Temporarily disable setting seccomp filters in Minijail.
To make merging the BPF-based seccomp filter implementation easier,
turn off setting seccomp filters in Minijail. Add a flag ("-F") to
force setting seccomp filters.
BUG=chromium-os:27878
TEST=security_Minijail0 still passes.
Change-Id: I1948223f2292cf5c059bf50f69fd0b4e42ec39a2
Reviewed-on: https://gerrit.chromium.org/gerrit/21170
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
diff --git a/libminijail.c b/libminijail.c
index 1451dcd..0080c49 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -184,6 +184,13 @@
void API minijail_use_seccomp_filter(struct minijail *j)
{
+ /* TODO(jorgelo): re-enable this when the seccomp BPF merge is done. */
+ j->flags.seccomp_filter = 0;
+}
+
+/* TODO(jorgelo): remove this when the seccomp BPF merge is done. */
+void API minijail_force_seccomp_filter(struct minijail *j)
+{
j->flags.seccomp_filter = 1;
}
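Review bot: minijail_use_seccomp_filter() now silently discards the caller's request, so any libminijail user other than minijail0 that calls it will believe seccomp filters are armed when nothing is applied, and the new default fails open with no signal at the API boundary. At minimum the declaration in the libminijail.h hunk should carry a comment such as `/* Currently a no-op pending the seccomp BPF merge; call minijail_force_seccomp_filter() to actually arm filters. */`. Because the body writes `j->flags.seccomp_filter = 0` rather than leaving the flag alone, a caller that invokes minijail_force_seccomp_filter() before minijail_use_seccomp_filter() has its filter disarmed again; if the flag is already zero by default (not visible here) a true no-op, `(void)j;`, avoids that ordering hazard, otherwise the order dependence should be documented.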
diff --git a/libminijail.h b/libminijail.h
index e3828af..5753196 100644
--- a/libminijail.h
+++ b/libminijail.h
@@ -44,6 +44,7 @@
int minijail_change_group(struct minijail *j, const char *group);
void minijail_use_seccomp(struct minijail *j);
void minijail_use_seccomp_filter(struct minijail *j);
+void minijail_force_seccomp_filter(struct minijail *j);
void minijail_parse_seccomp_filters(struct minijail *j, const char *path);
int minijail_add_seccomp_filter(struct minijail *j, int nr,
const char *filter);
diff --git a/minijail0.c b/minijail0.c
index c9bb83f..524ac7f 100644
--- a/minijail0.c
+++ b/minijail0.c
@@ -86,7 +86,9 @@
" -S <file>: set seccomp filters using <file>\n"
" E.g., -S /usr/share/filters/<prog>.$(uname -m)\n"
" -u <user>: change uid to <user>\n"
- " -v: use vfs namespace\n", progn);
+ " -v: use vfs namespace\n"
+ " -F: no dry run, force setting seccomp filters\n",
+ progn);
}
static void seccomp_filter_usage(const char *progn)
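Review bot: The `-S` help line still says "set seccomp filters using <file>", but after this change `-S` alone only parses the file and nothing is enforced unless `-F` is also passed, so the usage text overstates what the user gets. Reword it to something like `" -S <file>: parse seccomp filters from <file> (not applied unless -F is given)\n"`. The new `-F` line describes the flag by its negation ("no dry run"); `" -F: actually apply the seccomp filters parsed with -S\n"` states it directly.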
@@ -104,7 +106,9 @@
struct minijail *j = minijail_new();
int opt;
- while ((opt = getopt(argc, argv, "u:g:sS:c:C:b:vrGhHp")) != -1) {
+ int use_seccomp_filter = 0;
+ int dry_run = 1;
+ while ((opt = getopt(argc, argv, "u:g:sS:c:C:b:vrGhHpF")) != -1) {
switch (opt) {
case 'u':
set_user(j, optarg);
@@ -118,6 +122,10 @@
case 'S':
minijail_parse_seccomp_filters(j, optarg);
minijail_use_seccomp_filter(j);
+ use_seccomp_filter = 1;
+ break;
+ case 'F':
+ dry_run = 0;
break;
case 'b':
add_binding(j, optarg);
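Review bot: `-S` without `-F` leaves the parsed filters unapplied and `-F` without `-S` does nothing, and neither combination prints anything, so a user who forgets `-F` runs the jailed program unconfined without noticing. The two flags are only combined after the option loop (the `if (use_seccomp_filter && !dry_run)` check in the later hunk of this file); an `else if (use_seccomp_filter)` branch there with `fprintf(stderr, "%s: seccomp filters parsed but not applied; pass -F to enforce them\n", argv[0]);` would make the dry run visible, and a similar message for `dry_run == 0 && !use_seccomp_filter` would catch a stray `-F`. Whether minijail0.c already has a warning helper is not visible in this hunk, so plain stderr is a placeholder for whatever the file uses.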
@@ -149,6 +157,10 @@
}
}
+ /* TODO(jorgelo): remove this when the seccomp BPF merge is done. */
+ if (use_seccomp_filter && !dry_run)
+ minijail_force_seccomp_filter(j);
+
if (argc == optind) {
usage(argv[0]);
exit(1);