minijail0: add minimalistic-mountns-nodev profile am: cc5917c757

Change-Id: I4a3711aac8a8eb511b8ca52872986603b6e2eb0a
diff --git a/minijail0.1 b/minijail0.1
index 642c48c..cab94ec 100644
--- a/minijail0.1
+++ b/minijail0.1
@@ -309,6 +309,10 @@
 \fBminimalistic-mountns\fR
 Set up a minimalistic mount namespace.  Equivalent to \fB-v -P /var/empty
 -b / -b /proc -b /dev/log -t -r --mount-dev\fR.
+.TP
+\fBminimalistic-mountns-nodev\fR
+Set up a minimalistic mount namespace with an empty /dev path.  Equivalent to
+\fB-v -P /var/empty -b/ -b/proc -t -r\fR.
 .SH IMPLEMENTATION
 This program is broken up into two parts: \fBminijail0\fR (the frontend) and a helper
 library called \fBlibminijailpreload\fR.  Some jailings can only be achieved
diff --git a/minijail0_cli.c b/minijail0_cli.c
index 277c222..f19a053 100644
--- a/minijail0_cli.c
+++ b/minijail0_cli.c
@@ -376,7 +376,8 @@
 {
 	/* Note: New profiles should be added in minijail0_cli_unittest.cc. */
 
-	if (!strcmp(profile, "minimalistic-mountns")) {
+	if (!strcmp(profile, "minimalistic-mountns") ||
+	    !strcmp(profile, "minimalistic-mountns-nodev")) {
 		minijail_namespace_vfs(j);
 		if (minijail_bind(j, "/", "/", 0)) {
 			fprintf(stderr, "minijail_bind(/) failed.\n");
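Review bot: The profile name is now compared against "minimalistic-mountns" twice, once in this widened condition and again in the next hunk around the /dev/log bind, so the two tests can drift apart when another variant is added. Evaluating it once keeps the decision in one place: `const int with_dev = !strcmp(profile, "minimalistic-mountns");`, then `if (with_dev || !strcmp(profile, "minimalistic-mountns-nodev")) {` here and `if (with_dev) {` further down. The enclosing function starts and ends outside this hunk.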
@@ -386,11 +387,13 @@
 			fprintf(stderr, "minijail_bind(/proc) failed.\n");
 			exit(1);
 		}
-		if (minijail_bind(j, "/dev/log", "/dev/log", 0)) {
-			fprintf(stderr, "minijail_bind(/dev/log) failed.\n");
-			exit(1);
+		if (!strcmp(profile, "minimalistic-mountns")) {
+			if (minijail_bind(j, "/dev/log", "/dev/log", 0)) {
+				fprintf(stderr, "minijail_bind(/dev/log) failed.\n");
+				exit(1);
+			}
+			minijail_mount_dev(j);
 		}
-		minijail_mount_dev(j);
 		if (!*tmp_size) {
 			/* Avoid clobbering |tmp_size| if it was already set. */
 			*tmp_size = DEFAULT_TMP_SIZE;
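Review bot: The new `if (!strcmp(profile, "minimalistic-mountns"))` branch has no comment saying what the -nodev profile gives up. Without the /dev/log bind, a jailed program that logs through syslog presumably loses that channel. Without `minijail_mount_dev(j)`, the contents of /dev are decided by the earlier bind of "/" rather than by this profile. The man page addition promises an "empty /dev path", which this code does not itself enforce, so the assumption deserves a line here, for example `/* -nodev: no /dev/log and no minimal /dev; /dev is whatever the "/" bind exposes. */`. The enclosing function continues outside the hunk.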
diff --git a/minijail0_cli_unittest.cc b/minijail0_cli_unittest.cc
index 0d6a07d..077f5f7 100644
--- a/minijail0_cli_unittest.cc
+++ b/minijail0_cli_unittest.cc
@@ -286,6 +286,7 @@
   // This should list all valid profiles.
   const std::vector<std::string> profiles = {
     "minimalistic-mountns",
+    "minimalistic-mountns-nodev",
   };
 
   for (const auto profile : profiles) {
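Review bot: Adding the name to `profiles` only shows that the new profile is accepted, going by the visible comment ("This should list all valid profiles"); nothing in this hunk checks that `minimalistic-mountns-nodev` actually leaves out the /dev/log bind and the /dev mount. The loop body is outside the hunk and may assert more than is visible. If it only checks that parsing succeeds, a regression that re-enables the /dev setup for the nodev profile would pass unnoticed. A separate test case that asserts the difference in the resulting jail configuration would cover this; until then a marker such as `// TODO: verify that -nodev does not request the /dev mount.` next to the new entry records the gap.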