| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
| |
Change-Id: I6343e879ba75e8ac912590779c620bd0045e74d9
Reviewed-on: https://chromium-review.googlesource.com/634269
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Running crosvm in multiprocess mode includes setting up an io_jail for
each device and it can very often fail due to problems in the
enviroment, such as missing policy files or lack of privilege. The auto
generated debug error messages were not very good (based on initial user
feedback) and so this CL implements display to help make the errors more
understandable when they are printed.
BUG=None
TEST=./build_test
Change-Id: If51c00e60abb9b0d482515fa1e401f2fa6fb9e8f
Reviewed-on: https://chromium-review.googlesource.com/649950
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Jason Clinton <jclinton@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
parse_seccomp_filters in libminijail will unhelpfully abort() if the
path doesn't exist. Check that the policy file exists so that there's
a semi-useful error message.
BUG=none
TEST=crosvm run without seccomp policy in current directory; no abort
Change-Id: Ie1123e8cae3f6a27bbd5a3128161364401e8d4b2
Signed-off-by: Stephen Barber <smbarber@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/585829
Reviewed-by: Dylan Reid <dgreid@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This will be used by some device jails to get access to unix sockets
after being jailed.
TEST=None
BUG=None
Change-Id: I870bfb155b275769ccb3248b1441e7c0b8f20ad7
Reviewed-on: https://chromium-review.googlesource.com/558447
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
The FDs for stdin, stdout, and stderr shouldn't be left empty. Just
closing these FDs causes the next open() call from the jailed process to
reuse the 0, 1, or 2 FD. This confuses basic infrastructure like
println!.
Change-Id: I40ea471b4a011f2be5132e1a0ff50656ae2ec14a
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/549659
|
|
|
The io_jail is used to jail io processes run from crosvm. Under the hood
it mostly configures a minijail jail to run in. The minijail
restrictions are applied when iojail::enter is called. This closes
extra FDs and calls minijail_enter.
The minijail_run* functions are left out as we don't have a need to exec
foreign programs. libminijail will be used to jail separate processes
spawned from the main crosvm process.
The ability to close all open file descriptors is added. Minijail only
closes FDs after forking and before exec.
Change-Id: Ida7f52022c934e9e6edeb7b604cd6e6399860cb9
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/505100
Reviewed-by: Zach Reizner <zachr@chromium.org>
|