diff options
author | Chirantan Ekbote <chirantan@chromium.org> | 2018-01-24 13:47:58 -0800 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-01-25 16:34:25 -0800 |
commit | 0ba70d8d3c69a4fa8853d317e2dc1f45dd25acd8 (patch) | |
tree | 671b831c655b60d877399fb3021dc72d94c47480 /src/linux.rs | |
parent | 91fcad35c5a09cdb9379824be4edc84ca09f411d (diff) | |
download | crosvm-0ba70d8d3c69a4fa8853d317e2dc1f45dd25acd8.tar crosvm-0ba70d8d3c69a4fa8853d317e2dc1f45dd25acd8.tar.gz crosvm-0ba70d8d3c69a4fa8853d317e2dc1f45dd25acd8.tar.bz2 crosvm-0ba70d8d3c69a4fa8853d317e2dc1f45dd25acd8.tar.lz crosvm-0ba70d8d3c69a4fa8853d317e2dc1f45dd25acd8.tar.xz crosvm-0ba70d8d3c69a4fa8853d317e2dc1f45dd25acd8.tar.zst crosvm-0ba70d8d3c69a4fa8853d317e2dc1f45dd25acd8.zip |
Change the group for the wayland process to crosvm
Now that the crosvm user is part of the wayland group, we don't need to explicitly set the group of the wayland process to wayland. This also allows to drop CAP_SETUID and CAP_SETGID from the set of capabilities granted to crosvm. BUG=chromium:786663 TEST=Start a VM with graphics through crosvm CQ-DEPEND=CL:885264 Change-Id: If0675f60a13314d35baca4657a637fd8c3998668 Signed-off-by: Chirantan Ekbote <chirantan@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/885245 Reviewed-by: Dylan Reid <dgreid@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org>
Diffstat (limited to 'src/linux.rs')
-rw-r--r-- | src/linux.rs | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/src/linux.rs b/src/linux.rs index 6446972..b22c043 100644 --- a/src/linux.rs +++ b/src/linux.rs @@ -409,11 +409,6 @@ fn setup_mmio_bus(cfg: &Config, // Set the uid/gid for the jailed process, and give a basic id map. This // is required for the above bind mount to work. - let wayland_group = cfg.wayland_group.as_ref().map(|s| s.as_str()).unwrap_or("wayland"); - let wayland_cstr = CString::new(wayland_group).unwrap(); - let wayland_gid = get_group_id(&wayland_cstr) - .map_err(Error::GetWaylandGroup)?; - let crosvm_user_group = CStr::from_bytes_with_nul(b"crosvm\0").unwrap(); let crosvm_uid = match get_user_id(&crosvm_user_group) { Ok(u) => u, @@ -422,11 +417,18 @@ fn setup_mmio_bus(cfg: &Config, geteuid() } }; + let crosvm_gid = match get_group_id(&crosvm_user_group) { + Ok(u) => u, + Err(e) => { + warn!("falling back to current group id for Wayland: {:?}", e); + getegid() + } + }; jail.change_uid(crosvm_uid); - jail.change_gid(wayland_gid); + jail.change_gid(crosvm_gid); jail.uidmap(&format!("{0} {0} 1", crosvm_uid)) .map_err(Error::SettingUidMap)?; - jail.gidmap(&format!("{0} {0} 1", wayland_gid)) + jail.gidmap(&format!("{0} {0} 1", crosvm_gid)) .map_err(Error::SettingGidMap)?; Some(jail) |