1 // Copyright (c) 2012 The Chromium OS Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "brillo/minijail/minijail.h" 6 7 #include <sys/types.h> 8 #include <sys/wait.h> 9 10 using std::vector; 11 12 namespace brillo { 13 14 Minijail::Minijail() {} 15 16 Minijail::~Minijail() {} 17 18 // static 19 Minijail* Minijail::GetInstance() { 20 static Minijail* minijail = new Minijail(); 21 return minijail; 22 } 23 24 struct minijail* Minijail::New() { 25 return minijail_new(); 26 } 27 28 void Minijail::Destroy(struct minijail* jail) { 29 minijail_destroy(jail); 30 } 31 32 void Minijail::DropRoot(struct minijail* jail, uid_t uid, gid_t gid) { 33 minijail_change_uid(jail, uid); 34 minijail_change_gid(jail, gid); 35 } 36 37 bool Minijail::DropRoot(struct minijail* jail, 38 const char* user, 39 const char* group) { 40 // |user| and |group| are copied so the only reason either of these 41 // calls can fail is ENOMEM. 42 return !minijail_change_user(jail, user) && 43 !minijail_change_group(jail, group); 44 } 45 46 void Minijail::EnterNewPidNamespace(struct minijail* jail) { 47 minijail_namespace_pids(jail); 48 } 49 50 void Minijail::MountTmp(struct minijail* jail) { 51 minijail_mount_tmp(jail); 52 } 53 54 void Minijail::UseSeccompFilter(struct minijail* jail, const char* path) { 55 minijail_no_new_privs(jail); 56 minijail_use_seccomp_filter(jail); 57 minijail_parse_seccomp_filters(jail, path); 58 } 59 60 void Minijail::UseCapabilities(struct minijail* jail, uint64_t capmask) { 61 minijail_use_caps(jail, capmask); 62 } 63 64 void Minijail::ResetSignalMask(struct minijail* jail) { 65 minijail_reset_signal_mask(jail); 66 } 67 68 void Minijail::Enter(struct minijail* jail) { 69 minijail_enter(jail); 70 } 71 72 bool Minijail::Run(struct minijail* jail, vector<char*> args, pid_t* pid) { 73 return minijail_run_pid(jail, args[0], args.data(), pid) == 0; 74 } 75 76 bool Minijail::RunSync(struct minijail* jail, vector<char*> args, int* status) { 77 pid_t pid; 78 if (Run(jail, args, &pid) && waitpid(pid, status, 0) == pid) { 79 return true; 80 } 81 82 return false; 83 } 84 85 bool Minijail::RunPipe(struct minijail* jail, 86 vector<char*> args, 87 pid_t* pid, 88 int* stdin) { 89 #if defined(__ANDROID__) 90 return minijail_run_pid_pipes_no_preload(jail, args[0], args.data(), pid, 91 stdin, NULL, NULL) == 0; 92 #else 93 return minijail_run_pid_pipes(jail, args[0], args.data(), pid, stdin, NULL, 94 NULL) == 0; 95 #endif // __ANDROID__ 96 } 97 98 bool Minijail::RunPipes(struct minijail* jail, 99 vector<char*> args, 100 pid_t* pid, 101 int* stdin, 102 int* stdout, 103 int* stderr) { 104 #if defined(__ANDROID__) 105 return minijail_run_pid_pipes_no_preload(jail, args[0], args.data(), pid, 106 stdin, stdout, stderr) == 0; 107 #else 108 return minijail_run_pid_pipes(jail, args[0], args.data(), pid, stdin, stdout, 109 stderr) == 0; 110 #endif // __ANDROID__ 111 } 112 113 bool Minijail::RunAndDestroy(struct minijail* jail, 114 vector<char*> args, 115 pid_t* pid) { 116 bool res = Run(jail, args, pid); 117 Destroy(jail); 118 return res; 119 } 120 121 bool Minijail::RunSyncAndDestroy(struct minijail* jail, 122 vector<char*> args, 123 int* status) { 124 bool res = RunSync(jail, args, status); 125 Destroy(jail); 126 return res; 127 } 128 129 bool Minijail::RunPipeAndDestroy(struct minijail* jail, 130 vector<char*> args, 131 pid_t* pid, 132 int* stdin) { 133 bool res = RunPipe(jail, args, pid, stdin); 134 Destroy(jail); 135 return res; 136 } 137 138 bool Minijail::RunPipesAndDestroy(struct minijail* jail, 139 vector<char*> args, 140 pid_t* pid, 141 int* stdin, 142 int* stdout, 143 int* stderr) { 144 bool res = RunPipes(jail, args, pid, stdin, stdout, stderr); 145 Destroy(jail); 146 return res; 147 } 148 149 } // namespace brillo 150