_NOROOT
securebit, also skip dropping the bounding set. If the caller wants to
regain all capabilities when executing a set-user-ID-root program,
allow them to do so. The default behavior (i.e. the behavior without
|securebits_skip_mask| set) will still put the jailed process tree in a
capabilities-only environment.
This will allow giving powerd on Chrome OS some capabilities without
breaking other things.
Bug: 78629772
Test: New unit tests.
Test: Ad-hoc with fork+exec program + setuid program + -B 0x3
Test: Setuid program is able to keep all caps.
Change-Id: I36f79a42666720a65d88ec48454b56695f25b64b
Currently if you want to bind mount a single subdir, you have to make
sure to create the full parent directory chain. For example, if you
want /var/lib/timezone/ but not the rest of /var, you have to do:
    -k none,/var,tmpfs
    -k none,/var/lib,tmpfs
    -b /var/lib/timezone/
For every additional subdir, you need to add another -k option just to
do an [effective] mkdir with a tmpfs mount.
The current -k/-b behavior is to run mkdir if the target doesn't already
exist, but only for the final target. Let's extend it to also create any
missing parent paths, so now only the base path needs to be writable:
    -k none,/var,tmpfs
    -b /var/lib/timezone/
Bug: None
Test: `minijail0 --profile minimalistic-mountns -k none,/var,tmpfs -b /var/lib/timezone /bin/date` works
Change-Id: I7f36bcb445ce40ed66a9403a4ee1c1fe3f9e5ea8
This project was started as a BSD licensed work, and it remained that
way even after the AOSP move, so make sure new files correctly reflect
that too. Otherwise we end up with half the files using BSD and the
other half using Apache which is annoying.
Bug: None
Test: grepped for "apache" in all the files
Change-Id: I7cc7c890b42a1ded7552e1852246eaf86ca8428c
This change uses whatever was passed into the -u/-g flags as the user to change
in the user namespace. This is used to fix an issue where calling open(2) on a
file on the tmpfs created by minijail would return EOVERFLOW[1]. An easy way to
reproduce is running this on a 4.8 kernel (or Ubuntu Xenial, which has this
change backported):
$ ./minijail0 -T static -Ut -- /bin/bash -c 'touch /tmp/foo'
This change allows a non-zero uid/gid to be mapped to the current user when
entering a namespace, to avoid the above issue.
1: More information about the bug here:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1659087
Bug: None
Test: make tests
Test: ./minijail0 -T static -Ut -u 1000 -g 1000 -M -m -- \
/bin/bash -c 'touch /tmp/foo'
Change-Id: I393daaf8c2b2355e33c75a908345bb03f1980271
If you try to pass a bogus path like -b /asdf,/asdf, minijail doesn't
mind and goes ahead and creates the destination (which also creates
the source), and then does a bind mount. We should instead abort --
if you really want to bind mount a new directory or file, the daemon
should explicitly create the path correctly.
For the -k option, we were stating the pseudo source, which could lead
to bad behavior, e.g. if there was a file in the cwd named "none" or
"proc", we'd stat() it and then change the destination setup logic.
The current behavior is also a little idiosyncratic: if the source
and dest are the same, there's no error, but if you try to mount to
a different path (-b /asdf,/foo), it'll fail. Or if you try to use
a chroot/pivot root, it'll fail.
We now enforce absolute paths for sources with the -b & -k options.
This shouldn't be a problem in general, and it makes the behavior a
bit more consistent.
Bug: None
Test: unittests pass
Test: betty VM boots and cheets_StartAndroid passes
Change-Id: I26310ba45b8e463533485de879a19e578d66b0e6
This change allows the user to optionally skip setting a subset of the
securebits that are automatically set when restricting caps.
Bug: 63069223
Test: $ gcc -static -xc -o securebits - << EOF
#include <stdio.h>
#include <sys/prctl.h>
int main()
{
    printf("%x\n", prctl(PR_GET_SECUREBITS));
}
EOF
$ sudo ./minijail0 -c 1fffffffff --ambient ./securebits
2f
$ sudo ./minijail0 -c 1fffffffff --ambient -B 2f ./securebits
0
Change-Id: Ie247302bbbb35f04caa2066541a8c175f6c94976
Credit to Brian McGillion for the initial implementation (in
https://android-review.googlesource.com/#/c/302756/).
Current support allows callers to also set ambient capabilities when
using regular capabilities. A follow-up CL will clean up the preloading
situation wrt ambient capabilities.
Bug: 32066154
Test: Use 'drop_privs' executable, check that it gets ambient caps.
Change-Id: If493fb5886fe9798436a749b7ebdbc04f00000b6
- Extract helper functions that don't take a 'struct minijail' into a
  separate file. Document this in a new HACKING file.
- Add support for long cmdline options in minijail0.c.
Bug: 32066154
Test: Unit tests on Linux and Android.
Change-Id: I246ff7f9459792e64e5be5b9c9ea650e3f1d2c58