minijail: Allow skipping setting securebits when restricting caps
This change allows the user to optionally skip setting a subset of the
securebits that are automatically set when restricting caps.
Bug: 63069223
Test: $ gcc -static -xc -o securebits - << EOF
#include <stdio.h>
#include <sys/prctl.h>
int main()
{
printf("%x\n", prctl(PR_GET_SECUREBITS));
}
EOF
$ sudo ./minijail0 -c 1fffffffff --ambient ./securebits
2f
$ sudo ./minijail0 -c 1fffffffff --ambient -B 2f ./securebits
0
Change-Id: Ie247302bbbb35f04caa2066541a8c175f6c94976
diff --git a/libminijail.c b/libminijail.c
index 6381c30..4d61b0d 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -166,6 +166,7 @@
size_t cgroup_count;
struct minijail_rlimit rlimits[MAX_RLIMITS];
size_t rlimit_count;
+ uint64_t securebits_skip_mask;
};
/*
@@ -434,6 +435,12 @@
j->flags.new_session_keyring = 1;
}
+void API minijail_skip_setting_securebits(struct minijail *j,
+ uint64_t securebits_skip_mask)
+{
+ j->securebits_skip_mask = securebits_skip_mask;
+}
+
void API minijail_skip_remount_private(struct minijail *j)
{
j->flags.skip_remount_private = 1;
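Review bot: `minijail_skip_setting_securebits` stores the caller's mask with no validation and no documentation, even though every skipped bit loosens the capability restriction; the commit's own test shows `-B 2f` leaving securebits at 0. I would reject bits outside the defined set before storing, e.g. `if (securebits_skip_mask & ~(uint64_t)(SECURE_ALL_BITS | SECURE_ALL_LOCKS)) die("invalid securebits skip mask");`, assuming `<linux/securebits.h>` is, or can be, included in this file. A comment above the function should say that skipping SECBIT_NOROOT or its lock restores the kernel's special handling of uid 0 on exec, so callers should skip only the bits they actually need. The trailing `minijail_skip_remount_private` context continues outside the hunk.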
@@ -1726,7 +1733,7 @@
if (prctl(PR_SET_KEEPCAPS, 1))
pdie("prctl(PR_SET_KEEPCAPS) failed");
- if (lock_securebits() < 0) {
+ if (lock_securebits(j->securebits_skip_mask) < 0) {
pdie("locking securebits failed");
}
}
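Review bot: The call `lock_securebits(j->securebits_skip_mask)` leaves a weakened jail with no trace, because nothing in the visible lines records that some securebits were deliberately left unset. A single log line before the call would make a misconfigured or over-broad mask visible to whoever audits the jail, e.g. `if (j->securebits_skip_mask) warn("skipping securebits mask %#llx", (unsigned long long)j->securebits_skip_mask);`. The enclosing function starts and ends outside the hunk, so I cannot tell from here whether other callers of `lock_securebits` need the same treatment.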