[minijail] pid namespace implies vfs namespace Make a pid namespace imply both a new vfs namespace and a /proc remount, since if we don't remount /proc, the old pid namespace is still reachable through the old mount there. BUG=chromium-os:25303 TEST=security_Minijail0 Change-Id: I91887d3ed6bc0e958e249c3c158735bc04f20fcd Signed-off-by: Elly Jones <ellyjones@chromium.org> Reviewed-on: https://gerrit.chromium.org/gerrit/14617 Reviewed-by: Kees Cook <keescook@chromium.org>

commit: e58176c07895532d49b4cb9a660a4eeb644d4e2f [log] [tgz]
author: Elly Jones <ellyjones@chromium.org> Mon Jan 23 11:46:17 2012 -0500
committer: Gerrit <chrome-bot@google.com> Mon Jan 23 10:53:16 2012 -0800
tree: f5cdcce4a8de15526febd6b996beb4c6b69565c5
parent: a1059630647ed53a77726d9031dda0eab48bc1a4 [diff] [blame]
diff --git a/libminijail.c b/libminijail.c
index 708c68c..6fac5c2 100644
--- a/libminijail.c
+++ b/libminijail.c

@@ -1,4 +1,4 @@
-/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
@@ -187,6 +187,8 @@
 
 void API minijail_namespace_pids(struct minijail *j)
 {
+	j->flags.vfs = 1;
+	j->flags.readonly = 1;
 	j->flags.pids = 1;
 }
commit	e58176c07895532d49b4cb9a660a4eeb644d4e2f	[log] [tgz]
author	Elly Jones <ellyjones@chromium.org>	Mon Jan 23 11:46:17 2012 -0500
committer	Gerrit <chrome-bot@google.com>	Mon Jan 23 10:53:16 2012 -0800
tree	f5cdcce4a8de15526febd6b996beb4c6b69565c5
parent	a1059630647ed53a77726d9031dda0eab48bc1a4 [diff] [blame]