author | Dmitry Torokhov <dtor@chromium.org> | 2019-01-30 23:02:25 -0800 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2019-02-16 04:14:51 -0800 |
commit | ea3302895784a020fc4fa4c70dbe5f68d79c3b86 (patch) | |
tree | 503739aa6fa07d22dcae93265622c4ec5b03fb4f /bit_field/bit_field_derive/bit_field_derive.rs | |
parent | fa70171dfcef8685faab2508f12514c05ea9453f (diff) | |
crosvm: mount minimal set of devices in plugin jail
PluginVm uses /dev/urandom, so we need to mount it, along with /dev/zero, /dev/null, and /dev/full.

Note that we are not using minijail's mount_dev() API because it will try to create tmpfs without using MS_NODEV flag and, since crosvm may not have CAP_SYS_ADMIN capability, Chrome OS LSM will stop it. So we rely on the parent process to have minimal set of devices present and bind-mount those into the jail.

BUG=b:117989168
TEST=cargo test --features=plugin

Change-Id: I6d8ab122c56614a8f7dbfe3d0eb8ed33532dc6a7
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1447551
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Diffstat (limited to 'bit_field/bit_field_derive/bit_field_derive.rs')
0 files changed, 0 insertions, 0 deletions