diff options
Diffstat (limited to 'src/plugin/mod.rs')
-rw-r--r-- | src/plugin/mod.rs | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/plugin/mod.rs b/src/plugin/mod.rs index 32ea4bb..d886f0d 100644 --- a/src/plugin/mod.rs +++ b/src/plugin/mod.rs @@ -61,6 +61,7 @@ pub enum Error { DecodeRequest(ProtobufError), EncodeResponse(ProtobufError), Mount(io_jail::Error), + MountDev(io_jail::Error), MountLib(io_jail::Error), MountLib64(io_jail::Error), MountPlugin(io_jail::Error), @@ -129,6 +130,7 @@ impl fmt::Display for Error { Error::DecodeRequest(ref e) => write!(f, "failed to decode plugin request: {}", e), Error::EncodeResponse(ref e) => write!(f, "failed to encode plugin response: {}", e), Error::Mount(ref e) => write!(f, "failed to mount: {}", e), + Error::MountDev(ref e) => write!(f, "failed to mount: {}", e), Error::MountLib(ref e) => write!(f, "failed to mount: {}", e), Error::MountLib64(ref e) => write!(f, "failed to mount: {}", e), Error::MountPlugin(ref e) => write!(f, "failed to mount: {}", e), @@ -496,6 +498,15 @@ pub fn run_config(cfg: Config) -> Result<()> { let policy_path = cfg.seccomp_policy_dir.join("plugin.policy"); let mut jail = create_plugin_jail(root_path, &policy_path)?; + // Mount minimal set of devices (full, zero, urandom, etc). We can not use + // jail.mount_dev() here because crosvm may not be running with CAP_SYS_ADMIN. + let device_names = ["full", "null", "urandom", "zero"]; + for name in device_names.iter() { + let device = Path::new("/dev").join(&name); + jail.mount_bind(&device, &device, true) + .map_err(Error::MountDev)?; + } + for bind_mount in &cfg.plugin_mounts { jail.mount_bind(&bind_mount.src, &bind_mount.dst, bind_mount.writable) .map_err(Error::Mount)?; |