author: Dmitry Torokhov <dtor@chromium.org> 2019-01-30 23:02:25 -0800
committer: chrome-bot <chrome-bot@chromium.org> 2019-02-16 04:14:51 -0800
commit: ea3302895784a020fc4fa4c70dbe5f68d79c3b86
tree: 503739aa6fa07d22dcae93265622c4ec5b03fb4f /bit_field/bit_field_derive/bit_field_derive.rs
parent: fa70171dfcef8685faab2508f12514c05ea9453f
crosvm: mount minimal set of devices in plugin jail
PluginVm uses /dev/urandom, so we need to mount it, along with
/dev/zero, /dev/null, and /dev/full.

Note that we are not using minijail's mount_dev() API because it will
try to create tmpfs without using MS_NODEV flag and, since crosvm may not
have CAP_SYS_ADMIN capability, Chrome OS LSM will stop it. So we rely on
the parent process to have minimal set of devices present and bind-mount
those into the jail.

BUG=b:117989168
TEST=cargo test --features=plugin

Change-Id: I6d8ab122c56614a8f7dbfe3d0eb8ed33532dc6a7
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1447551
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Diffstat (limited to 'bit_field/bit_field_derive/bit_field_derive.rs')
0 files changed, 0 insertions, 0 deletions