authorChirantan Ekbote <chirantan@chromium.org>2020-02-20 15:53:06 +0900
committerCommit Bot <commit-bot@chromium.org>2020-02-21 05:55:24 +0000
commitc6b73e30c86cc42f8bb7069f1b01c1fcfa60aa25 (patch)
tree7fcc62b737fecf887c1979fbcd26942c84ab36dd /src/linux.rs
parent521646a401f8ce66cf26ed21abe5e18ac929fe33 (diff)
linux.rs: Refactor 9p device jail
Give the 9p device the same jail as the fs device.  In particular it
needs a higher max open file limit and should map the current euid/egid
in its user namespace rather than always using the crosvm user.

BUG=b:147258662
TEST=`tast run <dut> vm.Blogbench.p9`

Change-Id: I12e7ba7b651da4bae1435e0598b62fe2c35ff1bf
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2065254
Tested-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Auto-Submit: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Diffstat (limited to 'src/linux.rs')
-rw-r--r--src/linux.rs47
1 files changed, 29 insertions, 18 deletions
diff --git a/src/linux.rs b/src/linux.rs
index bf2c014..662dea5 100644
--- a/src/linux.rs
+++ b/src/linux.rs
@@ -825,25 +825,36 @@ fn create_fs_device(
     })
 }
 
-fn create_9p_device(cfg: &Config, src: &Path, tag: &str) -> DeviceResult {
-    let (jail, root) = match simple_jail(&cfg, "9p_device")? {
-        Some(mut jail) => {
-            //  The shared directory becomes the root of the device's file system.
-            let root = Path::new("/");
-            jail.mount_bind(src, root, true)?;
+fn create_9p_device(
+    cfg: &Config,
+    uid_map: &str,
+    gid_map: &str,
+    src: &Path,
+    tag: &str,
+) -> DeviceResult {
+    let max_open_files = get_max_open_files()?;
+    let (jail, root) = if cfg.sandbox {
+        let seccomp_policy = cfg.seccomp_policy_dir.join("9p_device");
+        let config = SandboxConfig {
+            limit_caps: false,
+            uid_map: Some(uid_map),
+            gid_map: Some(gid_map),
+            log_failures: cfg.seccomp_log_failures,
+            seccomp_policy: &seccomp_policy,
+        };
 
-            // We want bind mounts from the parent namespaces to propagate into the 9p server's
-            // namespace.
-            jail.set_remount_mode(libc::MS_SLAVE);
+        let mut jail = create_base_minijail(src, Some(max_open_files), Some(&config))?;
+        // We want bind mounts from the parent namespaces to propagate into the 9p server's
+        // namespace.
+        jail.set_remount_mode(libc::MS_SLAVE);
 
-            add_crosvm_user_to_jail(&mut jail, "p9")?;
-            (Some(jail), root)
-        }
-        None => {
-            // There's no bind mount so we tell the server to treat the source directory as the
-            // root.
-            (None, src)
-        }
+        //  The shared directory becomes the root of the device's file system.
+        let root = Path::new("/");
+        (Some(jail), root)
+    } else {
+        // There's no mount namespace so we tell the server to treat the source directory as the
+        // root.
+        (None, src)
     };
 
     let dev = virtio::P9::new(root, tag).map_err(Error::P9DeviceNew)?;
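Review bot: `limit_caps: false` in the new `SandboxConfig` is the one setting the commit does not justify; the description explains the higher open-file limit and the euid/egid mapping, but not why the 9p server should keep its capability set inside its user namespace, and the replaced `simple_jail` path gave no indication that it previously did. If the server needs those capabilities to change ownership or permissions on the shared directory on the guest's behalf, as the fs device presumably does, a comment on that line would make the choice auditable, e.g. `// Keep caps in the user namespace: the server changes ownership/mode of shared files on the guest's behalf.`; if it does not, `limit_caps: true` is the tighter default and the only field that would then differ from the fs device's config is the policy name. The rest of create_9p_device continues past the end of the hunk.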
@@ -1093,7 +1104,7 @@ fn create_virtio_devices(
 
         let dev = match kind {
             SharedDirKind::FS => create_fs_device(cfg, uid_map, gid_map, src, tag, fs_cfg.clone())?,
-            SharedDirKind::P9 => create_9p_device(cfg, src, tag)?,
+            SharedDirKind::P9 => create_9p_device(cfg, uid_map, gid_map, src, tag)?,
         };
         devs.push(dev);
     }