cli: support minijail_set_supplementary_gids() am: 8d7174bc21 am: 0864773bdb am: bc484f2d51

Change-Id: I37b56fe3deaa810aa3908cb7b2859172c6fbe663
diff --git a/minijail0.1 b/minijail0.1
index cab94ec..820d3ca 100644
--- a/minijail0.1
+++ b/minijail0.1
@@ -59,15 +59,19 @@
 \fB-f <file>\fR
 Write the pid of the jailed process to \fIfile\fR.
 .TP
-\fB-g <group>\fR
-Change groups to \fIgroup\fR, which may be either a group name or a numeric
-group ID.
+\fB-g <group|gid>
+Change groups to the specified \fIgroup\fR name, or numeric group ID \fIgid\fR.
 .TP
 \fB-G\fR
 Inherit all the supplementary groups of the user specified with \fB-u\fR. It
 is an error to use this option without having specified a \fBuser name\fR to
 \fB-u\fR.
 .TP
+\fB--add-suppl-group <group|gid>\fR
+Add the specified \fIgroup\fR name, or numeric group ID \fIgid\fR,
+to the process' supplementary groups list. Can be specified
+multiple times to add several groups. Incompatible with -y and -G.
+.TP
 \fB-h\fR
 Print a help message.
 .TP
@@ -241,9 +245,8 @@
 \fIlibminijailpreload.so\fR to setup hooks, but will fail on actually
 statically-linked binaries.
 .TP
-\fB-u <user>\fR
-Change users to \fIuser\fR, which may be either a user name or a numeric user
-ID.
+\fB-u <user|uid>\fR
+Change users to the specified \fIuser\fR name, or numeric user ID \fIuid\fR.
 .TP
 \fB-U\fR
 Enter a new user namespace (implies \fB-p\fR).
diff --git a/minijail0_cli.c b/minijail0_cli.c
index f19a053..c8b700b 100644
--- a/minijail0_cli.c
+++ b/minijail0_cli.c
@@ -72,6 +72,41 @@
 	}
 }
 
+/*
+ * Helper function used by --add-suppl-group (possibly more than once),
+ * to build the supplementary gids array.
+ */
+static void suppl_group_add(size_t *suppl_gids_count, gid_t **suppl_gids,
+                            char *arg) {
+	char *end = NULL;
+	int groupid = strtod(arg, &end);
+	gid_t gid;
+	if (!*end && *arg) {
+		/* A gid number has been specified, proceed. */
+		gid = groupid;
+	} else if (lookup_group(arg, &gid)) {
+		/*
+		 * A group name has been specified,
+		 * but doesn't exist: we bail out.
+		 */
+		fprintf(stderr, "Bad group: '%s'\n", arg);
+		exit(1);
+	}
+
+	/*
+	 * From here, gid is guaranteed to be set and valid,
+	 * we add it to our supplementary gids array.
+	 */
+	*suppl_gids = realloc(*suppl_gids,
+			      sizeof(gid_t) * ++(*suppl_gids_count));
+	if (!suppl_gids) {
+		fprintf(stderr, "failed to allocate memory.\n");
+		exit(1);
+	}
+
+	(*suppl_gids)[*suppl_gids_count - 1] = gid;
+}
+
 static void skip_securebits(struct minijail *j, const char *arg)
 {
 	uint64_t securebits_skip_mask;
@@ -496,10 +531,13 @@
 	       "  -e[file]:     Enter new network namespace, or existing one if |file| is provided.\n"
 	       "  -f <file>:    Write the pid of the jailed process to <file>.\n"
 	       "  -g <group>:   Change gid to <group>.\n"
-	       "  -G:           Inherit supplementary groups from uid.\n"
-	       "                Not compatible with -y.\n"
-	       "  -y:           Keep uid's supplementary groups.\n"
-	       "                Not compatible with -G.\n"
+	       "  -G:           Inherit supplementary groups from new uid.\n"
+	       "                Not compatible with -y or --add-suppl-group.\n"
+	       "  -y:           Keep original uid's supplementary groups.\n"
+	       "                Not compatible with -G or --add-suppl-group.\n"
+	       "  --add-suppl-group <g>:Add <g> to the proccess' supplementary groups,\n"
+	       "                can be specified multiple times to add several groups.\n"
+	       "                Not compatible with -y or -G.\n"
 	       "  -h:           Help (this message).\n"
 	       "  -H:           Seccomp filter help message.\n"
 	       "  -i:           Exit immediately after fork(2). The jailed process will run\n"
@@ -592,6 +630,8 @@
 	bool use_uid = false, use_gid = false;
 	uid_t uid = 0;
 	gid_t gid = 0;
+	gid_t *suppl_gids = NULL;
+	size_t suppl_gids_count = 0;
 	char *uidmap = NULL, *gidmap = NULL;
 	int set_uidmap = 0, set_gidmap = 0;
 	size_t tmp_size = 0;
@@ -610,6 +650,7 @@
 		{"profile", required_argument, 0, 131},
 		{"preload-library", required_argument, 0, 132},
 		{"seccomp-bpf-binary", required_argument, 0, 133},
+		{"add-suppl-group", required_argument, 0, 134},
 		{0, 0, 0, 0},
 	};
 	/* clang-format on */
@@ -863,6 +904,10 @@
 			filter_path = optarg;
 			use_seccomp_filter_binary = 1;
 			break;
+		case 134:
+			suppl_group_add(&suppl_gids_count, &suppl_gids,
+			                optarg);
+			break;
 		default:
 			usage(argv[0]);
 			exit(opt == 'h' ? 0 : 1);
@@ -925,6 +970,16 @@
 	}
 
 	/*
+	 * Proceed in setting the supplementary gids specified on the
+	 * cmdline options.
+	 */
+	if (suppl_gids_count) {
+		minijail_set_supplementary_gids(j, suppl_gids_count,
+		                                suppl_gids);
+		free(suppl_gids);
+	}
+
+	/*
 	 * We parse seccomp filters here to make sure we've collected all
 	 * cmdline options.
 	 */
diff --git a/minijail0_cli_unittest.cc b/minijail0_cli_unittest.cc
index 077f5f7..a9d739b 100644
--- a/minijail0_cli_unittest.cc
+++ b/minijail0_cli_unittest.cc
@@ -158,6 +158,36 @@
               "-g provided multiple times");
 }
 
+// Valid calls to the add-suppl-group option.
+TEST_F(CliTest, valid_add_supp_group) {
+  std::vector<std::string> argv = {"--add-suppl-group", "", "/bin/sh"};
+
+  argv[1] = kValidGroup;
+  ASSERT_TRUE(parse_args_(argv));
+
+  argv[1] = kValidGid;
+  ASSERT_TRUE(parse_args_(argv));
+
+  std::vector<std::string> argv2 = {"--add-suppl-group", "",
+                                    "--add-suppl-group", "", "/bin/sh"};
+  argv[1] = kValidGroup;
+  argv[2] = kValidGid;
+  ASSERT_TRUE(parse_args_(argv));
+}
+
+// Invalid calls to the add-suppl-group option.
+TEST_F(CliTest, invalid_add_supp_group) {
+  std::vector<std::string> argv = {"--add-suppl-group", "", "/bin/sh"};
+
+  ASSERT_EXIT(parse_args_(argv), testing::ExitedWithCode(1), "");
+
+  argv[1] = "j;lX:J*Pj;oijfs;jdlkjC;j";
+  ASSERT_EXIT(parse_args_(argv), testing::ExitedWithCode(1), "");
+
+  argv[1] = "1000x";
+  ASSERT_EXIT(parse_args_(argv), testing::ExitedWithCode(1), "");
+}
+
 // Valid calls to the skip securebits option.
 TEST_F(CliTest, valid_skip_securebits) {
   // An empty string is the same as 0.