1cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber/* 2cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber** 3cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber** Copyright 2015, The Android Open Source Project 4cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber** 5cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber** Licensed under the Apache License, Version 2.0 (the "License"); 6cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber** you may not use this file except in compliance with the License. 7cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber** You may obtain a copy of the License at 8cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber** 9cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber** http://www.apache.org/licenses/LICENSE-2.0 10cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber** 11cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber** Unless required by applicable law or agreed to in writing, software 12cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber** distributed under the License is distributed on an "AS IS" BASIS, 13cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber** See the License for the specific language governing permissions and 15cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber** limitations under the License. 16cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber*/ 17cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber 18cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber#include <cutils/log.h> 19cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber#include <libminijail.h> 20cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber 21cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber#include "minijail.h" 22bff07d0b22a5ee2d9f044f6cb5e4be1532017ab0Andreas Huber 23cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Hubernamespace android { 24f1d5aa162c02a16b7195a43a9bcea4d592600ac4James Dong 25cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber/* Must match location in Android.mk */ 26cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huberstatic const char kSeccompFilePath[] = "/system/etc/seccomp_policy/mediaextractor-seccomp.policy"; 27cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber 28cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huberint MiniJail() 29cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber{ 30cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber /* no seccomp policy for this architecture */ 31cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber if (access(kSeccompFilePath, R_OK) == -1) { 32cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber ALOGW("No seccomp filter defined for this architecture."); 33cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber return 0; 34cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber } 35cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber 36cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber struct minijail *jail = minijail_new(); 370da4dab0a45a2bc1d95cbc6ef6a4850ed2569584Andreas Huber if (jail == NULL) { 380da4dab0a45a2bc1d95cbc6ef6a4850ed2569584Andreas Huber ALOGW("Failed to create minijail."); 39cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber return -1; 40cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber } 41cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber 42bff07d0b22a5ee2d9f044f6cb5e4be1532017ab0Andreas Huber minijail_no_new_privs(jail); 43bff07d0b22a5ee2d9f044f6cb5e4be1532017ab0Andreas Huber minijail_log_seccomp_filter_failures(jail); 44cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber minijail_use_seccomp_filter(jail); 45cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber minijail_parse_seccomp_filters(jail, kSeccompFilePath); 46cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber minijail_enter(jail); 47cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber minijail_destroy(jail); 48cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber return 0; 49cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber} 50cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber} 51cda17c606b0fe3ccda4dc68a6d43882410ea2462Andreas Huber