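// Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "brillo/minijail/minijail.h"

#include <errno.h>
#include <sys/types.h>
#include <sys/wait.h>

#include <vector>

using std::vector;

namespace brillo {

namespace {

// Checks that |args| can be handed to the minijail_run_* calls as an argv.
// Returns false when there is no program to execute (empty vector or a null
// args[0]); indexing args[0] on an empty vector would be undefined behaviour.
// The vector's data() is passed as argv, which is read up to a terminating
// null pointer, so one is appended when the caller did not supply it.
bool PrepareArgv(vector<char*>* args) {
  if (args->empty() || args->front() == nullptr)
    return false;
  if (args->back() != nullptr)
    args->push_back(nullptr);
  return true;
}

}  // namespace

static base::LazyInstance<Minijail> g_minijail = LAZY_INSTANCE_INITIALIZER;

Minijail::Minijail() {}

Minijail::~Minijail() {}

// static
// Returns the process-wide Minijail wrapper held by |g_minijail|.
Minijail* Minijail::GetInstance() {
  return g_minijail.Pointer();
}

// Allocates a new jail description via minijail_new(). The result is returned
// unchecked; callers own it and release it with Destroy() or one of the
// *AndDestroy() helpers.
struct minijail* Minijail::New() {
  return minijail_new();
}

// Releases a jail obtained from New(). |jail| must not be used afterwards.
void Minijail::Destroy(struct minijail* jail) {
  minijail_destroy(jail);
}

// Records the numeric |uid| and |gid| the jailed process should switch to.
// No status is returned by this overload.
void Minijail::DropRoot(struct minijail* jail, uid_t uid, gid_t gid) {
  minijail_change_uid(jail, uid);
  minijail_change_gid(jail, gid);
}

// Records the |user| and |group| names the jailed process should switch to.
// Returns true only if both calls succeed; the group call is skipped when the
// user call fails.
//
// A false return means the requested identity was not fully recorded on
// |jail|, so callers should treat it as fatal rather than go on to run a
// command with more privilege than intended.
bool Minijail::DropRoot(struct minijail* jail,
                        const char* user,
                        const char* group) {
  // |user| and |group| are copied by libminijail, so they need not outlive
  // this call.
  // NOTE(review): the original comment here said ENOMEM is the only possible
  // failure. libminijail also has to resolve the names, so an unknown user or
  // group presumably fails as well -- confirm against the libminijail version
  // in use.
  return !minijail_change_user(jail, user) &&
         !minijail_change_group(jail, group);
}

// Requests a new PID namespace for the jailed process.
void Minijail::EnterNewPidNamespace(struct minijail* jail) {
  minijail_namespace_pids(jail);
}

// Requests a private /tmp mount for the jailed process.
void Minijail::MountTmp(struct minijail* jail) {
  minijail_mount_tmp(jail);
}

// Enables seccomp filtering with the policy file at |path|.
// no_new_privs is requested first: the kernel only lets a task without
// CAP_SYS_ADMIN install a seccomp filter once no_new_privs is set.
// No status is returned, so a bad |path| cannot be reported to the caller
// from here.
void Minijail::UseSeccompFilter(struct minijail* jail, const char* path) {
  minijail_no_new_privs(jail);
  minijail_use_seccomp_filter(jail);
  minijail_parse_seccomp_filters(jail, path);
}

// Restricts the jailed process to the capabilities set in |capmask|.
void Minijail::UseCapabilities(struct minijail* jail, uint64_t capmask) {
  minijail_use_caps(jail, capmask);
}

// Requests that the signal mask be reset for the jailed process.
void Minijail::ResetSignalMask(struct minijail* jail) {
  minijail_reset_signal_mask(jail);
}

// Applies the restrictions recorded on |jail| to the calling process.
void Minijail::Enter(struct minijail* jail) {
  minijail_enter(jail);
}

// Launches args[0] inside |jail| and stores the child's pid in |*pid|.
// Returns true if minijail_run_pid() reports success, false if it fails or if
// |args| names no program. The child is not waited for.
bool Minijail::Run(struct minijail* jail, vector<char*> args, pid_t* pid) {
  if (!PrepareArgv(&args))
    return false;
  return minijail_run_pid(jail, args[0], args.data(), pid) == 0;
}

// Launches args[0] inside |jail| and blocks until the child has been reaped.
// |*status| receives the raw waitpid() status. A true return only means the
// child was started and reaped; callers still have to inspect |*status|
// (WIFEXITED/WEXITSTATUS and friends) to learn whether the command succeeded.
bool Minijail::RunSync(struct minijail* jail, vector<char*> args, int* status) {
  pid_t pid;
  if (!Run(jail, args, &pid))
    return false;

  // Retry when a signal interrupts the wait; giving up on EINTR would report
  // failure for a child that is still running and leave it unreaped.
  pid_t waited;
  do {
    waited = waitpid(pid, status, 0);
  } while (waited == -1 && errno == EINTR);
  return waited == pid;
}

// Like Run(), but also returns in |*stdin| a descriptor connected to the
// child's standard input. Android builds use the no-preload variant of the
// libminijail call.
bool Minijail::RunPipe(struct minijail* jail,
                       vector<char*> args,
                       pid_t* pid,
                       int* stdin) {
  if (!PrepareArgv(&args))
    return false;
#if defined(__ANDROID__)
  return minijail_run_pid_pipes_no_preload(jail, args[0], args.data(), pid,
                                           stdin, nullptr, nullptr) == 0;
#else
  return minijail_run_pid_pipes(jail, args[0], args.data(), pid, stdin,
                                nullptr, nullptr) == 0;
#endif  // __ANDROID__
}

// Like Run(), but also returns descriptors connected to the child's standard
// input, output and error in |*stdin|, |*stdout| and |*stderr|. Android builds
// use the no-preload variant of the libminijail call.
bool Minijail::RunPipes(struct minijail* jail,
                        vector<char*> args,
                        pid_t* pid,
                        int* stdin,
                        int* stdout,
                        int* stderr) {
  if (!PrepareArgv(&args))
    return false;
#if defined(__ANDROID__)
  return minijail_run_pid_pipes_no_preload(jail, args[0], args.data(), pid,
                                           stdin, stdout, stderr) == 0;
#else
  return minijail_run_pid_pipes(jail, args[0], args.data(), pid, stdin, stdout,
                                stderr) == 0;
#endif  // __ANDROID__
}

// Run() followed by Destroy(). |jail| is destroyed whether or not the launch
// succeeded and must not be used afterwards.
bool Minijail::RunAndDestroy(struct minijail* jail,
                             vector<char*> args,
                             pid_t* pid) {
  const bool res = Run(jail, args, pid);
  Destroy(jail);
  return res;
}

// RunSync() followed by Destroy(). |jail| is destroyed whether or not the
// launch succeeded and must not be used afterwards.
bool Minijail::RunSyncAndDestroy(struct minijail* jail,
                                 vector<char*> args,
                                 int* status) {
  const bool res = RunSync(jail, args, status);
  Destroy(jail);
  return res;
}

// RunPipe() followed by Destroy(). |jail| is destroyed whether or not the
// launch succeeded and must not be used afterwards.
bool Minijail::RunPipeAndDestroy(struct minijail* jail,
                                 vector<char*> args,
                                 pid_t* pid,
                                 int* stdin) {
  const bool res = RunPipe(jail, args, pid, stdin);
  Destroy(jail);
  return res;
}

// RunPipes() followed by Destroy(). |jail| is destroyed whether or not the
// launch succeeded and must not be used afterwards.
bool Minijail::RunPipesAndDestroy(struct minijail* jail,
                                  vector<char*> args,
                                  pid_t* pid,
                                  int* stdin,
                                  int* stdout,
                                  int* stderr) {
  const bool res = RunPipes(jail, args, pid, stdin, stdout, stderr);
  Destroy(jail);
  return res;
}

}  // namespace brillo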