Allow sandbox pivot root directory to be given on command-line.

This will be useful on Android, which doesn't have /var/empty. BUG=b:215305014 TEST=tools/dev_container tools/run_tests TEST=tools/dev_container tools/run_tests --target=vm:aarch64 Change-Id: I3ae013bc29940b223607ca10788c571883acd7ca Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3468676 Tested-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Alexandre Courbot <acourbot@chromium.org> Commit-Queue: Andrew Walbran <qwandor@google.com>
2025-02-05 10:10:41 +00:00 · 2022-02-16 16:34:20 +00:00 · 2022-02-16 16:34:20 +00:00 · cdea9aef39
commit cdea9aef39
parent 516e536a11
3 changed files with 12 additions and 3 deletions
--- a/src/crosvm.rs
+++ b/src/crosvm.rs
@ -437,6 +437,7 @@ pub struct Config {
    #[cfg(feature = "direct")]
    pub pcie_rp: Vec<PathBuf>,
    pub rng: bool,
+    pub pivot_root: Option<PathBuf>,
 }

 impl Default for Config {
@ -549,6 +550,7 @@ impl Default for Config {
            #[cfg(feature = "direct")]
            pcie_rp: Vec::new(),
            rng: true,
+            pivot_root: None,
        }
    }
 }
--- a/src/linux/jail_helpers.rs
+++ b/src/linux/jail_helpers.rs
@ -111,11 +111,14 @@ pub(super) fn create_base_minijail(

 pub(super) fn simple_jail(cfg: &Config, policy: &str) -> Result<Option<Minijail>> {
    if cfg.sandbox {
-        let pivot_root: &str = option_env!("DEFAULT_PIVOT_ROOT").unwrap_or("/var/empty");
+        let default_pivot_root: &str = option_env!("DEFAULT_PIVOT_ROOT").unwrap_or("/var/empty");
        // A directory for a jailed device's pivot root.
-        let root_path = Path::new(pivot_root);
+        let root_path = cfg
+            .pivot_root
+            .as_deref()
+            .unwrap_or_else(|| Path::new(default_pivot_root));
        if !root_path.exists() {
-            bail!("{} doesn't exist, can't jail devices", pivot_root);
+            bail!("{:?} doesn't exist, can't jail devices", root_path);
        }
        let policy_path: PathBuf = cfg.seccomp_policy_dir.join(policy);
        let config = SandboxConfig {
--- a/src/main.rs
+++ b/src/main.rs
@ -2362,6 +2362,9 @@ fn set_argument(cfg: &mut Config, name: &str, value: Option<&str>) -> argument::

            cfg.pcie_rp.push(pcie_path);
        }
+        "pivot-root" => {
+            cfg.pivot_root = Some(PathBuf::from(value.unwrap()));
+        }
        "help" => return Err(argument::Error::PrintHelp),
        _ => unreachable!(),
    }
@ -2740,6 +2743,7 @@ iommu=on|off - indicates whether to enable virtio IOMMU for this device"),
                              align - whether to adjust addr and size to page boundaries implicitly"),
          #[cfg(feature = "direct")]
          Argument::value("pcie-root-port", "PATH", "Path to sysfs of host pcie root port"),
+          Argument::value("pivot-root", "PATH", "Path to empty directory to use for sandbox pivot root."),
          Argument::short_flag('h', "help", "Print help message.")];

    let mut cfg = Config::default();