xref: /aosp_15_r20/external/libbrillo/brillo/minijail/minijail.cc (revision 1a96fba65179ea7d3f56207137718607415c5953)
1*1a96fba6SXin Li // Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
2*1a96fba6SXin Li // Use of this source code is governed by a BSD-style license that can be
3*1a96fba6SXin Li // found in the LICENSE file.
4*1a96fba6SXin Li 
#include "brillo/minijail/minijail.h"

#include <errno.h>
#include <sys/types.h>
#include <sys/wait.h>
9*1a96fba6SXin Li 
10*1a96fba6SXin Li using std::vector;
11*1a96fba6SXin Li 
12*1a96fba6SXin Li namespace brillo {
13*1a96fba6SXin Li 
// Lazily constructed Minijail instance that is destroyed at process exit.
// NOTE(review): nothing in this file reads g_minijail; GetInstance() uses its
// own function-local static instead. Confirm whether this is still needed.
static base::LazyInstance<Minijail>::DestructorAtExit g_minijail =
    LAZY_INSTANCE_INITIALIZER;
16*1a96fba6SXin Li 
// The wrapper holds no state of its own; every method operates on the
// |struct minijail*| handed in by the caller.
Minijail::Minijail() = default;
18*1a96fba6SXin Li 
// Nothing to release: jails are freed explicitly through Destroy().
Minijail::~Minijail() = default;
20*1a96fba6SXin Li 
21*1a96fba6SXin Li // static
// Returns the process-wide Minijail wrapper.
//
// The object is heap-allocated on the first call and stored in a
// function-local static; it is never deleted, so every call returns the same
// pointer for the lifetime of the process.
Minijail* Minijail::GetInstance() {
  static Minijail* const instance = new Minijail();
  return instance;
}
26*1a96fba6SXin Li 
// Allocates a fresh jail via minijail_new() and returns it unchanged.
//
// The result is not checked here, so callers must handle whatever
// minijail_new() yields on failure (presumably a null pointer -- confirm)
// before configuring the jail.
struct minijail* Minijail::New() {
  struct minijail* const jail = minijail_new();
  return jail;
}
30*1a96fba6SXin Li 
// Releases |jail| through minijail_destroy().
//
// |jail| must not be used again after this call; the *AndDestroy() helpers in
// this file call this for the caller.
void Minijail::Destroy(struct minijail* jail) {
  minijail_destroy(jail);
}
34*1a96fba6SXin Li 
// Records the numeric |uid| and |gid| the jailed process should run as.
//
// Both values are forwarded as given: nothing in this wrapper rejects 0, so
// passing uid 0 or gid 0 does not drop root despite the method's name.
// The uid is registered first, then the gid.
void Minijail::DropRoot(struct minijail* jail, uid_t uid, gid_t gid) {
  minijail_change_uid(jail, uid);
  minijail_change_gid(jail, gid);
}
39*1a96fba6SXin Li 
// Records the |user| and |group| names the jailed process should run as.
//
// Returns true only when both minijail_change_user() and
// minijail_change_group() report success (0). If the user call fails the
// group call is not attempted. Callers must check the result: on false the
// jail may carry no identity change, and running it anyway would keep the
// current credentials.
//
// |user| and |group| are copied by the callee, so the original author notes
// ENOMEM as the only failure reason.
// NOTE(review): if the callee also resolves the names, an unknown user or
// group would fail here too -- confirm against libminijail.
bool Minijail::DropRoot(struct minijail* jail,
                        const char* user,
                        const char* group) {
  if (minijail_change_user(jail, user) != 0) {
    return false;
  }
  return minijail_change_group(jail, group) == 0;
}
48*1a96fba6SXin Li 
// Requests a new PID namespace for |jail| via minijail_namespace_pids().
// This only configures |jail|; no status is returned to the caller.
void Minijail::EnterNewPidNamespace(struct minijail* jail) {
  minijail_namespace_pids(jail);
}
52*1a96fba6SXin Li 
// Requests a private /tmp for |jail| via minijail_mount_tmp().
// Any result of the underlying call is not surfaced to the caller.
void Minijail::MountTmp(struct minijail* jail) {
  minijail_mount_tmp(jail);
}
56*1a96fba6SXin Li 
// Configures |jail| to run under the seccomp policy file at |path|.
//
// Three libminijail calls are made, in this order:
//   1. minijail_no_new_privs()          - set the no_new_privs flag;
//   2. minijail_use_seccomp_filter()    - turn seccomp filtering on;
//   3. minijail_parse_seccomp_filters() - load the policy from |path|.
//
// The method returns void, so a caller cannot learn from this wrapper whether
// the policy was actually loaded.
// NOTE(review): confirm how libminijail reacts to a missing or malformed
// policy file, and make sure |path| is not writable by the jailed user.
void Minijail::UseSeccompFilter(struct minijail* jail, const char* path) {
  minijail_no_new_privs(jail);
  minijail_use_seccomp_filter(jail);
  minijail_parse_seccomp_filters(jail, path);
}
62*1a96fba6SXin Li 
// Restricts |jail| to the capability set in |capmask| via minijail_use_caps().
// |capmask| is forwarded unmodified; presumably one bit per capability number
// -- confirm against libminijail. Keep the mask as small as the job allows.
void Minijail::UseCapabilities(struct minijail* jail, uint64_t capmask) {
  minijail_use_caps(jail, capmask);
}
66*1a96fba6SXin Li 
// Asks |jail| to reset the signal mask of the jailed process, by calling
// minijail_reset_signal_mask().
void Minijail::ResetSignalMask(struct minijail* jail) {
  minijail_reset_signal_mask(jail);
}
70*1a96fba6SXin Li 
// Asks |jail| to close inherited file descriptors in the jailed process, by
// calling minijail_close_open_fds(). Descriptors the child still needs are
// registered separately with PreserveFd().
void Minijail::CloseOpenFds(struct minijail* jail) {
  minijail_close_open_fds(jail);
}
74*1a96fba6SXin Li 
// Registers |parent_fd| to remain available in the jailed process as
// |child_fd|, by calling minijail_preserve_fd().
//
// Any value returned by minijail_preserve_fd() is discarded, so a failed
// registration is invisible to the caller of this wrapper.
void Minijail::PreserveFd(struct minijail* jail, int parent_fd, int child_fd) {
  minijail_preserve_fd(jail, parent_fd, child_fd);
}
78*1a96fba6SXin Li 
// Hands |jail| to minijail_enter(), presumably applying its restrictions to
// the calling process rather than to a child -- confirm against libminijail.
// No status is returned.
void Minijail::Enter(struct minijail* jail) {
  minijail_enter(jail);
}
82*1a96fba6SXin Li 
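// Starts args[0] inside |jail| with |args| as its argument vector.
//
// |args|  Program path followed by its arguments. Must be non-empty with a
//         non-null first element; otherwise false is returned and nothing is
//         started.
// |pid|   Forwarded to minijail_run_pid() to receive the child's pid.
//
// Returns true when minijail_run_pid() reports 0. The call does not wait for
// the child to finish.
bool Minijail::Run(struct minijail* jail, vector<char*> args, pid_t* pid) {
  // args[0] names the program; indexing an empty vector is undefined
  // behaviour and a null path cannot be executed.
  if (args.empty() || args[0] == nullptr) {
    return false;
  }
  // The argument vector is consumed as a NULL-terminated array (execve
  // convention). |args| is a by-value copy, so a missing terminator can be
  // added here without touching the caller's vector.
  if (args.back() != nullptr) {
    args.push_back(nullptr);
  }
  return minijail_run_pid(jail, args[0], args.data(), pid) == 0;
}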
86*1a96fba6SXin Li 
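// Starts args[0] inside |jail| and blocks until that child has been reaped.
//
// |status| is passed straight to waitpid() and receives the raw wait status.
//
// Returns true when the child was started and waitpid() returned its pid.
// A true result does NOT mean the program succeeded: callers must inspect
// |status| (WIFEXITED / WEXITSTATUS / WIFSIGNALED) themselves.
bool Minijail::RunSync(struct minijail* jail, vector<char*> args, int* status) {
  pid_t pid = -1;
  if (!Run(jail, args, &pid)) {
    return false;
  }

  // A signal delivered to this process makes waitpid() fail with EINTR even
  // though the child is still running. Retry so the child is not left
  // unreaped and a started run is not reported as a failure.
  pid_t waited;
  do {
    waited = waitpid(pid, status, 0);
  } while (waited == -1 && errno == EINTR);

  return waited == pid;
}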
95*1a96fba6SXin Li 
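// Starts args[0] inside |jail| and requests a pipe to the child's stdin.
//
// |args|   Program path followed by its arguments. Must be non-empty with a
//          non-null first element; otherwise false is returned.
// |pid|    Forwarded to libminijail to receive the child's pid.
// |stdin|  Forwarded to libminijail to receive the pipe descriptor for the
//          child's standard input. stdout and stderr are not piped.
//
// On Android the *_no_preload variant of the libminijail call is used.
// Returns true when the libminijail call reports 0.
bool Minijail::RunPipe(struct minijail* jail,
                       vector<char*> args,
                       pid_t* pid,
                       int* stdin) {
  // args[0] names the program; indexing an empty vector is undefined
  // behaviour and a null path cannot be executed.
  if (args.empty() || args[0] == nullptr) {
    return false;
  }
  // The argument vector is consumed as a NULL-terminated array; |args| is a
  // by-value copy, so a missing terminator can be appended safely.
  if (args.back() != nullptr) {
    args.push_back(nullptr);
  }
#if defined(__ANDROID__)
  return minijail_run_pid_pipes_no_preload(jail, args[0], args.data(), pid,
                                           stdin, nullptr, nullptr) == 0;
#else
  return minijail_run_pid_pipes(jail, args[0], args.data(), pid, stdin,
                                nullptr, nullptr) == 0;
#endif  // __ANDROID__
}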
108*1a96fba6SXin Li 
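// Starts args[0] inside |jail| and requests pipes for the child's standard
// streams.
//
// |args|    Program path followed by its arguments. Must be non-empty with a
//           non-null first element; otherwise false is returned.
// |pid|     Forwarded to libminijail to receive the child's pid.
// |stdin|, |stdout|, |stderr|
//           Forwarded unchanged to libminijail to receive the pipe
//           descriptors for the corresponding child streams.
//
// On Android the *_no_preload variant of the libminijail call is used.
// Returns true when the libminijail call reports 0.
bool Minijail::RunPipes(struct minijail* jail,
                        vector<char*> args,
                        pid_t* pid,
                        int* stdin,
                        int* stdout,
                        int* stderr) {
  // args[0] names the program; indexing an empty vector is undefined
  // behaviour and a null path cannot be executed.
  if (args.empty() || args[0] == nullptr) {
    return false;
  }
  // The argument vector is consumed as a NULL-terminated array; |args| is a
  // by-value copy, so a missing terminator can be appended safely.
  if (args.back() != nullptr) {
    args.push_back(nullptr);
  }
#if defined(__ANDROID__)
  return minijail_run_pid_pipes_no_preload(jail, args[0], args.data(), pid,
                                           stdin, stdout, stderr) == 0;
#else
  return minijail_run_pid_pipes(jail, args[0], args.data(), pid, stdin, stdout,
                                stderr) == 0;
#endif  // __ANDROID__
}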
123*1a96fba6SXin Li 
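// Starts args[0] inside |jail| with an explicit environment and requests
// pipes for the child's standard streams.
//
// |args|    Program path followed by its arguments. Must be non-empty with a
//           non-null first element; otherwise false is returned.
// |env|     Environment entries for the child. Pass only the variables the
//           child needs so nothing leaks in from the parent.
// |pid|     Forwarded to libminijail to receive the child's pid.
// |stdin|, |stdout|, |stderr|
//           Forwarded unchanged to libminijail to receive the pipe
//           descriptors for the corresponding child streams.
//
// On Android the *_no_preload variant of the libminijail call is used.
// Returns true when the libminijail call reports 0.
bool Minijail::RunEnvPipes(struct minijail* jail,
                           vector<char*> args,
                           vector<char*> env,
                           pid_t* pid,
                           int* stdin,
                           int* stdout,
                           int* stderr) {
  // args[0] names the program; indexing an empty vector is undefined
  // behaviour and a null path cannot be executed.
  if (args.empty() || args[0] == nullptr) {
    return false;
  }
  // Both vectors are consumed as NULL-terminated arrays and are by-value
  // copies, so a missing terminator can be appended safely.
  if (args.back() != nullptr) {
    args.push_back(nullptr);
  }
  // An empty |env| is passed through untouched: how the callee treats that
  // case is not visible from this file.
  if (!env.empty() && env.back() != nullptr) {
    env.push_back(nullptr);
  }
#if defined(__ANDROID__)
  return minijail_run_env_pid_pipes_no_preload(jail, args[0], args.data(),
                                               env.data(), pid, stdin, stdout,
                                               stderr) == 0;
#else
  return minijail_run_env_pid_pipes(jail, args[0], args.data(), env.data(), pid,
                                    stdin, stdout, stderr) == 0;
#endif  // __ANDROID__
}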
140*1a96fba6SXin Li 
// Run() followed by Destroy().
//
// |jail| is destroyed whether or not the launch succeeded, so the caller
// must not touch it afterwards. Returns what Run() returned.
bool Minijail::RunAndDestroy(struct minijail* jail,
                             vector<char*> args,
                             pid_t* pid) {
  const bool started = Run(jail, args, pid);
  Destroy(jail);
  return started;
}
148*1a96fba6SXin Li 
// RunSync() followed by Destroy().
//
// |jail| is destroyed whether or not the run succeeded, so the caller must
// not touch it afterwards. Returns what RunSync() returned; the child's exit
// status is still only available through |status|.
bool Minijail::RunSyncAndDestroy(struct minijail* jail,
                                 vector<char*> args,
                                 int* status) {
  const bool completed = RunSync(jail, args, status);
  Destroy(jail);
  return completed;
}
156*1a96fba6SXin Li 
// RunPipe() followed by Destroy().
//
// |jail| is destroyed whether or not the launch succeeded, so the caller
// must not touch it afterwards. Returns what RunPipe() returned.
bool Minijail::RunPipeAndDestroy(struct minijail* jail,
                                 vector<char*> args,
                                 pid_t* pid,
                                 int* stdin) {
  const bool started = RunPipe(jail, args, pid, stdin);
  Destroy(jail);
  return started;
}
165*1a96fba6SXin Li 
// RunPipes() followed by Destroy().
//
// |jail| is destroyed whether or not the launch succeeded, so the caller
// must not touch it afterwards. Returns what RunPipes() returned.
bool Minijail::RunPipesAndDestroy(struct minijail* jail,
                                  vector<char*> args,
                                  pid_t* pid,
                                  int* stdin,
                                  int* stdout,
                                  int* stderr) {
  const bool started = RunPipes(jail, args, pid, stdin, stdout, stderr);
  Destroy(jail);
  return started;
}
176*1a96fba6SXin Li 
// RunEnvPipes() followed by Destroy().
//
// |jail| is destroyed whether or not the launch succeeded, so the caller
// must not touch it afterwards. Returns what RunEnvPipes() returned.
bool Minijail::RunEnvPipesAndDestroy(struct minijail* jail,
                                     vector<char*> args,
                                     vector<char*> env,
                                     pid_t* pid,
                                     int* stdin,
                                     int* stdout,
                                     int* stderr) {
  const bool started =
      RunEnvPipes(jail, args, env, pid, stdin, stdout, stderr);
  Destroy(jail);
  return started;
}
188*1a96fba6SXin Li 
189*1a96fba6SXin Li }  // namespace brillo