| field | value | date |
|---|---|---|
| author | Jorge Lucangeli Obes <jorgelo@google.com> | 2016-09-23 15:21:57 -0400 |
| committer | Jorge Lucangeli Obes <jorgelo@google.com> | 2016-09-23 15:35:23 -0400 |
| commit | 200299c81d043606bf1290408251c01d46c51baf (patch) | |
| tree | 248188b98b73e415fbaf8770ebb2d8fd05b32814 /libminijail.h | |
| parent | 85683d1c6ff3c8f84e23399893eda9ab2a6e15b4 (diff) | |
| download | minijail-200299c81d043606bf1290408251c01d46c51baf.tar.gz | |
Allow entering a user namespace with a default gid mapping.
https://android-review.googlesource.com/253910 added functionality to
enter a user namespace with a default uid mapping. This CL completes
that with a default gid mapping.
This is useful when using user namespaces to gain root inside a
namespace. Note that setting the gid map as a non-root user requires
disabling the setgroups(2) system call by writing "deny" to
/proc/[pid]/setgroups.
Eventually we might expose disabling setgroups(2) as a command-line
option, but there's no need to do it now.
Bug: 30691131
Test: Using minijail0:
$ ./minijail0 -m /usr/bin/id
uid=0(root) gid=65534(nogroup) groups=0(root),65534(nogroup)
$ ./minijail0 -m -M /usr/bin/id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
Change-Id: I8f91bc43516a47df7bbf12a121cf658e89861aa0
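The commit message above states the requirement that makes the default gid mapping work for an unprivileged caller: "deny" must be written to /proc/[pid]/setgroups before gid_map. The following is an added example, not minijail's own code, showing that sequence with raw system calls on Linux (it assumes a kernel with user namespaces and a mounted /proc; the helper names `format_id_map`, `write_proc_file`, `enter_userns_default_maps` and `probe_userns_default_maps` are this example's own). It maps the caller's uid and gid to root inside a fresh namespace, which is the effect the `-m -M` test run in the commit message demonstrates with minijail0:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Build the single-line "inside outside count" entry the kernel expects in
 * /proc/[pid]/uid_map and gid_map. Returns the byte count written, or -1 if
 * the buffer is too small. */
int format_id_map(id_t inside, id_t outside, char *buf, size_t len) {
    int n = snprintf(buf, len, "%u %u 1\n", (unsigned)inside, (unsigned)outside);
    if (n < 0 || (size_t)n >= len) return -1;
    return n;
}

/* Write a short string to a /proc file in a single write(2); these files
 * reject partial or repeated writes. Returns 0 on success, -1 with errno set. */
static int write_proc_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t w = write(fd, text, strlen(text));
    int saved = errno;
    close(fd);
    if (w != (ssize_t)strlen(text)) { errno = saved ? saved : EIO; return -1; }
    return 0;
}

/* Enter a new user namespace as an unprivileged user and install a
 * "0 <outer id> 1" mapping for both uid and gid. Ordering matters: without
 * CAP_SETGID in the parent namespace the kernel refuses gid_map (EPERM)
 * unless "deny" was written to /proc/self/setgroups first, which is exactly
 * the constraint the commit message describes. Returns 0 on success, -1 with
 * errno set (e.g. EPERM when a seccomp policy or sysctl forbids unshare). */
int enter_userns_default_maps(void) {
    uid_t outer_uid = getuid();
    gid_t outer_gid = getgid();
    char map[64];

    if (unshare(CLONE_NEWUSER) != 0) return -1;

    if (format_id_map(0, outer_uid, map, sizeof map) < 0) { errno = EINVAL; return -1; }
    if (write_proc_file("/proc/self/uid_map", map) != 0) return -1;

    /* Must precede gid_map; afterwards setgroups(2) fails with EPERM inside. */
    if (write_proc_file("/proc/self/setgroups", "deny") != 0) return -1;

    if (format_id_map(0, outer_gid, map, sizeof map) < 0) { errno = EINVAL; return -1; }
    if (write_proc_file("/proc/self/gid_map", map) != 0) return -1;
    return 0;
}

/* Run the sequence in a forked child so the caller's namespace is untouched.
 * Returns 1 if the child became uid 0 / gid 0 in its new namespace, 0 if user
 * namespaces are unavailable to this caller (restricted container, sysctl,
 * old kernel), and -1 on any other failure such as a wrong write order. */
int probe_userns_default_maps(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (enter_userns_default_maps() != 0) {
            int e = errno;
            int unavailable = (e == EPERM || e == EACCES || e == EINVAL ||
                               e == ENOSYS || e == ENOSPC || e == ENOENT);
            _exit(unavailable ? 2 : 3);
        }
        _exit((getuid() == 0 && getgid() == 0) ? 0 : 3);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 1;
    case 2:  return 0;
    default: return -1;
    }
}

int main(void) {
    int r = probe_userns_default_maps();
    printf("user namespace with default uid/gid maps: %s\n",
           r == 1 ? "root:root inside" : r == 0 ? "unavailable here" : "FAILED");
    return r < 0 ? 1 : 0;
}
```

Swap the two `write_proc_file` calls for gid_map and setgroups and the probe reports a failure on any kernel that enforces the rule, which is a quick way to confirm that a sandbox helper writes the files in the required order.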
Diffstat (limited to 'libminijail.h')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | libminijail.h | 1 |

1 files changed, 1 insertions, 0 deletions
diff --git a/libminijail.h b/libminijail.h index 98d5009..ae829d9 100644 --- a/libminijail.h +++ b/libminijail.h @@ -75,6 +75,7 @@ void minijail_namespace_cgroups(struct minijail *j); */ void minijail_namespace_pids(struct minijail *j); void minijail_namespace_user(struct minijail *j); +void minijail_namespace_user_disable_setgroups(struct minijail *j); int minijail_uidmap(struct minijail *j, const char *uidmap); int minijail_gidmap(struct minijail *j, const char *gidmap); void minijail_remount_proc_readonly(struct minijail *j); |
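Review bot: the new declaration `void minijail_namespace_user_disable_setgroups(struct minijail *j);` in the libminijail.h hunk lands in the public API without a comment, while the surrounding declarations sit under a comment block (the `*/` just above `minijail_namespace_pids`). Callers cannot tell from the header that this only has an effect together with `minijail_namespace_user`, that it writes "deny" to /proc/[pid]/setgroups, or that it is required for `minijail_gidmap` to succeed when the jail is set up by a non-root user, all of which the commit message states but the header does not. Suggest a short comment on the declaration covering those three points and noting that setgroups(2) fails with EPERM inside the jail afterwards, so users of the API can decide whether that is acceptable for their workload.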