Call setgroups(2) only once when changing users.
The guard for calling setgroups(0, NULL) was checking j->uid and
j->gid, which are not cleared by minijail_preexec(). This was causing
setgroups(2) to be called twice, once by 'minijail0' and once by the
sandboxed process. The guard should check j->flags.uid and
j->flags.gid, which do get cleared. Note that every other if guard in
this function is checking j->flags.
Bug: 33259997
Test: Add logging, setgroups(2) only gets called once.
Change-Id: I5c6c4ec7fc8778ea7c3f8bcc8aaca1d2514d3447
1 file changed