diff options
author | David Tolnay <dtolnay@chromium.org> | 2019-03-01 16:54:25 -0800 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2019-03-02 17:41:26 -0800 |
commit | 48c4829540b04fb1a6f9ea0343f6c68b8c72606e (patch) | |
tree | e5b50baa861314f002286af697a55aa0f4e0967f /src/linux.rs | |
parent | 25a86d99cca821e18a8af28403b415a530e17c38 (diff) | |
download | crosvm-48c4829540b04fb1a6f9ea0343f6c68b8c72606e.tar crosvm-48c4829540b04fb1a6f9ea0343f6c68b8c72606e.tar.gz crosvm-48c4829540b04fb1a6f9ea0343f6c68b8c72606e.tar.bz2 crosvm-48c4829540b04fb1a6f9ea0343f6c68b8c72606e.tar.lz crosvm-48c4829540b04fb1a6f9ea0343f6c68b8c72606e.tar.xz crosvm-48c4829540b04fb1a6f9ea0343f6c68b8c72606e.tar.zst crosvm-48c4829540b04fb1a6f9ea0343f6c68b8c72606e.zip |
setup: Factor out code for adding crosvm uid and gid to jail
The same logic will be needed for the TPM device in a later CL. BUG=none TEST=cargo check TEST=cargo check --features gpu Change-Id: I1497a5eab51752db80b4b457834e45d669af69b7 Reviewed-on: https://chromium-review.googlesource.com/1497731 Commit-Ready: David Tolnay <dtolnay@chromium.org> Tested-by: David Tolnay <dtolnay@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Dylan Reid <dgreid@chromium.org>
Diffstat (limited to 'src/linux.rs')
-rw-r--r-- | src/linux.rs | 82 |
1 files changed, 36 insertions, 46 deletions
diff --git a/src/linux.rs b/src/linux.rs index 3724985..6d09cbf 100644 --- a/src/linux.rs +++ b/src/linux.rs @@ -511,29 +511,7 @@ fn create_devices( jail.mount_bind(wayland_socket_path.as_path(), jailed_wayland_path, true) .unwrap(); - // Set the uid/gid for the jailed process, and give a basic id map. This - // is required for the above bind mount to work. - let crosvm_user_group = CStr::from_bytes_with_nul(b"crosvm\0").unwrap(); - let crosvm_uid = match get_user_id(&crosvm_user_group) { - Ok(u) => u, - Err(e) => { - warn!("falling back to current user id for gpu: {}", e); - geteuid() - } - }; - let crosvm_gid = match get_group_id(&crosvm_user_group) { - Ok(u) => u, - Err(e) => { - warn!("falling back to current group id for gpu: {}", e); - getegid() - } - }; - jail.change_uid(crosvm_uid); - jail.change_gid(crosvm_gid); - jail.uidmap(&format!("{0} {0} 1", crosvm_uid)) - .map_err(Error::SettingUidMap)?; - jail.gidmap(&format!("{0} {0} 1", crosvm_gid)) - .map_err(Error::SettingGidMap)?; + add_crosvm_user_to_jail(&mut jail, "gpu")?; Some(jail) } @@ -587,29 +565,7 @@ fn create_devices( jail.mount_bind(wayland_socket_dir, jailed_wayland_dir, true) .unwrap(); - // Set the uid/gid for the jailed process, and give a basic id map. This - // is required for the above bind mount to work. - let crosvm_user_group = CStr::from_bytes_with_nul(b"crosvm\0").unwrap(); - let crosvm_uid = match get_user_id(&crosvm_user_group) { - Ok(u) => u, - Err(e) => { - warn!("falling back to current user id for Wayland: {}", e); - geteuid() - } - }; - let crosvm_gid = match get_group_id(&crosvm_user_group) { - Ok(u) => u, - Err(e) => { - warn!("falling back to current group id for Wayland: {}", e); - getegid() - } - }; - jail.change_uid(crosvm_uid); - jail.change_gid(crosvm_gid); - jail.uidmap(&format!("{0} {0} 1", crosvm_uid)) - .map_err(Error::SettingUidMap)?; - jail.gidmap(&format!("{0} {0} 1", crosvm_gid)) - .map_err(Error::SettingGidMap)?; + add_crosvm_user_to_jail(&mut jail, "Wayland")?; Some(jail) } @@ -709,6 +665,40 @@ fn create_devices( Ok(pci_devices) } +// Set the uid/gid for the jailed process and give a basic id map. This is +// required for bind mounts to work. +fn add_crosvm_user_to_jail( + jail: &mut Minijail, + feature: &str, +) -> std::result::Result<(), Box<Error>> { + let crosvm_user_group = CStr::from_bytes_with_nul(b"crosvm\0").unwrap(); + + let crosvm_uid = match get_user_id(&crosvm_user_group) { + Ok(u) => u, + Err(e) => { + warn!("falling back to current user id for {}: {}", feature, e); + geteuid() + } + }; + + let crosvm_gid = match get_group_id(&crosvm_user_group) { + Ok(u) => u, + Err(e) => { + warn!("falling back to current group id for {}: {}", feature, e); + getegid() + } + }; + + jail.change_uid(crosvm_uid); + jail.change_gid(crosvm_gid); + jail.uidmap(&format!("{0} {0} 1", crosvm_uid)) + .map_err(Error::SettingUidMap)?; + jail.gidmap(&format!("{0} {0} 1", crosvm_gid)) + .map_err(Error::SettingGidMap)?; + + Ok(()) +} + fn raw_fd_from_path(path: &PathBuf) -> std::result::Result<RawFd, Box<Error>> { if !path.is_file() { return Err(Box::new(Error::InvalidFdPath)); |