Google Git
Sign in
gfiber / vendor / google / minijail / 1912c5b5e88455e0a0c03fd375d232a498edd95d^! / .
commit1912c5b5e88455e0a0c03fd375d232a498edd95d[log] [tgz]
authorYu-Hsi Chiang <yuhsi@google.com>Mon Aug 31 18:59:49 2015 +0800
committerSamuel Tan <samueltan@google.com>Mon Oct 05 16:39:38 2015 -0700
tree07cae1ec063145a4ab7619f91caaf657fbf4d252
parent3cc05eab4d956e9bb919ebe7a2166c987ba1d5bf [diff]
minijail: Support multiple range uid/gid mappings.

Now minijail accept multiple ranges of contiguous uid/gid mappings that
is seperated by commas. The commas are replaced by newlines before
writing to map files.

BUG=chromium:517387
TEST=security_Minijail0 pass

Change-Id: I27d45480010b38e71b80837cc2299f180d77c4a1
Reviewed-on: https://chromium-review.googlesource.com/296270
Commit-Ready: Yu-hsi Chiang <yuhsi@google.com>
Tested-by: Yu-hsi Chiang <yuhsi@google.com>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

diff --git a/libminijail.c b/libminijail.c
index 0a429c9..5378d84 100644
--- a/libminijail.c
+++ b/libminijail.c

@@ -311,6 +311,11 @@
 	j->uidmap = strdup(uidmap);
 	if (!j->uidmap)
 		return -ENOMEM;
+	char *ch;
+	for (ch = j->uidmap; *ch; ch++) {
+		if (*ch == ',')
+			*ch = '\n';
+	}
 	return 0;
 }
 
@@ -319,6 +324,11 @@
 	j->gidmap = strdup(gidmap);
 	if (!j->gidmap)
 		return -ENOMEM;
+	char *ch;
+	for (ch = j->gidmap; *ch; ch++) {
+		if (*ch == ',')
+			*ch = '\n';
+	}
 	return 0;
 }
 

diff --git a/minijail0.c b/minijail0.c
index 921eeb9..d199fab 100644
--- a/minijail0.c
+++ b/minijail0.c

@@ -78,7 +78,8 @@
 
 	printf("Usage: %s [-GhiInprsvtU] [-b <src>,<dest>[,<writeable>]] [-f <file>]"
 	       "[-c <caps>] [-C <dir>] [-g <group>] [-S <file>] [-u <user>] "
-	       "[-m <uid> <loweruid> <count>] [-M <gid> <lowergid> <count>] "
+	       "[-m \"<uid> <loweruid> <count>[,<uid> <loweruid> <count>]\"] "
+	       "[-M \"<gid> <lowergid> <count>[,<uid> <loweruid> <count>]\"] "
 	       "<program> [args...]\n"
 	       "  -b:         binds <src> to <dest> in chroot. Multiple "
 	       "instances allowed\n"
@@ -101,10 +102,10 @@
 
 	printf("\n"
 	       "  -m:         set the uid mapping of a user namespace (implies -pU).\n"
-	       "              Same arguments as newuidmap(1)\n"
+	       "              Same arguments as newuidmap(1), multiple mappings should be separated by ',' (comma).\n"
 	       "              Not compatible with -b without writable\n"
 	       "  -M:         set the gid mapping of a user namespace (implies -pU).\n"
-	       "              Same arguments as newgidmap(1)\n"
+	       "              Same arguments as newgidmap(1), multiple mappings should be separated by ',' (comma).\n"
 	       "              Not compatible with -b without writable\n"
 	       "  -n:         set no_new_privs\n"
 	       "  -p:         enter new pid namespace (implies -vr)\n"