| commit | 2337f80306755f8577adb7ac7bd5a5ee4f035e02 | [log] [tgz] |
|---|---|---|
| author | Jorge Lucangeli Obes <[email protected]> | Thu Jul 18 14:46:03 2019 -0400 |
| committer | Jorge Lucangeli Obes <[email protected]> | Thu Jul 18 14:46:03 2019 -0400 |
| tree | 15deb040c1cf81aac7d474ba3a63d1bbb23d93bb | |
| parent | 52f6adabb6f44761cc23a226cc396bd5c664641c [diff] |
Preserve namespace file descriptors.
The code in libminijail.c will attempt to close file descriptors (if
instructed to do so) before minijail_enter() attempts to enter the
required namespaces. This is problematic because minijail_enter() will
then fail to call nsenter(2) because the namespace file descriptor has
been closed.
We could move the call to close_open_fds() after minijail_enter() but
this would require every user of Minijail to include the syscalls made
by close_open_fds() in their seccomp policy. Instead, preserve the file
descriptors used to enter mount and network namespaces. It's not really
a problem for these to end up in the child, since
/proc/<pid>/ns/{mnt,net} in the child will give access to the same
resource.
Bug: https://crbug.com/985467
Test: Unit tests pass.
Test: With https://chromium-review.googlesource.com/c/chromiumos/platform2/+/1614745,
Test: Chrome OS can start a guest session.
Change-Id: I2ecf41c148deb5650ebb00f5f35d78f314865c6a
The Minijail homepage and main repo is https://android.googlesource.com/platform/external/minijail/.
There might be other copies floating around, but this is the official one!
Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.
You're one git clone away from happiness.
$ git clone https://android.googlesource.com/platform/external/minijail $ cd minijail
Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs
See the HACKING.md document for more details.
See the RELEASE.md document for more details.
We've got a couple of contact points.
The following talk serves as a good introduction to Minijail and how it can be used.
The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.
After you play with the simple examples below, you should check that out.
# id uid=0(root) gid=0(root) groups=0(root),128(pkcs11) # minijail0 -u jorgelo -g 5000 /usr/bin/id uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status Name: cat ... CapInh: 0000000000003000 CapPrm: 0000000000003000 CapEff: 0000000000003000 CapBnd: 0000000000003000