1*8222fbe1SAndroid Build Coastguard Worker //
2*8222fbe1SAndroid Build Coastguard Worker // Copyright (C) 2017 The Android Open Source Project
3*8222fbe1SAndroid Build Coastguard Worker //
4*8222fbe1SAndroid Build Coastguard Worker // Licensed under the Apache License, Version 2.0 (the "License");
5*8222fbe1SAndroid Build Coastguard Worker // you may not use this file except in compliance with the License.
6*8222fbe1SAndroid Build Coastguard Worker // You may obtain a copy of the License at
7*8222fbe1SAndroid Build Coastguard Worker //
8*8222fbe1SAndroid Build Coastguard Worker //      http://www.apache.org/licenses/LICENSE-2.0
9*8222fbe1SAndroid Build Coastguard Worker //
10*8222fbe1SAndroid Build Coastguard Worker // Unless required by applicable law or agreed to in writing, software
11*8222fbe1SAndroid Build Coastguard Worker // distributed under the License is distributed on an "AS IS" BASIS,
12*8222fbe1SAndroid Build Coastguard Worker // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13*8222fbe1SAndroid Build Coastguard Worker // See the License for the specific language governing permissions and
14*8222fbe1SAndroid Build Coastguard Worker // limitations under the License.
15*8222fbe1SAndroid Build Coastguard Worker //
16*8222fbe1SAndroid Build Coastguard Worker 
17*8222fbe1SAndroid Build Coastguard Worker #include <android-base/logging.h>
18*8222fbe1SAndroid Build Coastguard Worker #include <libminijail.h>
19*8222fbe1SAndroid Build Coastguard Worker 
20*8222fbe1SAndroid Build Coastguard Worker #include <hwminijail/HardwareMinijail.h>
21*8222fbe1SAndroid Build Coastguard Worker 
namespace android {
namespace hardware {

// Applies the seccomp policy stored at |seccomp_policy_path| to the calling
// process through libminijail.
//
// Sequence: probe the policy file for readability, create a minijail, set
// no_new_privs, request logging of seccomp filter failures, enable the seccomp
// filter, parse the policy file, enter the jail, then release the handle.
//
// Security notes for reviewers:
//  - Fail-open: when the policy file is not readable, only a WARNING is logged
//    and the function returns without installing any filter. The return type
//    is void, so a caller cannot tell from this call whether it is sandboxed.
//  - The access() probe and the later parse are two separate lookups of the
//    same path; the probe is a presence check, not a guarantee about the file
//    that is eventually parsed.
//  - No status from the minijail_* calls is inspected here.
//    NOTE(review): presumably libminijail aborts the process itself when the
//    policy cannot be parsed or the jail cannot be entered - confirm.
//  - NOTE(review): access() and R_OK are declared in <unistd.h>, which this
//    file does not include directly.
void SetupMinijail(const std::string& seccomp_policy_path) {
    const char* const policy_file = seccomp_policy_path.c_str();

    // Missing or unreadable policy: warn and leave the process unfiltered.
    if (access(policy_file, R_OK) == -1) {
        LOG(WARNING) << "Could not find seccomp policy file at: " << seccomp_policy_path;
        return;
    }

    struct minijail* const j = minijail_new();
    if (!j) {
        LOG(FATAL) << "Failed to create minijail.";
    }

    // Configure the jail; nothing takes effect until minijail_enter().
    minijail_no_new_privs(j);
    minijail_log_seccomp_filter_failures(j);
    minijail_use_seccomp_filter(j);
    minijail_parse_seccomp_filters(j, policy_file);

    // Apply the configuration to this process, then free the handle.
    minijail_enter(j);
    minijail_destroy(j);
}

}  // namespace hardware
}  // namespace android