[minijail] pid namespace implies vfs namespace
Make a pid namespace imply both a new vfs namespace and a /proc remount, since
if we don't remount /proc, the old pid namespace is still reachable through the
old mount there.
BUG=chromium-os:25303
TEST=security_Minijail0
Change-Id: I91887d3ed6bc0e958e249c3c158735bc04f20fcd
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/14617
Reviewed-by: Kees Cook <keescook@chromium.org>
diff --git a/libminijail.c b/libminijail.c
index 708c68c..6fac5c2 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
@@ -187,6 +187,8 @@
void API minijail_namespace_pids(struct minijail *j)
{
+ j->flags.vfs = 1;
+ j->flags.readonly = 1;
j->flags.pids = 1;
}
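Review bot: Setting `j->flags.readonly = 1;` next to `j->flags.pids = 1;` couples two different things. The property the commit message wants is a fresh proc mount created after the child is in the new pid namespace (a plain MS_REMOUNT of the inherited mount would keep showing the parent's pid namespace), whereas the readonly flag also takes write access to /proc away from every -p user, which can break jailed programs that write to their own /proc/self entries. Either introduce a dedicated flag for the /proc re-mount, or add a comment here stating that remount_readonly is relied on to unmount and mount proc afresh in the child, and that nothing in these flag assignments enforces the ordering (namespace first, then mount); a reader of this function alone cannot tell why pids implies readonly.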
diff --git a/libminijail.h b/libminijail.h
index cf33107..aaba43f 100644
--- a/libminijail.h
+++ b/libminijail.h
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
@@ -49,6 +49,7 @@
const char *filter);
void minijail_use_caps(struct minijail *j, uint64_t capmask);
void minijail_namespace_vfs(struct minijail *j);
+/* Implies namespace_vfs and remount_readonly */
void minijail_namespace_pids(struct minijail *j);
void minijail_remount_readonly(struct minijail *j);
void minijail_inherit_usergroups(struct minijail *j);
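Review bot: The new comment `/* Implies namespace_vfs and remount_readonly */` states the what but not the why, and the header is where API users will look. Suggest spelling out the reason so callers do not "optimise" the implication away, e.g. `/* Implies namespace_vfs and remount_readonly: without a fresh /proc mount the parent pid namespace stays visible through the inherited one. */`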
diff --git a/minijail0.1 b/minijail0.1
index 72f569c..d9c880a 100644
--- a/minijail0.1
+++ b/minijail0.1
@@ -1,4 +1,4 @@
-.TH MINIJAIL0 "1" "July 2011" "Chromium OS" "User Commands"
+.TH MINIJAIL0 "1" "January 2012" "Chromium OS" "User Commands"
.SH NAME
minijail0 \- sandbox a process
.SH SYNOPSIS
@@ -42,7 +42,9 @@
.TP
\fB-p\fR
Run inside a new PID namespace. This option will make it impossible for the
-program to see or affect processes that are not its descendants.
+program to see or affect processes that are not its descendants. This implies
+\fB-v\fR and \fB-r\fR, since otherwise the process can see outside its namespace
+by inspecting /proc.
.TP
\fB-r\fR
Remount certain filesystems readonly. Currently this only remounts /proc. This
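Review bot: The added sentence under -p is loose: the problem is not that the process "can see outside its namespace by inspecting /proc" in general, but that the inherited /proc mount still belongs to the parent pid namespace; suggest "...since the inherited /proc mount would otherwise still expose the parent pid namespace." Since the -r entry directly below says it currently only remounts /proc, it should also state that it is implied by -p, so the two descriptions agree and users of -p are not surprised to find /proc read-only.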
diff --git a/minijail0.c b/minijail0.c
index 0559f55..094cf23 100644
--- a/minijail0.c
+++ b/minijail0.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
@@ -80,7 +80,7 @@
" -g <group>: change gid to <group>\n"
" -h: help (this message)\n"
" -H: seccomp filter help message\n"
- " -p: use pid namespace\n"
+ " -p: use pid namespace (implies -vr)\n"
" -r: remount filesystems readonly (implies -v)\n"
" -s: use seccomp\n"
" -S <file>: set seccomp filters using <file>\n"
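Review bot: "(implies -vr)" matches the existing "(implies -v)" style on -r, but because -r already implies -v, "(implies -r)" would be sufficient and avoids stating the transitive flag twice; either form is acceptable as long as this usage string and the minijail0.1 text say the same thing.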