author | Dmitry Torokhov <dtor@chromium.org> | 2019-03-06 10:56:51 -0800 |
committer | chrome-bot <chrome-bot@chromium.org> | 2019-03-08 21:20:23 -0800 |
commit | 710060744866cde8cada39caa8461a7194e4869b (patch) | |
tree | 75e7590ddb729c2780f94f605f219e80c4220b5e /src/plugin | |
parent | 766f8108b39ab55fcb05bf8de249ea6170536599 (diff) | |
Drop capabilities before spawning any vcpu thread
In case crosvm starts with elevated capabilities (for example, we need to start with CAP_SETGID to be able to map additional gids into the plugin jail), we should drop them before spawning VCPU threads. BUG=b:117989168 TEST=Start plugin via concierge_client and verify the process does not have any effective or permitted privileges. tast run [] 'vm.*' Change-Id: Ia1e80bfe19b296936d77fe9ffeda361211b41eed Reviewed-on: https://chromium-review.googlesource.com/1506296 Commit-Ready: Dmitry Torokhov <dtor@chromium.org> Tested-by: Dmitry Torokhov <dtor@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Diffstat (limited to 'src/plugin')
-rw-r--r-- | src/plugin/mod.rs | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/src/plugin/mod.rs b/src/plugin/mod.rs
index 787c73f..b79176e 100644
--- a/src/plugin/mod.rs
+++ b/src/plugin/mod.rs
@@ -28,9 +28,9 @@ use io_jail::{self, Minijail};
 use kvm::{Datamatch, IoeventAddress, Kvm, Vcpu, VcpuExit, Vm};
 use net_util::{Error as TapError, Tap, TapT};
 use sys_util::{
- block_signal, clear_signal, getegid, geteuid, register_signal_handler, validate_raw_fd,
- Error as SysError, EventFd, GuestMemory, Killable, MmapError, PollContext, PollToken,
- Result as SysResult, SignalFd, SignalFdError, SIGRTMIN,
+ block_signal, clear_signal, drop_capabilities, getegid, geteuid, register_signal_handler,
+ validate_raw_fd, Error as SysError, EventFd, GuestMemory, Killable, MmapError, PollContext,
+ PollToken, Result as SysResult, SignalFd, SignalFdError, SIGRTMIN,
 };
 use Config;
@@ -59,6 +59,7 @@ pub enum Error {
 CreateVcpuSocket(SysError),
 CreateVm(SysError),
 DecodeRequest(ProtobufError),
+ DropCapabilities(SysError),
 EncodeResponse(ProtobufError),
 Mount(io_jail::Error),
 MountDev(io_jail::Error),
@@ -124,6 +125,7 @@ impl Display for Error {
 CreateVcpuSocket(e) => write!(f, "error creating vcpu request socket: {}", e),
 CreateVm(e) => write!(f, "error creating vm: {}", e),
 DecodeRequest(e) => write!(f, "failed to decode plugin request: {}", e),
+ DropCapabilities(e) => write!(f, "failed to drop process capabilities: {}", e),
 EncodeResponse(e) => write!(f, "failed to encode plugin response: {}", e),
 Mount(e) | MountDev(e) | MountLib(e) | MountLib64(e) | MountPlugin(e)
 | MountPluginLib(e) | MountRoot(e) => write!(f, "failed to mount: {}", e),
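Review bot: The new `DropCapabilities(SysError)` variant in the `pub enum Error` hunk carries no doc comment, and unlike its neighbours its failure is a privilege boundary rather than a resource error: the later `drop_capabilities().map_err(Error::DropCapabilities)?;` in run_config makes it fatal, which is the right choice and worth recording so a future caller does not downgrade it to a logged warning. Suggest `/// Dropping the process's remaining capabilities failed; treated as fatal so the VM never runs with them.` on the variant. The surrounding variants are undocumented too, so if bare variants are house style here, the same sentence belongs in the comment already added beside the call site instead.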
@@ -544,7 +546,11 @@ pub fn run_config(cfg: Config) -> Result<()> {
 let mut vm = Vm::new(&kvm, mem).map_err(Error::CreateVm)?;
 vm.create_irq_chip().map_err(Error::CreateIrqChip)?;
 vm.create_pit().map_err(Error::CreatePIT)?;
+ let mut plugin = Process::new(vcpu_count, plugin_path, &plugin_args, jail)?;
+ // Now that the jail for the plugin has been created and we had a chance to adjust gids there,
+ // we can drop all our capabilities in case we had any.
+ drop_capabilities().map_err(Error::DropCapabilities)?;
 let mut res = Ok(());
 // If Some, we will exit after enough time is passed to shutdown cleanly.
 |