authpolicy: Create separate minijail instances

Creates a separate minijail instance for each execution of a
process. By design, ProcessExecutor::Execute() can be called several
times for a given instance and this actually happens in practice, e.g.
when kinit is retried without KDC IP in krb5.conf. However, it is not
clear that the same minijail instance can be safely reused. In particular,
minijail_log_seccomp_filter_failures dies if a seccomp filter is already
set. While this issue could be fixed by making sure that the method is not
called a second time, it seems safer in general to create a new minijail
instance for every execution.

CQ-DEPEND=CL:455474

BUG=None
TEST=Compiled, ran tests.

Change-Id: I4efc9a154bb97ee3b09469b313ecfacbf0d8fda9
Reviewed-on: https://chromium-review.googlesource.com/453986
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>
3 files changed
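
Added illustration, not code from this commit or from authpolicy: a small C++ model of why a jail reused across Execute() calls fails on the second call, while a jail created per call does not. FakeJail, Executor, CompletedRuns and the policy path are constructed stand-ins; libminijail itself is not used, and the fatal condition is modelled as an exception.

```cpp
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed stand-in for a jail handle (NOT libminijail). It models only
// the behaviour the commit message states: turning on seccomp failure logging
// once a filter is already set is fatal (an exception here, not an abort).
class FakeJail {
 public:
  void LogSeccompFilterFailures() {
    if (filter_set_) throw std::logic_error("seccomp filter already set");
  }
  void UseSeccompFilter(const std::string& policy_path) {
    policy_path_ = policy_path;
    filter_set_ = true;
  }
  int Run(const std::vector<std::string>& argv) { return argv.empty() ? 1 : 0; }

 private:
  std::string policy_path_;
  bool filter_set_ = false;
};

// Hypothetical executor. With reuse_jail=true one jail lives as long as the
// executor; with false every Execute() configures a brand-new jail.
class Executor {
 public:
  explicit Executor(bool reuse_jail) : reuse_jail_(reuse_jail) {}

  int Execute(const std::vector<std::string>& argv) {
    if (!reuse_jail_ || !jail_) jail_.reset(new FakeJail());
    jail_->LogSeccompFilterFailures();  // fatal on a jail that already ran
    jail_->UseSeccompFilter("/constructed/path/kinit-seccomp.policy");
    return jail_->Run(argv);
  }

 private:
  bool reuse_jail_;
  std::unique_ptr<FakeJail> jail_;
};

// Calls Execute() `attempts` times (e.g. kinit, then the kinit retry) and
// returns how many calls completed before the jail setup failed.
int CompletedRuns(Executor& executor, int attempts) {
  int done = 0;
  try {
    for (; done < attempts; ++done) executor.Execute({"kinit"});
  } catch (const std::logic_error&) {
  }
  return done;
}
```

The per-call variant also means no sandbox setting from one execution can carry over into the next, which is the general safety argument the message makes.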