Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / minijail / 6b190c0ff461b707357d5fdab1155e31845c48cb^! / . / libminijail.c
commit6b190c0ff461b707357d5fdab1155e31845c48cb[log] [tgz]
authorMike Frysinger <vapier@google.com>Wed Jan 04 17:18:42 2017 -0500
committerMike Frysinger <vapier@google.com>Tue Jan 10 10:15:31 2017 -0500
tree45fde318eec69df1e7450ee81514bcf03106b5f7
parent13807cb12a9afce34c2ecf664036df6be83f656e [diff] [blame]
ignore missing /proc/<pid>/setgroups files

When running on older kernels that lack setgroups, the write failure
causes minijail to abort.  Short of having every caller detect the
kernel support and selectively calling disable_setgroups, ignore the
write failure directly when it's ENOENT.

Bug: None
Test: running on newer kernels works, as does older kernels

Change-Id: I424cb749fec0f76cc4278a8a7581b168fbe50485

diff --git a/libminijail.c b/libminijail.c
index 7f41b33..ecd078b 100644
--- a/libminijail.c
+++ b/libminijail.c

@@ -1293,9 +1293,17 @@
 {
 	if (j->uidmap && write_proc_file(j->initpid, j->uidmap, "uid_map") != 0)
 		kill_child_and_die(j, "failed to write uid_map");
-	if (j->gidmap && j->flags.disable_setgroups &&
-	    write_proc_file(j->initpid, "deny", "setgroups") != 0)
-		kill_child_and_die(j, "failed to disable setgroups(2)");
+	if (j->gidmap && j->flags.disable_setgroups) {
+		/* Older kernels might not have the /proc/<pid>/setgroups files. */
+		int ret = write_proc_file(j->initpid, "deny", "setgroups");
+		if (ret < 0) {
+			if (ret == -ENOENT) {
+				/* See http://man7.org/linux/man-pages/man7/user_namespaces.7.html. */
+				warn("could not disable setgroups(2)");
+			} else
+				kill_child_and_die(j, "failed to disable setgroups(2)");
+		}
+	}
 	if (j->gidmap && write_proc_file(j->initpid, j->gidmap, "gid_map") != 0)
 		kill_child_and_die(j, "failed to write gid_map");
 }