From 1502a11ed0a1844a4465eb55d6a06cba3405ffcd Mon Sep 17 00:00:00 2001
From: Chirantan Ekbote <chirantan@chromium.org>
Date: Fri, 16 Nov 2018 11:39:02 -0800
Subject: plugin: Fix tmpfs mount options

Mounting a filesystem with the `exec` flag has required CAP_SYS_ADMIN in
the init namespace since February 2018.

BUG=b:80150167
TEST=run the plugin_adder test plugin

Change-Id: Ibf3fdf52314d15f0154742e1b6c11f73155d2d59
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1341102
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
---
 src/plugin/mod.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/plugin/mod.rs')

diff --git a/src/plugin/mod.rs b/src/plugin/mod.rs
index 0aa2ff4..d594a9a 100644
--- a/src/plugin/mod.rs
+++ b/src/plugin/mod.rs
@@ -19,7 +19,7 @@ use std::time::{Duration, Instant};
 
 use libc::{
     c_ulong, ioctl, socketpair, AF_UNIX, EAGAIN, EBADF, EDEADLK, EEXIST, EINTR, EINVAL, ENOENT,
-    EOVERFLOW, EPERM, FIOCLEX, MS_NODEV, MS_NOSUID, SIGCHLD, SOCK_SEQPACKET,
+    EOVERFLOW, EPERM, FIOCLEX, MS_NODEV, MS_NOEXEC, MS_NOSUID, SIGCHLD, SOCK_SEQPACKET,
 };
 
 use protobuf::ProtobufError;
@@ -252,7 +252,7 @@ fn create_plugin_jail(root: &Path, seccomp_policy: &Path) -> Result<Minijail> {
         Path::new("none"),
         Path::new("/"),
         "tmpfs",
-        (MS_NOSUID | MS_NODEV) as usize,
+        (MS_NOSUID | MS_NODEV | MS_NOEXEC) as usize,
         "size=67108864",
     )
     .map_err(Error::MountRoot)?;
-- 
cgit 1.4.1