1 // Copyright (c) 2012 The Chromium OS Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "brillo/minijail/minijail.h" 6 7 #include <sys/types.h> 8 #include <sys/wait.h> 9 10 using std::vector; 11 12 namespace brillo { 13 14 static base::LazyInstance<Minijail> g_minijail = LAZY_INSTANCE_INITIALIZER; 15 16 Minijail::Minijail() {} 17 18 Minijail::~Minijail() {} 19 20 // static 21 Minijail* Minijail::GetInstance() { 22 return g_minijail.Pointer(); 23 } 24 25 struct minijail* Minijail::New() { 26 return minijail_new(); 27 } 28 29 void Minijail::Destroy(struct minijail* jail) { 30 minijail_destroy(jail); 31 } 32 33 void Minijail::DropRoot(struct minijail* jail, uid_t uid, gid_t gid) { 34 minijail_change_uid(jail, uid); 35 minijail_change_gid(jail, gid); 36 } 37 38 bool Minijail::DropRoot(struct minijail* jail, 39 const char* user, 40 const char* group) { 41 // |user| and |group| are copied so the only reason either of these 42 // calls can fail is ENOMEM. 43 return !minijail_change_user(jail, user) && 44 !minijail_change_group(jail, group); 45 } 46 47 void Minijail::EnterNewPidNamespace(struct minijail* jail) { 48 minijail_namespace_pids(jail); 49 } 50 51 void Minijail::MountTmp(struct minijail* jail) { 52 minijail_mount_tmp(jail); 53 } 54 55 void Minijail::UseSeccompFilter(struct minijail* jail, const char* path) { 56 minijail_no_new_privs(jail); 57 minijail_use_seccomp_filter(jail); 58 minijail_parse_seccomp_filters(jail, path); 59 } 60 61 void Minijail::UseCapabilities(struct minijail* jail, uint64_t capmask) { 62 minijail_use_caps(jail, capmask); 63 } 64 65 void Minijail::ResetSignalMask(struct minijail* jail) { 66 minijail_reset_signal_mask(jail); 67 } 68 69 void Minijail::Enter(struct minijail* jail) { 70 minijail_enter(jail); 71 } 72 73 bool Minijail::Run(struct minijail* jail, vector<char*> args, pid_t* pid) { 74 return minijail_run_pid(jail, args[0], args.data(), pid) == 0; 75 } 76 77 bool Minijail::RunSync(struct minijail* jail, vector<char*> args, int* status) { 78 pid_t pid; 79 if (Run(jail, args, &pid) && waitpid(pid, status, 0) == pid) { 80 return true; 81 } 82 83 return false; 84 } 85 86 bool Minijail::RunPipe(struct minijail* jail, 87 vector<char*> args, 88 pid_t* pid, 89 int* stdin) { 90 #if defined(__ANDROID__) 91 return minijail_run_pid_pipes_no_preload(jail, args[0], args.data(), pid, 92 stdin, NULL, NULL) == 0; 93 #else 94 return minijail_run_pid_pipes(jail, args[0], args.data(), pid, stdin, NULL, 95 NULL) == 0; 96 #endif // __ANDROID__ 97 } 98 99 bool Minijail::RunPipes(struct minijail* jail, 100 vector<char*> args, 101 pid_t* pid, 102 int* stdin, 103 int* stdout, 104 int* stderr) { 105 #if defined(__ANDROID__) 106 return minijail_run_pid_pipes_no_preload(jail, args[0], args.data(), pid, 107 stdin, stdout, stderr) == 0; 108 #else 109 return minijail_run_pid_pipes(jail, args[0], args.data(), pid, stdin, stdout, 110 stderr) == 0; 111 #endif // __ANDROID__ 112 } 113 114 bool Minijail::RunAndDestroy(struct minijail* jail, 115 vector<char*> args, 116 pid_t* pid) { 117 bool res = Run(jail, args, pid); 118 Destroy(jail); 119 return res; 120 } 121 122 bool Minijail::RunSyncAndDestroy(struct minijail* jail, 123 vector<char*> args, 124 int* status) { 125 bool res = RunSync(jail, args, status); 126 Destroy(jail); 127 return res; 128 } 129 130 bool Minijail::RunPipeAndDestroy(struct minijail* jail, 131 vector<char*> args, 132 pid_t* pid, 133 int* stdin) { 134 bool res = RunPipe(jail, args, pid, stdin); 135 Destroy(jail); 136 return res; 137 } 138 139 bool Minijail::RunPipesAndDestroy(struct minijail* jail, 140 vector<char*> args, 141 pid_t* pid, 142 int* stdin, 143 int* stdout, 144 int* stderr) { 145 bool res = RunPipes(jail, args, pid, stdin, stdout, stderr); 146 Destroy(jail); 147 return res; 148 } 149 150 } // namespace brillo 151
