author | Jorge Lucangeli Obes <jorgelo@google.com> | 2015-12-04 21:45:50 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2015-12-04 21:45:50 +0000 |
commit | d7728b814333c62a52c213d0d89a3f345bb914eb (patch) | |
tree | c257ae620169c5580c796e026ebdcd75a8b89c6c | |
parent | d38f3997beb35a63652579289d0898fc71ccc86f (diff) | |
parent | d16ac49c9866b94ea74dcdaff2a7ebc9d05246dc (diff) | |
download | minijail-d7728b814333c62a52c213d0d89a3f345bb914eb.tar.gz |
Merge "Allow setting supplementary GIDs directly."
-rw-r--r-- | libminijail.c | 38 | ||||
-rw-r--r-- | libminijail.h | 5 |
2 files changed, 40 insertions, 3 deletions
diff --git a/libminijail.c b/libminijail.c
index 9e2c24e..00a4344 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -87,6 +87,8 @@ struct minijail {
 	struct {
 		int uid:1;
 		int gid:1;
+		int usergroups:1;
+		int suppl_gids:1;
 		int caps:1;
 		int vfs:1;
 		int enter_vfs:1;
@@ -97,7 +99,6 @@ struct minijail {
 		int userns:1;
 		int seccomp:1;
 		int remount_proc_ro:1;
-		int usergroups:1;
 		int no_new_privs:1;
 		int seccomp_filter:1;
 		int log_seccomp_filter:1;
@@ -112,6 +113,8 @@ struct minijail {
 	gid_t gid;
 	gid_t usergid;
 	char *user;
+	size_t suppl_gid_count;
+	gid_t *suppl_gid_list;
 	uint64_t caps;
 	pid_t initpid;
 	int mountns_fd;
@@ -188,6 +191,28 @@ void API minijail_change_gid(struct minijail *j, gid_t gid)
 	j->flags.gid = 1;
 }
 
+int API minijail_set_supplementary_gids(struct minijail *j, size_t size,
+					const gid_t *list)
+{
+	if (j->flags.usergroups)
+		die("cannot inherit *and* set supplementary groups");
+
+	if (size == 0)
+		return -EINVAL;
+
+	/* Copy the gid_t array. */
+	j->suppl_gid_list = calloc(size, sizeof(gid_t));
+	if (!j->suppl_gid_list) {
+		return -ENOMEM;
+	}
+	for (size_t i = 0; i < size; i++) {
+		j->suppl_gid_list[i] = list[i];
+	}
+	j->suppl_gid_count = size;
+	j->flags.suppl_gids = 1;
+	return 0;
+}
+
 int API minijail_change_user(struct minijail *j, const char *user)
 {
 	char *buf = NULL;
@@ -962,12 +987,21 @@ static void write_pid_file(const struct minijail *j)
 
 void drop_ugid(const struct minijail *j)
 {
+	if (j->flags.usergroups && j->flags.suppl_gids) {
+		die("tried to inherit *and* set supplementary groups;"
+		    " can only do one");
+	}
+
 	if (j->flags.usergroups) {
 		if (initgroups(j->user, j->usergid))
 			pdie("initgroups");
+	} else if (j->flags.suppl_gids) {
+		if (setgroups(j->suppl_gid_count, j->suppl_gid_list)) {
+			pdie("setgroups");
+		}
 	} else {
 		/*
-		 * Only attempt to clear supplemental groups if we are changing
+		 * Only attempt to clear supplementary groups if we are changing
 		 * users.
 		 */
 		if ((j->uid || j->gid) && setgroups(0, NULL))
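Review bot: A second call to minijail_set_supplementary_gids leaks the first list: the calloc assigns over j->suppl_gid_list without freeing it, and the diffstat (40 insertions, all visible here) shows no matching free in the jail's teardown either, so the copy is never released. Add `free(j->suppl_gid_list);` before the calloc and release it wherever the jail is destroyed (outside this diff). A NULL |list| with a non-zero |size| is dereferenced in the copy loop, so the argument check should be `if (size == 0 || !list) return -EINVAL;`. The element loop can be `memcpy(j->suppl_gid_list, list, size * sizeof(gid_t));`, since calloc has already validated the multiplication. As a point of consistency, the usergroups conflict is the only misuse this function reports with die() rather than a negative errno; returning -EINVAL would match the other two paths, and the check added to drop_ugid still catches the reverse ordering.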
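Review bot: The new else-if branch makes pdie("setgroups") the first place an over-long list is rejected: a count above the kernel's limit fails with EINVAL only at drop time, killing the process long after the caller could have handled it. Checking `if (size > NGROUPS_MAX) return -EINVAL;` (from <limits.h>) in minijail_set_supplementary_gids would report it as a return code instead. The die() at the top appears to exist to catch the ordering the setter cannot (usergroups enabled after the list was set); a one-line comment saying so, `/* The setter rejects inherit-then-set; this catches set-then-inherit. */`, would save the next reader from treating it as dead code. drop_ugid continues past the end of the hunk.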
diff --git a/libminijail.h b/libminijail.h
index aceb69b..f5c6ec7 100644
--- a/libminijail.h
+++ b/libminijail.h
@@ -40,6 +40,9 @@ struct minijail *minijail_new(void);
  */
 void minijail_change_uid(struct minijail *j, uid_t uid);
 void minijail_change_gid(struct minijail *j, gid_t gid);
+/* Copies |list|. */
+int minijail_set_supplementary_gids(struct minijail *j, size_t size,
+				    const gid_t *list);
 /* Stores user to change to and copies |user| for internal consistency. */
 int minijail_change_user(struct minijail *j, const char *user);
 /* Does not take ownership of |group|. */
@@ -119,7 +122,7 @@ void minijail_mount_tmp(struct minijail *j);
  * of minijail_mount() calls.
  */
 int minijail_mount(struct minijail *j, const char *src, const char *dest,
-		   const char *type, unsigned long flags);
+		   const char *type, unsigned long flags);
 /*
  * minijail_bind: bind-mounts @src into @j as @dest, optionally writeable
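Review bot: The header comment `/* Copies |list|. */` omits the contract the implementation enforces: |size| must be non-zero, the call is rejected when the jail already inherits the user's groups, and it returns 0, -EINVAL or -ENOMEM. A caller can only learn this from libminijail.c, while the neighbouring comments already spell out ownership and copying for |user| and |group|, so the new one should match: `/* Copies |list| (caller keeps it); |size| must be > 0. Cannot be combined with inheriting the user's groups. Returns 0, -EINVAL or -ENOMEM. */`.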