Temporarily disable setting seccomp filters in Minijail.

To make merging the BPF-based seccomp filter implementation easier,
turn off setting seccomp filters in Minijail. Add a flag ("-F") to
force setting seccomp filters.

BUG=chromium-os:27878
TEST=security_Minijail0 still passes.

Change-Id: I1948223f2292cf5c059bf50f69fd0b4e42ec39a2
Reviewed-on: https://gerrit.chromium.org/gerrit/21170
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
diff --git a/libminijail.c b/libminijail.c
index 1451dcd..0080c49 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -184,6 +184,13 @@
 
 void API minijail_use_seccomp_filter(struct minijail *j)
 {
+	/* TODO(jorgelo): re-enable this when the seccomp BPF merge is done. */
+	j->flags.seccomp_filter = 0;
+}
+
+/* TODO(jorgelo): remove this when the seccomp BPF merge is done. */
+void API minijail_force_seccomp_filter(struct minijail *j)
+{
 	j->flags.seccomp_filter = 1;
 }
 
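Review bot: `minijail_use_seccomp_filter()` now writes `j->flags.seccomp_filter = 0;`, so it does not just ignore the request, it also clears a flag set by an earlier `minijail_force_seccomp_filter()` call, which makes enforcement depend on call order. Any library caller other than minijail0 (none are visible here) would lose filtering with no signal. I would leave the flag untouched while this is disabled and say so in a comment, e.g. `/* Temporarily a no-op; filters are only enabled by minijail_force_seccomp_filter(). */`. Logging a warning from this function would also make a jail that asked for a filter and did not get one visible in the logs.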
diff --git a/libminijail.h b/libminijail.h
index e3828af..5753196 100644
--- a/libminijail.h
+++ b/libminijail.h
@@ -44,6 +44,7 @@
 int minijail_change_group(struct minijail *j, const char *group);
 void minijail_use_seccomp(struct minijail *j);
 void minijail_use_seccomp_filter(struct minijail *j);
+void minijail_force_seccomp_filter(struct minijail *j);
 void minijail_parse_seccomp_filters(struct minijail *j, const char *path);
 int minijail_add_seccomp_filter(struct minijail *j, int nr,
 				const char *filter);
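Review bot: The new `minijail_force_seccomp_filter()` declaration is exported with no indication that it is temporary, although the TODO in libminijail.c says it will be removed once the BPF merge is done. A comment above it such as `/* Temporary: the only call that enables seccomp filters until the BPF merge; will be removed. */` would keep new callers from depending on it. A matching comment on `minijail_use_seccomp_filter()` would tell readers of the header that it currently does not enable filtering.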
diff --git a/minijail0.c b/minijail0.c
index c9bb83f..524ac7f 100644
--- a/minijail0.c
+++ b/minijail0.c
@@ -86,7 +86,9 @@
 	       "  -S <file>:  set seccomp filters using <file>\n"
 	       "              E.g., -S /usr/share/filters/<prog>.$(uname -m)\n"
 	       "  -u <user>:  change uid to <user>\n"
-	       "  -v:         use vfs namespace\n", progn);
+	       "  -v:         use vfs namespace\n"
+	       "  -F:         no dry run, force setting seccomp filters\n",
+	       progn);
 }
 
 static void seccomp_filter_usage(const char *progn)
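Review bot: The `-S` help line still reads "set seccomp filters using <file>", but after this commit `-S` alone parses the file and enforces nothing. Only the new `-F` line hints at that, and "no dry run" does not say what the dry run is, so an operator reading the usage would reasonably believe `-S` sandboxes the target. I would reword the new line to something like `"  -F:         enforce the filters given with -S (without -F they are only parsed)\n"` and append "(needs -F to take effect)" to the `-S` line. The body of usage() starts outside this hunk.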
@@ -104,7 +106,9 @@
 	struct minijail *j = minijail_new();
 
 	int opt;
-	while ((opt = getopt(argc, argv, "u:g:sS:c:C:b:vrGhHp")) != -1) {
+	int use_seccomp_filter = 0;
+	int dry_run = 1;
+	while ((opt = getopt(argc, argv, "u:g:sS:c:C:b:vrGhHpF")) != -1) {
 		switch (opt) {
 		case 'u':
 			set_user(j, optarg);
@@ -118,6 +122,10 @@
 		case 'S':
 			minijail_parse_seccomp_filters(j, optarg);
 			minijail_use_seccomp_filter(j);
+			use_seccomp_filter = 1;
+			break;
+		case 'F':
+			dry_run = 0;
 			break;
 		case 'b':
 			add_binding(j, optarg);
@@ -149,6 +157,10 @@
 		}
 	}
 
+	/* TODO(jorgelo): remove this when the seccomp BPF merge is done. */
+	if (use_seccomp_filter && !dry_run)
+		minijail_force_seccomp_filter(j);
+
 	if (argc == optind) {
 		usage(argv[0]);
 		exit(1);
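Review bot: When `-S` is given without `-F`, the check `if (use_seccomp_filter && !dry_run)` falls through silently and the target runs with no seccomp filter, a fail-open that neither the operator nor the logs will show. I would add an `else if (use_seccomp_filter)` branch that prints a warning, e.g. `fprintf(stderr, "warning: -S without -F: seccomp filters are not enforced\n");`. `-F` without `-S` is also accepted and ignored, and rejecting it or saying so in the usage text would avoid a false impression that filtering is on. main() begins and ends outside this hunk.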