minijail: Validate add_binding flag am: 87ec5cddd1
am: bcc8d19def
Change-Id: I6c167cff3a02f6c42e891d41e4a1cfb516d19a66
diff --git a/minijail0.1 b/minijail0.1
index 0fbf38e..a18454e 100644
--- a/minijail0.1
+++ b/minijail0.1
@@ -18,6 +18,8 @@
If \fIdest\fR is not specified, it will default to \fIsrc\fR.
If the destination does not exist, it will be created as a file or directory
based on the \fIsrc\fR type (including missing parent directories).
+To create a writable bind-mount set \fIwritable\fR to \fB1\fR. If not specified
+it will default to \fB0\fR (read-only).
.TP
\fB-B <mask>\fR
Skip setting securebits in \fImask\fR when restricting capabilities (\fB-c\fR).
diff --git a/minijail0_cli.c b/minijail0_cli.c
index 807e567..b0b6518 100644
--- a/minijail0_cli.c
+++ b/minijail0_cli.c
@@ -139,9 +139,16 @@
}
if (dest == NULL || dest[0] == '\0')
dest = src;
- if (flags == NULL || flags[0] == '\0')
- flags = "0";
- if (minijail_bind(j, src, dest, atoi(flags))) {
+ int writable;
+ if (flags == NULL || flags[0] == '\0' || !strcmp(flags, "0"))
+ writable = 0;
+ else if (!strcmp(flags, "1"))
+ writable = 1;
+ else {
+ fprintf(stderr, "Bad value for <writable>: %s\n", flags);
+ exit(1);
+ }
+ if (minijail_bind(j, src, dest, writable)) {
fprintf(stderr, "minijail_bind failed.\n");
exit(1);
}
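Review bot: The new rejection branch for `<writable>` prints the bad value but not what is accepted, and nothing in the code records why the parse became strict. The removed `atoi(flags)` call mapped a typo such as `ro` to 0 and `1x` to 1, so a mistyped flag could silently decide whether the bind mount was writable. I would put a comment above the chain, `/* Accept only "0" or "1"; atoi() let typos pick the mount mode silently. */`, and extend the message to `"Bad value for <writable>: %s (expected 0 or 1)\n"`. The enclosing function starts and ends outside this hunk.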
diff --git a/minijail0_cli_unittest.cc b/minijail0_cli_unittest.cc
index a00541a..0d6a07d 100644
--- a/minijail0_cli_unittest.cc
+++ b/minijail0_cli_unittest.cc
@@ -405,6 +405,10 @@
// Missing mount namespace/etc...
argv = {"-b", "/", "/bin/sh"};
ASSERT_EXIT(parse_args_(argv), testing::ExitedWithCode(1), "");
+
+ // Bad value for <writable>.
+ argv = {"-b", "/,,writable", "/bin/sh"};
+ ASSERT_EXIT(parse_args_(argv), testing::ExitedWithCode(1), "");
}
// Valid calls to the mount option.
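Review bot: The added case does not prove that the `<writable>` validation is what fails, because `ASSERT_EXIT` is given an empty matcher and the argv has the same shape as the preceding "Missing mount namespace" case, which already exits with code 1. The test would therefore presumably still pass if the new check were removed. Pinning the diagnostic closes that gap: `ASSERT_EXIT(parse_args_(argv), testing::ExitedWithCode(1), "Bad value for");`. The test function begins outside this hunk.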