commit 3b58ccb3072c5908c79d65339e886b344f49c5d1
author Alistair Delva <adelva@google.com> Mon Aug 24 13:54:16 2020 -0700
committer Treehugger Robot <treehugger-gerrit@google.com> Tue Aug 25 16:17:38 2020 +0000
tree 08c15f49f4cf704601b3b5a47af58481e57ee950
parent 0a032ae060cf6275b6d84820f9995d0f113fec9e

Workarounds for Android host glibc toolchain

When minijail is built against the Android host glibc toolchain, its
syscall and ioctl coverage becomes limited by the very old Linux C
headers the toolchain is using. Because crosvm jails subprocesses
that can load e.g. GL libraries or FUSE which may be built with much
newer glibc versions, we need support for some newer syscalls and
ioctls added to Linux.

Minijail will throw parse errors for any syscall or ioctl in .policy
files that it doesn't understand; and anyway, it wouldn't be meaningful
to strip these, as .policy files are inclusion (not exclusion) based.

This change isn't very nice, but it does unblock us from running crosvm
built by the Android host toolchain with sandboxing enabled.

Change-Id: Iab7f2e7abac0f5e154e300833b8d91d7b8500aff

gen_constants-inl.h

diff --git a/gen_constants-inl.h b/gen_constants-inl.h
index 1248254..686ec5e 100644
--- a/gen_constants-inl.h
+++ b/gen_constants-inl.h
@@ -1,6 +1,11 @@
+/* Copyright (c) 2014 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
 #if defined(__i386__) || defined(__x86_64__)
 #include <asm/prctl.h>
-#endif // __i386__ || __x86_64__
+#endif /* __i386__ || __x86_64__ */
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/fd.h>
@@ -23,8 +28,45 @@
 
 #include "arch.h"
 
-// These defines use C structures that are not defined in the same headers which
-// cause our CPP logic to fail w/undefined identifiers.  Remove them to avoid
-// build errors on such broken systems.
+/* These defines use C structures that are not defined in the same headers which
+ * cause our CPP logic to fail w/undefined identifiers.  Remove them to avoid
+ * build errors on such broken systems.
+ */
 #undef BLKTRACESETUP
 #undef FS_IOC_FIEMAP
+
+/* The old glibc bundled with the Android host toolchain is missing some ioctl
+ * definitions used by minijail policy in crosvm and other projects. Locally
+ * define them below.
+ * This UAPI is taken from sanitized bionic headers.
+ */
+
+/* <linux/fs.h> */
+#if !defined(FS_IOC_FSGETXATTR) && !defined(FS_IOC_FSSETXATTR)
+struct fsxattr {
+	__u32 fsx_xflags;
+	__u32 fsx_extsize;
+	__u32 fsx_nextents;
+	__u32 fsx_projid;
+	__u32 fsx_cowextsize;
+	unsigned char fsx_pad[8];
+};
+#define FS_IOC_FSGETXATTR _IOR('X', 31, struct fsxattr)
+#define FS_IOC_FSSETXATTR _IOW('X', 32, struct fsxattr)
+#endif /* !FS_IOC_FSGETXATTR && !FS_IOC_FSSETXATTR */
+
+/* <linux/fscrypt.h> */
+#if !defined(FS_IOC_SET_ENCRYPTION_POLICY) &&                                  \
+    !defined(FS_IOC_GET_ENCRYPTION_POLICY)
+#define FSCRYPT_KEY_DESCRIPTOR_SIZE 8
+struct fscrypt_policy_v1 {
+	__u8 version;
+	__u8 contents_encryption_mode;
+	__u8 filenames_encryption_mode;
+	__u8 flags;
+	__u8 master_key_descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE];
+};
+#define fscrypt_policy fscrypt_policy_v1
+#define FS_IOC_SET_ENCRYPTION_POLICY _IOR('f', 19, struct fscrypt_policy)
+#define FS_IOC_GET_ENCRYPTION_POLICY _IOW('f', 21, struct fscrypt_policy)
+#endif /* !FS_IOC_SET_ENCRYPTION_POLICY && !FS_IOC_GET_ENCRYPTION_POLICY */