diff options
| author | Dmitry Torokhov <dtor@chromium.org> | 2019-03-01 00:34:03 -0800 |
|---|---|---|
| committer | chrome-bot <chrome-bot@chromium.org> | 2019-03-01 23:41:33 -0800 |
| commit | 1a6262bd97d100f455bb01a41c1f3784e3ca143e (patch) | |
| tree | dae85db473c5c1538aa0bee4d7aab23becf7c153 /src/main.rs | |
| parent | e32a6c9b930166a7e64cc9200abb4279eb097c56 (diff) | |
| download | crosvm-1a6262bd97d100f455bb01a41c1f3784e3ca143e.tar crosvm-1a6262bd97d100f455bb01a41c1f3784e3ca143e.tar.gz crosvm-1a6262bd97d100f455bb01a41c1f3784e3ca143e.tar.bz2 crosvm-1a6262bd97d100f455bb01a41c1f3784e3ca143e.tar.lz crosvm-1a6262bd97d100f455bb01a41c1f3784e3ca143e.tar.xz crosvm-1a6262bd97d100f455bb01a41c1f3784e3ca143e.tar.zst crosvm-1a6262bd97d100f455bb01a41c1f3784e3ca143e.zip | |
crosvm: allow mapping additional gids in plugin jail
Plugin needs to access to various services such as cras, cups, and so
on, and therefore we need to make sure their respective groups are
mapped in the plugin jail.
BUG=b:117989168
TEST=Start plugin via concierge_client and verify that additional
groups besides crosvm are visible in the jail.
Change-Id: Ic1151fcfca0ca75c9ae6a22828853bbe6c9fe16c
Reviewed-on: https://chromium-review.googlesource.com/1495723
Commit-Ready: Dmitry Torokhov <dtor@chromium.org>
Tested-by: Dmitry Torokhov <dtor@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Diffstat (limited to 'src/main.rs')
| -rw-r--r-- | src/main.rs | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/src/main.rs b/src/main.rs index 70dbf4d..dec98d1 100644 --- a/src/main.rs +++ b/src/main.rs @@ -72,6 +72,13 @@ struct BindMount { writable: bool, } +#[allow(dead_code)] +struct GidMap { + inner: libc::gid_t, + outer: libc::gid_t, + count: u32, +} + const DEFAULT_TRACKPAD_WIDTH: u32 = 800; const DEFAULT_TRACKPAD_HEIGHT: u32 = 1280; @@ -102,6 +109,7 @@ pub struct Config { plugin: Option<PathBuf>, plugin_root: Option<PathBuf>, plugin_mounts: Vec<BindMount>, + plugin_gid_maps: Vec<GidMap>, disks: Vec<DiskOption>, host_ip: Option<net::Ipv4Addr>, netmask: Option<net::Ipv4Addr>, @@ -138,6 +146,7 @@ impl Default for Config { plugin: None, plugin_root: None, plugin_mounts: Vec::new(), + plugin_gid_maps: Vec::new(), disks: Vec::new(), host_ip: None, netmask: None, @@ -504,6 +513,45 @@ fn set_argument(cfg: &mut Config, name: &str, value: Option<&str>) -> argument:: cfg.plugin_mounts.push(BindMount { src, dst, writable }); } + "plugin-gid-map" => { + let components: Vec<&str> = value.unwrap().split(":").collect(); + if components.len() != 3 { + return Err(argument::Error::InvalidValue { + value: value.unwrap().to_owned(), + expected: + "`plugin-gid-map` must have exactly 3 components: <inner>:<outer>:<count>", + }); + } + + let inner: libc::gid_t = + components[0] + .parse() + .map_err(|_| argument::Error::InvalidValue { + value: components[0].to_owned(), + expected: "the <inner> component for `plugin-gid-map` is not valid gid", + })?; + + let outer: libc::gid_t = + components[1] + .parse() + .map_err(|_| argument::Error::InvalidValue { + value: components[1].to_owned(), + expected: "the <outer> component for `plugin-gid-map` is not valid gid", + })?; + + let count: u32 = components[2] + .parse() + .map_err(|_| argument::Error::InvalidValue { + value: components[2].to_owned(), + expected: "the <count> component for `plugin-gid-map` is not valid number", + })?; + + cfg.plugin_gid_maps.push(GidMap { + inner, + outer, + count, + }); + } "vhost-net" => cfg.vhost_net = true, "tap-fd" => { cfg.tap_fd.push( @@ -627,6 +675,8 @@ fn run_vm(args: std::env::Args) -> std::result::Result<(), ()> { Argument::value("plugin-root", "PATH", "Absolute path to a directory that will become root filesystem for the plugin process."), #[cfg(feature = "plugin")] Argument::value("plugin-mount", "PATH:PATH:BOOL", "Path to be mounted into the plugin's root filesystem. Can be given more than once."), + #[cfg(feature = "plugin")] + Argument::value("plugin-gid-map", "GID:GID:INT", "Supplemental GIDs that should be mapped in plugin jail. Can be given more than once."), Argument::flag("vhost-net", "Use vhost for networking."), Argument::value("tap-fd", "fd", |