authorChirantan Ekbote <chirantan@chromium.org>2017-08-23 13:45:28 -0700
committerchrome-bot <chrome-bot@chromium.org>2017-10-02 17:27:21 -0700
commit6eb67123f9be45c4b753a2bcd50f8a4400b6e579 (patch)
tree9305f26a3481878cbb17a1729e66024c5d77e1cd /src/main.rs
parentbb493dd02b4dd9efde179f0c4372c006d308da5a (diff)
Load seccomp files from standard location
All seccomp policy files get installed in /usr/share/policy on Chrome
OS. Load the virtio device seccomp policy files from there as well.

BUG=none
TEST=run crosvm under strace -e trace=open and verify that it is loading
     the policy files from /usr/share/policy

Change-Id: I87fa3c57babfd256fb1ac1a827337a95e9c003ad
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/630059
Commit-Ready: Dylan Reid <dgreid@chromium.org>
Tested-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Diffstat (limited to 'src/main.rs')
-rw-r--r--src/main.rs34
1 files changed, 25 insertions, 9 deletions
diff --git a/src/main.rs b/src/main.rs
index e6da542..c6e8021 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -197,6 +197,7 @@ struct Config {
     disable_wayland: bool,
     socket_path: Option<PathBuf>,
     multiprocess: bool,
+    seccomp_policy_dir: Option<String>,
     cid: Option<u64>,
 }
 
@@ -205,6 +206,8 @@ const CMDLINE_OFFSET: usize = 0x20000;
 const CMDLINE_MAX_SIZE: usize = KERNEL_START_OFFSET - CMDLINE_OFFSET;
 const BASE_DEV_MEMORY_PFN: u64 = 1u64 << 26;
 
+static SECCOMP_POLICY_DIR: &'static str = "/usr/share/policy/crosvm";
+
 fn create_base_minijail(root: &Path, seccomp_policy: &Path) -> Result<Minijail> {
     // All child jails run in a new user namespace without any users mapped,
     // they run as nobody unless otherwise configured.
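Review bot: `SECCOMP_POLICY_DIR` holds a plain string literal, so `const SECCOMP_POLICY_DIR: &str = "/usr/share/policy/crosvm";` is the usual form; `static` is for values that need a single fixed address, and the explicit `'static` on a const or static is elided on current toolchains (keep it only if the project still builds on a compiler that predates that). The commit message says the files are installed in /usr/share/policy, while the default points at a `crosvm` subdirectory of it, so a doc comment would save the next reader a search: `/// Default directory holding the per-device seccomp policy files; can be overridden from the command line.`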
@@ -254,6 +257,11 @@ fn wait_all_children() -> bool {
 }
 
 fn run_config(cfg: Config) -> Result<()> {
+    let seccomp_policy_dir = match cfg.seccomp_policy_dir {
+        Some(ref p) => PathBuf::from(p),
+        None => PathBuf::from(SECCOMP_POLICY_DIR),
+    };
+
     if cfg.multiprocess {
         // Printing something to the syslog before entering minijail so that libc's syslogger has a
         // chance to open files necessary for its operation, like `/etc/localtime`. After jailing,
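Review bot: The match at the top of run_config turns the operator-supplied string into a `PathBuf` without resolving it, so a relative `seccomp_policy_dir` is interpreted against whatever the working directory is when create_base_minijail later reads the file (that code is outside this hunk). Because the policy file determines which syscalls each device process is allowed, a comment stating that the value must be absolute, or a `canonicalize()` step here, would make the cwd dependence explicit. The conversion itself would go away if the `Config` field added in the first hunk were `Option<PathBuf>` like `socket_path`, leaving `let seccomp_policy_dir = cfg.seccomp_policy_dir.clone().unwrap_or_else(|| PathBuf::from(SECCOMP_POLICY_DIR));`. run_config continues past the end of the hunk.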
@@ -299,7 +307,8 @@ fn run_config(cfg: Config) -> Result<()> {
                     .map_err(|e| Error::BlockDeviceNew(e))?);
         let jail = if cfg.multiprocess {
             let block_root_path = block_root.as_path().unwrap(); // Won't fail if new succeeded.
-            Some(create_base_minijail(block_root_path, Path::new("block_device.policy"))?)
+            let policy_path: PathBuf = seccomp_policy_dir.join("block_device.policy");
+            Some(create_base_minijail(block_root_path, &policy_path)?)
         }
         else {
             None
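Review bot: The explicit `: PathBuf` in `let policy_path: PathBuf = seccomp_policy_dir.join("block_device.policy");` is redundant, since `Path::join` already returns `PathBuf`; the same annotation is repeated in the rng, net, wayland and vsock hunks below. The five joins differ only in the file name, so a small closure near the top of run_config, `let policy = |name: &str| seccomp_policy_dir.join(name);`, would reduce each device section to `Some(create_base_minijail(block_root_path, &policy("block_device.policy"))?)`. run_config starts and ends outside this hunk.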
@@ -314,7 +323,8 @@ fn run_config(cfg: Config) -> Result<()> {
     let rng_box = Box::new(hw::virtio::Rng::new().map_err(Error::RngDeviceNew)?);
     let rng_jail = if cfg.multiprocess {
         let rng_root_path = rng_root.as_path().unwrap(); // Won't fail if new succeeded.
-        Some(create_base_minijail(rng_root_path, Path::new("rng_device.policy"))?)
+        let policy_path: PathBuf = seccomp_policy_dir.join("rng_device.policy");
+        Some(create_base_minijail(rng_root_path, &policy_path)?)
     } else {
         None
     };
@@ -337,13 +347,13 @@ fn run_config(cfg: Config) -> Result<()> {
             let jail = if cfg.multiprocess {
                 let net_root_path = net_root.as_path().unwrap(); // Won't fail if new succeeded.
 
-                let policy_path = if cfg.vhost_net {
-                    Path::new("vhost_net_device.policy")
+                let policy_path: PathBuf = if cfg.vhost_net {
+                    seccomp_policy_dir.join("vhost_net_device.policy")
                 } else {
-                    Path::new("net_device.policy")
+                    seccomp_policy_dir.join("net_device.policy")
                 };
 
-                Some(create_base_minijail(net_root_path, policy_path)?)
+                Some(create_base_minijail(net_root_path, &policy_path)?)
             }
             else {
                 None
@@ -374,7 +384,8 @@ fn run_config(cfg: Config) -> Result<()> {
 
                 let jail = if cfg.multiprocess {
                     let wl_root_path = wl_root.as_path().unwrap(); // Won't fail if new succeeded.
-                    let mut jail = create_base_minijail(wl_root_path, Path::new("wl_device.policy"))?;
+                    let policy_path: PathBuf = seccomp_policy_dir.join("wl_device.policy");
+                    let mut jail = create_base_minijail(wl_root_path, &policy_path)?;
                     // Map the jail's root uid/gid to the main processes effective uid/gid so that
                     // the jailed device can access the wayland-0 socket with the same credentials
                     // as the main process.
@@ -399,9 +410,9 @@ fn run_config(cfg: Config) -> Result<()> {
 
         let jail = if cfg.multiprocess {
             let root_path = vsock_root.as_path().unwrap();
-            let policy_path = Path::new("vhost_vsock_device.policy");
+            let policy_path: PathBuf = seccomp_policy_dir.join("vhost_vsock_device.policy");
 
-            Some(create_base_minijail(root_path, policy_path)?)
+            Some(create_base_minijail(root_path, &policy_path)?)
         } else {
             None
         };
@@ -871,6 +882,10 @@ fn set_argument(cfg: &mut Config, name: &str, value: Option<&str>) -> argument::
                 }
             })?);
         }
+        "seccomp_policy_dir" => {
+            // Value is Some because we are in this match so it's safe to unwrap.
+            cfg.seccomp_policy_dir = Some(value.unwrap().to_owned());
+        },
         "help" => return Err(argument::Error::PrintHelp),
         _ => unreachable!(),
     }
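Review bot: The new arm stores the value without checking that it names an existing directory, so a mistyped path only surfaces when the first device jail is created in run_config (outside this hunk) rather than as a usage error like the adjacent arms produce with `?` for bad values. A check before the assignment, `if !Path::new(value.unwrap()).is_dir() { return Err(/* the argument error variant used for an invalid value */); }`, would fail fast with a message naming the flag. The arm also ends in `},` whereas the block arm just above it ends in a bare `}`.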
@@ -908,6 +923,7 @@ fn run_vm(args: std::env::Args) {
                                 "Path to put the control socket. If PATH is a directory, a name will be generated."),
           Argument::short_flag('u', "multiprocess", "Run each device in a child process."),
           Argument::value("cid", "CID", "Context ID for virtual sockets"),
+          Argument::value("seccomp_policy_dir", "PATH", "Path to seccomp .policy files."),
           Argument::short_flag('h', "help", "Print help message.")];
 
     let mut cfg = Config::default();
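Review bot: The help text for the new flag does not mention the built-in default, so an operator reading the usage output cannot tell what is used when the flag is absent; `Argument::value("seccomp_policy_dir", "PATH", "Path to seccomp .policy files (default: /usr/share/policy/crosvm).")` would say it. run_vm continues outside the hunk.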