minijail returns error when implicit -v flag is missing with some flags (e.g. --profile=minimalistic-mountns) |
||
Issue descriptionThe "--profile minimalistic-mountns" help description says it implies the "-v" flag. However, the following does not work: minijail0 -Kslave --profile minimalistic-mountns /bin/true Can't skip marking mounts as MS_PRIVATE without mount namespaces. but adding in the implicit "-v" flag does: minijail0 -Kslave -v --profile minimalistic-mountns /bin/true Briefly scanning the code, it looks like the path for parsing the "--profile" option does not set "mount_ns", which is checked to see if the mount namespace is enabled. There also appear to be other paths that implicitly enable mount namespace, but I haven't tested how those behave: minijail0 -h | grep '\-v' -P <dir>: pivot_root(2) to <dir> (implies -v). --mount-dev, Create a new /dev with a minimal set of device nodes (implies -v). -p: Enter new pid namespace (implies -vr). -r: Remount /proc read-only (implies -v). -t[size]: Mount tmpfs at /tmp (implies -v). -v: Enter new mount namespace.
,
Jan 11
Yeah, that should fix this specific case, but what about the additional implied "-v" options from other flags? (I made a quick local change that set mount_ns by reading j->flags.vfs as the source of truth, but that breaks the last invalid_binding test since the bind code path ends up forcing minijail_namespace_vfs.)
,
Jan 12
yes, those other flags should set mount_ns=1 too our struct minijail design has been to keep it an opaque structure so only libminijail.c code knows its contents. we don't really have a way of inspecting it from other modules like minijail_cli. which is prob for the best even if it means a bit more pain here.
,
Jan 12
Ok, so the preferred solution would be to set mount_ns for each flag that implicitly sets it rather than add something like "bool minijail_get_namespace_vfs()" to the libminijail api?
,
Jan 12
currently, yes. if we went the accessor route, we'd want to add accessors for all the fields, and it doesn't seem like we've had enough requests for that yet. |
||
►
Sign in to add a comment |
||
Comment 1 by vapier@chromium.org
, Jan 11Status: Available (was: Untriaged)
Summary: minijail returns error when implicit -v flag is missing even though --profile=minimalistic-mountns was specified (was: minijail returns error when implicit flag is missing)