// Copyright (C) 2015 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
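
#include <stdlib.h>
#include <sys/types.h>
#include <sys/capability.h>
#include <unistd.h>

#include <libminijail.h>

#include <android-base/logging.h>
#include <android-base/macros.h>

// Supplementary GIDs handed to minijail_set_supplementary_gids() in main().
gid_t groups[] = { 1001, 1002 };

// Logs the real, effective and saved UIDs and GIDs of the calling process,
// followed by its supplementary group list.
//
// Every credential query is checked: a failure aborts through PLOG(FATAL)
// instead of logging ids that were never filled in, so the output can be
// trusted when comparing the state before and after the privilege drop.
void log_resugid() {
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;
    if (getresuid(&ruid, &euid, &suid) != 0) {
        PLOG(FATAL) << "getresuid";
    }
    if (getresgid(&rgid, &egid, &sgid) != 0) {
        PLOG(FATAL) << "getresgid";
    }

    LOG(INFO) << "ruid " << ruid << " euid " << euid << " suid " << suid;
    LOG(INFO) << "rgid " << rgid << " egid " << egid << " sgid " << sgid;

    // A size of 0 asks getgroups() only for the number of supplementary groups.
    int nsupp_groups = getgroups(0, NULL);
    if (nsupp_groups < 0) {
        PLOG(FATAL) << "getgroups(0)";
    }
    if (nsupp_groups == 0) {
        LOG(INFO) << "no supplemental groups";
        return;
    }

    gid_t *list = static_cast<gid_t*>(calloc((size_t)nsupp_groups, sizeof(gid_t)));
    if (list == NULL) {
        // Report the allocation failure itself rather than letting the next
        // getgroups() call fail on a null buffer with a misleading message.
        PLOG(FATAL) << "calloc";
    }
    nsupp_groups = getgroups(nsupp_groups, list);
    if (nsupp_groups < 0) {
        PLOG(FATAL) << "getgroups(nsupp_groups)";
    }
    for (size_t i = 0; i < (size_t)nsupp_groups; i++) {
        LOG(INFO) << "supp gid " << i + 1 << " " << list[i];
    }
    free(list);
}

// Example of dropping privileges with minijail: logs the process credentials,
// switches to user and group "system" with the supplementary GIDs in |groups|,
// then logs the credentials again so the effect of the drop can be inspected.
int main(void) {
    log_resugid();
    minijail *j = minijail_new();
    if (j == NULL) {
        LOG(FATAL) << "minijail_new failed";
    }
    // Fail closed: if the account or group cannot be configured, stop here
    // rather than carrying on with the credentials the process started with.
    if (minijail_change_user(j, "system") != 0) {
        LOG(FATAL) << "minijail_change_user(system) failed";
    }
    if (minijail_change_group(j, "system") != 0) {
        LOG(FATAL) << "minijail_change_group(system) failed";
    }
    minijail_set_supplementary_gids(j, arraysize(groups), groups);
    // Further restrictions, left disabled in this example:
    // minijail_use_caps(j, CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID));
    // minijail_use_seccomp_filter(j);
    // minijail_log_seccomp_filter_failures(j);
    // minijail_parse_seccomp_filters(j, "/data/filter.policy");
    minijail_enter(j);
    // Second snapshot: the ids logged here are the ones in force after the drop.
    log_resugid();
    minijail_destroy(j);
    // minijail *j2 = minijail_new();
    // minijail_change_uid(j2, 5000);
    // minijail_change_gid(j2, 5000);
    // minijail_enter(j2);
    // log_resugid();
    return 0;
}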