Allow mounting of a tmpfs /tmp in the chroot
Added the -t option to minijail so a tmpfs can be used
in the chroot
BUG=chromium:356246
TEST=Tested with autotest security_Minijail0
CQ-DEPEND=CL:201147
Change-Id: I660629a8b8fa1c2bf4fc59d2499ff806aa280449
Reviewed-on: https://chromium-review.googlesource.com/201133
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Lee Campbell <leecam@chromium.org>
Commit-Queue: Lee Campbell <leecam@chromium.org>
diff --git a/libminijail.c b/libminijail.c
index fee657d..90fd4a7 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -85,6 +85,7 @@
int seccomp_filter:1;
int log_seccomp_filter:1;
int chroot:1;
+ int mount_tmp:1;
} flags;
uid_t uid;
gid_t gid;
@@ -286,6 +287,11 @@
return 0;
}
+void API minijail_mount_tmp(struct minijail *j)
+{
+ j->flags.mount_tmp = 1;
+}
+
int API minijail_bind(struct minijail *j, const char *src, const char *dest,
int writeable) {
struct binding *b;
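Review bot: minijail_mount_tmp() sets the new flag with no comment saying when it actually takes effect; the only consumer, in the later hunk at the jail-entry call site, mounts the tmpfs under `j->flags.chroot && j->flags.mount_tmp`, so a caller that requests a tmpfs /tmp without also configuring a chroot gets nothing and no error. A one-line comment above the definition would make that contract explicit: `/* Requests a tmpfs on /tmp inside the chroot; only honored when a chroot is also configured, silently ignored otherwise. */`. The public declaration in the header is not part of this diff, so I cannot tell whether it documents this; if it does not, the same sentence belongs there too.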
@@ -576,6 +582,11 @@
return 0;
}
+int mount_tmp(void)
+{
+ return mount("none", "/tmp", "tmpfs", 0, "size=128M,mode=777");
+}
+
int remount_readonly(void)
{
const char *kProcPath = "/proc";
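Review bot: The mount() call in mount_tmp() passes a flags argument of 0 and `mode=777`, so the jailed process gets a world-writable, executable /tmp with no nosuid/nodev restriction and no sticky bit, which is looser than the conventional hardened /tmp and more than a sandbox normally needs. I would mount it as `return mount("none", "/tmp", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC, "size=128M,mode=1777");`, dropping MS_NOEXEC only if a known user of the chroot must execute from /tmp; the MS_* constants come from the same <sys/mount.h> that provides mount(), so no new include should be needed. The `size=128M` literal is a magic value that would read better as a named constant or a comment explaining why 128M was chosen. Leaving mount_tmp() non-static matches the neighbouring remount_readonly(), so that is consistent with the file's existing convention.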
@@ -747,6 +758,9 @@
if (j->flags.chroot && enter_chroot(j))
pdie("chroot");
+ if (j->flags.chroot && j->flags.mount_tmp && mount_tmp())
+ pdie("mount_tmp");
+
if (j->flags.readonly && remount_readonly())
pdie("remount");