Fds created via dup don't share file descriptor flags with the original
fd, which means that they don't have the FD_CLOEXEC flag set. Use
fcntl(F_DUPFD_CLOEXEC) so that this flag gets set for the duplicated fds
as well.
BUG=none
TEST=unit tests
Change-Id: Ib471cf40acac1eacf72969ba45247f50b349ed58
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2809687
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
The p9 crate API changed so that the new() function now returns a
result. Update the caller to match.
Additionally, the implementation also changed to use different syscalls
so update the seccomp filters to match.
BUG=b:162388795
TEST=Start a vm with a 9p mount and test the changed operations to make
sure they still work.
Cq-Depend: chromium:2494169
Change-Id: I7c4e1fd2fb192206402e895b09e519c3e769ae3c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2494328
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: Chirantan Ekbote <chirantan@chromium.org>
The build-time seccomp compiler for aarch64 complains that it doesn't
recognize open, epoll_wait, recv, mmap2, dup2, poll, mkdir, or stat.
I tried to propose a change to upstream minijail to make it aware of
these syscalls, but the calls are in various forms of deprecation
so upstream is doubting the sanity of the policy files.
I applied the following mapping: open->openat, epoll_wait->epoll_pwait,
recv->recvfrom, mmap2->mmap, dup2->dup3, poll->ppoll, mkdir->mkdirat,
and stat->statx. In many cases the new syscall was already present so I
just deleted the old one.
BUG=None
TEST=Ran compile_seccomp_policy.py with an unmodified minijail until
it stopped complaining. I don't have an arm device for runtime testing.
Wrote an app to emulate the execution of the first 400 syscall #s though
the bpf filter and verified that the list that matches the filter is the
same as the policy file.
Change-Id: I599aa549a1712b898eb6b73492872a9676e7215d
Signed-off-by: Matt Delco <delco@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2036218
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Minijail's policy compiler complains when there's multiple
unconditional rules for a syscall. In most cases the rules
are redundant to common_device.policy.
BUG=None
TEST=Ran compile_seccomp_policy.py until it stopped
complaining.
Change-Id: Ic43d1fd13f9c012641d71e526942229eb8b08ed4
Signed-off-by: Matt Delco <delco@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2034024
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
This allows us to use export a directory to a VM with the
'--shared-dir tag:/dir' crosvm command line flag without relying
on seneschal. The fs device's policy already does the same.
BUG=b:123309049
TEST=Start tot ARCVM, run 'mkdir /var/run/arc/arcvm && mount -t 9p
-o "trans=virtio,version=9p2000.L,cache=none,access=any"
host_generated /var/run/arc/arcvm && ls /var/run/arc/arcvm',
verify ls prints files.
Change-Id: I8f8b265fc8a7de159508afbee5114b6a3f084d01
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1995319
Tested-by: Yusuke Sato <yusukes@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Lepton Wu <lepton@chromium.org>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Commit-Queue: Yusuke Sato <yusukes@chromium.org>
Seccomp policy for ARM hosts was recently moved from aarch64 to arm to
accurately match the ABI used on the host. Move 9s policy to match this.
BUG=none
TEST=vm.Webserver on kevin succeeds
Change-Id: I97daa524edcd411618561ce07525738bc65457cb
Reviewed-on: https://chromium-review.googlesource.com/1180470
Commit-Ready: Stephen Barber <smbarber@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Sonny Rao <sonnyrao@chromium.org>
Implement a new virtio_9p device to be used for sharing directories with
the VM.
BUG=chromium:703939
TEST=mount inside a VM and run `bonnie++ -r 256`
Append the shared directory to the crosvm command line:
--shared-dir /path/to/dir:test_9p
Then mount in the guest:
mkdir /tmp/9p
mount -t 9p -o trans=virtio test_9p /tmp/9p -oversion=9p2000.L
Or for a 9p root:
run --shared-dir /mnt/vm_root:/dev/root -p 'root=/dev/root ro rootflags=ro,trans=virtio,version=9p2000.L,cache=loose rootfstype=9p' vmlinux.bin
CQ-DEPEND=CL:1065170
Change-Id: I41fc21306ab5fa318a271f172d7057b767b29f31
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1065173
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
