libminijail: add seccomp_filter support to LD_PRELOAD + cleanup

This change adds seccomp_filter support to minijail properly
instead of requiring expanded scope needed for execve(2)ing the
child process.

Now the policy for cat(1) can be as small as follows.
minijail-cat.policy:
  read: fd == 3
  write: fd == 1 || fd == 2
  fstat64: 1
  open: flags == 0x8000
  close: 1
  munmap: 1
  exit_group: 1

Some additional code was moved around as a side effect of cleaning
this up. I can split it out if desirable.

BUG=chromium-os:19459
TEST=Manual tests (for now)
  # minijail0 -S minijail-dash-cat.policy -- /sbin/minijail-0 -S minijail-cat.policy -- /bin/cat /proc/self/seccomp_filter
  ...
  emits the policy for cat at the top with inherited: 0 and the original policy below as inherited.
  ...

  # minijail0 -S minijail-cat.policy -- /bin/cat /proc/self/seccomp_filter
  Mode: 13
  Enabled: 1
  Inherited: 0
  252 (sys_exit_group): 1
  197 (sys_fstat64): 1
  91 (sys_munmap): 1
  6 (sys_close): 1
  5 (sys_open): flags == 0x8000
  4 (sys_write): fd == 1 || fd == 2
  3 (sys_read): fd == 3

Change-Id: I34a81f3c1764e4f949f8c2a26d42e51e125b4aae
Reviewed-on: http://gerrit.chromium.org/gerrit/7893
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
2 files changed
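To make the allow-list semantics of the policy above concrete, here is a small evaluator for that policy format, written as an added example and not part of minijail itself. It assumes a `syscall: 1` line means unconditionally allowed, that filters are `||`-joined equality clauses as in the cat policy, and that `fd` is argument 0 and `flags` is argument 1 (the argument positions are assumptions for illustration).

```python
"""Evaluate a minijail-style seccomp_filter policy (added example, not minijail code)."""
import re

# Constructed input: the cat(1) policy from the commit message.
CAT_POLICY = """\
read: fd == 3
write: fd == 1 || fd == 2
fstat64: 1
open: flags == 0x8000
close: 1
munmap: 1
exit_group: 1
"""

# Assumed mapping from argument names used in the policy to syscall argument slots.
ARG_INDEX = {"fd": 0, "flags": 1}

_CLAUSE = re.compile(r"^\s*(\w+)\s*==\s*(0x[0-9a-fA-F]+|\d+)\s*$")


def parse_policy(text):
    """Parse 'syscall: filter' lines into {name: None | [(arg, value), ...]}.

    None means the syscall is allowed unconditionally ('1'); a list holds the
    '||'-joined equality clauses, any one of which admits the call.
    """
    policy = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        name, _, expr = line.partition(":")
        expr = expr.strip()
        if expr == "1":
            policy[name.strip()] = None
            continue
        clauses = []
        for clause in expr.split("||"):
            m = _CLAUSE.match(clause)
            if not m:
                raise ValueError(f"line {lineno}: unsupported filter {clause!r}")
            clauses.append((m.group(1), int(m.group(2), 0)))  # base 0 handles 0x...
        policy[name.strip()] = clauses
    return policy


def allowed(policy, syscall, args):
    """Return True if the named syscall with argument tuple `args` passes the policy."""
    if syscall not in policy:
        return False  # anything not listed is denied (allow-list semantics)
    clauses = policy[syscall]
    if clauses is None:
        return True
    return any(args[ARG_INDEX[arg]] == value for arg, value in clauses)
```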