Home | History | Annotate | Download | only in minijail
      1 // Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "brillo/minijail/minijail.h"
      6 
      7 #include <sys/types.h>
      8 #include <sys/wait.h>
      9 
     10 using std::vector;
     11 
     12 namespace brillo {
     13 
     14 static base::LazyInstance<Minijail> g_minijail = LAZY_INSTANCE_INITIALIZER;
     15 
     16 Minijail::Minijail() {}
     17 
     18 Minijail::~Minijail() {}
     19 
     20 // static
     21 Minijail* Minijail::GetInstance() {
     22   return g_minijail.Pointer();
     23 }
     24 
     25 struct minijail* Minijail::New() {
     26   return minijail_new();
     27 }
     28 
     29 void Minijail::Destroy(struct minijail* jail) {
     30   minijail_destroy(jail);
     31 }
     32 
     33 void Minijail::DropRoot(struct minijail* jail, uid_t uid, gid_t gid) {
     34   minijail_change_uid(jail, uid);
     35   minijail_change_gid(jail, gid);
     36 }
     37 
     38 bool Minijail::DropRoot(struct minijail* jail,
     39                         const char* user,
     40                         const char* group) {
     41   // |user| and |group| are copied so the only reason either of these
     42   // calls can fail is ENOMEM.
     43   return !minijail_change_user(jail, user) &&
     44          !minijail_change_group(jail, group);
     45 }
     46 
     47 void Minijail::EnterNewPidNamespace(struct minijail* jail) {
     48   minijail_namespace_pids(jail);
     49 }
     50 
     51 void Minijail::MountTmp(struct minijail* jail) {
     52   minijail_mount_tmp(jail);
     53 }
     54 
     55 void Minijail::UseSeccompFilter(struct minijail* jail, const char* path) {
     56   minijail_no_new_privs(jail);
     57   minijail_use_seccomp_filter(jail);
     58   minijail_parse_seccomp_filters(jail, path);
     59 }
     60 
     61 void Minijail::UseCapabilities(struct minijail* jail, uint64_t capmask) {
     62   minijail_use_caps(jail, capmask);
     63 }
     64 
     65 void Minijail::ResetSignalMask(struct minijail* jail) {
     66   minijail_reset_signal_mask(jail);
     67 }
     68 
     69 void Minijail::Enter(struct minijail* jail) {
     70   minijail_enter(jail);
     71 }
     72 
     73 bool Minijail::Run(struct minijail* jail, vector<char*> args, pid_t* pid) {
     74   return minijail_run_pid(jail, args[0], args.data(), pid) == 0;
     75 }
     76 
     77 bool Minijail::RunSync(struct minijail* jail, vector<char*> args, int* status) {
     78   pid_t pid;
     79   if (Run(jail, args, &pid) && waitpid(pid, status, 0) == pid) {
     80     return true;
     81   }
     82 
     83   return false;
     84 }
     85 
     86 bool Minijail::RunPipe(struct minijail* jail,
     87                        vector<char*> args,
     88                        pid_t* pid,
     89                        int* stdin) {
     90 #if defined(__ANDROID__)
     91   return minijail_run_pid_pipes_no_preload(jail, args[0], args.data(), pid,
     92                                            stdin, NULL, NULL) == 0;
     93 #else
     94   return minijail_run_pid_pipes(jail, args[0], args.data(), pid, stdin, NULL,
     95                                 NULL) == 0;
     96 #endif  // __ANDROID__
     97 }
     98 
     99 bool Minijail::RunPipes(struct minijail* jail,
    100                         vector<char*> args,
    101                         pid_t* pid,
    102                         int* stdin,
    103                         int* stdout,
    104                         int* stderr) {
    105 #if defined(__ANDROID__)
    106   return minijail_run_pid_pipes_no_preload(jail, args[0], args.data(), pid,
    107                                            stdin, stdout, stderr) == 0;
    108 #else
    109   return minijail_run_pid_pipes(jail, args[0], args.data(), pid, stdin, stdout,
    110                                 stderr) == 0;
    111 #endif  // __ANDROID__
    112 }
    113 
    114 bool Minijail::RunAndDestroy(struct minijail* jail,
    115                              vector<char*> args,
    116                              pid_t* pid) {
    117   bool res = Run(jail, args, pid);
    118   Destroy(jail);
    119   return res;
    120 }
    121 
    122 bool Minijail::RunSyncAndDestroy(struct minijail* jail,
    123                                  vector<char*> args,
    124                                  int* status) {
    125   bool res = RunSync(jail, args, status);
    126   Destroy(jail);
    127   return res;
    128 }
    129 
    130 bool Minijail::RunPipeAndDestroy(struct minijail* jail,
    131                                  vector<char*> args,
    132                                  pid_t* pid,
    133                                  int* stdin) {
    134   bool res = RunPipe(jail, args, pid, stdin);
    135   Destroy(jail);
    136   return res;
    137 }
    138 
    139 bool Minijail::RunPipesAndDestroy(struct minijail* jail,
    140                                   vector<char*> args,
    141                                   pid_t* pid,
    142                                   int* stdin,
    143                                   int* stdout,
    144                                   int* stderr) {
    145   bool res = RunPipes(jail, args, pid, stdin, stdout, stderr);
    146   Destroy(jail);
    147   return res;
    148 }
    149 
    150 }  // namespace brillo
    151