I am working on locking down a new daemon, written in Rust, with
minijail0 and seccomp, and I am finding it a bit difficult.
The instructions here
https://chromium.googlesource.com/chromiumos/docs/+/master/sandboxing.md
are good, but I already knew most of the concepts. The difficult part is
debugging the minijail lockdown. I started by writing this:
F=
# F="$F -i" # fork and exit
F="$F -v" # VFS namespace
F="$F -r" # readonly /proc
# F="$F -p" # pid namespace --- loses ^Z and ^C
F="$F -l" # IPC namespace
F="$F -n" # no new privs
F="$F -d" # minimal /dev, implies -v --- loses ^Z
F="$F -b /usr/bin/memd,/usr/bin/memd" # bind mount
F="$F -P /var/empty" # pivot root
# F="$F -b /dev/chromeos-low-mem,/dev/chromeos-low-mem" # bind mount
# F="$F -b /var/log,/var/log" # bind mount
minijail0 $F -- /usr/bin/memd always-poll-fast
(most flags don't have a long version and I added comments to help)
Everything went well until I did the root pivot. At first minijail
could not find the executable (duh), so I bind-mounted it. Now memd
crashes, but quietly (normally it prints a panic message to the
console) and I only know it crashed from crash-reporter logs.
I am not sure why this happens. Shouldn't stdout and stderr survive
the pivot? Maybe I already lost them earlier, with some other flags?
Or maybe I should not bother pivoting? The daemon only needs to
read/write a few files and I was going to bind-mount them as I
discovered them---but now they're hard to discover.
Do you have suggestions for debugging this?
Thanks!
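One way to keep the panic message visible while the stdio question is still open, as an added example that is not code from the original post or from memd: a Rust panic hook that keeps the default stderr report and mirrors it into a file on a path bind-mounted into the jail (the path /var/log/memd-panic.log below is an assumption; it must be writable inside the jail).

```rust
use std::fs::OpenOptions;
use std::io::Write;
use std::panic;
use std::sync::{Arc, Mutex};

/// Install a panic hook that keeps the default stderr report and also
/// writes thread, location and message of every panic into `sink`.
/// If stdio was lost somewhere in the jail setup, the copy in `sink`
/// still records why the daemon died.
pub fn install_panic_mirror<W: Write + Send + 'static>(sink: Arc<Mutex<W>>) {
    let default_hook = panic::take_hook();
    panic::set_hook(Box::new(move |info| {
        // Keep normal behaviour for the cases where stderr does work.
        default_hook(info);

        let thread = std::thread::current();
        let name = thread.name().unwrap_or("<unnamed>").to_string();
        let location = info
            .location()
            .map(|l| format!("{}:{}:{}", l.file(), l.line(), l.column()))
            .unwrap_or_else(|| "<unknown location>".to_string());
        // Payload is usually &str (panic!("literal")) or String
        // (panic!("{}", value)); anything else gets a generic marker.
        let payload = info.payload();
        let message = if let Some(s) = payload.downcast_ref::<&str>() {
            s.to_string()
        } else if let Some(s) = payload.downcast_ref::<String>() {
            s.clone()
        } else {
            "<non-string panic payload>".to_string()
        };

        if let Ok(mut w) = sink.lock() {
            // Write errors are ignored on purpose: a failing log write
            // must not itself panic inside the panic hook.
            let _ = writeln!(w, "panic in thread '{}' at {}: {}", name, location, message);
            let _ = w.flush();
        }
    }));
}

fn main() {
    // Hypothetical path: bind-mount it writable into the jail so the
    // file is reachable after the pivot root.
    let log = OpenOptions::new()
        .create(true)
        .append(true)
        .open("/var/log/memd-panic.log")
        .expect("open panic log");
    install_panic_mirror(Arc::new(Mutex::new(log)));
    panic!("simulated crash inside the jail");
}
```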