[minijail] pid namespace implies vfs namespace

Make a pid namespace imply both a new vfs namespace and a /proc remount, since
if we don't remount /proc, the old pid namespace is still reachable through the
old mount there.

BUG=chromium-os:25303
TEST=security_Minijail0

Change-Id: I91887d3ed6bc0e958e249c3c158735bc04f20fcd
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/14617
Reviewed-by: Kees Cook <keescook@chromium.org>
diff --git a/libminijail.c b/libminijail.c
index 708c68c..6fac5c2 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
@@ -187,6 +187,8 @@
 
 void API minijail_namespace_pids(struct minijail *j)
 {
+	j->flags.vfs = 1;
+	j->flags.readonly = 1;
 	j->flags.pids = 1;
 }
 
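Review bot: the /proc remount that j->flags.readonly requests only hides the original pid namespace if it is performed by a process that is already inside the new pid namespace, because a procfs instance reflects the pid namespace of whoever mounted it; this hunk only sets the flags, so please confirm (and note in a comment next to `j->flags.readonly = 1;`) that the remount runs in the child after the CLONE_NEWPID clone rather than in the parent, otherwise the new mount still shows the host's processes. It would also help callers to mirror the header's "implies namespace_vfs and remount_readonly" comment here, since minijail_namespace_pids now silently makes /proc read-only for any caller that only asked for pid isolation.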
diff --git a/libminijail.h b/libminijail.h
index cf33107..aaba43f 100644
--- a/libminijail.h
+++ b/libminijail.h
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
@@ -49,6 +49,7 @@
 				const char *filter);
 void minijail_use_caps(struct minijail *j, uint64_t capmask);
 void minijail_namespace_vfs(struct minijail *j);
+/* Implies namespace_vfs and remount_readonly */
 void minijail_namespace_pids(struct minijail *j);
 void minijail_remount_readonly(struct minijail *j);
 void minijail_inherit_usergroups(struct minijail *j);
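Review bot: the new comment refers to "namespace_vfs" and "remount_readonly", which are not the declared names; use the full identifiers `minijail_namespace_vfs` and `minijail_remount_readonly` so the comment matches the prototypes on the surrounding lines and can be found by a search for the function name.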
diff --git a/minijail0.1 b/minijail0.1
index 72f569c..d9c880a 100644
--- a/minijail0.1
+++ b/minijail0.1
@@ -1,4 +1,4 @@
-.TH MINIJAIL0 "1" "July 2011" "Chromium OS" "User Commands"
+.TH MINIJAIL0 "1" "January 2012" "Chromium OS" "User Commands"
 .SH NAME
 minijail0 \- sandbox a process
 .SH SYNOPSIS
@@ -42,7 +42,9 @@
 .TP
 \fB-p\fR
 Run inside a new PID namespace. This option will make it impossible for the
-program to see or affect processes that are not its descendants.
+program to see or affect processes that are not its descendants. This implies
+\fB-v\fR and \fB-r\fR, since otherwise the process can see outside its namespace
+by inspecting /proc.
 .TP
 \fB-r\fR
 Remount certain filesystems readonly. Currently this only remounts /proc. This
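Review bot: the -p text says the implied -r is needed "since otherwise the process can see outside its namespace by inspecting /proc", while the -r entry says it "Currently this only remounts /proc"; if -r later remounts more filesystems, -p will inherit that without the reason being visible, so consider stating in the -p entry that it is specifically the fresh /proc mount (and the -v mount namespace that holds it) that -p depends on.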
diff --git a/minijail0.c b/minijail0.c
index 0559f55..094cf23 100644
--- a/minijail0.c
+++ b/minijail0.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
@@ -80,7 +80,7 @@
 	       "  -g <group>: change gid to <group>\n"
 	       "  -h:         help (this message)\n"
 	       "  -H:         seccomp filter help message\n"
-	       "  -p:         use pid namespace\n"
+	       "  -p:         use pid namespace (implies -vr)\n"
 	       "  -r:         remount filesystems readonly (implies -v)\n"
 	       "  -s:         use seccomp\n"
 	       "  -S <file>:  set seccomp filters using <file>\n"