      1 // Copyright 2015, The Android Open Source Project
      2 //
      3 // Licensed under the Apache License, Version 2.0 (the "License");
      4 // you may not use this file except in compliance with the License.
      5 // You may obtain a copy of the License at
      6 //
      7 //     http://www.apache.org/licenses/LICENSE-2.0
      8 //
      9 // Unless required by applicable law or agreed to in writing, software
     10 // distributed under the License is distributed on an "AS IS" BASIS,
     11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     12 // See the License for the specific language governing permissions and
     13 // limitations under the License.
     14 
     15 #include <fcntl.h>
     16 #include <sys/stat.h>
     17 #include <sys/types.h>
     18 #include <unistd.h>
     19 
     20 #include <android-base/file.h>
     21 #include <android-base/logging.h>
     22 #include <android-base/unique_fd.h>
     23 
     24 #include <libminijail.h>
     25 #include <scoped_minijail.h>
     26 
     27 #include "minijail.h"
     28 
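namespace android {

// Writes the combined seccomp policy into a pipe and returns its read end.
//
// |base_policy_content| is written first; when |additional_policy_content| is
// non-empty it follows, separated by a single newline. The write end is closed
// before returning, so whoever reads the returned fd sees EOF right after the
// policy text.
//
// Returns the read end of the pipe, which the caller owns, or -1 after logging
// if pipe() or the write failed. Both pipe ends are closed on every failure
// path, so a failed call leaks no descriptors.
//
// NOTE(review): the entire policy is written before anyone reads the pipe, so
// the content has to fit in the kernel pipe buffer or write() blocks with no
// reader to drain it. Seccomp policies are small; confirm that assumption
// before reusing this for larger payloads.
int WritePolicyToPipe(const std::string& base_policy_content,
                      const std::string& additional_policy_content)
{
    int pipefd[2];
    if (pipe(pipefd) == -1) {
        PLOG(ERROR) << "pipe() failed";
        return -1;
    }

    // Own both ends immediately: if the write below fails, the read end must
    // be closed too, not left dangling. It is handed to the caller only on
    // success.
    base::unique_fd read_end(pipefd[0]);
    base::unique_fd write_end(pipefd[1]);

    std::string content = base_policy_content;
    if (!additional_policy_content.empty()) {
        content += "\n";
        content += additional_policy_content;
    }

    if (!base::WriteStringToFd(content, write_end.get())) {
        LOG(ERROR) << "Could not write policy to fd";
        return -1;
    }

    // Transfer ownership of the read end to the caller.
    return read_end.release();
}

// Installs a seccomp filter for the calling process built from
// |base_policy_path| plus, optionally, |additional_policy_path|.
//
// A missing base policy is not an error: it means no policy is defined for
// this architecture, and the function returns after logging a warning. An
// unreadable base policy, a failure to stage the policy in a pipe, or a failure
// to create the jail is fatal (LOG(FATAL) aborts, so control never continues
// past those checks). An unreadable additional policy is tolerated: it is
// logged and the base policy is used alone.
//
// Symlinks are not followed when reading either policy file, so a symlink
// planted at the policy path cannot redirect the read elsewhere.
void SetUpMinijail(const std::string& base_policy_path, const std::string& additional_policy_path)
{
    // No seccomp policy defined for this architecture.
    if (access(base_policy_path.c_str(), R_OK) == -1) {
        LOG(WARNING) << "No seccomp policy defined for this architecture.";
        return;
    }

    std::string base_policy_content;
    std::string additional_policy_content;
    if (!base::ReadFileToString(base_policy_path, &base_policy_content,
                                false /* follow_symlinks */)) {
        LOG(FATAL) << "Could not read base policy file '" << base_policy_path << "'";
    }

    if (additional_policy_path.length() > 0 &&
        !base::ReadFileToString(additional_policy_path, &additional_policy_content,
                                false /* follow_symlinks */)) {
        LOG(WARNING) << "Could not read additional policy file '" << additional_policy_path << "'";
        // A failed read may have left partial content behind; fall back to the
        // base policy only.
        additional_policy_content = std::string();
    }

    // |policy_fd| owns the read end of the pipe holding the combined policy.
    base::unique_fd policy_fd(WritePolicyToPipe(base_policy_content, additional_policy_content));
    if (policy_fd.get() == -1) {
        LOG(FATAL) << "Could not write seccomp policy to fd";
    }

    ScopedMinijail jail{minijail_new()};
    if (!jail) {
        LOG(FATAL) << "Failed to create minijail.";
    }

    // no_new_privs is what lets an unprivileged process install a seccomp
    // filter, and it also keeps the filter from being shed across exec.
    minijail_no_new_privs(jail.get());
    // Log filter violations rather than failing silently, so a policy gap is
    // visible in the logs.
    minijail_log_seccomp_filter_failures(jail.get());
    minijail_use_seccomp_filter(jail.get());
    // Transfer ownership of |policy_fd|.
    minijail_parse_seccomp_filters_from_fd(jail.get(), policy_fd.release());
    // Applies the configured restrictions to the calling process.
    minijail_enter(jail.get());
}
}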