libminijail: Block child sync for all configuration.
Make the child process wait for the parent process to say
that configuration is complete if any configuration was
requested. Formerly, synchronization only occurred when
configuring user namespaces and cgroups, leading to races
when e.g. writing PID files or setting rlimits.
Bug: chromium:955547,chromium:955110
Test: manual: ran security.Minijail test in a loop
Change-Id: I8abcc042649a1742f344df4e8c0d58356eace78f
diff --git a/libminijail.c b/libminijail.c
index 482d6bd..ee9b9a0 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -2673,11 +2673,12 @@
}
/*
- * If we want to set up a new uid/gid map in the user namespace,
- * or if we need to add the child process to cgroups, create the pipe(2)
- * to sync between parent and child.
+ * If the parent process needs to configure the child's runtime
+ * environment after forking, create a pipe(2) to block the child until
+ * configuration is done.
*/
- if (j->flags.userns || j->flags.cgroups) {
+ if (j->flags.forward_signals || j->flags.pid_file || j->flags.cgroups ||
+ j->rlimit_count || j->flags.userns) {
sync_child = 1;
if (pipe(child_sync_pipe_fds))
return -EFAULT;
