add an option to set up a minimal /dev

(high level design)
This will unmount the outside /dev to help remove access to existing
device nodes, and then set up a small tmpfs over /dev with a minimal
set of safe/common nodes. Most daemons do not need more than these.

(low level details)
In order to support common use cases like passing in one or two extra
device nodes (e.g. /dev/log), we cannot mess with /dev directly. We
create a temporary directory, create all our nodes in there, then add
any bind mounts into /dev to that path. Then just before we chroot
or pivot, we move the mount from its temp location to the final /dev.

Bug: chromium:680859
Test: `sudo ./minijail0 -rvpd /bin/ls -l /dev/` shows reduced # of files
Test: `sudo ./minijail0 -rvpd /bin/grep /dev /proc/mounts` shows only one /dev mount
Test: `sudo ./minijail0 -rvpd -C / -b /dev/log,/dev/log /bin/logger asdf` allows logging to work
Test: `sudo ./minijail0 -rvpd -C /var/empty -b /,/ -b /dev/mixer,/dev/mixer /bin/ls -l /dev/` shows /dev/mixer
Change-Id: Ie91869971baffde0b86c5d244c584e45099abe7e
diff --git a/libminijail.h b/libminijail.h
index 3903fd2..46dc311 100644
--- a/libminijail.h
+++ b/libminijail.h
@@ -184,6 +184,13 @@
void minijail_mount_tmp_size(struct minijail *j, size_t size);
/*
+ * minijail_mount_dev: enables mounting of a tmpfs filesystem on /dev.
+ * It will then be seeded with a basic set of device nodes. For the exact
+ * list, consult the minijail(0) man page.
+ */
+void minijail_mount_dev(struct minijail *j);
+
+/*
* minijail_mount_with_data: when entering minijail @j,
* mounts @src at @dst with @flags and @data.
* @j minijail to bind inside
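Review bot: the new doc comment for minijail_mount_dev refers readers to the "minijail(0) man page", but the binary exercised in the Test lines is minijail0, so the reference should presumably read minijail0(1). The comment also leaves out two behaviours the commit message describes and that a caller needs in order to reason about device exposure: the outside /dev is unmounted, and bind mounts targeting paths under /dev (such as /dev/log) are still applied on top of the minimal tmpfs. Suggest stating both in this comment so the header stands on its own, and noting that any extra node bound in this way widens the "minimal" set.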