Home | History | Annotate | Download | only in minijail 
      1 /* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
      2  * Use of this source code is governed by a BSD-style license that can be
      3  * found in the LICENSE file.
      4  */
      5 
      6 /*
      7  * The general pattern of use here:
      8  * 1) Construct a minijail with minijail_new()
      9  * 2) Apply the desired restrictions to it
     10  * 3) Enter it, which locks the current process inside it, or:
     11  * 3) Run a process inside it
     12  * 4) Destroy it.
     13  */
     14 
     15 #ifndef _LIBMINIJAIL_H_
     16 #define _LIBMINIJAIL_H_
     17 
     18 #include <stdint.h>
     19 #include <sys/types.h>
     20 
     21 #ifdef __cplusplus
     22 extern "C" {
     23 #endif
     24 
     25 enum {
     26 	MINIJAIL_ERR_PRELOAD = 252,
     27 	MINIJAIL_ERR_JAIL = 253,
     28 	MINIJAIL_ERR_INIT = 254,
     29 };
     30 
     31 struct minijail;
     32 
     33 /* Allocates a new minijail with no restrictions. */
     34 struct minijail *minijail_new(void);
     35 
     36 /*
     37  * These functions add restrictions to the minijail. They are not applied until
     38  * minijail_enter() is called. See the documentation in minijail0.1 for
     39  * explanations in detail of what the restrictions do.
     40  */
     41 void minijail_change_uid(struct minijail *j, uid_t uid);
     42 void minijail_change_gid(struct minijail *j, gid_t gid);
     43 /* Copies |list|. */
     44 void minijail_set_supplementary_gids(struct minijail *j, size_t size,
     45 				     const gid_t *list);
     46 void minijail_keep_supplementary_gids(struct minijail *j);
     47 /* Stores user to change to and copies |user| for internal consistency. */
     48 int minijail_change_user(struct minijail *j, const char *user);
     49 /* Does not take ownership of |group|. */
     50 int minijail_change_group(struct minijail *j, const char *group);
     51 void minijail_use_seccomp(struct minijail *j);
     52 void minijail_no_new_privs(struct minijail *j);
     53 void minijail_use_seccomp_filter(struct minijail *j);
     54 void minijail_set_seccomp_filter_tsync(struct minijail *j);
     55 void minijail_parse_seccomp_filters(struct minijail *j, const char *path);
     56 void minijail_parse_seccomp_filters_from_fd(struct minijail *j, int fd);
     57 void minijail_log_seccomp_filter_failures(struct minijail *j);
     58 /* 'minijail_use_caps' and 'minijail_capbset_drop' are mutually exclusive. */
     59 void minijail_use_caps(struct minijail *j, uint64_t capmask);
     60 void minijail_capbset_drop(struct minijail *j, uint64_t capmask);
     61 void minijail_reset_signal_mask(struct minijail *j);
     62 void minijail_namespace_vfs(struct minijail *j);
     63 void minijail_namespace_enter_vfs(struct minijail *j, const char *ns_path);
     64 void minijail_new_session_keyring(struct minijail *j);
     65 
     66 /*
     67  * This option is *dangerous* as it negates most of the functionality of
     68  * minijail_namespace_vfs(). You very likely don't need this.
     69  */
     70 void minijail_skip_remount_private(struct minijail *j);
     71 void minijail_namespace_ipc(struct minijail *j);
     72 void minijail_namespace_net(struct minijail *j);
     73 void minijail_namespace_enter_net(struct minijail *j, const char *ns_path);
     74 void minijail_namespace_cgroups(struct minijail *j);
     75 /* Closes all open file descriptors after forking. */
     76 void minijail_close_open_fds(struct minijail *j);
     77 /*
     78  * Implies namespace_vfs and remount_proc_readonly.
     79  * WARNING: this is NOT THREAD SAFE. See the block comment in </libminijail.c>.
     80  */
     81 void minijail_namespace_pids(struct minijail *j);
     82 void minijail_namespace_user(struct minijail *j);
     83 void minijail_namespace_user_disable_setgroups(struct minijail *j);
     84 int minijail_uidmap(struct minijail *j, const char *uidmap);
     85 int minijail_gidmap(struct minijail *j, const char *gidmap);
     86 void minijail_remount_proc_readonly(struct minijail *j);
     87 void minijail_run_as_init(struct minijail *j);
     88 int minijail_write_pid_file(struct minijail *j, const char *path);
     89 void minijail_inherit_usergroups(struct minijail *j);
     90 /*
     91  * Changes the jailed process's syscall table to the alt_syscall table
     92  * named |table|.
     93  */
     94 int minijail_use_alt_syscall(struct minijail *j, const char *table);
     95 
     96 /*
     97  * Adds the jailed process to the cgroup given by |path|.  |path| should be the
     98  * full path to the cgroups "tasks" file.
     99  * Example: /sys/fs/cgroup/cpu/jailed_procs/tasks adds to the "jailed_procs" cpu
    100  * cgroup.
    101  */
    102 int minijail_add_to_cgroup(struct minijail *j, const char *path);
    103 
    104 /*
    105  * minijail_enter_chroot: enables chroot() restriction for @j
    106  * @j   minijail to apply restriction to
    107  * @dir directory to chroot() to. Owned by caller.
    108  *
    109  * Enters @dir, binding all bind mounts specified with minijail_bind() into
    110  * place. Requires @dir to contain all necessary directories for bind mounts
    111  * (i.e., if you have requested a bind mount at /etc, /etc must exist in @dir.)
    112  *
    113  * Returns 0 on success.
    114  */
    115 int minijail_enter_chroot(struct minijail *j, const char *dir);
    116 int minijail_enter_pivot_root(struct minijail *j, const char *dir);
    117 
    118 /*
    119  * minijail_get_original_path: returns the path of a given file outside of the
    120  * chroot.
    121  * @j           minijail to obtain the path from.
    122  * @chroot_path path inside of the chroot() to.
    123  *
    124  * When executing a binary in a chroot or pivot_root, return path to the binary
    125  * outside of the chroot.
    126  *
    127  * Returns a string containing the path.  This must be freed by the caller.
    128  */
    129 char *minijail_get_original_path(struct minijail *j, const char *chroot_path);
    130 
    131 /*
    132  * minijail_mount_tmp: enables mounting of a 64M tmpfs filesystem on /tmp.
    133  * As be rules of bind mounts, /tmp must exist in chroot.
    134  */
    135 void minijail_mount_tmp(struct minijail *j);
    136 
    137 /*
    138  * minijail_mount_tmp_size: enables mounting of a tmpfs filesystem on /tmp.
    139  * As be rules of bind mounts, /tmp must exist in chroot.  Size is in bytes.
    140  */
    141 void minijail_mount_tmp_size(struct minijail *j, size_t size);
    142 
    143 /*
    144  * minijail_mount_with_data: when entering minijail @j,
    145  *   mounts @src at @dst with @flags and @data.
    146  * @j         minijail to bind inside
    147  * @src       source to bind
    148  * @dest      location to bind (inside chroot)
    149  * @type      type of filesystem
    150  * @flags     flags passed to mount
    151  * @data      data arguments passed to mount(2), e.g. "mode=755"
    152  *
    153  * This may be called multiple times; all mounts will be applied in the order
    154  * of minijail_mount() calls.
    155  */
    156 int minijail_mount_with_data(struct minijail *j, const char *src,
    157 			     const char *dest, const char *type,
    158 			     unsigned long flags, const char *data);
    159 
    160 /*
    161  * minijail_mount: when entering minijail @j, mounts @src at @dst with @flags
    162  * @j         minijail to bind inside
    163  * @src       source to bind
    164  * @dest      location to bind (inside chroot)
    165  * @type      type of filesystem
    166  * @flags     flags passed to mount
    167  *
    168  * This may be called multiple times; all mounts will be applied in the order
    169  * of minijail_mount() calls.
    170  */
    171 int minijail_mount(struct minijail *j, const char *src, const char *dest,
    172 		   const char *type, unsigned long flags);
    173 
    174 /*
    175  * minijail_bind: bind-mounts @src into @j as @dest, optionally writeable
    176  * @j         minijail to bind inside
    177  * @src       source to bind
    178  * @dest      location to bind (inside chroot)
    179  * @writeable 1 if the bind mount should be writeable
    180  *
    181  * This may be called multiple times; all bindings will be applied in the order
    182  * of minijail_bind() calls.
    183  */
    184 int minijail_bind(struct minijail *j, const char *src, const char *dest,
    185 		  int writeable);
    186 
    187 /*
    188  * Lock this process into the given minijail. Note that this procedure cannot
    189  * fail, since there is no way to undo privilege-dropping; therefore, if any
    190  * part of the privilege-drop fails, minijail_enter() will abort the entire
    191  * process.
    192  *
    193  * Some restrictions cannot be enabled this way (pid namespaces) and attempting
    194  * to do so will cause an abort.
    195  */
    196 void minijail_enter(const struct minijail *j);
    197 
    198 /*
    199  * Run the specified command in the given minijail, execve(2)-style. This is
    200  * required if minijail_namespace_pids() was used.
    201  */
    202 int minijail_run(struct minijail *j, const char *filename,
    203 		 char *const argv[]);
    204 
    205 /*
    206  * Run the specified command in the given minijail, execve(2)-style.
    207  * Used with static binaries, or on systems without support for LD_PRELOAD.
    208  */
    209 int minijail_run_no_preload(struct minijail *j, const char *filename,
    210 			    char *const argv[]);
    211 
    212 /*
    213  * Run the specified command in the given minijail, execve(2)-style.
    214  * Update |*pchild_pid| with the pid of the child.
    215  */
    216 int minijail_run_pid(struct minijail *j, const char *filename,
    217 		     char *const argv[], pid_t *pchild_pid);
    218 
    219 /*
    220  * Run the specified command in the given minijail, execve(2)-style.
    221  * Update |*pstdin_fd| with a fd that allows writing to the child's
    222  * standard input.
    223  */
    224 int minijail_run_pipe(struct minijail *j, const char *filename,
    225 		      char *const argv[], int *pstdin_fd);
    226 
    227 /*
    228  * Run the specified command in the given minijail, execve(2)-style.
    229  * Update |*pchild_pid| with the pid of the child.
    230  * Update |*pstdin_fd| with a fd that allows writing to the child's
    231  * standard input.
    232  * Update |*pstdout_fd| with a fd that allows reading from the child's
    233  * standard output.
    234  * Update |*pstderr_fd| with a fd that allows reading from the child's
    235  * standard error.
    236  */
    237 int minijail_run_pid_pipes(struct minijail *j, const char *filename,
    238 			   char *const argv[], pid_t *pchild_pid,
    239 			   int *pstdin_fd, int *pstdout_fd, int *pstderr_fd);
    240 
    241 /*
    242  * Run the specified command in the given minijail, execve(2)-style.
    243  * Update |*pchild_pid| with the pid of the child.
    244  * Update |*pstdin_fd| with a fd that allows writing to the child's
    245  * standard input.
    246  * Update |*pstdout_fd| with a fd that allows reading from the child's
    247  * standard output.
    248  * Update |*pstderr_fd| with a fd that allows reading from the child's
    249  * standard error.
    250  * Used with static binaries, or on systems without support for LD_PRELOAD.
    251  */
    252 int minijail_run_pid_pipes_no_preload(struct minijail *j, const char *filename,
    253 				      char *const argv[], pid_t *pchild_pid,
    254 				      int *pstdin_fd, int *pstdout_fd,
    255 				      int *pstderr_fd);
    256 
    257 /*
    258  * Kill the specified minijail. The minijail must have been created with pid
    259  * namespacing; if it was, all processes inside it are atomically killed.
    260  */
    261 int minijail_kill(struct minijail *j);
    262 
    263 /*
    264  * Wait for all processes in the specified minijail to exit. Returns the exit
    265  * status of the _first_ process spawned in the jail.
    266  */
    267 int minijail_wait(struct minijail *j);
    268 
    269 /*
    270  * Frees the given minijail. It does not matter if the process is inside the
    271  * minijail or not.
    272  */
    273 void minijail_destroy(struct minijail *j);
    274 
    275 #ifdef __cplusplus
    276 }; /* extern "C" */
    277 #endif
    278 
    279 #endif /* !_LIBMINIJAIL_H_ */
    280