From 7a97366e961ea0260e16fdcd03ef37a2abd898b2 Mon Sep 17 00:00:00 2001
From: Chirantan Ekbote
Date: Fri, 16 Nov 2018 11:40:44 -0800
Subject: [PATCH] plugin: Fix uid and gid maps

When minijail is given a uid/gid map but is not given a uid/gid to change to, it will default to setting the uid/gid inside the new user namespace to root. This works fine if crosvm is launched as root but fails miserably otherwise since we only map the current euid/egid into the user namespace (and so 0 is not a valid uid/gid). We would normally want to fix this by having minijail change its uid/gid to the current euid/egid. However, because of the way minijail is set up it only attempts to enter a new net namespace after exec-ing the program to be jailed. Entering a new net namespace requires CAP_SYS_ADMIN in the current namespace and this capability gets dropped the moment we switch to a non-root user. So to deal with this we map root inside the namespace to the crosvm user outside the namespace. This allows us to enter a new net namespace and we already tell minijail to drop all caps so the plugin will not have any caps when it actually runs.

BUG=b:80150167
TEST=run plugin_adder

Change-Id: I10c9e6bef859fd787dd6e17d5cf2ff3e552501fb
Signed-off-by: Chirantan Ekbote
Reviewed-on: https://chromium-review.googlesource.com/1341103
Commit-Ready: ChromeOS CL Exonerator Bot
Reviewed-by: Dylan Reid
---
 src/plugin/mod.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/plugin/mod.rs b/src/plugin/mod.rs
index d594a9a383..c83319788d 100644
--- a/src/plugin/mod.rs
+++ b/src/plugin/mod.rs
@@ -222,9 +222,9 @@ fn create_plugin_jail(root: &Path, seccomp_policy: &Path) -> Result {
 let mut j = Minijail::new().map_err(Error::CreateJail)?;
 j.namespace_pids();
 j.namespace_user();
- j.uidmap(&format!("{0} {0} 1", geteuid()))
+ j.uidmap(&format!("0 {0} 1", geteuid()))
 .map_err(Error::SetUidMap)?;
- j.gidmap(&format!("{0} {0} 1", getegid()))
+ j.gidmap(&format!("0 {0} 1", getegid()))
 .map_err(Error::SetGidMap)?;
 j.namespace_user_disable_setgroups();
 // Don't need any capabilities.
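Review bot: The reason the new uidmap/gidmap lines map id 0 inside the user namespace to the caller's euid/egid lives only in the commit message; a reader of create_plugin_jail will see the plugin being made namespace-root and nothing explains why that is safe. Add a comment above the `j.uidmap(...)` call along the lines of `// Map root inside the user namespace to the crosvm user so the jailed process still holds CAP_SYS_ADMIN when minijail enters the new net namespace after exec; all capabilities are dropped below, so the plugin itself runs without them.` That comment also records the invariant the mapping depends on: if the cap-dropping call that follows "// Don't need any capabilities." were ever removed, the plugin would run as uid 0 inside the namespace with namespace-scoped capabilities rather than as an unprivileged user. The body of create_plugin_jail continues past the end of this hunk, so the cap drop itself is not visible here.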