Map the chronos-access group into the container

The Downloads folder has permissions 0710, with the group set to
chronos-access (gid 1001).  This group is not mapped into the container,
which leads to the Downloads folder having the "nobody" group.  This
prevents the root user from inside the container from accessing the
files in the Downloads directory.

Create the chronos-access group inside the container and identity-map
gid 1001 into it so that the root user inside the container still has
access to the contents of Downloads.

BUG=chromium:925834
TEST=`sudo ls /mnt/chromeos/MyFiles/Downloads/foo.txt` works inside the
     container

Change-Id: I2cbbf381ffe8b1171e5517555e8dc897f7f2add3
Reviewed-on: https://chromium-review.googlesource.com/1487110
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
diff --git a/src/chromiumos/tremplin/main.go b/src/chromiumos/tremplin/main.go
index 75ece2b..a054e7f 100644
--- a/src/chromiumos/tremplin/main.go
+++ b/src/chromiumos/tremplin/main.go
@@ -90,7 +90,7 @@
 		"config": {
 			"boot.autostart": "false",
 			"boot.host_shutdown_timeout": "9",
-			"raw.idmap": "both 1000 1000\nboth 655360 655360\ngid 665357 665357",
+			"raw.idmap": "both 1000 1000\nboth 655360 655360\ngid 665357 665357\ngid 1001 1001",
 			"security.syscalls.blacklist": "keyctl errno 38"
 		},
 		"devices": {
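Review bot: The new `gid 1001 1001` entry at the end of the raw.idmap literal duplicates the value that tremplin.go's constant hunk introduces as `chronosAccessID = 1001`; the two are not linked, so a future change to either one can silently leave the container with a group that exists but is not mapped, or a mapping with no matching group. Since the idmap is a hard-coded string in a config literal, the least that should be done is a Go comment above the literal, along the lines of `// raw.idmap also identity-maps gid 1001 (chronos-access, the owner group of the 0710 Downloads dir); keep it in sync with chronosAccessID in tremplin.go.`, with the mirror comment on the constant. Note that identity-mapping a host gid into the unprivileged container means any container process that obtains gid 1001 carries the host chronos-access group on every shared mount, not just Downloads; if that is the intended scope it is worth stating in the same comment. The enclosing declaration starts and ends outside the hunk.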
diff --git a/src/chromiumos/tremplin/tremplin.go b/src/chromiumos/tremplin/tremplin.go
index 6e10475..d90dcbb 100644
--- a/src/chromiumos/tremplin/tremplin.go
+++ b/src/chromiumos/tremplin/tremplin.go
@@ -35,6 +35,7 @@
 
 	lingerPath         = "/var/lib/systemd/linger"
 	primaryUserID      = 1000
+	chronosAccessID    = 1001
 	androidRootID      = 655360
 	androidEverybodyID = 665357
 )
@@ -740,12 +741,14 @@
 	}
 
 	pd.EnsureGroupExists("android-everybody", androidEverybodyID)
+	pd.EnsureGroupExists("chronos-access", chronosAccessID)
 
 	groups := []struct {
 		name     string
 		required bool
 	}{
 		{"android-everybody", true},
+		{"chronos-access", true},
 		{"audio", false},
 		{"cdrom", false},
 		{"dialout", false},
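Review bot: Adding `{"chronos-access", true}` to the groups list goes beyond what the commit message justifies: the message motivates the mapping for the container's root user, but this list appears to be the set of supplementary groups granted to the default container user (as its neighbours `audio`, `cdrom`, `dialout` suggest), so the ordinary unprivileged user also gains host chronos-access group rights on shared mounts. If that is intended, document it on the entry, e.g. `// chronos-access (host gid 1001) owns the 0710 Downloads dir; required so the user, not only root, can read it.`; if only root needs access, the `EnsureGroupExists` call plus the idmap entry should suffice and this line can be dropped. The result of `pd.EnsureGroupExists("chronos-access", chronosAccessID)` is also discarded, matching the android-everybody line above it; if that helper reports failure, a missing group here would surface later as an opaque permission error rather than at creation time. The enclosing function starts and ends outside the hunk.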