Issue 882954

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Feature




add minijail flag for creating temporarily-writable paths for bind mounting

Project Member Reported by vapier@chromium.org, Sep 11

Issue description

a common idiom we see is:
  -P /var/empty
  -b /
  -k '/run,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M'
  -b /run/dbus
  -b /run/foo

the -k /run usage is there only to get a writable directory in the read-only rootfs so that further -b mounts may be made under /run.  there is no need to keep /run writable after those bind mounts.

so we could add a flag like --bind-mount-base with the semantics:
- create a tmpfs mount with sane default perms (basically the -k option as written above)
- process all the mount requests
- remount the path read-only to prevent any further writes

so now people can do:
  -P /var/empty
  -b /
  --bind-mount-base /run
  -b /run/dbus
  -b /run/foo
 
Cc: hashimoto@chromium.org
Sometimes it's also used for /var.

https://chromium.googlesource.com/chromiumos/third_party/tlsdate/+/7c67bde6c3e9b505975b2933a259db8c3b661a47/init/tlsdated.conf#58
  exec minijail0 -i \
    -p -v -r --uts -l \
    --profile minimalistic-mountns -b /dev/log ${RTC_ARG} \
    -k '/run,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
    -b /run/dbus,,1 -b /run/shill \
    -k '/var,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
    -b /var/cache/tlsdated,,1 \
    /usr/bin/tlsdated -v -- /usr/bin/tlsdate -v -C "${GOOGLE_CERTS}" -l
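
A check for the idiom discussed in this issue, as an added example that is not part of the original thread or of minijail: it scans a minijail0 command line for -k tmpfs mounts that have -b bind mounts beneath them, which are the mounts that currently stay writable after setup. The function names are hypothetical, and the scan only examines -b and -k option pairs rather than parsing every minijail0 option.

```python
import shlex

# The tlsdated invocation quoted in this issue (shell variables left unexpanded).
TLSDATED = r"""exec minijail0 -i \
    -p -v -r --uts -l \
    --profile minimalistic-mountns -b /dev/log ${RTC_ARG} \
    -k '/run,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
    -b /run/dbus,,1 -b /run/shill \
    -k '/var,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
    -b /var/cache/tlsdated,,1 \
    /usr/bin/tlsdated -v -- /usr/bin/tlsdate -v -C "${GOOGLE_CERTS}" -l"""


def parse_mounts(cmdline):
    """Return (tmpfs_dests, binds); binds are (dest, writable) tuples."""
    # Join backslash-continued lines before tokenizing like a shell would.
    tokens = shlex.split(cmdline.replace("\\\n", " "))
    tmpfs, binds = [], []
    # Simplification (assumption): only "-k ARG" and "-b ARG" pairs are examined.
    for opt, arg in zip(tokens, tokens[1:]):
        fields = arg.split(",")
        if opt == "-k" and len(fields) >= 3 and fields[2] == "tmpfs":
            tmpfs.append(fields[1])        # -k src,dest,fstype[,flags[,data]]
        elif opt == "-b":                  # -b src[,dest[,writeable]]
            dest = fields[1] if len(fields) > 1 and fields[1] else fields[0]
            binds.append((dest, len(fields) > 2 and fields[2] == "1"))
    return tmpfs, binds


def writable_bases(cmdline):
    """Map each tmpfs that has bind mounts beneath it to those bind mounts."""
    tmpfs, binds = parse_mounts(cmdline)
    found = {}
    for base in tmpfs:
        prefix = base.rstrip("/") + "/"
        under = [b for b in binds if b[0].startswith(prefix)]
        if under:
            found[base] = under
    return found


if __name__ == "__main__":
    for base, under in writable_bases(TLSDATED).items():
        print(f"{base}: tmpfs stays writable after setup; bind mounts beneath it:")
        for dest, writable in under:
            print(f"  {dest} ({'rw' if writable else 'ro'})")
```

Whether a reported tmpfs is needed only as a parent for the bind mounts still has to be confirmed against what the jailed program writes.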