diff options
| author | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-02-06 01:07:18 +0000 |
|---|---|---|
| committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-02-06 01:07:18 +0000 |
| commit | c6dc29781fb191d26af755bc2c9436561c99ff88 (patch) | |
| tree | fc80a999c3ca5014a36190f7804c5cf3e4ac6770 | |
| parent | 4a9d2901ebb203adc607e0ccac537718e317da30 (diff) | |
| parent | cc5917c757d80e36cacf8b9ceb52617c33911b33 (diff) | |
| download | minijail-c6dc29781fb191d26af755bc2c9436561c99ff88.tar.gz | |
minijail0: add minimalistic-mountns-nodev profile am: cc5917c757
Change-Id: I4a3711aac8a8eb511b8ca52872986603b6e2eb0a
| -rw-r--r-- | minijail0.1 | 4 | ||||
| -rw-r--r-- | minijail0_cli.c | 13 | ||||
| -rw-r--r-- | minijail0_cli_unittest.cc | 1 |
3 files changed, 13 insertions, 5 deletions
diff --git a/minijail0.1 b/minijail0.1 index 642c48c..cab94ec 100644 --- a/minijail0.1 +++ b/minijail0.1 @@ -309,6 +309,10 @@ The following sandboxing profiles are supported: \fBminimalistic-mountns\fR Set up a minimalistic mount namespace. Equivalent to \fB-v -P /var/empty -b / -b /proc -b /dev/log -t -r --mount-dev\fR. +.TP +\fBminimalistic-mountns-nodev\fR +Set up a minimalistic mount namespace with an empty /dev path. Equivalent to +\fB-v -P /var/empty -b/ -b/proc -t -r\fR. .SH IMPLEMENTATION This program is broken up into two parts: \fBminijail0\fR (the frontend) and a helper library called \fBlibminijailpreload\fR. Some jailings can only be achieved diff --git a/minijail0_cli.c b/minijail0_cli.c index 277c222..f19a053 100644 --- a/minijail0_cli.c +++ b/minijail0_cli.c @@ -376,7 +376,8 @@ static void use_profile(struct minijail *j, const char *profile, { /* Note: New profiles should be added in minijail0_cli_unittest.cc. */ - if (!strcmp(profile, "minimalistic-mountns")) { + if (!strcmp(profile, "minimalistic-mountns") || + !strcmp(profile, "minimalistic-mountns-nodev")) { minijail_namespace_vfs(j); if (minijail_bind(j, "/", "/", 0)) { fprintf(stderr, "minijail_bind(/) failed.\n"); @@ -386,11 +387,13 @@ static void use_profile(struct minijail *j, const char *profile, fprintf(stderr, "minijail_bind(/proc) failed.\n"); exit(1); } - if (minijail_bind(j, "/dev/log", "/dev/log", 0)) { - fprintf(stderr, "minijail_bind(/dev/log) failed.\n"); - exit(1); + if (!strcmp(profile, "minimalistic-mountns")) { + if (minijail_bind(j, "/dev/log", "/dev/log", 0)) { + fprintf(stderr, "minijail_bind(/dev/log) failed.\n"); + exit(1); + } + minijail_mount_dev(j); } - minijail_mount_dev(j); if (!*tmp_size) { /* Avoid clobbering |tmp_size| if it was already set. */ *tmp_size = DEFAULT_TMP_SIZE; diff --git a/minijail0_cli_unittest.cc b/minijail0_cli_unittest.cc index 0d6a07d..077f5f7 100644 --- a/minijail0_cli_unittest.cc +++ b/minijail0_cli_unittest.cc @@ -286,6 +286,7 @@ TEST_F(CliTest, valid_profile) { // This should list all valid profiles. const std::vector<std::string> profiles = { "minimalistic-mountns", + "minimalistic-mountns-nodev", }; for (const auto profile : profiles) { |