minijail0: change default mount settings for tmpfs mounts

The default tmpfs mount settings are mode=1777 and size=50% (of total RAM)
which is way too unsafe for defaults.  Considering how users of minijail
use tmpfs (to get a small writable directory mount to do bind mounts under
it), we should change the default to something much more sane like mode=755
and size=10M.  This also matches the usage in CrOS.

If people want to use other settings for tmpfs, they can specify them
explicitly instead.

Bug: chromium:873216
Change-Id: I73ac540500ecff86e8f8d2d7b82e6efb52dc2518
diff --git a/libminijail.c b/libminijail.c
index 07b5f23..5ffe950 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -726,6 +726,19 @@
 	m->type = strdup(type);
 	if (!m->type)
 		goto error;
+
+	if (!data || !data[0]) {
+		/*
+		 * Set up secure defaults for certain filesystems.  Adding this
+		 * fs-specific logic here kind of sucks, but considering how
+		 * people use these in practice, it's probably OK.  If they want
+		 * the kernel defaults, they can pass data="" instead of NULL.
+		 */
+		if (!strcmp(type, "tmpfs")) {
+			/* tmpfs defaults to mode=1777 and size=50%. */
+			data = "mode=0755,size=10M";
+		}
+	}
 	if (data) {
 		m->data = strdup(data);
 		if (!m->data)
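Review bot: the inline comment and the condition disagree: the comment says callers who want the kernel defaults "can pass data="" instead of NULL", but `if (!data || !data[0])` treats "" exactly like NULL, so an empty string also gets "mode=0755,size=10M" and the only way left to get the kernel's own tmpfs settings is to spell them out as explicit mount options. Either drop the empty-string sentence from the comment (the libminijail.h hunk documents NULL and "" as equivalent, which is what the code does) or narrow the check to `if (!data)` so that "" really does pass through unchanged, and then fix the header text to match. Either way, this silently changes behavior for existing callers that mounted tmpfs with no data and relied on the 1777 mode or the 50% size, so the chosen semantics should be stated in one place and the code and both comments kept in step.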
diff --git a/libminijail.h b/libminijail.h
index 03c93c4..1b14cef 100644
--- a/libminijail.h
+++ b/libminijail.h
@@ -206,6 +206,8 @@
  * This may be called multiple times; all mounts will be applied in the order
  * of minijail_mount() calls.
  * If @flags is 0, then MS_NODEV | MS_NOEXEC | MS_NOSUID will be used instead.
+ * If @data is NULL or "", and @type is tmpfs, then "mode=0755,size=10M" will
+ * be used instead.
  */
 int minijail_mount_with_data(struct minijail *j, const char *src,
 			     const char *dest, const char *type,
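Review bot: this documents NULL and "" as equivalent, which matches the new condition in libminijail.c but contradicts the inline comment there that promises data="" yields the kernel defaults; pick one behavior and make the header and the implementation comment say the same thing. It would also help callers to state the opt-out here, since the old defaults are no longer reachable by omission, e.g. "To get the kernel's own tmpfs defaults, pass them explicitly in @data (e.g. "mode=1777")."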
diff --git a/minijail0.1 b/minijail0.1
index 8ed568b..8cb1f20 100644
--- a/minijail0.1
+++ b/minijail0.1
@@ -93,7 +93,9 @@
 
 The \fIdata\fR field is optional and is a comma delimited string (see
 \fBmount\fR(2) for details).  It is passed directly to the kernel, so all
-fields here are filesystem specific.
+fields here are filesystem specific.  For \fItmpfs\fR, if no data is specified,
+we will default to \fImode=0755,size=10M\fR.  If you want other settings, you
+will need to specify them explicitly yourself.
 
 If the mount is not a pseudo filesystem (e.g. proc or sysfs), \fIsrc\fR path
 must be an absolute path (e.g. \fI/dev/sda1\fR and not \fIsda1\fR).
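Review bot: "if no data is specified" is ambiguous for the \fB-k\fR syntax, because libminijail treats an empty data string the same as a missing one, so an explicit trailing empty field also gets \fImode=0755,size=10M\fR; say so, and state plainly that the previous kernel defaults (mode=1777, size=50% of RAM, as given in the commit message) can only be restored by passing them in the \fIdata\fR field. Minor: "we will default" and "yourself" switch to first and second person while the surrounding text is impersonal ("It is passed directly to the kernel"); "the default is \fImode=0755,size=10M\fR; other settings must be given explicitly" keeps the man page's voice.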