diff options
| author | Chirantan Ekbote <chirantan@chromium.org> | 2020-01-24 12:16:58 +0900 |
|---|---|---|
| committer | Commit Bot <commit-bot@chromium.org> | 2020-02-04 13:33:06 +0000 |
| commit | 055de38fcf1159c7b3ce3e05b8ec0fcf07f635dc (patch) | |
| tree | cfb71b2cf12d63a358fd5c346111d5dcc9c0f4f4 | |
| parent | df2bfe30f3c1712427efb1ceab2841cfaafa64fd (diff) | |
| download | crosvm-055de38fcf1159c7b3ce3e05b8ec0fcf07f635dc.tar crosvm-055de38fcf1159c7b3ce3e05b8ec0fcf07f635dc.tar.gz crosvm-055de38fcf1159c7b3ce3e05b8ec0fcf07f635dc.tar.bz2 crosvm-055de38fcf1159c7b3ce3e05b8ec0fcf07f635dc.tar.lz crosvm-055de38fcf1159c7b3ce3e05b8ec0fcf07f635dc.tar.xz crosvm-055de38fcf1159c7b3ce3e05b8ec0fcf07f635dc.tar.zst crosvm-055de38fcf1159c7b3ce3e05b8ec0fcf07f635dc.zip | |
Allow mounts to propagate into 9p device jail
Allow mounts from the parent namespace to propagate into the mount namespace of the 9p device process. BUG=none TEST=none Change-Id: Iff455c8967949bd3e0f2990c947d45bbbc541d45 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2018305 Reviewed-by: Yusuke Sato <yusukes@chromium.org> Reviewed-by: Stephen Barber <smbarber@chromium.org> Tested-by: Yusuke Sato <yusukes@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Tested-by: Chirantan Ekbote <chirantan@chromium.org> Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
| -rw-r--r-- | io_jail/src/lib.rs | 5 | ||||
| -rw-r--r-- | io_jail/src/libminijail.rs | 2 | ||||
| -rw-r--r-- | src/linux.rs | 4 |
3 files changed, 9 insertions, 2 deletions
diff --git a/io_jail/src/lib.rs b/io_jail/src/lib.rs index dce8e61..16212c6 100644 --- a/io_jail/src/lib.rs +++ b/io_jail/src/lib.rs @@ -14,7 +14,7 @@ use std::ffi::CString; use std::fmt::{self, Display}; use std::fs; use std::io; -use std::os::raw::c_ushort; +use std::os::raw::{c_ulong, c_ushort}; use std::os::unix::io::{AsRawFd, RawFd}; use std::path::{Path, PathBuf}; use std::ptr::{null, null_mut}; @@ -398,6 +398,9 @@ impl Minijail { libminijail::minijail_remount_proc_readonly(self.jail); } } + pub fn set_remount_mode(&mut self, mode: c_ulong) { + unsafe { libminijail::minijail_remount_mode(self.jail, mode) } + } pub fn uidmap(&mut self, uid_map: &str) -> Result<()> { let map_cstring = CString::new(uid_map).map_err(|_| Error::StrToCString(uid_map.to_owned()))?; diff --git a/io_jail/src/libminijail.rs b/io_jail/src/libminijail.rs index 737474b..595bcc0 100644 --- a/io_jail/src/libminijail.rs +++ b/io_jail/src/libminijail.rs @@ -38,7 +38,7 @@ extern "C" { pub fn minijail_new_session_keyring(j: *mut minijail); pub fn minijail_skip_setting_securebits(j: *mut minijail, securebits_skip_mask: u64); pub fn minijail_skip_remount_private(j: *mut minijail); - pub fn minijail_remount_mode(j: *mut minijail, mode: c_long); + pub fn minijail_remount_mode(j: *mut minijail, mode: c_ulong); pub fn minijail_namespace_ipc(j: *mut minijail); pub fn minijail_namespace_uts(j: *mut minijail); pub fn minijail_namespace_set_hostname(j: *mut minijail, name: *const c_char) -> c_int; diff --git a/src/linux.rs b/src/linux.rs index a26e7bb..84edf5c 100644 --- a/src/linux.rs +++ b/src/linux.rs @@ -825,6 +825,10 @@ fn create_9p_device(cfg: &Config, src: &Path, tag: &str) -> DeviceResult { let root = Path::new("/"); jail.mount_bind(src, root, true)?; + // We want bind mounts from the parent namespaces to propagate into the 9p server's + // namespace. + jail.set_remount_mode(libc::MS_SLAVE); + add_crosvm_user_to_jail(&mut jail, "p9")?; (Some(jail), root) } |