1*ec779b8eSAndroid Build Coastguard Worker // Copyright 2015, The Android Open Source Project
2*ec779b8eSAndroid Build Coastguard Worker //
3*ec779b8eSAndroid Build Coastguard Worker // Licensed under the Apache License, Version 2.0 (the "License");
4*ec779b8eSAndroid Build Coastguard Worker // you may not use this file except in compliance with the License.
5*ec779b8eSAndroid Build Coastguard Worker // You may obtain a copy of the License at
6*ec779b8eSAndroid Build Coastguard Worker //
7*ec779b8eSAndroid Build Coastguard Worker //     http://www.apache.org/licenses/LICENSE-2.0
8*ec779b8eSAndroid Build Coastguard Worker //
9*ec779b8eSAndroid Build Coastguard Worker // Unless required by applicable law or agreed to in writing, software
10*ec779b8eSAndroid Build Coastguard Worker // distributed under the License is distributed on an "AS IS" BASIS,
11*ec779b8eSAndroid Build Coastguard Worker // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12*ec779b8eSAndroid Build Coastguard Worker // See the License for the specific language governing permissions and
13*ec779b8eSAndroid Build Coastguard Worker // limitations under the License.
14*ec779b8eSAndroid Build Coastguard Worker 
15*ec779b8eSAndroid Build Coastguard Worker #include <fcntl.h>
16*ec779b8eSAndroid Build Coastguard Worker #include <sys/stat.h>
17*ec779b8eSAndroid Build Coastguard Worker #include <sys/types.h>
18*ec779b8eSAndroid Build Coastguard Worker #include <unistd.h>
19*ec779b8eSAndroid Build Coastguard Worker 
20*ec779b8eSAndroid Build Coastguard Worker #include <android-base/file.h>
21*ec779b8eSAndroid Build Coastguard Worker #include <android-base/logging.h>
22*ec779b8eSAndroid Build Coastguard Worker #include <android-base/unique_fd.h>
23*ec779b8eSAndroid Build Coastguard Worker 
24*ec779b8eSAndroid Build Coastguard Worker #include <libminijail.h>
25*ec779b8eSAndroid Build Coastguard Worker #include <scoped_minijail.h>
26*ec779b8eSAndroid Build Coastguard Worker 
27*ec779b8eSAndroid Build Coastguard Worker #include "minijail.h"
28*ec779b8eSAndroid Build Coastguard Worker 
29*ec779b8eSAndroid Build Coastguard Worker namespace android {
30*ec779b8eSAndroid Build Coastguard Worker 
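// Concatenates the base seccomp policy with every non-empty additional policy
// (newline-separated) and writes the result into a freshly created pipe.
//
// Returns the read end of the pipe, which the caller then owns and must close
// or hand off, or -1 if the pipe could not be created or the write failed.
int WritePolicyToPipe(const std::string& base_policy_content,
                      const std::vector<std::string>& additional_policy_contents)
{
    int pipefd[2];
    if (pipe(pipefd) == -1) {
        PLOG(ERROR) << "pipe() failed";
        return -1;
    }

    // Own both ends so that every early return closes them. Without this the
    // read end leaked whenever the write below failed.
    base::unique_fd read_end(pipefd[0]);
    base::unique_fd write_end(pipefd[1]);

    std::string content = base_policy_content;
    // Iterate by reference: each element may be a whole policy file.
    for (const auto& one_content : additional_policy_contents) {
        if (!one_content.empty()) {
            content += "\n";
            content += one_content;
        }
    }

    // NOTE(review): the whole policy is written before anything reads from the
    // pipe, so this relies on the combined policy fitting in the pipe buffer;
    // a larger policy would block here instead of returning an error.
    if (!base::WriteStringToFd(content, write_end.get())) {
        LOG(ERROR) << "Could not write policy to fd";
        return -1;
    }

    // write_end is closed on return, so the reader sees EOF after the policy.
    return read_end.release();
}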
57*ec779b8eSAndroid Build Coastguard Worker 
// Convenience wrapper for the common case of one base policy plus a single
// additional policy file; forwards to SetUpMinijailList with a one-element
// list. Failure handling is entirely that of SetUpMinijailList.
void SetUpMinijail(const std::string& base_policy_path,
                   const std::string& additional_policy_path)
{
    const std::vector<std::string> additional_policy_paths{additional_policy_path};
    SetUpMinijailList(base_policy_path, additional_policy_paths);
}
63*ec779b8eSAndroid Build Coastguard Worker 
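// Builds a seccomp policy from |base_policy_path| plus any readable files in
// |additional_policy_paths|, then enters a minijail that enforces it on the
// calling process.
//
// The base policy is mandatory: failing to read it, to stage the combined
// policy, or to create the jail is LOG(FATAL). An unreadable additional policy
// is only logged and skipped. Empty paths are ignored.
void SetUpMinijailList(const std::string& base_policy_path,
                   const std::vector<std::string>& additional_policy_paths)
{
    std::string base_policy_content;
    // follow_symlinks=false: a policy path that is a symlink is refused rather
    // than resolved, so the policy cannot be swapped out by planting a link.
    if (!base::ReadFileToString(base_policy_path, &base_policy_content,
                                false /* follow_symlinks */)) {
        LOG(FATAL) << "Could not read base policy file '" << base_policy_path << "'";
    }

    std::vector<std::string> additional_policy_contents;
    additional_policy_contents.reserve(additional_policy_paths.size());
    // Iterate by reference instead of copying every path.
    for (const auto& one_policy_path : additional_policy_paths) {
        if (one_policy_path.empty()) {
            continue;
        }
        // Read straight into the slot that will hold this policy.
        additional_policy_contents.emplace_back();
        if (!base::ReadFileToString(one_policy_path, &additional_policy_contents.back(),
                                    false /* follow_symlinks */)) {
            // TODO: harder failure (fatal unless ENOENT?)
            LOG(WARNING) << "Could not read additional policy file '" << one_policy_path << "'";
            // Drop whatever the failed read left in the buffer so that a
            // partially read file never becomes part of the filter.
            // NOTE(review): assuming the usual allowlist-style minijail policy,
            // skipping a file leaves the filter stricter, not looser - confirm
            // for the policies in use.
            additional_policy_contents.pop_back();
        }
    }

    base::unique_fd policy_fd(WritePolicyToPipe(base_policy_content, additional_policy_contents));
    if (policy_fd.get() == -1) {
        LOG(FATAL) << "Could not write seccomp policy to fd";
    }

    ScopedMinijail jail{minijail_new()};
    if (!jail) {
        LOG(FATAL) << "Failed to create minijail.";
    }

    // Request no_new_privs together with the filter so that a later exec
    // cannot regain privileges.
    minijail_no_new_privs(jail.get());
    // NOTE(review): by its name this reports the syscall that tripped the
    // filter; confirm that is wanted in production builds.
    minijail_log_seccomp_filter_failures(jail.get());
    minijail_use_seccomp_filter(jail.get());
    // Transfer ownership of |policy_fd|.
    minijail_parse_seccomp_filters_from_fd(jail.get(), policy_fd.release());
    // From here on the calling process runs under the parsed filter.
    minijail_enter(jail.get());
}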
102*ec779b8eSAndroid Build Coastguard Worker }