David Coles
Jun 13, 2019, 7:32:49 PM
to mini...@chromium.org, David Coles
Previously if an invalid flag was specified (e.g. `writable`) then it
would be silently ignored.
---
minijail0.1 | 2 ++
minijail0_cli.c | 13 ++++++++++---
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/minijail0.1 b/minijail0.1
index 0fbf38e..a18454e 100644
--- a/minijail0.1
+++ b/minijail0.1
@@ -18,6 +18,8 @@ The \fIsrc\fR path must be an absolute path.
If \fIdest\fR is not specified, it will default to \fIsrc\fR.
If the destination does not exist, it will be created as a file or directory
based on the \fIsrc\fR type (including missing parent directories).
+To create a writable bind-mount set \fIwritable\fR to \fB1\fR. If not specified
+it will default to \fB0\fR (read-only).
.TP
\fB-B <mask>\fR
Skip setting securebits in \fImask\fR when restricting capabilities (\fB-c\fR).
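Review bot: the added sentence on \fIwritable\fR documents only the default and the value 1; it should also state that any value other than 0 or 1 is now rejected with an error, since that is the user-visible behaviour introduced in minijail0_cli.c. A comma after "bind-mount" would also read better: "To create a writable bind-mount, set ...".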
diff --git a/minijail0_cli.c b/minijail0_cli.c
index 807e567..20d83dd 100644
--- a/minijail0_cli.c
+++ b/minijail0_cli.c
@@ -139,9 +139,16 @@ static void add_binding(struct minijail *j, char *arg)
}
if (dest == NULL || dest[0] == '\0')
dest = src;
- if (flags == NULL || flags[0] == '\0')
- flags = "0";
- if (minijail_bind(j, src, dest, atoi(flags))) {
+ int writable;
+ if (flags == NULL || flags[0] == '\0' || !strcmp(flags, "0"))
+ writable = 0;
+ else if (!strcmp(flags, "1"))
+ writable = 1;
+ else {
+ fprintf(stderr, "Unknown binding flag: %s\n", flags);
+ exit(1);
+ }
+ if (minijail_bind(j, src, dest, writable)) {
fprintf(stderr, "minijail_bind failed.\n");
exit(1);
}
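Review bot: the exact `strcmp` matches against "0" and "1" reject more than non-numeric strings like `writable`. Values that `atoi(flags)` previously accepted and passed through to `minijail_bind`, such as `2` or `01`, now reach the `exit(1)` path, so the commit message should mention this or existing callers should be checked. Separately, `int writable;` is declared after the `dest = src;` statement; moving it to the top of `add_binding` avoids mixing declarations and code. The "Unknown binding flag" message could also name the accepted values (0 or 1) so the user knows how to correct the argument.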
--
2.17.1