libminijail.c revision 3cc05eab4d956e9bb919ebe7a2166c987ba1d5bf
1/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved. 2 * Use of this source code is governed by a BSD-style license that can be 3 * found in the LICENSE file. 4 */ 5 6#define _BSD_SOURCE 7#define _GNU_SOURCE 8 9#include <asm/unistd.h> 10#include <ctype.h> 11#include <errno.h> 12#include <fcntl.h> 13#include <grp.h> 14#include <inttypes.h> 15#include <limits.h> 16#include <linux/capability.h> 17#include <pwd.h> 18#include <sched.h> 19#include <signal.h> 20#include <stdarg.h> 21#include <stddef.h> 22#include <stdio.h> 23#include <stdlib.h> 24#include <string.h> 25#include <syscall.h> 26#include <sys/capability.h> 27#include <sys/mount.h> 28#include <sys/param.h> 29#include <sys/prctl.h> 30#include <sys/stat.h> 31#include <sys/types.h> 32#include <sys/user.h> 33#include <sys/wait.h> 34#include <unistd.h> 35 36#include "libminijail.h" 37#include "libminijail-private.h" 38 39#include "signal_handler.h" 40#include "syscall_filter.h" 41#include "util.h" 42 43#ifdef HAVE_SECUREBITS_H 44#include <linux/securebits.h> 45#else 46#define SECURE_ALL_BITS 0x15 47#define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1) 48#endif 49 50/* Until these are reliably available in linux/prctl.h */ 51#ifndef PR_SET_SECCOMP 52# define PR_SET_SECCOMP 22 53#endif 54 55/* For seccomp_filter using BPF. */ 56#ifndef PR_SET_NO_NEW_PRIVS 57# define PR_SET_NO_NEW_PRIVS 38 58#endif 59#ifndef SECCOMP_MODE_FILTER 60# define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */ 61#endif 62 63#ifdef USE_SECCOMP_SOFTFAIL 64# define SECCOMP_SOFTFAIL 1 65#else 66# define SECCOMP_SOFTFAIL 0 67#endif 68 69struct binding { 70 char *src; 71 char *dest; 72 int writeable; 73 struct binding *next; 74}; 75 76struct minijail { 77 /* 78 * WARNING: if you add a flag here you need to make sure it's 79 * accounted for in minijail_pre{enter|exec}() below. 80 */ 81 struct { 82 int uid:1; 83 int gid:1; 84 int caps:1; 85 int vfs:1; 86 int enter_vfs:1; 87 int pids:1; 88 int net:1; 89 int userns:1; 90 int seccomp:1; 91 int readonly:1; 92 int usergroups:1; 93 int ptrace:1; 94 int no_new_privs:1; 95 int seccomp_filter:1; 96 int log_seccomp_filter:1; 97 int chroot:1; 98 int mount_tmp:1; 99 int do_init:1; 100 int pid_file:1; 101 } flags; 102 uid_t uid; 103 gid_t gid; 104 gid_t usergid; 105 char *user; 106 uint64_t caps; 107 pid_t initpid; 108 int mountns_fd; 109 int filter_len; 110 int binding_count; 111 char *chrootdir; 112 char *pid_file_path; 113 char *uidmap; 114 char *gidmap; 115 struct sock_fprog *filter_prog; 116 struct binding *bindings_head; 117 struct binding *bindings_tail; 118}; 119 120/* 121 * Strip out flags meant for the parent. 122 * We keep things that are not inherited across execve(2) (e.g. capabilities), 123 * or are easier to set after execve(2) (e.g. seccomp filters). 124 */ 125void minijail_preenter(struct minijail *j) 126{ 127 j->flags.vfs = 0; 128 j->flags.enter_vfs = 0; 129 j->flags.readonly = 0; 130 j->flags.pids = 0; 131 j->flags.do_init = 0; 132 j->flags.pid_file = 0; 133} 134 135/* 136 * Strip out flags meant for the child. 137 * We keep things that are inherited across execve(2). 138 */ 139void minijail_preexec(struct minijail *j) 140{ 141 int vfs = j->flags.vfs; 142 int enter_vfs = j->flags.enter_vfs; 143 int readonly = j->flags.readonly; 144 int userns = j->flags.userns; 145 if (j->user) 146 free(j->user); 147 j->user = NULL; 148 memset(&j->flags, 0, sizeof(j->flags)); 149 /* Now restore anything we meant to keep. */ 150 j->flags.vfs = vfs; 151 j->flags.enter_vfs = enter_vfs; 152 j->flags.readonly = readonly; 153 j->flags.userns = userns; 154 /* Note, |pids| will already have been used before this call. */ 155} 156 157/* Minijail API. */ 158 159struct minijail API *minijail_new(void) 160{ 161 return calloc(1, sizeof(struct minijail)); 162} 163 164void API minijail_change_uid(struct minijail *j, uid_t uid) 165{ 166 if (uid == 0) 167 die("useless change to uid 0"); 168 j->uid = uid; 169 j->flags.uid = 1; 170} 171 172void API minijail_change_gid(struct minijail *j, gid_t gid) 173{ 174 if (gid == 0) 175 die("useless change to gid 0"); 176 j->gid = gid; 177 j->flags.gid = 1; 178} 179 180int API minijail_change_user(struct minijail *j, const char *user) 181{ 182 char *buf = NULL; 183 struct passwd pw; 184 struct passwd *ppw = NULL; 185 ssize_t sz = sysconf(_SC_GETPW_R_SIZE_MAX); 186 if (sz == -1) 187 sz = 65536; /* your guess is as good as mine... */ 188 189 /* 190 * sysconf(_SC_GETPW_R_SIZE_MAX), under glibc, is documented to return 191 * the maximum needed size of the buffer, so we don't have to search. 192 */ 193 buf = malloc(sz); 194 if (!buf) 195 return -ENOMEM; 196 getpwnam_r(user, &pw, buf, sz, &ppw); 197 /* 198 * We're safe to free the buffer here. The strings inside pw point 199 * inside buf, but we don't use any of them; this leaves the pointers 200 * dangling but it's safe. ppw points at pw if getpwnam_r succeeded. 201 */ 202 free(buf); 203 /* getpwnam_r(3) does *not* set errno when |ppw| is NULL. */ 204 if (!ppw) 205 return -1; 206 minijail_change_uid(j, ppw->pw_uid); 207 j->user = strdup(user); 208 if (!j->user) 209 return -ENOMEM; 210 j->usergid = ppw->pw_gid; 211 return 0; 212} 213 214int API minijail_change_group(struct minijail *j, const char *group) 215{ 216 char *buf = NULL; 217 struct group gr; 218 struct group *pgr = NULL; 219 ssize_t sz = sysconf(_SC_GETGR_R_SIZE_MAX); 220 if (sz == -1) 221 sz = 65536; /* and mine is as good as yours, really */ 222 223 /* 224 * sysconf(_SC_GETGR_R_SIZE_MAX), under glibc, is documented to return 225 * the maximum needed size of the buffer, so we don't have to search. 226 */ 227 buf = malloc(sz); 228 if (!buf) 229 return -ENOMEM; 230 getgrnam_r(group, &gr, buf, sz, &pgr); 231 /* 232 * We're safe to free the buffer here. The strings inside gr point 233 * inside buf, but we don't use any of them; this leaves the pointers 234 * dangling but it's safe. pgr points at gr if getgrnam_r succeeded. 235 */ 236 free(buf); 237 /* getgrnam_r(3) does *not* set errno when |pgr| is NULL. */ 238 if (!pgr) 239 return -1; 240 minijail_change_gid(j, pgr->gr_gid); 241 return 0; 242} 243 244void API minijail_use_seccomp(struct minijail *j) 245{ 246 j->flags.seccomp = 1; 247} 248 249void API minijail_no_new_privs(struct minijail *j) 250{ 251 j->flags.no_new_privs = 1; 252} 253 254void API minijail_use_seccomp_filter(struct minijail *j) 255{ 256 j->flags.seccomp_filter = 1; 257} 258 259void API minijail_log_seccomp_filter_failures(struct minijail *j) 260{ 261 j->flags.log_seccomp_filter = 1; 262} 263 264void API minijail_use_caps(struct minijail *j, uint64_t capmask) 265{ 266 j->caps = capmask; 267 j->flags.caps = 1; 268} 269 270void API minijail_namespace_vfs(struct minijail *j) 271{ 272 j->flags.vfs = 1; 273} 274 275void API minijail_namespace_enter_vfs(struct minijail *j, const char *ns_path) 276{ 277 int ns_fd = open(ns_path, O_RDONLY); 278 if (ns_fd < 0) { 279 pdie("failed to open namespace '%s'", ns_path); 280 } 281 j->mountns_fd = ns_fd; 282 j->flags.enter_vfs = 1; 283} 284 285void API minijail_namespace_pids(struct minijail *j) 286{ 287 j->flags.vfs = 1; 288 j->flags.readonly = 1; 289 j->flags.pids = 1; 290 j->flags.do_init = 1; 291} 292 293void API minijail_namespace_net(struct minijail *j) 294{ 295 j->flags.net = 1; 296} 297 298void API minijail_remount_readonly(struct minijail *j) 299{ 300 j->flags.vfs = 1; 301 j->flags.readonly = 1; 302} 303 304void API minijail_namespace_user(struct minijail *j) 305{ 306 j->flags.userns = 1; 307} 308 309int API minijail_uidmap(struct minijail *j, const char *uidmap) 310{ 311 j->uidmap = strdup(uidmap); 312 if (!j->uidmap) 313 return -ENOMEM; 314 return 0; 315} 316 317int API minijail_gidmap(struct minijail *j, const char *gidmap) 318{ 319 j->gidmap = strdup(gidmap); 320 if (!j->gidmap) 321 return -ENOMEM; 322 return 0; 323} 324 325void API minijail_inherit_usergroups(struct minijail *j) 326{ 327 j->flags.usergroups = 1; 328} 329 330void API minijail_disable_ptrace(struct minijail *j) 331{ 332 j->flags.ptrace = 1; 333} 334 335void API minijail_run_as_init(struct minijail *j) 336{ 337 /* 338 * Since the jailed program will become 'init' in the new PID namespace, 339 * Minijail does not need to fork an 'init' process. 340 */ 341 j->flags.do_init = 0; 342} 343 344int API minijail_enter_chroot(struct minijail *j, const char *dir) 345{ 346 if (j->chrootdir) 347 return -EINVAL; 348 j->chrootdir = strdup(dir); 349 if (!j->chrootdir) 350 return -ENOMEM; 351 j->flags.chroot = 1; 352 return 0; 353} 354 355void API minijail_mount_tmp(struct minijail *j) 356{ 357 j->flags.mount_tmp = 1; 358} 359 360int API minijail_write_pid_file(struct minijail *j, const char *path) 361{ 362 j->pid_file_path = strdup(path); 363 if (!j->pid_file_path) 364 return -ENOMEM; 365 j->flags.pid_file = 1; 366 return 0; 367} 368 369int API minijail_bind(struct minijail *j, const char *src, const char *dest, 370 int writeable) 371{ 372 struct binding *b; 373 374 if (*dest != '/') 375 return -EINVAL; 376 b = calloc(1, sizeof(*b)); 377 if (!b) 378 return -ENOMEM; 379 b->dest = strdup(dest); 380 if (!b->dest) 381 goto error; 382 b->src = strdup(src); 383 if (!b->src) 384 goto error; 385 b->writeable = writeable; 386 387 info("bind %s -> %s", src, dest); 388 389 /* 390 * Force vfs namespacing so the bind mounts don't leak out into the 391 * containing vfs namespace. 392 */ 393 minijail_namespace_vfs(j); 394 395 if (j->bindings_tail) 396 j->bindings_tail->next = b; 397 else 398 j->bindings_head = b; 399 j->bindings_tail = b; 400 j->binding_count++; 401 402 return 0; 403 404error: 405 free(b->src); 406 free(b->dest); 407 free(b); 408 return -ENOMEM; 409} 410 411void API minijail_parse_seccomp_filters(struct minijail *j, const char *path) 412{ 413 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL)) { 414 if ((errno == ENOSYS) && SECCOMP_SOFTFAIL) { 415 warn("not loading seccomp filter, seccomp not supported"); 416 return; 417 } 418 } 419 FILE *file = fopen(path, "r"); 420 if (!file) { 421 pdie("failed to open seccomp filter file '%s'", path); 422 } 423 424 struct sock_fprog *fprog = malloc(sizeof(struct sock_fprog)); 425 if (compile_filter(file, fprog, j->flags.log_seccomp_filter)) { 426 die("failed to compile seccomp filter BPF program in '%s'", 427 path); 428 } 429 430 j->filter_len = fprog->len; 431 j->filter_prog = fprog; 432 433 fclose(file); 434} 435 436struct marshal_state { 437 size_t available; 438 size_t total; 439 char *buf; 440}; 441 442void marshal_state_init(struct marshal_state *state, 443 char *buf, size_t available) 444{ 445 state->available = available; 446 state->buf = buf; 447 state->total = 0; 448} 449 450void marshal_append(struct marshal_state *state, 451 char *src, size_t length) 452{ 453 size_t copy_len = MIN(state->available, length); 454 455 /* Up to |available| will be written. */ 456 if (copy_len) { 457 memcpy(state->buf, src, copy_len); 458 state->buf += copy_len; 459 state->available -= copy_len; 460 } 461 /* |total| will contain the expected length. */ 462 state->total += length; 463} 464 465void minijail_marshal_helper(struct marshal_state *state, 466 const struct minijail *j) 467{ 468 struct binding *b = NULL; 469 marshal_append(state, (char *)j, sizeof(*j)); 470 if (j->user) 471 marshal_append(state, j->user, strlen(j->user) + 1); 472 if (j->chrootdir) 473 marshal_append(state, j->chrootdir, strlen(j->chrootdir) + 1); 474 if (j->flags.seccomp_filter && j->filter_prog) { 475 struct sock_fprog *fp = j->filter_prog; 476 marshal_append(state, (char *)fp->filter, 477 fp->len * sizeof(struct sock_filter)); 478 } 479 for (b = j->bindings_head; b; b = b->next) { 480 marshal_append(state, b->src, strlen(b->src) + 1); 481 marshal_append(state, b->dest, strlen(b->dest) + 1); 482 marshal_append(state, (char *)&b->writeable, 483 sizeof(b->writeable)); 484 } 485} 486 487size_t API minijail_size(const struct minijail *j) 488{ 489 struct marshal_state state; 490 marshal_state_init(&state, NULL, 0); 491 minijail_marshal_helper(&state, j); 492 return state.total; 493} 494 495int minijail_marshal(const struct minijail *j, char *buf, size_t available) 496{ 497 struct marshal_state state; 498 marshal_state_init(&state, buf, available); 499 minijail_marshal_helper(&state, j); 500 return (state.total > available); 501} 502 503/* consumebytes: consumes @length bytes from a buffer @buf of length @buflength 504 * @length Number of bytes to consume 505 * @buf Buffer to consume from 506 * @buflength Size of @buf 507 * 508 * Returns a pointer to the base of the bytes, or NULL for errors. 509 */ 510void *consumebytes(size_t length, char **buf, size_t *buflength) 511{ 512 char *p = *buf; 513 if (length > *buflength) 514 return NULL; 515 *buf += length; 516 *buflength -= length; 517 return p; 518} 519 520/* consumestr: consumes a C string from a buffer @buf of length @length 521 * @buf Buffer to consume 522 * @length Length of buffer 523 * 524 * Returns a pointer to the base of the string, or NULL for errors. 525 */ 526char *consumestr(char **buf, size_t *buflength) 527{ 528 size_t len = strnlen(*buf, *buflength); 529 if (len == *buflength) 530 /* There's no null-terminator */ 531 return NULL; 532 return consumebytes(len + 1, buf, buflength); 533} 534 535int minijail_unmarshal(struct minijail *j, char *serialized, size_t length) 536{ 537 int i; 538 int count; 539 int ret = -EINVAL; 540 541 if (length < sizeof(*j)) 542 goto out; 543 memcpy((void *)j, serialized, sizeof(*j)); 544 serialized += sizeof(*j); 545 length -= sizeof(*j); 546 547 /* Potentially stale pointers not used as signals. */ 548 j->bindings_head = NULL; 549 j->bindings_tail = NULL; 550 j->filter_prog = NULL; 551 552 if (j->user) { /* stale pointer */ 553 char *user = consumestr(&serialized, &length); 554 if (!user) 555 goto clear_pointers; 556 j->user = strdup(user); 557 if (!j->user) 558 goto clear_pointers; 559 } 560 561 if (j->chrootdir) { /* stale pointer */ 562 char *chrootdir = consumestr(&serialized, &length); 563 if (!chrootdir) 564 goto bad_chrootdir; 565 j->chrootdir = strdup(chrootdir); 566 if (!j->chrootdir) 567 goto bad_chrootdir; 568 } 569 570 if (j->flags.seccomp_filter && j->filter_len > 0) { 571 size_t ninstrs = j->filter_len; 572 if (ninstrs > (SIZE_MAX / sizeof(struct sock_filter)) || 573 ninstrs > USHRT_MAX) 574 goto bad_filters; 575 576 size_t program_len = ninstrs * sizeof(struct sock_filter); 577 void *program = consumebytes(program_len, &serialized, &length); 578 if (!program) 579 goto bad_filters; 580 581 j->filter_prog = malloc(sizeof(struct sock_fprog)); 582 j->filter_prog->len = ninstrs; 583 j->filter_prog->filter = malloc(program_len); 584 memcpy(j->filter_prog->filter, program, program_len); 585 } 586 587 count = j->binding_count; 588 j->binding_count = 0; 589 for (i = 0; i < count; ++i) { 590 int *writeable; 591 const char *dest; 592 const char *src = consumestr(&serialized, &length); 593 if (!src) 594 goto bad_bindings; 595 dest = consumestr(&serialized, &length); 596 if (!dest) 597 goto bad_bindings; 598 writeable = consumebytes(sizeof(*writeable), &serialized, &length); 599 if (!writeable) 600 goto bad_bindings; 601 if (minijail_bind(j, src, dest, *writeable)) 602 goto bad_bindings; 603 } 604 605 return 0; 606 607bad_bindings: 608 if (j->flags.seccomp_filter && j->filter_len > 0) { 609 free(j->filter_prog->filter); 610 free(j->filter_prog); 611 } 612bad_filters: 613 if (j->chrootdir) 614 free(j->chrootdir); 615bad_chrootdir: 616 if (j->user) 617 free(j->user); 618clear_pointers: 619 j->user = NULL; 620 j->chrootdir = NULL; 621out: 622 return ret; 623} 624 625static void write_ugid_mappings(const struct minijail *j, int *pipe_fds) 626{ 627 int fd, ret, len; 628 size_t sz; 629 char fname[32]; 630 close(pipe_fds[0]); 631 632 sz = sizeof(fname); 633 if (j->uidmap) { 634 ret = snprintf(fname, sz, "/proc/%d/uid_map", j->initpid); 635 if (ret < 0 || ret >= sz) 636 die("failed to write file name of uid_map"); 637 fd = open(fname, O_WRONLY); 638 if (fd < 0) 639 pdie("failed to open '%s'", fname); 640 len = strlen(j->uidmap); 641 if (write(fd, j->uidmap, len) < len) 642 die("failed to set uid_map"); 643 close(fd); 644 } 645 if (j->gidmap) { 646 ret = snprintf(fname, sz, "/proc/%d/gid_map", j->initpid); 647 if (ret < 0 || ret >= sz) 648 die("failed to write file name of gid_map"); 649 fd = open(fname, O_WRONLY); 650 if (fd < 0) 651 pdie("failed to open '%s'", fname); 652 len = strlen(j->gidmap); 653 if (write(fd, j->gidmap, len) < len) 654 die("failed to set gid_map"); 655 close(fd); 656 } 657 658 close(pipe_fds[1]); 659} 660 661static void enter_user_namespace(const struct minijail *j, int *pipe_fds) 662{ 663 char buf; 664 665 close(pipe_fds[1]); 666 667 /* Wait for parent to set up uid/gid mappings. */ 668 if (read(pipe_fds[0], &buf, 1) != 0) 669 die("failed to sync with parent"); 670 close(pipe_fds[0]); 671 672 if (j->uidmap && setresuid(0, 0, 0)) 673 pdie("setresuid"); 674 if (j->gidmap && setresgid(0, 0, 0)) 675 pdie("setresgid"); 676} 677 678/* bind_one: Applies bindings from @b for @j, recursing as needed. 679 * @j Minijail these bindings are for 680 * @b Head of list of bindings 681 * 682 * Returns 0 for success. 683 */ 684int bind_one(const struct minijail *j, struct binding *b) 685{ 686 int ret = 0; 687 char *dest = NULL; 688 if (ret) 689 return ret; 690 /* dest has a leading "/" */ 691 if (asprintf(&dest, "%s%s", j->chrootdir, b->dest) < 0) 692 return -ENOMEM; 693 ret = mount(b->src, dest, NULL, MS_BIND, NULL); 694 if (ret) 695 pdie("bind: %s -> %s", b->src, dest); 696 if (!b->writeable) { 697 ret = mount(b->src, dest, NULL, 698 MS_BIND | MS_REMOUNT | MS_RDONLY, NULL); 699 if (ret) 700 pdie("bind ro: %s -> %s", b->src, dest); 701 } 702 free(dest); 703 if (b->next) 704 return bind_one(j, b->next); 705 return ret; 706} 707 708int enter_chroot(const struct minijail *j) 709{ 710 int ret; 711 if (j->bindings_head && (ret = bind_one(j, j->bindings_head))) 712 return ret; 713 714 if (chroot(j->chrootdir)) 715 return -errno; 716 717 if (chdir("/")) 718 return -errno; 719 720 return 0; 721} 722 723int mount_tmp(void) 724{ 725 return mount("none", "/tmp", "tmpfs", 0, "size=64M,mode=777"); 726} 727 728int remount_readonly(const struct minijail *j) 729{ 730 const char *kProcPath = "/proc"; 731 const unsigned int kSafeFlags = MS_NODEV | MS_NOEXEC | MS_NOSUID; 732 /* 733 * Right now, we're holding a reference to our parent's old mount of 734 * /proc in our namespace, which means using MS_REMOUNT here would 735 * mutate our parent's mount as well, even though we're in a VFS 736 * namespace (!). Instead, remove their mount from our namespace 737 * and make our own. However, if we are in a new user namespace, /proc 738 * is not seen as mounted, so don't return error if umount() fails. 739 */ 740 if (umount(kProcPath) && !j->flags.userns) 741 return -errno; 742 if (mount("", kProcPath, "proc", kSafeFlags | MS_RDONLY, "")) 743 return -errno; 744 return 0; 745} 746 747static void write_pid_file(const struct minijail *j) 748{ 749 FILE *fp = fopen(j->pid_file_path, "w"); 750 751 if (!fp) 752 pdie("failed to open '%s'", j->pid_file_path); 753 if (fprintf(fp, "%d\n", (int)j->initpid) < 0) 754 pdie("fprintf(%s)", j->pid_file_path); 755 if (fclose(fp)) 756 pdie("fclose(%s)", j->pid_file_path); 757} 758 759void drop_ugid(const struct minijail *j) 760{ 761 if (j->flags.usergroups) { 762 if (initgroups(j->user, j->usergid)) 763 pdie("initgroups"); 764 } else { 765 /* Only attempt to clear supplemental groups if we are changing 766 * users. */ 767 if ((j->uid || j->gid) && setgroups(0, NULL)) 768 pdie("setgroups"); 769 } 770 771 if (j->flags.gid && setresgid(j->gid, j->gid, j->gid)) 772 pdie("setresgid"); 773 774 if (j->flags.uid && setresuid(j->uid, j->uid, j->uid)) 775 pdie("setresuid"); 776} 777 778/* 779 * We specifically do not use cap_valid() as that only tells us the last 780 * valid cap we were *compiled* against (i.e. what the version of kernel 781 * headers says). If we run on a different kernel version, then it's not 782 * uncommon for that to be less (if an older kernel) or more (if a newer 783 * kernel). So suck up the answer via /proc. 784 */ 785static int run_cap_valid(unsigned int cap) 786{ 787 static unsigned int last_cap; 788 789 if (!last_cap) { 790 const char cap_file[] = "/proc/sys/kernel/cap_last_cap"; 791 FILE *fp = fopen(cap_file, "re"); 792 if (fscanf(fp, "%u", &last_cap) != 1) 793 pdie("fscanf(%s)", cap_file); 794 fclose(fp); 795 } 796 797 return cap <= last_cap; 798} 799 800void drop_caps(const struct minijail *j) 801{ 802 cap_t caps = cap_get_proc(); 803 cap_value_t flag[1]; 804 const uint64_t one = 1; 805 unsigned int i; 806 if (!caps) 807 die("can't get process caps"); 808 if (cap_clear_flag(caps, CAP_INHERITABLE)) 809 die("can't clear inheritable caps"); 810 if (cap_clear_flag(caps, CAP_EFFECTIVE)) 811 die("can't clear effective caps"); 812 if (cap_clear_flag(caps, CAP_PERMITTED)) 813 die("can't clear permitted caps"); 814 for (i = 0; i < sizeof(j->caps) * 8 && run_cap_valid(i); ++i) { 815 /* Keep CAP_SETPCAP for dropping bounding set bits. */ 816 if (i != CAP_SETPCAP && !(j->caps & (one << i))) 817 continue; 818 flag[0] = i; 819 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, flag, CAP_SET)) 820 die("can't add effective cap"); 821 if (cap_set_flag(caps, CAP_PERMITTED, 1, flag, CAP_SET)) 822 die("can't add permitted cap"); 823 if (cap_set_flag(caps, CAP_INHERITABLE, 1, flag, CAP_SET)) 824 die("can't add inheritable cap"); 825 } 826 if (cap_set_proc(caps)) 827 die("can't apply initial cleaned capset"); 828 829 /* 830 * Instead of dropping bounding set first, do it here in case 831 * the caller had a more permissive bounding set which could 832 * have been used above to raise a capability that wasn't already 833 * present. This requires CAP_SETPCAP, so we raised/kept it above. 834 */ 835 for (i = 0; i < sizeof(j->caps) * 8 && run_cap_valid(i); ++i) { 836 if (j->caps & (one << i)) 837 continue; 838 if (prctl(PR_CAPBSET_DROP, i)) 839 pdie("prctl(PR_CAPBSET_DROP)"); 840 } 841 842 /* If CAP_SETPCAP wasn't specifically requested, now we remove it. */ 843 if ((j->caps & (one << CAP_SETPCAP)) == 0) { 844 flag[0] = CAP_SETPCAP; 845 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, flag, CAP_CLEAR)) 846 die("can't clear effective cap"); 847 if (cap_set_flag(caps, CAP_PERMITTED, 1, flag, CAP_CLEAR)) 848 die("can't clear permitted cap"); 849 if (cap_set_flag(caps, CAP_INHERITABLE, 1, flag, CAP_CLEAR)) 850 die("can't clear inheritable cap"); 851 } 852 853 if (cap_set_proc(caps)) 854 die("can't apply final cleaned capset"); 855 856 cap_free(caps); 857} 858 859void set_seccomp_filter(const struct minijail *j) 860{ 861 /* 862 * Set no_new_privs. See </kernel/seccomp.c> and </kernel/sys.c> 863 * in the kernel source tree for an explanation of the parameters. 864 */ 865 if (j->flags.no_new_privs) { 866 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) 867 pdie("prctl(PR_SET_NO_NEW_PRIVS)"); 868 } 869 870 /* 871 * If we're logging seccomp filter failures, 872 * install the SIGSYS handler first. 873 */ 874 if (j->flags.seccomp_filter && j->flags.log_seccomp_filter) { 875 if (install_sigsys_handler()) 876 pdie("install SIGSYS handler"); 877 warn("logging seccomp filter failures"); 878 } 879 880 /* 881 * Install the syscall filter. 882 */ 883 if (j->flags.seccomp_filter) { 884 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, j->filter_prog)) { 885 if ((errno == ENOSYS) && SECCOMP_SOFTFAIL) { 886 warn("seccomp not supported"); 887 return; 888 } 889 pdie("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)"); 890 } 891 } 892} 893 894void API minijail_enter(const struct minijail *j) 895{ 896 if (j->flags.pids) 897 die("tried to enter a pid-namespaced jail;" 898 " try minijail_run()?"); 899 900 if (j->flags.usergroups && !j->user) 901 die("usergroup inheritance without username"); 902 903 /* 904 * We can't recover from failures if we've dropped privileges partially, 905 * so we don't even try. If any of our operations fail, we abort() the 906 * entire process. 907 */ 908 if (j->flags.enter_vfs && setns(j->mountns_fd, CLONE_NEWNS)) 909 pdie("setns(CLONE_NEWNS)"); 910 911 if (j->flags.vfs && unshare(CLONE_NEWNS)) 912 pdie("unshare(vfs)"); 913 914 if (j->flags.net && unshare(CLONE_NEWNET)) 915 pdie("unshare(net)"); 916 917 if (j->flags.chroot && enter_chroot(j)) 918 pdie("chroot"); 919 920 if (j->flags.mount_tmp && mount_tmp()) 921 pdie("mount_tmp"); 922 923 if (j->flags.readonly && remount_readonly(j)) 924 pdie("remount"); 925 926 if (j->flags.caps) { 927 /* 928 * POSIX capabilities are a bit tricky. If we drop our 929 * capability to change uids, our attempt to use setuid() 930 * below will fail. Hang on to root caps across setuid(), then 931 * lock securebits. 932 */ 933 if (prctl(PR_SET_KEEPCAPS, 1)) 934 pdie("prctl(PR_SET_KEEPCAPS)"); 935 if (prctl 936 (PR_SET_SECUREBITS, SECURE_ALL_BITS | SECURE_ALL_LOCKS)) 937 pdie("prctl(PR_SET_SECUREBITS)"); 938 } 939 940 /* 941 * If we're setting no_new_privs, we can drop privileges 942 * before setting seccomp filter. This way filter policies 943 * don't need to allow privilege-dropping syscalls. 944 */ 945 if (j->flags.no_new_privs) { 946 drop_ugid(j); 947 if (j->flags.caps) 948 drop_caps(j); 949 950 set_seccomp_filter(j); 951 } else { 952 /* 953 * If we're not setting no_new_privs, 954 * we need to set seccomp filter *before* dropping privileges. 955 * WARNING: this means that filter policies *must* allow 956 * setgroups()/setresgid()/setresuid() for dropping root and 957 * capget()/capset()/prctl() for dropping caps. 958 */ 959 set_seccomp_filter(j); 960 961 drop_ugid(j); 962 if (j->flags.caps) 963 drop_caps(j); 964 } 965 966 /* 967 * seccomp has to come last since it cuts off all the other 968 * privilege-dropping syscalls :) 969 */ 970 if (j->flags.seccomp && prctl(PR_SET_SECCOMP, 1)) { 971 if ((errno == ENOSYS) && SECCOMP_SOFTFAIL) { 972 warn("seccomp not supported"); 973 return; 974 } 975 pdie("prctl(PR_SET_SECCOMP)"); 976 } 977} 978 979/* TODO(wad) will visibility affect this variable? */ 980static int init_exitstatus = 0; 981 982void init_term(int __attribute__ ((unused)) sig) 983{ 984 _exit(init_exitstatus); 985} 986 987int init(pid_t rootpid) 988{ 989 pid_t pid; 990 int status; 991 /* so that we exit with the right status */ 992 signal(SIGTERM, init_term); 993 /* TODO(wad) self jail with seccomp_filters here. */ 994 while ((pid = wait(&status)) > 0) { 995 /* 996 * This loop will only end when either there are no processes 997 * left inside our pid namespace or we get a signal. 998 */ 999 if (pid == rootpid) 1000 init_exitstatus = status; 1001 } 1002 if (!WIFEXITED(init_exitstatus)) 1003 _exit(MINIJAIL_ERR_INIT); 1004 _exit(WEXITSTATUS(init_exitstatus)); 1005} 1006 1007int API minijail_from_fd(int fd, struct minijail *j) 1008{ 1009 size_t sz = 0; 1010 size_t bytes = read(fd, &sz, sizeof(sz)); 1011 char *buf; 1012 int r; 1013 if (sizeof(sz) != bytes) 1014 return -EINVAL; 1015 if (sz > USHRT_MAX) /* Arbitrary sanity check */ 1016 return -E2BIG; 1017 buf = malloc(sz); 1018 if (!buf) 1019 return -ENOMEM; 1020 bytes = read(fd, buf, sz); 1021 if (bytes != sz) { 1022 free(buf); 1023 return -EINVAL; 1024 } 1025 r = minijail_unmarshal(j, buf, sz); 1026 free(buf); 1027 return r; 1028} 1029 1030int API minijail_to_fd(struct minijail *j, int fd) 1031{ 1032 char *buf; 1033 size_t sz = minijail_size(j); 1034 ssize_t written; 1035 int r; 1036 1037 if (!sz) 1038 return -EINVAL; 1039 buf = malloc(sz); 1040 r = minijail_marshal(j, buf, sz); 1041 if (r) { 1042 free(buf); 1043 return r; 1044 } 1045 /* Sends [size][minijail]. */ 1046 written = write(fd, &sz, sizeof(sz)); 1047 if (written != sizeof(sz)) { 1048 free(buf); 1049 return -EFAULT; 1050 } 1051 written = write(fd, buf, sz); 1052 if (written < 0 || (size_t) written != sz) { 1053 free(buf); 1054 return -EFAULT; 1055 } 1056 free(buf); 1057 return 0; 1058} 1059 1060int setup_preload(void) 1061{ 1062#if defined(__ANDROID__) 1063 /* Don't use LDPRELOAD on Brillo. */ 1064 return 0; 1065#else 1066 char *oldenv = getenv(kLdPreloadEnvVar) ? : ""; 1067 char *newenv = malloc(strlen(oldenv) + 2 + strlen(PRELOADPATH)); 1068 if (!newenv) 1069 return -ENOMEM; 1070 1071 /* Only insert a separating space if we have something to separate... */ 1072 sprintf(newenv, "%s%s%s", oldenv, strlen(oldenv) ? " " : "", 1073 PRELOADPATH); 1074 1075 /* setenv() makes a copy of the string we give it */ 1076 setenv(kLdPreloadEnvVar, newenv, 1); 1077 free(newenv); 1078 return 0; 1079#endif 1080} 1081 1082int setup_pipe(int fds[2]) 1083{ 1084 int r = pipe(fds); 1085 char fd_buf[11]; 1086 if (r) 1087 return r; 1088 r = snprintf(fd_buf, sizeof(fd_buf), "%d", fds[0]); 1089 if (r <= 0) 1090 return -EINVAL; 1091 setenv(kFdEnvVar, fd_buf, 1); 1092 return 0; 1093} 1094 1095int setup_pipe_end(int fds[2], size_t index) 1096{ 1097 if (index > 1) 1098 return -1; 1099 1100 close(fds[1 - index]); 1101 return fds[index]; 1102} 1103 1104int setup_and_dupe_pipe_end(int fds[2], size_t index, int fd) 1105{ 1106 if (index > 1) 1107 return -1; 1108 1109 close(fds[1 - index]); 1110 /* dup2(2) the corresponding end of the pipe into |fd|. */ 1111 return dup2(fds[index], fd); 1112} 1113 1114int API minijail_run(struct minijail *j, const char *filename, 1115 char *const argv[]) 1116{ 1117 return minijail_run_pid_pipes(j, filename, argv, 1118 NULL, NULL, NULL, NULL); 1119} 1120 1121int API minijail_run_pid(struct minijail *j, const char *filename, 1122 char *const argv[], pid_t *pchild_pid) 1123{ 1124 return minijail_run_pid_pipes(j, filename, argv, pchild_pid, 1125 NULL, NULL, NULL); 1126} 1127 1128int API minijail_run_pipe(struct minijail *j, const char *filename, 1129 char *const argv[], int *pstdin_fd) 1130{ 1131 return minijail_run_pid_pipes(j, filename, argv, NULL, pstdin_fd, 1132 NULL, NULL); 1133} 1134 1135int API minijail_run_pid_pipe(struct minijail *j, const char *filename, 1136 char *const argv[], pid_t *pchild_pid, 1137 int *pstdin_fd) 1138{ 1139 return minijail_run_pid_pipes(j, filename, argv, pchild_pid, pstdin_fd, 1140 NULL, NULL); 1141} 1142 1143int API minijail_run_pid_pipes(struct minijail *j, const char *filename, 1144 char *const argv[], pid_t *pchild_pid, 1145 int *pstdin_fd, int *pstdout_fd, int *pstderr_fd) 1146{ 1147 char *oldenv, *oldenv_copy = NULL; 1148 pid_t child_pid; 1149 int pipe_fds[2]; 1150 int stdin_fds[2]; 1151 int stdout_fds[2]; 1152 int stderr_fds[2]; 1153 int userns_pipe_fds[2]; 1154 int ret; 1155 /* We need to remember this across the minijail_preexec() call. */ 1156 int pid_namespace = j->flags.pids; 1157 int do_init = j->flags.do_init; 1158 1159 oldenv = getenv(kLdPreloadEnvVar); 1160 if (oldenv) { 1161 oldenv_copy = strdup(oldenv); 1162 if (!oldenv_copy) 1163 return -ENOMEM; 1164 } 1165 1166 if (setup_preload()) 1167 return -EFAULT; 1168 1169 /* 1170 * Make the process group ID of this process equal to its PID, so that 1171 * both the Minijail process and the jailed process can be killed 1172 * together. 1173 * Don't fail on EPERM, since setpgid(0, 0) can only EPERM when 1174 * the process is already a process group leader. 1175 */ 1176 if (setpgid(0 /* use calling PID */, 0 /* make PGID = PID */)) { 1177 if (errno != EPERM) { 1178 pdie("setpgid(0, 0)"); 1179 } 1180 } 1181 1182 /* 1183 * Before we fork(2) and execve(2) the child process, we need to open 1184 * a pipe(2) to send the minijail configuration over. 1185 */ 1186 if (setup_pipe(pipe_fds)) 1187 return -EFAULT; 1188 1189 /* 1190 * If we want to write to the child process' standard input, 1191 * create the pipe(2) now. 1192 */ 1193 if (pstdin_fd) { 1194 if (pipe(stdin_fds)) 1195 return -EFAULT; 1196 } 1197 1198 /* 1199 * If we want to read from the child process' standard output, 1200 * create the pipe(2) now. 1201 */ 1202 if (pstdout_fd) { 1203 if (pipe(stdout_fds)) 1204 return -EFAULT; 1205 } 1206 1207 /* 1208 * If we want to read from the child process' standard error, 1209 * create the pipe(2) now. 1210 */ 1211 if (pstderr_fd) { 1212 if (pipe(stderr_fds)) 1213 return -EFAULT; 1214 } 1215 1216 /* 1217 * If we want to set up a new uid/gid mapping in the user namespace, 1218 * create the pipe(2) to sync between parent and child. 1219 */ 1220 if (j->flags.userns) { 1221 if (pipe(userns_pipe_fds)) 1222 return -EFAULT; 1223 } 1224 1225 /* Use sys_clone() if and only if we're creating a pid namespace. 1226 * 1227 * tl;dr: WARNING: do not mix pid namespaces and multithreading. 1228 * 1229 * In multithreaded programs, there are a bunch of locks inside libc, 1230 * some of which may be held by other threads at the time that we call 1231 * minijail_run_pid(). If we call fork(), glibc does its level best to 1232 * ensure that we hold all of these locks before it calls clone() 1233 * internally and drop them after clone() returns, but when we call 1234 * sys_clone(2) directly, all that gets bypassed and we end up with a 1235 * child address space where some of libc's important locks are held by 1236 * other threads (which did not get cloned, and hence will never release 1237 * those locks). This is okay so long as we call exec() immediately 1238 * after, but a bunch of seemingly-innocent libc functions like setenv() 1239 * take locks. 1240 * 1241 * Hence, only call sys_clone() if we need to, in order to get at pid 1242 * namespacing. If we follow this path, the child's address space might 1243 * have broken locks; you may only call functions that do not acquire 1244 * any locks. 1245 * 1246 * Unfortunately, fork() acquires every lock it can get its hands on, as 1247 * previously detailed, so this function is highly likely to deadlock 1248 * later on (see "deadlock here") if we're multithreaded. 1249 * 1250 * We might hack around this by having the clone()d child (init of the 1251 * pid namespace) return directly, rather than leaving the clone()d 1252 * process hanging around to be init for the new namespace (and having 1253 * its fork()ed child return in turn), but that process would be crippled 1254 * with its libc locks potentially broken. We might try fork()ing in the 1255 * parent before we clone() to ensure that we own all the locks, but 1256 * then we have to have the forked child hanging around consuming 1257 * resources (and possibly having file descriptors / shared memory 1258 * regions / etc attached). We'd need to keep the child around to avoid 1259 * having its children get reparented to init. 1260 * 1261 * TODO(ellyjones): figure out if the "forked child hanging around" 1262 * problem is fixable or not. It would be nice if we worked in this 1263 * case. 1264 */ 1265 if (pid_namespace) { 1266 int clone_flags = CLONE_NEWPID | SIGCHLD; 1267 if (j->flags.userns) 1268 clone_flags |= CLONE_NEWUSER; 1269 child_pid = syscall(SYS_clone, clone_flags, NULL); 1270 } 1271 else 1272 child_pid = fork(); 1273 1274 if (child_pid < 0) { 1275 free(oldenv_copy); 1276 die("failed to fork child"); 1277 } 1278 1279 if (child_pid) { 1280 /* Restore parent's LD_PRELOAD. */ 1281 if (oldenv_copy) { 1282 setenv(kLdPreloadEnvVar, oldenv_copy, 1); 1283 free(oldenv_copy); 1284 } else { 1285 unsetenv(kLdPreloadEnvVar); 1286 } 1287 unsetenv(kFdEnvVar); 1288 1289 j->initpid = child_pid; 1290 1291 if (j->flags.pid_file) 1292 write_pid_file(j); 1293 1294 if (j->flags.userns) 1295 write_ugid_mappings(j, userns_pipe_fds); 1296 1297 /* Send marshalled minijail. */ 1298 close(pipe_fds[0]); /* read endpoint */ 1299 ret = minijail_to_fd(j, pipe_fds[1]); 1300 close(pipe_fds[1]); /* write endpoint */ 1301 if (ret) { 1302 kill(j->initpid, SIGKILL); 1303 die("failed to send marshalled minijail"); 1304 } 1305 1306 if (pchild_pid) 1307 *pchild_pid = child_pid; 1308 1309 /* 1310 * If we want to write to the child process' standard input, 1311 * set up the write end of the pipe. 1312 */ 1313 if (pstdin_fd) 1314 *pstdin_fd = setup_pipe_end(stdin_fds, 1315 1 /* write end */); 1316 1317 /* 1318 * If we want to read from the child process' standard output, 1319 * set up the read end of the pipe. 1320 */ 1321 if (pstdout_fd) 1322 *pstdout_fd = setup_pipe_end(stdout_fds, 1323 0 /* read end */); 1324 1325 /* 1326 * If we want to read from the child process' standard error, 1327 * set up the read end of the pipe. 1328 */ 1329 if (pstderr_fd) 1330 *pstderr_fd = setup_pipe_end(stderr_fds, 1331 0 /* read end */); 1332 1333 return 0; 1334 } 1335 free(oldenv_copy); 1336 1337 1338 if (j->flags.userns) 1339 enter_user_namespace(j, userns_pipe_fds); 1340 1341 /* 1342 * If we want to write to the jailed process' standard input, 1343 * set up the read end of the pipe. 1344 */ 1345 if (pstdin_fd) { 1346 if (setup_and_dupe_pipe_end(stdin_fds, 0 /* read end */, 1347 STDIN_FILENO) < 0) 1348 die("failed to set up stdin pipe"); 1349 } 1350 1351 /* 1352 * If we want to read from the jailed process' standard output, 1353 * set up the write end of the pipe. 1354 */ 1355 if (pstdout_fd) { 1356 if (setup_and_dupe_pipe_end(stdout_fds, 1 /* write end */, 1357 STDOUT_FILENO) < 0) 1358 die("failed to set up stdout pipe"); 1359 } 1360 1361 /* 1362 * If we want to read from the jailed process' standard error, 1363 * set up the write end of the pipe. 1364 */ 1365 if (pstderr_fd) { 1366 if (setup_and_dupe_pipe_end(stderr_fds, 1 /* write end */, 1367 STDERR_FILENO) < 0) 1368 die("failed to set up stderr pipe"); 1369 } 1370 1371 /* Strip out flags that cannot be inherited across execve. */ 1372 minijail_preexec(j); 1373 /* Jail this process and its descendants... */ 1374 minijail_enter(j); 1375 1376 if (pid_namespace && do_init) { 1377 /* 1378 * pid namespace: this process will become init inside the new 1379 * namespace. We don't want all programs we might exec to have 1380 * to know how to be init. Normally |do_init == 1| we fork off 1381 * a child to actually run the program. If |do_init == 0|, we 1382 * let the program keep pid 1 and be init. 1383 * 1384 * If we're multithreaded, we'll probably deadlock here. See 1385 * WARNING above. 1386 */ 1387 child_pid = fork(); 1388 if (child_pid < 0) 1389 _exit(child_pid); 1390 else if (child_pid > 0) 1391 init(child_pid); /* never returns */ 1392 } 1393 1394 /* 1395 * If we aren't pid-namespaced, or jailed program asked to be init: 1396 * calling process 1397 * -> execve()-ing process 1398 * If we are: 1399 * calling process 1400 * -> init()-ing process 1401 * -> execve()-ing process 1402 */ 1403 _exit(execve(filename, argv, environ)); 1404} 1405 1406int API minijail_run_static(struct minijail *j, const char *filename, 1407 char *const argv[]) 1408{ 1409 pid_t child_pid; 1410 int userns_pipe_fds[2]; 1411 int pid_namespace = j->flags.pids; 1412 int do_init = j->flags.do_init; 1413 1414 if (j->flags.caps) 1415 die("caps not supported with static targets"); 1416 1417 /* 1418 * If we want to set up a new uid/gid mapping in the user namespace, 1419 * create the pipe(2) to sync between parent and child. 1420 */ 1421 if (j->flags.userns) { 1422 if (pipe(userns_pipe_fds)) 1423 return -EFAULT; 1424 } 1425 1426 if (pid_namespace) { 1427 int clone_flags = CLONE_NEWPID | SIGCHLD; 1428 if (j->flags.userns) 1429 clone_flags |= CLONE_NEWUSER; 1430 child_pid = syscall(SYS_clone, clone_flags, NULL); 1431 } 1432 else 1433 child_pid = fork(); 1434 1435 if (child_pid < 0) { 1436 die("failed to fork child"); 1437 } 1438 if (child_pid > 0 ) { 1439 j->initpid = child_pid; 1440 1441 if (j->flags.pid_file) 1442 write_pid_file(j); 1443 1444 if (j->flags.userns) 1445 write_ugid_mappings(j, userns_pipe_fds); 1446 1447 return 0; 1448 } 1449 1450 if (j->flags.userns) 1451 enter_user_namespace(j, userns_pipe_fds); 1452 1453 /* 1454 * We can now drop this child into the sandbox 1455 * then execve the target. 1456 */ 1457 1458 j->flags.pids = 0; 1459 minijail_enter(j); 1460 1461 if (pid_namespace && do_init) { 1462 /* 1463 * pid namespace: this process will become init inside the new 1464 * namespace. We don't want all programs we might exec to have 1465 * to know how to be init. Normally |do_init == 1| we fork off 1466 * a child to actually run the program. If |do_init == 0|, we 1467 * let the program keep pid 1 and be init. 1468 * 1469 * If we're multithreaded, we'll probably deadlock here. See 1470 * WARNING above. 1471 */ 1472 child_pid = fork(); 1473 if (child_pid < 0) 1474 _exit(child_pid); 1475 else if (child_pid > 0) 1476 init(child_pid); /* never returns */ 1477 } 1478 1479 _exit(execve(filename, argv, environ)); 1480} 1481 1482int API minijail_kill(struct minijail *j) 1483{ 1484 int st; 1485 if (kill(j->initpid, SIGTERM)) 1486 return -errno; 1487 if (waitpid(j->initpid, &st, 0) < 0) 1488 return -errno; 1489 return st; 1490} 1491 1492int API minijail_wait(struct minijail *j) 1493{ 1494 int st; 1495 if (waitpid(j->initpid, &st, 0) < 0) 1496 return -errno; 1497 1498 if (!WIFEXITED(st)) { 1499 int error_status = st; 1500 if (WIFSIGNALED(st)) { 1501 int signum = WTERMSIG(st); 1502 warn("child process %d received signal %d", 1503 j->initpid, signum); 1504 /* 1505 * We return MINIJAIL_ERR_JAIL if the process received 1506 * SIGSYS, which happens when a syscall is blocked by 1507 * seccomp filters. 1508 * If not, we do what bash(1) does: 1509 * $? = 128 + signum 1510 */ 1511 if (signum == SIGSYS) { 1512 error_status = MINIJAIL_ERR_JAIL; 1513 } else { 1514 error_status = 128 + signum; 1515 } 1516 } 1517 return error_status; 1518 } 1519 1520 int exit_status = WEXITSTATUS(st); 1521 if (exit_status != 0) 1522 info("child process %d exited with status %d", 1523 j->initpid, exit_status); 1524 1525 return exit_status; 1526} 1527 1528void API minijail_destroy(struct minijail *j) 1529{ 1530 if (j->flags.seccomp_filter && j->filter_prog) { 1531 free(j->filter_prog->filter); 1532 free(j->filter_prog); 1533 } 1534 while (j->bindings_head) { 1535 struct binding *b = j->bindings_head; 1536 j->bindings_head = j->bindings_head->next; 1537 free(b->dest); 1538 free(b->src); 1539 free(b); 1540 } 1541 j->bindings_tail = NULL; 1542 if (j->user) 1543 free(j->user); 1544 if (j->chrootdir) 1545 free(j->chrootdir); 1546 free(j); 1547} 1548