author Chirantan Ekbote <chirantan@chromium.org> 2018-11-16 11:40:44 -0800
committer chrome-bot <chrome-bot@chromium.org> 2019-01-07 19:40:14 -0800
commit 7a97366e961ea0260e16fdcd03ef37a2abd898b2
tree 8a9f90f238344535265704463dae20b2247e13c4 /src
parent 1502a11ed0a1844a4465eb55d6a06cba3405ffcd
plugin: Fix uid and gid maps
When minijail is given a uid/gid map but is not given a uid/gid to
change to, it will default to setting the uid/gid inside the new user
namespace to root.  This works fine if crosvm is launched as root but
fails miserably otherwise since we only map the current euid/egid into
the user namespace (and so 0 is not a valid uid/gid).

We would normally want to fix this by having minijail change its uid/gid
to the current euid/egid.  However, because of the way minijail is set
up it only attempts to enter a new net namespace after exec-ing the
program to be jailed.  Entering a new net namespace requires
CAP_SYS_ADMIN in the current namespace and this capability gets dropped
the moment we switch to a non-root user.

So to deal with this we map root inside the namespace to the crosvm user
outside the namespace.  This allows us to enter a new net namespace and
we already tell minijail to drop all caps so the plugin will not have
any caps when it actually runs.

BUG=b:80150167
TEST=run plugin_adder

Change-Id: I10c9e6bef859fd787dd6e17d5cf2ff3e552501fb
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1341103
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Diffstat (limited to 'src')
-rw-r--r-- src/plugin/mod.rs 4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/plugin/mod.rs b/src/plugin/mod.rs
index d594a9a..c833197 100644
--- a/src/plugin/mod.rs
+++ b/src/plugin/mod.rs
@@ -222,9 +222,9 @@ fn create_plugin_jail(root: &Path, seccomp_policy: &Path) -> Result<Minijail> {
     let mut j = Minijail::new().map_err(Error::CreateJail)?;
     j.namespace_pids();
     j.namespace_user();
-    j.uidmap(&format!("{0} {0} 1", geteuid()))
+    j.uidmap(&format!("0 {0} 1", geteuid()))
         .map_err(Error::SetUidMap)?;
-    j.gidmap(&format!("{0} {0} 1", getegid()))
+    j.gidmap(&format!("0 {0} 1", getegid()))
         .map_err(Error::SetGidMap)?;
     j.namespace_user_disable_setgroups();
     // Don't need any capabilities.
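Review bot: the changed `j.uidmap(&format!("0 {0} 1", geteuid()))` and `j.gidmap(&format!("0 {0} 1", getegid()))` lines have no comment saying why the plugin is now uid/gid 0 inside the user namespace, so someone reading the code without the commit message will see what looks like an unintended grant of root. The reasoning exists only in the commit message (minijail enters the new net namespace after exec, that needs CAP_SYS_ADMIN, and the capability is lost on switching to a non-root user). A short comment above `j.uidmap(...)` should state this and say that the mapping is only safe because all capabilities are dropped afterwards, so the two are not separated by a later refactor. Only the `// Don't need any capabilities.` comment is visible at the end of this hunk, so it is also worth confirming that the call following it drops every capability.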