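//
// Copyright (C) 2017 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

#include <unistd.h>

#include <string>

#include <android-base/logging.h>
#include <libminijail.h>

#include <hwminijail/HardwareMinijail.h>

namespace android {
namespace hardware {

// Applies the seccomp policy stored at |seccomp_policy_path| to the caller.
//
// Sets no_new_privs, enables seccomp filtering with failure logging, parses
// the policy file and enters the jail. Nothing is returned: the caller cannot
// tell from this function whether a filter was installed.
//
// Security notes:
//  - Fail-open: if the policy file is not readable, a warning is logged and
//    the function returns with no filter installed. A service that must not
//    run unconfined has to enforce that separately (for example by treating a
//    missing policy as a packaging error).
//  - The path is probed with access() and then passed to libminijail by name,
//    so the file is resolved twice. The policy should live where only trusted
//    code can write.
//    NOTE(review): presumably a read-only system/vendor partition - confirm
//    against the callers.
//  - minijail_set_seccomp_filter_tsync() is not requested here. A seccomp
//    filter installed without thread synchronisation covers the calling
//    thread and threads created from it afterwards, so call this before any
//    other thread (e.g. a thread pool) is started.
//  - NOTE(review): minijail_log_seccomp_filter_failures() is a debugging aid;
//    confirm it is intended for production builds.
void SetupMinijail(const std::string& seccomp_policy_path) {
    if (access(seccomp_policy_path.c_str(), R_OK) == -1) {
        // PLOG appends strerror(errno), which separates "file missing" from
        // "permission denied" when triaging why a service runs unconfined.
        PLOG(WARNING) << "Could not find seccomp policy file at: " << seccomp_policy_path;
        return;
    }

    struct minijail* jail = minijail_new();
    if (jail == nullptr) {
        // LOG(FATAL) aborts the process, so |jail| is non-null below.
        LOG(FATAL) << "Failed to create minijail.";
    }

    // Keep this order: the flags are set on the jail before the policy is
    // parsed, and everything takes effect at minijail_enter().
    minijail_no_new_privs(jail);
    minijail_log_seccomp_filter_failures(jail);
    minijail_use_seccomp_filter(jail);
    minijail_parse_seccomp_filters(jail, seccomp_policy_path.c_str());
    minijail_enter(jail);
    // Only the jail description is freed here; no call in this function
    // removes the restrictions applied by minijail_enter().
    minijail_destroy(jail);
}

}  // namespace hardware
}  // namespace android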