1*1a96fba6SXin Li // Copyright (c) 2012 The Chromium OS Authors. All rights reserved. 2*1a96fba6SXin Li // Use of this source code is governed by a BSD-style license that can be 3*1a96fba6SXin Li // found in the LICENSE file. 4*1a96fba6SXin Li 5*1a96fba6SXin Li #ifndef LIBBRILLO_BRILLO_MINIJAIL_MINIJAIL_H_ 6*1a96fba6SXin Li #define LIBBRILLO_BRILLO_MINIJAIL_MINIJAIL_H_ 7*1a96fba6SXin Li 8*1a96fba6SXin Li #include <vector> 9*1a96fba6SXin Li 10*1a96fba6SXin Li extern "C" { 11*1a96fba6SXin Li #include <linux/capability.h> 12*1a96fba6SXin Li #include <sys/types.h> 13*1a96fba6SXin Li } 14*1a96fba6SXin Li 15*1a96fba6SXin Li #include <base/lazy_instance.h> 16*1a96fba6SXin Li #include <brillo/brillo_export.h> 17*1a96fba6SXin Li 18*1a96fba6SXin Li #include <libminijail.h> 19*1a96fba6SXin Li 20*1a96fba6SXin Li #include "base/macros.h" 21*1a96fba6SXin Li 22*1a96fba6SXin Li namespace brillo { 23*1a96fba6SXin Li 24*1a96fba6SXin Li // A Minijail abstraction allowing Minijail mocking in tests. 25*1a96fba6SXin Li class BRILLO_EXPORT Minijail { 26*1a96fba6SXin Li public: 27*1a96fba6SXin Li virtual ~Minijail(); 28*1a96fba6SXin Li 29*1a96fba6SXin Li // This is a singleton -- use Minijail::GetInstance()->Foo(). 30*1a96fba6SXin Li static Minijail* GetInstance(); 31*1a96fba6SXin Li 32*1a96fba6SXin Li // minijail_new 33*1a96fba6SXin Li virtual struct minijail* New(); 34*1a96fba6SXin Li // minijail_destroy 35*1a96fba6SXin Li virtual void Destroy(struct minijail* jail); 36*1a96fba6SXin Li 37*1a96fba6SXin Li // minijail_change_uid/minijail_change_gid 38*1a96fba6SXin Li virtual void DropRoot(struct minijail* jail, uid_t uid, gid_t gid); 39*1a96fba6SXin Li 40*1a96fba6SXin Li // minijail_change_user/minijail_change_group 41*1a96fba6SXin Li virtual bool DropRoot(struct minijail* jail, 42*1a96fba6SXin Li const char* user, 43*1a96fba6SXin Li const char* group); 44*1a96fba6SXin Li 45*1a96fba6SXin Li // minijail_namespace_pids 46*1a96fba6SXin Li virtual void EnterNewPidNamespace(struct minijail* jail); 47*1a96fba6SXin Li 48*1a96fba6SXin Li // minijail_mount_tmp 49*1a96fba6SXin Li virtual void MountTmp(struct minijail* jail); 50*1a96fba6SXin Li 51*1a96fba6SXin Li // minijail_use_seccomp_filter/minijail_no_new_privs/ 52*1a96fba6SXin Li // minijail_parse_seccomp_filters 53*1a96fba6SXin Li virtual void UseSeccompFilter(struct minijail* jail, const char* path); 54*1a96fba6SXin Li 55*1a96fba6SXin Li // minijail_use_caps 56*1a96fba6SXin Li virtual void UseCapabilities(struct minijail* jail, uint64_t capmask); 57*1a96fba6SXin Li 58*1a96fba6SXin Li // minijail_reset_signal_mask 59*1a96fba6SXin Li virtual void ResetSignalMask(struct minijail* jail); 60*1a96fba6SXin Li 61*1a96fba6SXin Li // minijail_close_open_fds 62*1a96fba6SXin Li virtual void CloseOpenFds(struct minijail* jail); 63*1a96fba6SXin Li 64*1a96fba6SXin Li // minijail_preserve_fd 65*1a96fba6SXin Li virtual void PreserveFd(struct minijail* jail, int parent_fd, int child_fd); 66*1a96fba6SXin Li 67*1a96fba6SXin Li // minijail_enter 68*1a96fba6SXin Li virtual void Enter(struct minijail* jail); 69*1a96fba6SXin Li 70*1a96fba6SXin Li // minijail_run_pid 71*1a96fba6SXin Li virtual bool Run(struct minijail* jail, std::vector<char*> args, pid_t* pid); 72*1a96fba6SXin Li 73*1a96fba6SXin Li // minijail_run_pid and waitpid 74*1a96fba6SXin Li virtual bool RunSync(struct minijail* jail, 75*1a96fba6SXin Li std::vector<char*> args, 76*1a96fba6SXin Li int* status); 77*1a96fba6SXin Li 78*1a96fba6SXin Li // minijail_run_pid_pipes, with |pstdout_fd| and |pstderr_fd| set to NULL. 79*1a96fba6SXin Li virtual bool RunPipe(struct minijail* jail, 80*1a96fba6SXin Li std::vector<char*> args, 81*1a96fba6SXin Li pid_t* pid, 82*1a96fba6SXin Li int* stdin); 83*1a96fba6SXin Li 84*1a96fba6SXin Li // minijail_run_pid_pipes 85*1a96fba6SXin Li virtual bool RunPipes(struct minijail* jail, 86*1a96fba6SXin Li std::vector<char*> args, 87*1a96fba6SXin Li pid_t* pid, 88*1a96fba6SXin Li int* stdin, 89*1a96fba6SXin Li int* stdout, 90*1a96fba6SXin Li int* stderr); 91*1a96fba6SXin Li 92*1a96fba6SXin Li // minijail_run_env_pid_pipes 93*1a96fba6SXin Li virtual bool RunEnvPipes(struct minijail* jail, 94*1a96fba6SXin Li std::vector<char*> args, 95*1a96fba6SXin Li std::vector<char*> env, 96*1a96fba6SXin Li pid_t* pid, 97*1a96fba6SXin Li int* stdin, 98*1a96fba6SXin Li int* stdout, 99*1a96fba6SXin Li int* stderr); 100*1a96fba6SXin Li // Run() and Destroy() 101*1a96fba6SXin Li virtual bool RunAndDestroy(struct minijail* jail, 102*1a96fba6SXin Li std::vector<char*> args, 103*1a96fba6SXin Li pid_t* pid); 104*1a96fba6SXin Li 105*1a96fba6SXin Li // RunSync() and Destroy() 106*1a96fba6SXin Li virtual bool RunSyncAndDestroy(struct minijail* jail, 107*1a96fba6SXin Li std::vector<char*> args, 108*1a96fba6SXin Li int* status); 109*1a96fba6SXin Li 110*1a96fba6SXin Li // RunPipe() and Destroy() 111*1a96fba6SXin Li virtual bool RunPipeAndDestroy(struct minijail* jail, 112*1a96fba6SXin Li std::vector<char*> args, 113*1a96fba6SXin Li pid_t* pid, 114*1a96fba6SXin Li int* stdin); 115*1a96fba6SXin Li 116*1a96fba6SXin Li // RunPipes() and Destroy() 117*1a96fba6SXin Li virtual bool RunPipesAndDestroy(struct minijail* jail, 118*1a96fba6SXin Li std::vector<char*> args, 119*1a96fba6SXin Li pid_t* pid, 120*1a96fba6SXin Li int* stdin, 121*1a96fba6SXin Li int* stdout, 122*1a96fba6SXin Li int* stderr); 123*1a96fba6SXin Li 124*1a96fba6SXin Li // RunEnvPipes() and Destroy() 125*1a96fba6SXin Li virtual bool RunEnvPipesAndDestroy(struct minijail* jail, 126*1a96fba6SXin Li std::vector<char*> args, 127*1a96fba6SXin Li std::vector<char*> env, 128*1a96fba6SXin Li pid_t* pid, 129*1a96fba6SXin Li int* stdin, 130*1a96fba6SXin Li int* stdout, 131*1a96fba6SXin Li int* stderr); 132*1a96fba6SXin Li 133*1a96fba6SXin Li protected: 134*1a96fba6SXin Li Minijail(); 135*1a96fba6SXin Li 136*1a96fba6SXin Li private: 137*1a96fba6SXin Li friend base::LazyInstanceTraitsBase<Minijail>; 138*1a96fba6SXin Li 139*1a96fba6SXin Li DISALLOW_COPY_AND_ASSIGN(Minijail); 140*1a96fba6SXin Li }; 141*1a96fba6SXin Li 142*1a96fba6SXin Li } // namespace brillo 143*1a96fba6SXin Li 144*1a96fba6SXin Li #endif // LIBBRILLO_BRILLO_MINIJAIL_MINIJAIL_H_ 145