Allow sandbox pivot root directory to be given on command-line.

This will be useful on Android, which doesn't have /var/empty.

BUG=b:215305014
TEST=tools/dev_container tools/run_tests
TEST=tools/dev_container tools/run_tests --target=vm:aarch64

Change-Id: I3ae013bc29940b223607ca10788c571883acd7ca
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3468676
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Alexandre Courbot <acourbot@chromium.org>
Commit-Queue: Andrew Walbran <qwandor@google.com>
Andrew Walbran 2022-02-16 16:34:20 +00:00 committed by Commit Bot
parent 516e536a11
commit cdea9aef39
3 changed files with 12 additions and 3 deletions


@ -437,6 +437,7 @@ pub struct Config {
#[cfg(feature = "direct")] #[cfg(feature = "direct")]
pub pcie_rp: Vec<PathBuf>, pub pcie_rp: Vec<PathBuf>,
pub rng: bool, pub rng: bool,
pub pivot_root: Option<PathBuf>,
} }
impl Default for Config { impl Default for Config {
@ -549,6 +550,7 @@ impl Default for Config {
#[cfg(feature = "direct")] #[cfg(feature = "direct")]
pcie_rp: Vec::new(), pcie_rp: Vec::new(),
rng: true, rng: true,
pivot_root: None,
} }
} }
} }
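Review bot: The new `pub pivot_root: Option<PathBuf>,` field carries no doc comment, so nothing on the Config type says what `None` means; the reader has to find the fallback in simple_jail. I would add above the field `/// Directory to use as the pivot root for jailed devices; None selects the build-time default (DEFAULT_PIVOT_ROOT, else /var/empty).` so the contract is visible where the option is declared. Both the Config struct and its Default impl begin before this hunk and continue past it.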


@ -111,11 +111,14 @@ pub(super) fn create_base_minijail(
pub(super) fn simple_jail(cfg: &Config, policy: &str) -> Result<Option<Minijail>> { pub(super) fn simple_jail(cfg: &Config, policy: &str) -> Result<Option<Minijail>> {
if cfg.sandbox { if cfg.sandbox {
let pivot_root: &str = option_env!("DEFAULT_PIVOT_ROOT").unwrap_or("/var/empty"); let default_pivot_root: &str = option_env!("DEFAULT_PIVOT_ROOT").unwrap_or("/var/empty");
// A directory for a jailed device's pivot root. // A directory for a jailed device's pivot root.
let root_path = Path::new(pivot_root); let root_path = cfg
.pivot_root
.as_deref()
.unwrap_or_else(|| Path::new(default_pivot_root));
if !root_path.exists() { if !root_path.exists() {
bail!("{} doesn't exist, can't jail devices", pivot_root); bail!("{:?} doesn't exist, can't jail devices", root_path);
} }
let policy_path: PathBuf = cfg.seccomp_policy_dir.join(policy); let policy_path: PathBuf = cfg.seccomp_policy_dir.join(policy);
let config = SandboxConfig { let config = SandboxConfig {
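Review bot: The guard at `if !root_path.exists()` only checks existence, but a user-supplied `--pivot-root` can now name a regular file, a symlink, or a populated directory, none of which the help text's "empty directory" contract allows, and any such failure would surface later inside minijail rather than at this check. I would tighten it to `if !root_path.is_dir() { bail!("{} is not a directory, can't jail devices", root_path.display()); }` and, given that the help text requires an empty directory (I cannot see from this hunk what minijail does with its contents), also reject one whose `read_dir` yields any entry. `{:?}` on a Path prints quotes and escapes; `.display()` keeps the plain message the old `{}` produced. simple_jail continues past the hunk.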


@ -2362,6 +2362,9 @@ fn set_argument(cfg: &mut Config, name: &str, value: Option<&str>) -> argument::
cfg.pcie_rp.push(pcie_path); cfg.pcie_rp.push(pcie_path);
} }
"pivot-root" => {
cfg.pivot_root = Some(PathBuf::from(value.unwrap()));
}
"help" => return Err(argument::Error::PrintHelp), "help" => return Err(argument::Error::PrintHelp),
_ => unreachable!(), _ => unreachable!(),
} }
@ -2740,6 +2743,7 @@ iommu=on|off - indicates whether to enable virtio IOMMU for this device"),
align - whether to adjust addr and size to page boundaries implicitly"), align - whether to adjust addr and size to page boundaries implicitly"),
#[cfg(feature = "direct")] #[cfg(feature = "direct")]
Argument::value("pcie-root-port", "PATH", "Path to sysfs of host pcie root port"), Argument::value("pcie-root-port", "PATH", "Path to sysfs of host pcie root port"),
Argument::value("pivot-root", "PATH", "Path to empty directory to use for sandbox pivot root."),
Argument::short_flag('h', "help", "Print help message.")]; Argument::short_flag('h', "help", "Print help message.")];
let mut cfg = Config::default(); let mut cfg = Config::default();
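Review bot: In the `"pivot-root"` arm of the first hunk the value is stored unvalidated, so a relative path is accepted and later resolved against whatever crosvm's working directory happens to be when simple_jail checks it, and with sandboxing disabled the option is silently ignored. I would reject non-absolute paths at parse time with an `argument::Error`, e.g. `let path = PathBuf::from(value.unwrap()); if !path.is_absolute() { return Err(/* invalid-value error used by the other arms */); }` before `cfg.pivot_root = Some(path);`, so the failure names the flag instead of appearing as a bare "doesn't exist". The `value.unwrap()` is only safe if `Argument::value` guarantees a value; I take that from the neighbouring arms, which are not all visible here. The help string in the second hunk could also state the fallback, e.g. `"Path to empty directory to use for sandbox pivot root (default: /var/empty, or DEFAULT_PIVOT_ROOT at build time)."`. set_argument and the argument table both extend outside the hunks.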