1 // Copyright 2019 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 // The sandbox2::Namespace class defines ways of inserting the sandboxed process
16 // into Linux namespaces.
17 
18 #ifndef SANDBOXED_API_SANDBOX2_NAMESPACE_H_
19 #define SANDBOXED_API_SANDBOX2_NAMESPACE_H_
20 
21 #include <sched.h>
22 #include <sys/types.h>
23 
24 #include <cstdint>
25 #include <string>
26 
27 #include "sandboxed_api/sandbox2/mounts.h"
28 #include "sandboxed_api/sandbox2/violation.pb.h"
29 
30 namespace sandbox2 {
31 
class Namespace final {
 public:
  // Performs the namespace setup (mounts, writing the uid_map, etc.) for a
  // sandboxee cloned with `clone_flags`. `avoid_pivot_root` and
  // `allow_mount_propagation` tune how the mount namespace is prepared; the
  // exact semantics live in the out-of-line definition.
  static void InitializeNamespaces(uid_t uid, gid_t gid, int32_t clone_flags,
                                   const Mounts& mounts,
                                   const std::string& hostname,
                                   bool avoid_pivot_root,
                                   bool allow_mount_propagation);

  // Early setup step that only needs the target uid/gid. Defined out of line;
  // see the implementation for what it does beyond the id mapping.
  static void InitializeInitialNamespaces(uid_t uid, gid_t gid);

  // Builds the namespace configuration. `mounts` and `hostname` are taken by
  // value and stored. NOTE(review): `allow_unrestricted_networking` has no
  // member here; presumably the constructor uses it to drop CLONE_NEWNET from
  // clone_flags_ — confirm against the constructor definition.
  Namespace(bool allow_unrestricted_networking, Mounts mounts,
            std::string hostname, bool allow_mount_propagation);

  // Serializes this namespace configuration into `pb_description`.
  void GetNamespaceDescription(NamespaceDescription* pb_description) const;

  // The CLONE_NEW* bit set the sandboxee will be created with.
  int32_t clone_flags() const {
    return clone_flags_;
  }

  // Mount table applied inside the mount namespace. The non-const overload
  // lets callers adjust it after construction.
  const Mounts& mounts() const {
    return mounts_;
  }
  Mounts& mounts() {
    return mounts_;
  }

  // Hostname set in the UTS namespace.
  const std::string& hostname() const {
    return hostname_;
  }

  // Whether mount propagation is left enabled during setup.
  bool allow_mount_propagation() const {
    return allow_mount_propagation_;
  }

 private:
  // Default isolation: a fresh user, mount, UTS, PID, IPC and network
  // namespace. Nothing in this header narrows it; only the out-of-line
  // constructor can.
  int32_t clone_flags_ = CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWUTS |
                         CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWNET;
  Mounts mounts_;
  std::string hostname_;
  bool allow_mount_propagation_ = false;
};
64 
65 }  // namespace sandbox2
66 
67 #endif  // SANDBOXED_API_SANDBOX2_NAMESPACE_H_