Age | Commit message | Author |
|
The new -N option wasn't yet added to the manpage. It utilizes the new
cgroup namespace feature of v4.6+ Linux kernels.
BUG=none
TEST=man ./minijail0.1
Change-Id: I3417b209678f3cbb6442eac8839d17ae041a42da
Signed-off-by: Dylan Reid <dgreid@chromium.org>
|
|
Bug: None
Change-Id: I1837d7e0d05671b4d41e747660145790ad04e0c5
|
|
Add an API, minijail_mount_with_data, that allows the mount data string
to be set. This is needed for some mounts when entering a user
namespace and specifying uid=, gid=, or similar mount options.
BUG=b/27273730
TEST=mount proc with hidepid=2 check mount output to confirm
security_Minijail0 test case added.
Change-Id: Ieb48cc10ad4f6ed9968a89189392eb3cfb13af39
Signed-off-by: Dylan Reid <dgreid@chromium.org>
|
|
|
|
Add parentheses around macro arguments used beside operators.
Bug: 28705665
Change-Id: I7a5896f6aa8ef6f3b8192824cfa961ef69fd70b2
Test: build with clang-tidy
|
|
The cgroup namespacing feature was recently added to the Linux kernel.
Allow jailed processes to be placed into a new cgroup namespace. This
avoids leaking host info into the jailed process and allows for the
jailed process to use cgroups as it would if it were running outside of
any namespaces. Android needs this so its cgroup-setting CTS tests can
pass and it can distribute its cpu shares between background and
foreground apps.
CQ-DEPEND=CL:356201
BUG=b/29259708
TEST=minijail0 -m '0 1000 100' -M '0 1000 100' -N /bin/bash
check that the cgroup namespace is different
check that a newly mounted cgroup FS is rooted at the parent's cgroup
Change-Id: I3aead23ec8273eae90184337c040054becf4f12b
Signed-off-by: Dylan Reid <dgreid@chromium.org>
|
|
Also fix a comment that was > 80 cols.
Bug: 28714771
Change-Id: I6c9f2f409bbbd499b9a6efb12b50a57861d6c871
|
|
Chrome OS toolchain generates "-:" instead of "-.o:" when reading the
source from stdin "-". This patch makes the code handle both cases and
fixes some missing quotes.
Bug: chromium:609385
Bug: 27954979
TEST=FEATURES=test emerge-link chromeos-minijail
Change-Id: I88b03d1c080308560f71b4d3f2e3b1522c8900e9
|
|
so ninja can regenerate these files when included header files
are updated.
Bug: 27954979
Change-Id: I7be71330a84be63a0717df4557c089a7b9dfc27c
|
|
Commit id c941736c92fa3a319221f65f6755659b2a5e0a20
removed support for _BSD_SOURCE in favor of _DEFAULT_SOURCE.
This commit introduces support for glibc >= 2.20.
_BSD_SOURCE is not ignored; glibc just emits a warning and then
defines _DEFAULT_SOURCE itself. The warning fails the build
because of -Werror.
Change-Id: I9a72ef419678ab1b76174c9481550af8954c2be4
See: https://sourceware.org/git/?p=glibc.git;a=commit;f=include/features.h;h=c941736c92fa3a319221f65f6755659b2a5e0a20
See: https://sourceware.org/git/?p=glibc.git;a=commit;f=include/features.h;h=ade40b10ff5fa59a318cf55b9d8414b758e8df78
Signed-off-by: Arthur Gautier <superbaloo@gmail.com>
|
|
Previous version did not compile with GCC.
Bug: None
Change-Id: I9f8b40e6e965a7573505cc7f3c1c650b37522926
|
|
Also add an example build target for an ASan-ified libminijail (useful
for debugging).
Bug: 28052772
Change-Id: Ib36a0303d635becaa8802dee56d486f11060ea47
|
|
Kernels 4.3+ define a new securebit (SECURE_NO_CAP_AMBIENT_RAISE),
so using the SECURE_ALL_BITS and SECURE_ALL_LOCKS masks from newer
kernel headers will return EPERM on older kernels. Detect this, and
retry with the right mask for older (2.6.26-4.2) kernels.
Also add a compile-time assert to make sure we identify these changes
sooner going forward.
Bug: 27632733
Change-Id: I6cf9c56fec222347575bd0d1147287aac6572e67
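Added example of the fallback this commit describes (example code, not Minijail's own): the securebit numbers are restated from linux/securebits.h so the file builds without that header, the SECURE_ALL_BITS/SECURE_ALL_LOCKS values for both header generations are derived from them, a compile-time assert pins the 4.3+ value, and a wrapper retries PR_SET_SECUREBITS with the pre-4.3 mask on EPERM. Function and macro names with a _43 or _LEGACY suffix are the example's own.

```c
/* Added example, not Minijail's code: apply the 4.3+ securebits mask and,
 * on EPERM, retry once with the pre-4.3 mask (no SECURE_NO_CAP_AMBIENT_RAISE). */
#include <errno.h>
#include <stdio.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Bit numbers from linux/securebits.h, restated so this builds without the
 * header. Each flag's "locked" bit is the bit directly above it. */
#define SECURE_NOROOT               0
#define SECURE_NO_SETUID_FIXUP      2
#define SECURE_KEEP_CAPS            4
#define SECURE_NO_CAP_AMBIENT_RAISE 6   /* new in Linux 4.3 */
#define SECBIT(b)      (1UL << (b))
#define SECBIT_LOCK(b) (1UL << ((b) + 1))

/* What SECURE_ALL_BITS / SECURE_ALL_LOCKS expand to in 4.3+ headers ... */
#define SECURE_ALL_BITS_43  (SECBIT(SECURE_NOROOT) | SECBIT(SECURE_NO_SETUID_FIXUP) | \
                             SECBIT(SECURE_KEEP_CAPS) | SECBIT(SECURE_NO_CAP_AMBIENT_RAISE))
#define SECURE_ALL_LOCKS_43 (SECURE_ALL_BITS_43 << 1)
/* ... and in 2.6.26 through 4.2 headers. */
#define SECURE_ALL_BITS_LEGACY  (SECBIT(SECURE_NOROOT) | SECBIT(SECURE_NO_SETUID_FIXUP) | \
                                 SECBIT(SECURE_KEEP_CAPS))
#define SECURE_ALL_LOCKS_LEGACY (SECURE_ALL_BITS_LEGACY << 1)

/* Compile-time check in the spirit of the commit: when a header adds another
 * securebit the "all bits" value changes and the build stops here, so the
 * fallback below gets revisited instead of silently returning EPERM. */
_Static_assert(SECURE_ALL_BITS_43 == 0x55UL && SECURE_ALL_LOCKS_43 == 0xaaUL,
               "securebits layout changed; revisit legacy_securebits()");

/* Strip the two bits that pre-4.3 kernels reject as unknown. */
unsigned long legacy_securebits(unsigned long mask)
{
	return mask & ~(SECBIT(SECURE_NO_CAP_AMBIENT_RAISE) |
			SECBIT_LOCK(SECURE_NO_CAP_AMBIENT_RAISE));
}

/* 1 if |mask| uses a bit that 2.6.26-4.2 kernels do not know about. */
int needs_fallback(unsigned long mask)
{
	return legacy_securebits(mask) != mask;
}

/* Apply |mask| with PR_SET_SECUREBITS. The kernel answers EPERM both for
 * unknown bits and for a caller without CAP_SETPCAP, so on EPERM we retry
 * once with the legacy mask and only then give up. Returns 0 on success
 * (|*applied| holds the mask that took effect), -1 with errno otherwise. */
int set_securebits_with_fallback(unsigned long mask, unsigned long *applied)
{
#ifdef __linux__
	if (prctl(PR_SET_SECUREBITS, mask, 0, 0, 0) == 0) {
		*applied = mask;
		return 0;
	}
	if (errno == EPERM && needs_fallback(mask)) {
		unsigned long legacy = legacy_securebits(mask);
		if (prctl(PR_SET_SECUREBITS, legacy, 0, 0, 0) == 0) {
			*applied = legacy;
			return 0;
		}
	}
	return -1;
#else
	(void)mask;
	(void)applied;
	errno = ENOSYS;
	return -1;
#endif
}

int main(void)
{
	unsigned long applied = 0;
	unsigned long want = SECURE_ALL_BITS_43 | SECURE_ALL_LOCKS_43;

	if (set_securebits_with_fallback(want, &applied) == 0)
		printf("securebits set to 0x%lx\n", applied);
	else
		perror("PR_SET_SECUREBITS (needs CAP_SETPCAP)");
	return 0;
}
```

The retry cannot distinguish "old kernel" from "no CAP_SETPCAP": both end in EPERM, and only a successful second prctl proves it was the former. That is why the compile-time assert matters more than the runtime branch; it turns the next header change into a build failure rather than a field report of EPERM.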
|
|
|
|
Change-Id: Iee493a21252ef952c6d34ded1443ad9bbeb960d7
|
|
|
|
I did not notice "unmount(2)" -- the syscall is "umount".
While in there, reword the comment to make it clearer.
Bug: None
Change-Id: I789a5a2c42a4973e8d90e3b61714fc84bd558df6
|
|
With -K (skip_private_remount) option, there could
be shared mount points under the oldroot.
So, unmounting oldroot triggers unmounting mount
points under the shared mount points, which will be
propagated to the original namespace and corresponding
mount points will be unmounted in those namespaces,
too.
To prevent such unexpected unmounting, this CL removes
mount points being unmounted from peer groups.
Bug: 27689605
TEST=Set up mount points;
minijail0 -v -K -b /bin,/bin -P $CONTAINER -- /bin/true;
Make sure shared mount points are untouched in the original namespace.
Change-Id: I3dbf7de2a63382c084e4d7e4c2675cc2a6f73c77
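Added example (not Minijail's code) of the propagation problem this commit addresses: it parses /proc/self/mountinfo to list the mounts under the old root that sit in a shared peer group, then makes each one private before lazily detaching it, children first, so nothing is unmounted in the original namespace. The mountinfo excerpt is constructed for the example, and the path /tmp/oldroot is an assumption; in practice a single recursive `mount(NULL, oldroot, NULL, MS_REC | MS_PRIVATE, NULL)` before the unmount covers the same ground, but enumerating the mounts shows exactly which ones would otherwise propagate.

```c
/* Added example, not Minijail's code: find the shared mounts under the old
 * root that an unmount would propagate to, make them private, then detach. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/mount.h>
#endif

#define MAX_MOUNTS 64
#define MAX_PATH   256

/* Constructed mountinfo excerpt (not captured from a real system). Field 5 is
 * the mount point; fields 7.. up to the "-" separator are optional tags. */
const char sample_mountinfo[] =
	"22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
	"40 22 0:35 / /tmp/oldroot rw,relatime shared:7 - tmpfs tmpfs rw\n"
	"41 40 8:2 / /tmp/oldroot/home rw,relatime shared:9 - ext4 /dev/sda2 rw\n"
	"42 40 0:36 / /tmp/oldroot/private rw,relatime - tmpfs tmpfs rw\n"
	"43 40 0:37 / /tmp/oldroot/slave rw,relatime master:9 - ext4 /dev/sda3 rw\n";

/* Parse one mountinfo line into |mountpoint|. Returns 1 if the mount is in a
 * shared peer group ("shared:N"), 0 if not, -1 if malformed. A mount with only
 * "master:N" is a slave; unmounting it does not propagate back to the master.
 * Octal escapes in paths (\040 for space) are left undecoded here. */
int parse_mountinfo_line(const char *line, char *mountpoint, size_t len)
{
	char buf[1024], *tok;
	int field = 0, shared = 0, saw_sep = 0;

	if (strlen(line) >= sizeof(buf))
		return -1;
	strcpy(buf, line);
	mountpoint[0] = '\0';
	for (tok = strtok(buf, " \n"); tok; tok = strtok(NULL, " \n")) {
		field++;
		if (field == 5) {
			if (strlen(tok) >= len)
				return -1;
			strcpy(mountpoint, tok);
		} else if (field > 6) {
			if (strcmp(tok, "-") == 0) {
				saw_sep = 1;
				break;
			}
			if (strncmp(tok, "shared:", 7) == 0)
				shared = 1;
		}
	}
	return (saw_sep && mountpoint[0] == '/') ? shared : -1;
}

static int path_under(const char *path, const char *prefix)
{
	size_t n = strlen(prefix);
	if (strcmp(prefix, "/") == 0)
		return path[0] == '/';
	return strncmp(path, prefix, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Collect shared mount points at or below |prefix| in kernel order (parents
 * before children). Returns the count, or -1 on a malformed line. */
int find_shared_mounts(const char *mountinfo, const char *prefix,
		       char out[][MAX_PATH], int max)
{
	const char *p = mountinfo;
	int n = 0;

	while (*p) {
		const char *nl = strchr(p, '\n');
		size_t l = nl ? (size_t)(nl - p) : strlen(p);
		char line[1024], mp[MAX_PATH];
		int r;

		if (l >= sizeof(line))
			return -1;
		memcpy(line, p, l);
		line[l] = '\0';
		r = parse_mountinfo_line(line, mp, sizeof(mp));
		if (r < 0)
			return -1;
		if (r == 1 && path_under(mp, prefix) && n < max)
			strcpy(out[n++], mp);
		p = nl ? nl + 1 : p + l;
	}
	return n;
}

int count_shared_mounts(const char *mountinfo, const char *prefix)
{
	char paths[MAX_MOUNTS][MAX_PATH];
	return find_shared_mounts(mountinfo, prefix, paths, MAX_MOUNTS);
}

/* Linux-only, needs CAP_SYS_ADMIN in the mount namespace: make each shared
 * mount under |oldroot| private, then lazily detach it, children before
 * parents, so no peer in the original namespace sees an unmount.
 * Returns 0 on success, -1 with errno set on the first failure. */
int umount_shared_without_propagation(const char *oldroot)
{
#ifdef __linux__
	static char text[1 << 16];
	char paths[MAX_MOUNTS][MAX_PATH];
	FILE *f = fopen("/proc/self/mountinfo", "r");
	size_t got;
	int n, i;

	if (!f)
		return -1;
	got = fread(text, 1, sizeof(text) - 1, f);
	fclose(f);
	text[got] = '\0';
	n = find_shared_mounts(text, oldroot, paths, MAX_MOUNTS);
	if (n < 0) {
		errno = EINVAL;
		return -1;
	}
	for (i = n - 1; i >= 0; i--) {
		if (mount(NULL, paths[i], NULL, MS_PRIVATE, NULL) != 0)
			return -1;
		if (umount2(paths[i], MNT_DETACH) != 0)
			return -1;
	}
	return 0;
#else
	(void)oldroot;
	errno = ENOSYS;
	return -1;
#endif
}
```

On the constructed excerpt, `count_shared_mounts(sample_mountinfo, "/tmp/oldroot")` reports two mounts (/tmp/oldroot and /tmp/oldroot/home); the tmpfs with no propagation tag and the slave mount are left alone, which is the distinction the strace in the commit's TEST line is checking for.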
|
|
We're missing -I, -L, -n, and -U. Borrowed text mostly from the '-h'
usage output, as well as some code comments, and other man pages.
Also fix up one inconsistency in the -h usage output formatting.
Bug: None
TEST=`man ./minijail0.1`; `minijail0 -h`
Change-Id: Ie5a8313486490243d3382726aed82971aad9a466
Signed-off-by: Brian Norris <briannorris@google.com>
|
|
This is causing brillo_Minijail to fail in the lab. See b/27632733 for
details.
Bug: 27632845
Bug: 27632733
Change-Id: I8301961dc51c3692425f79856976c19669b0472f
|
|
This matches the order in 'minijail_preenter'.
Bug: 27304928
Change-Id: I99b421cb19ddf45f73f47748f81e1a09f8e40c48
|
|
Bug: None
TEST=strace -f minijail0 -v -K /bin/true |& grep mount
Change-Id: I96ec04c6acefa909a83f374d7db44ae78393a17c
|
|
Also update the minijail0.1 file.
Bug: 27304928
Change-Id: Id5c03fef3c7906e6fe53bad130d74c895f03f730
|
|
Also adds O_CLOEXEC to all open calls to be on the safe side. In the
future, we should look into doing some sanity checks before execve like
Chromium's sandbox does:
https://code.google.com/p/chromium/codesearch#chromium/src/sandbox/linux/services/credentials.cc&l=320
If we want to further prevent people from shooting themselves in the
foot, we could also check that no fds are open, except for duping
/dev/null over 0, 1, and 2.
TEST=Built and tested that an fd to / is not leaked.
Bug: None
Change-Id: I41993a6aec9ce48bd34d191c3949f313ba80ca73
|
|
cap_get_proc(3) uses the capget(2) system call. Don't call
cap_get_proc(3) if |flags.use_caps| is not set, to avoid
having the program call a capability-related syscall even
when capabilities are not being used.
Bug: 27366428
Change-Id: Ifb797bc5f1a43adf4f9fa2fff3ef7d6f4bd9c958
|
|
This follows the model used by 'drop_ugid' and 'set_seccomp_filter',
and allows for the section of code where these functions are used to
be significantly more legible.
Bug: 27366428
Change-Id: I72618340df65da20deca572ea8ff43a795423433
|
|
Android daemons such as adbd need to drop capabilities from their
bounding sets (to prevent processes they launch from gaining privileges
through file capabilities), but not from their runtime
(permitted|inheritable|effective) sets. Add support for this and rename
some capability-related code to make things clearer.
While in there, fix a comment in the Android makefile.
Bug: 27274137
Change-Id: I7cab7e3302bb34cd7859b9621906391104bf6b4e
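Added example (not Minijail's code) of the bounding-set-only drop this commit adds: everything outside a keep mask is removed with PR_CAPBSET_DROP while the permitted, inheritable and effective sets are left untouched, so the daemon keeps its runtime capabilities but anything it execs cannot pick up the dropped ones from file capabilities. The CAP_* numbers are restated from linux/capability.h; the fallback for cap_last_cap and the keep set in main are the example's assumptions.

```c
/* Added example, not Minijail's code: drop capabilities from the bounding set
 * only, leaving permitted/inheritable/effective alone. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Values from linux/capability.h, restated so this builds without it. */
#define CAP_CHOWN             0
#define CAP_SETUID            7
#define CAP_NET_BIND_SERVICE 10
#define CAP_SYS_ADMIN        21
#define CAP_LAST_CAP_FALLBACK 40  /* only used if /proc/sys/kernel/cap_last_cap is unreadable */
#define CAP_MASK(c) (1ULL << (c))

/* Highest capability number the running kernel knows. PR_CAPBSET_DROP of a
 * higher number fails with EINVAL, so the drop loop must stop here. */
int read_last_cap(void)
{
	FILE *f = fopen("/proc/sys/kernel/cap_last_cap", "r");
	int v = CAP_LAST_CAP_FALLBACK;

	if (f) {
		if (fscanf(f, "%d", &v) != 1 || v < 0 || v > 63)
			v = CAP_LAST_CAP_FALLBACK;
		fclose(f);
	}
	return v;
}

/* Pure helper: mask of capabilities 0..last_cap that are not in |keep|. */
uint64_t caps_to_drop(uint64_t keep, int last_cap)
{
	uint64_t all = (last_cap >= 63) ? ~0ULL : (CAP_MASK(last_cap + 1) - 1);
	return all & ~keep;
}

/* 1 if |cap| is still in this thread's bounding set, 0 if not, -1 on error. */
int bounding_set_has(int cap)
{
#ifdef __linux__
	return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
#else
	(void)cap;
	errno = ENOSYS;
	return -1;
#endif
}

/* Drop everything not in |keep| from the bounding set. Needs CAP_SETPCAP.
 * Bounding-set drops are irreversible and inherited across fork and execve.
 * Returns the number of capabilities dropped, or -1 with errno set. */
int drop_bounding_set_except(uint64_t keep)
{
#ifdef __linux__
	int last = read_last_cap(), cap, dropped = 0;
	uint64_t drop = caps_to_drop(keep, last);

	for (cap = 0; cap <= last; cap++) {
		if (!(drop & CAP_MASK(cap)))
			continue;
		if (bounding_set_has(cap) == 0)
			continue;             /* already gone */
		if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
			return -1;
		dropped++;
	}
	return dropped;
#else
	(void)keep;
	errno = ENOSYS;
	return -1;
#endif
}

int main(void)
{
	/* Assumed keep set for a daemon that still needs to bind low ports and
	 * switch uids itself, but must not let children gain anything else. */
	uint64_t keep = CAP_MASK(CAP_SETUID) | CAP_MASK(CAP_NET_BIND_SERVICE);
	int n = drop_bounding_set_except(keep);

	if (n < 0)
		perror("PR_CAPBSET_DROP (needs CAP_SETPCAP)");
	else
		printf("dropped %d caps; CAP_SYS_ADMIN still in bset: %d\n",
		       n, bounding_set_has(CAP_SYS_ADMIN));
	return 0;
}
```

Note what this does not do: a capability left in the permitted set stays usable by the daemon itself, and a capability dropped from the bounding set but still in the inheritable set can still pass to a child through the inheritable intersection. For the adbd case in the commit that is the intended split; a full drop would also clear the runtime sets with capset(2).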
|
|
Many people have found this script useful to bootstrap their seccomp
filter policies. Add it to the repo instead of keeping it elsewhere.
Bug: None
Change-Id: I1ec0c25eb52aac1542f710a5acdb7d2616d075d6
|
|
Make it clear that the -T option will prevent all checks on the target
executable.
Bug: 27207746
Change-Id: I80888678530ada6d66d9bee203ee34f03b77f880
|
|
Make punctuation and capitalization consistent:
-The help text for a flag is always capitalized, unless it starts
with the name of a system call.
-The help text for a flag always ends with a period.
Bug: None
Change-Id: I8e3dc8bd27b901df4c8e1d15df85352430655f2e
|
|
This removes the need for minijail0 to access the program file before
trying to launch it, which allows it to be used for running programs
that are only accessible within a mount namespace specified with the -V
option.
It would still be preferable if -V worked correctly on its own (like
how -b, -k, and -C already do), but this is a less intrusive and
simpler immediate fix.
TEST=Use minijail0 -V -T to run program in pivot_root'd mount namespace
Bug: 26947503
Change-Id: I923ca87683b7fd8a60530946fad58018cfcd5125
|
|
Bug: None
Change-Id: I588a62af0b533f301391a51ebb1d7654d86b30e7
|
|
This binary will be used by a new Brillo Autotest test.
Also tie the return value of the binary to the result of the checks =).
Bug: 25368607
Change-Id: Ia338cb8270916cafdbbfbbb8808b88759906327f
|
|
Bug: 26967770
Change-Id: I93e6a108803a62383c2e1b71879196e2b47c38ba
|
|
|
|
Tells debuggerd to attach to the process and send crash data
to logcat.
Bug: 26580739
Change-Id: I9df09f044e56cf250963d4e4cf5959642fe2ee2f
|
|
This is useful to test basic Minijail functionality and will be used by
future Autotest tests. The code is currently very similar to
'drop_privs.cpp', but I expect that to change in the future.
Bug: 25368607
Change-Id: I4db3359b07c3b37fa4ac9e24598a5d21623383d5
|
|
|
|
By the time we get to the removed lines, |mounts_head| will be valid
in the parent (Minijail) process, but |flags.chroot| and
|flags.pivot_root| will have been cleared by minijail_preexec().
The removed lines were then incorrectly aborting the process too early.
The flags *will* be set in the minijail struct used by the
child (jailed) process, so the bind mounts will happen correctly.
A follow-up CL will make sure |mounts_head| is never valid when
both flags are cleared, so that we can correctly check for this.
While in there, fix a comment and an info() message.
security_Minijail0 now passes.
Bug: 25368607
Change-Id: I5ac85ee62560ba8957bdab3fc84689ed06d106f0
|
|
The recently added #elif should be an #else.
Bug: None
TEST=emerge-link chromeos-minijail
Change-Id: I5fcbaa4e51c6cf111a61fb33b7a90c9aa37398ca
|
|
|
|
Bind mounts should be used with chroot or pivot_root. Print an error
and exit when that's not the case.
Clean up some comments and error messages while in there.
Bug: 26784268
Change-Id: I4e384a989e1aef5b2989c4f17e047a9ac7cadbc8
|
|
We're not currently using the 'minijail0' executable on Brillo or
Android, but given that upstream Minijail is in AOSP, it's useful to
be able to build all Minijail targets in a Brillo or Android checkout.
Make it an "optional" target so that it doesn't get included on regular
builds.
This requires fixing one case of assigning 'const char*' to 'char*',
setting an invalid PRELOADPATH variable, and disabling
'missing-field-initializers' warnings.
Bug: 26798535
Change-Id: I1fe61f5ac2687d3a185d971a699fa4237a4b6a10
|
|
Cgroups ended up being the only feature that doesn't have a flag.
Fix that, and fix some comments while we're there.
Bug: 26782393
Change-Id: I83e56b6d7fb4a5668ffecc2b597902ee663fdab6
|
|
Bug: 26776934
Change-Id: I54d62bb74e4359beca4852484a77a3a007f17c42
|
|
When putting together a new policy, it's useful to get a list
of all the invalid syscalls. Don't fail on invalid syscalls if
the user requested logging failures.
Bug: None
Change-Id: Ib2d9bbb3e41a1eeb44a41fd2ab32b50ab4efcddf
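Added example (not Minijail's code) of the behaviour this commit describes: a compiler for a "syscall: action" policy that, with logging of failures requested, reports every unknown syscall name and keeps going, and otherwise stops at the first one with its line number. The eight-entry syscall table stands in for the generated per-architecture table and takes its numbers from sys/syscall.h; the sample policy and the bogus names in it are constructed for the example.

```c
/* Added example, not Minijail's code: compile a "syscall: action" policy and,
 * when log_failures is set, skip unknown names instead of dying on the first. */
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/syscall.h>
#define NR(name) ((long)SYS_##name)
#else
#define NR(name) (-1L)   /* off Linux: names resolve, numbers are placeholders */
#endif

struct syscall_entry { const char *name; long nr; };

/* Small stand-in for the generated table; these names exist on x86_64 and aarch64. */
static const struct syscall_entry syscall_table[] = {
	{ "read", NR(read) }, { "write", NR(write) }, { "close", NR(close) },
	{ "brk", NR(brk) }, { "mmap", NR(mmap) }, { "futex", NR(futex) },
	{ "rt_sigreturn", NR(rt_sigreturn) }, { "exit_group", NR(exit_group) },
};

/* 1 with *nr set if |name| is a known syscall, else 0. */
int lookup_syscall(const char *name, long *nr)
{
	size_t i;
	for (i = 0; i < sizeof(syscall_table) / sizeof(syscall_table[0]); i++) {
		if (strcmp(syscall_table[i].name, name) == 0) {
			*nr = syscall_table[i].nr;
			return 1;
		}
	}
	return 0;
}

struct rule { long nr; char action[32]; };

/* Constructed sample policy (not taken from any real service). */
const char sample_policy[] =
	"# constructed policy\n"
	"read: 1\n"
	"write: 1\n"
	"bogus_syscall: 1\n"
	"exit_group: 1\n"
	"frobnicate: return 1\n";

static void trim(char *s)
{
	size_t len = strlen(s), start = 0;
	while (start < len && (s[start] == ' ' || s[start] == '\t'))
		start++;
	while (len > start && (s[len - 1] == ' ' || s[len - 1] == '\t' || s[len - 1] == '\r'))
		len--;
	memmove(s, s + start, len - start);
	s[len - start] = '\0';
}

/* Returns the number of rules written to |out|. Without log_failures an
 * unknown syscall aborts with -(line number); with it the name is reported
 * on stderr, counted in *unknown and skipped, so one pass lists them all. */
int compile_policy(const char *text, int log_failures,
		   struct rule *out, int max, int *unknown)
{
	const char *p = text;
	int lineno = 0, n = 0;

	*unknown = 0;
	while (*p) {
		const char *nl = strchr(p, '\n');
		size_t l = nl ? (size_t)(nl - p) : strlen(p);
		char line[256], *colon;
		long nr;

		lineno++;
		if (l >= sizeof(line))
			return -lineno;
		memcpy(line, p, l);
		line[l] = '\0';
		p = nl ? nl + 1 : p + l;
		trim(line);
		if (line[0] == '\0' || line[0] == '#')
			continue;
		colon = strchr(line, ':');
		if (!colon)
			return -lineno;
		*colon = '\0';
		trim(line);
		trim(colon + 1);
		if (!lookup_syscall(line, &nr)) {
			if (!log_failures)
				return -lineno;
			fprintf(stderr, "line %d: unknown syscall '%s', skipped\n", lineno, line);
			(*unknown)++;
			continue;
		}
		if (n < max) {
			out[n].nr = nr;
			snprintf(out[n].action, sizeof(out[n].action), "%s", colon + 1);
			n++;
		}
	}
	return n;
}

/* Wrappers returning the two numbers a policy author cares about. */
int count_rules(const char *text, int log_failures)
{
	struct rule rules[64];
	int unknown;
	return compile_policy(text, log_failures, rules, 64, &unknown);
}

int count_unknown(const char *text)
{
	struct rule rules[64];
	int unknown;
	compile_policy(text, 1, rules, 64, &unknown);
	return unknown;
}
```

On the sample policy the strict mode stops at line 4 (the first bogus name) while the logging mode compiles the three real rules and reports both bogus names, which is the whole point of the commit: a policy being bootstrapped against a new kernel or architecture gets its complete list of typos and missing syscalls in one run.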
|
|
This adds an API that allows the jailed process to be added to a given
cgroup. This API can be called repeatedly to add the process to many
cgroups. The process will be added after fork but before it is exec'd.
BUG=b/26549867
TEST=set cgroups and inspect that pid is in tasks file
Change-Id: I87a9897c1dc741c726873e872eeae32692088979
Signed-off-by: Dylan Reid <dgreid@chromium.org>
|
|
Syncing the child and parent was only done so that the uid/gid maps
could be set up. Make this more general so that the next commit can add setting
of cgroups, which also wants to happen after the child forks but before the
jailed process is run, similar to uid/gid map setting.
BUG=b/26549867
TEST=security_Minijail0
Change-Id: I81d512f351cfe459cd7af4c55263504d22b929fa
Signed-off-by: Dylan Reid <dgreid@chromium.org>
|
|
Android/Brillo have 'linux/securebits.h' available.
Bug: None
Change-Id: I43ac60aa1cdafd7ff6d4579b335519e512c08f77
|
|
util.h gets included from more than one place on Chrome OS builds.
Change-Id: I021235738115782fc2966d51fe356364953db169
Signed-off-by: Dylan Reid <dgreid@chromium.org>
|