crosvm: move all sandbox-related options under one struct
Jailing a process currently requires passing the whole VM configuration
structure, which is inconvenient as we will want to reuse our jail
functions from a different context, e.g. to start vhost device processes
without a whole VM.
Address this by moving all jail-related options under a struct that is
passed to jail-related functions. This allows us to replace the sandbox
boolean in the config structure by an Option, making sure that
jail-related members are not even visible if we disabled sandboxing
altogether. The jail configuration structure can also be reused from
other contexts.
BUG=b:217480043
BUG=b:218223240
TEST=`crosvm run` boots with and without the `--disable-sandbox` option.
Change-Id: Ic4b7db923fb1dbbafba0137d5cc53a9e7e800747
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3546579
Reviewed-by: Anton Romanov <romanton@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Alexandre Courbot <acourbot@chromium.org>
diff --git a/src/linux/mod.rs b/src/linux/mod.rs
index eb48dd1..d67cac3 100644
--- a/src/linux/mod.rs
+++ b/src/linux/mod.rs
@@ -204,7 +204,7 @@
.context("failed to set up mouse device")?;
devs.push(VirtioDeviceStub {
dev: Box::new(dev),
- jail: simple_jail(cfg, "input_device")?,
+ jail: simple_jail(&cfg.jail_config, "input_device")?,
});
event_devices.push(EventDevice::touchscreen(event_device_socket));
}
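Review bot: Every updated call site passes `&cfg.jail_config`, which suggests the new `simple_jail` signature takes `&Option<JailConfig>` (the signature itself is not in this diff). If so, `Option<&JailConfig>` is the more idiomatic parameter type: these sites would read `simple_jail(cfg.jail_config.as_ref(), "input_device")?`, and the other contexts the commit message mentions (vhost device processes) could hand over a `Some(&config)` they own without holding an `Option` by reference. The same applies to the hunks at -221, -569, -606, -614, -1122 and -1360. The enclosing function starts and ends outside this hunk.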
@@ -221,7 +221,7 @@
.context("failed to set up keyboard device")?;
devs.push(VirtioDeviceStub {
dev: Box::new(dev),
- jail: simple_jail(cfg, "input_device")?,
+ jail: simple_jail(&cfg.jail_config, "input_device")?,
});
event_devices.push(EventDevice::keyboard(event_device_socket));
}
@@ -569,7 +569,7 @@
)
.context("failed to create coiommu device")?;
- devices.push((Box::new(dev), simple_jail(cfg, "coiommu")?));
+ devices.push((Box::new(dev), simple_jail(&cfg.jail_config, "coiommu")?));
}
}
@@ -606,7 +606,7 @@
for ac97_param in &cfg.ac97_parameters {
let dev = Ac97Dev::try_new(vm.get_memory().clone(), ac97_param.clone())
.context("failed to create ac97 device")?;
- let jail = simple_jail(cfg, dev.minijail_policy())?;
+ let jail = simple_jail(&cfg.jail_config, dev.minijail_policy())?;
devices.push((Box::new(dev), jail));
}
@@ -614,7 +614,7 @@
if cfg.usb {
// Create xhci controller.
let usb_controller = Box::new(XhciController::new(vm.get_memory().clone(), usb_provider));
- devices.push((usb_controller, simple_jail(cfg, "xhci")?));
+ devices.push((usb_controller, simple_jail(&cfg.jail_config, "xhci")?));
}
for params in &cfg.stub_pci_devices {
@@ -1021,7 +1021,7 @@
Vcpu: VcpuArch + 'static,
V: VmArch + 'static,
{
- if cfg.sandbox {
+ if cfg.jail_config.is_some() {
// Printing something to the syslog before entering minijail so that libc's syslogger has a
// chance to open files necessary for its operation, like `/etc/localtime`. After jailing,
// access to those files will not be possible.
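Review bot: The replaced condition `if cfg.jail_config.is_some()` now carries the meaning "sandboxing is enabled" only implicitly, whereas the old `cfg.sandbox` said so by name. A one-line comment above it, such as `// jail_config is None when sandboxing was disabled (--disable-sandbox); everything jail-related is skipped in that case.`, would keep the invariant from the commit message visible at this site and at the hunk at -1663, where the same check gates `drop_capabilities()`. If this test appears in further places outside the diff, a small `fn sandbox_enabled(&self) -> bool { self.jail_config.is_some() }` on the config type would centralize it. The enclosing function starts and ends outside this hunk.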
@@ -1122,7 +1122,7 @@
let battery = if cfg.battery_type.is_some() {
#[cfg_attr(not(feature = "power-monitor-powerd"), allow(clippy::manual_map))]
- let jail = match simple_jail(&cfg, "battery")? {
+ let jail = match simple_jail(&cfg.jail_config, "battery")? {
#[cfg_attr(not(feature = "power-monitor-powerd"), allow(unused_mut))]
Some(mut jail) => {
// Setup a bind mount to the system D-Bus socket if the powerd monitor is used.
@@ -1360,7 +1360,7 @@
&reset_evt,
&mut sys_allocator,
&cfg.serial_parameters,
- simple_jail(&cfg, "serial")?,
+ simple_jail(&cfg.jail_config, "serial")?,
battery,
vm,
ramoops_region,
@@ -1663,7 +1663,7 @@
.context("failed to add descriptor to wait context")?;
}
- if cfg.sandbox {
+ if cfg.jail_config.is_some() {
// Before starting VCPUs, in case we started with some capabilities, drop them all.
drop_capabilities().context("failed to drop process capabilities")?;
}