Lines Matching refs:j
203 static void run_hooks_or_die(const struct minijail *j,
206 static void free_mounts_list(struct minijail *j) in free_mounts_list() argument
208 while (j->mounts_head) { in free_mounts_list()
209 struct mountpoint *m = j->mounts_head; in free_mounts_list()
210 j->mounts_head = j->mounts_head->next; in free_mounts_list()
218 j->mounts_tail = NULL; in free_mounts_list()
226 void minijail_preenter(struct minijail *j) in minijail_preenter() argument
228 j->flags.vfs = 0; in minijail_preenter()
229 j->flags.enter_vfs = 0; in minijail_preenter()
230 j->flags.ns_cgroups = 0; in minijail_preenter()
231 j->flags.net = 0; in minijail_preenter()
232 j->flags.uts = 0; in minijail_preenter()
233 j->flags.remount_proc_ro = 0; in minijail_preenter()
234 j->flags.pids = 0; in minijail_preenter()
235 j->flags.do_init = 0; in minijail_preenter()
236 j->flags.run_as_init = 0; in minijail_preenter()
237 j->flags.pid_file = 0; in minijail_preenter()
238 j->flags.cgroups = 0; in minijail_preenter()
239 j->flags.forward_signals = 0; in minijail_preenter()
240 j->remount_mode = 0; in minijail_preenter()
247 void minijail_preexec(struct minijail *j) in minijail_preexec() argument
249 int vfs = j->flags.vfs; in minijail_preexec()
250 int enter_vfs = j->flags.enter_vfs; in minijail_preexec()
251 int ns_cgroups = j->flags.ns_cgroups; in minijail_preexec()
252 int net = j->flags.net; in minijail_preexec()
253 int uts = j->flags.uts; in minijail_preexec()
254 int remount_proc_ro = j->flags.remount_proc_ro; in minijail_preexec()
255 int userns = j->flags.userns; in minijail_preexec()
256 if (j->user) in minijail_preexec()
257 free(j->user); in minijail_preexec()
258 j->user = NULL; in minijail_preexec()
259 if (j->suppl_gid_list) in minijail_preexec()
260 free(j->suppl_gid_list); in minijail_preexec()
261 j->suppl_gid_list = NULL; in minijail_preexec()
262 if (j->preload_path) in minijail_preexec()
263 free(j->preload_path); in minijail_preexec()
264 j->preload_path = NULL; in minijail_preexec()
265 free_mounts_list(j); in minijail_preexec()
266 memset(&j->flags, 0, sizeof(j->flags)); in minijail_preexec()
268 j->flags.vfs = vfs; in minijail_preexec()
269 j->flags.enter_vfs = enter_vfs; in minijail_preexec()
270 j->flags.ns_cgroups = ns_cgroups; in minijail_preexec()
271 j->flags.net = net; in minijail_preexec()
272 j->flags.uts = uts; in minijail_preexec()
273 j->flags.remount_proc_ro = remount_proc_ro; in minijail_preexec()
274 j->flags.userns = userns; in minijail_preexec()
282 struct minijail *j = calloc(1, sizeof(struct minijail)); in minijail_new() local
283 j->remount_mode = MS_PRIVATE; in minijail_new()
284 return j; in minijail_new()
287 void API minijail_change_uid(struct minijail *j, uid_t uid) in minijail_change_uid() argument
291 j->uid = uid; in minijail_change_uid()
292 j->flags.uid = 1; in minijail_change_uid()
295 void API minijail_change_gid(struct minijail *j, gid_t gid) in minijail_change_gid() argument
299 j->gid = gid; in minijail_change_gid()
300 j->flags.gid = 1; in minijail_change_gid()
303 void API minijail_set_supplementary_gids(struct minijail *j, size_t size, in minijail_set_supplementary_gids() argument
308 if (j->flags.inherit_suppl_gids) in minijail_set_supplementary_gids()
310 if (j->flags.keep_suppl_gids) in minijail_set_supplementary_gids()
315 j->suppl_gid_list = NULL; in minijail_set_supplementary_gids()
316 j->suppl_gid_count = 0; in minijail_set_supplementary_gids()
317 j->flags.set_suppl_gids = 1; in minijail_set_supplementary_gids()
322 j->suppl_gid_list = calloc(size, sizeof(gid_t)); in minijail_set_supplementary_gids()
323 if (!j->suppl_gid_list) { in minijail_set_supplementary_gids()
327 j->suppl_gid_list[i] = list[i]; in minijail_set_supplementary_gids()
329 j->suppl_gid_count = size; in minijail_set_supplementary_gids()
330 j->flags.set_suppl_gids = 1; in minijail_set_supplementary_gids()
333 void API minijail_keep_supplementary_gids(struct minijail *j) { in minijail_keep_supplementary_gids() argument
334 j->flags.keep_suppl_gids = 1; in minijail_keep_supplementary_gids()
337 int API minijail_change_user(struct minijail *j, const char *user) in minijail_change_user() argument
344 minijail_change_uid(j, uid); in minijail_change_user()
345 j->user = strdup(user); in minijail_change_user()
346 if (!j->user) in minijail_change_user()
348 j->usergid = gid; in minijail_change_user()
352 int API minijail_change_group(struct minijail *j, const char *group) in minijail_change_group() argument
358 minijail_change_gid(j, gid); in minijail_change_group()
362 void API minijail_use_seccomp(struct minijail *j) in minijail_use_seccomp() argument
364 j->flags.seccomp = 1; in minijail_use_seccomp()
367 void API minijail_no_new_privs(struct minijail *j) in minijail_no_new_privs() argument
369 j->flags.no_new_privs = 1; in minijail_no_new_privs()
372 void API minijail_use_seccomp_filter(struct minijail *j) in minijail_use_seccomp_filter() argument
374 j->flags.seccomp_filter = 1; in minijail_use_seccomp_filter()
377 void API minijail_set_seccomp_filter_tsync(struct minijail *j) in minijail_set_seccomp_filter_tsync() argument
379 if (j->filter_len > 0 && j->filter_prog != NULL) { in minijail_set_seccomp_filter_tsync()
383 j->flags.seccomp_filter_tsync = 1; in minijail_set_seccomp_filter_tsync()
386 void API minijail_log_seccomp_filter_failures(struct minijail *j) in minijail_log_seccomp_filter_failures() argument
388 if (j->filter_len > 0 && j->filter_prog != NULL) { in minijail_log_seccomp_filter_failures()
393 j->flags.seccomp_filter_logging = 1; in minijail_log_seccomp_filter_failures()
399 void API minijail_use_caps(struct minijail *j, uint64_t capmask) in minijail_use_caps() argument
409 if (j->flags.capbset_drop) { in minijail_use_caps()
411 j->cap_bset = 0; in minijail_use_caps()
412 j->flags.capbset_drop = 0; in minijail_use_caps()
414 j->caps = capmask; in minijail_use_caps()
415 j->flags.use_caps = 1; in minijail_use_caps()
418 void API minijail_capbset_drop(struct minijail *j, uint64_t capmask) in minijail_capbset_drop() argument
420 if (j->flags.use_caps) { in minijail_capbset_drop()
431 j->cap_bset = capmask; in minijail_capbset_drop()
432 j->flags.capbset_drop = 1; in minijail_capbset_drop()
435 void API minijail_set_ambient_caps(struct minijail *j) in minijail_set_ambient_caps() argument
437 j->flags.set_ambient_caps = 1; in minijail_set_ambient_caps()
440 void API minijail_reset_signal_mask(struct minijail *j) in minijail_reset_signal_mask() argument
442 j->flags.reset_signal_mask = 1; in minijail_reset_signal_mask()
445 void API minijail_reset_signal_handlers(struct minijail *j) in minijail_reset_signal_handlers() argument
447 j->flags.reset_signal_handlers = 1; in minijail_reset_signal_handlers()
450 void API minijail_namespace_vfs(struct minijail *j) in minijail_namespace_vfs() argument
452 j->flags.vfs = 1; in minijail_namespace_vfs()
455 void API minijail_namespace_enter_vfs(struct minijail *j, const char *ns_path) in minijail_namespace_enter_vfs() argument
462 j->mountns_fd = ns_fd; in minijail_namespace_enter_vfs()
463 j->flags.enter_vfs = 1; in minijail_namespace_enter_vfs()
466 void API minijail_new_session_keyring(struct minijail *j) in minijail_new_session_keyring() argument
468 j->flags.new_session_keyring = 1; in minijail_new_session_keyring()
471 void API minijail_skip_setting_securebits(struct minijail *j, in minijail_skip_setting_securebits() argument
474 j->securebits_skip_mask = securebits_skip_mask; in minijail_skip_setting_securebits()
477 void API minijail_remount_mode(struct minijail *j, unsigned long mode) in minijail_remount_mode() argument
479 j->remount_mode = mode; in minijail_remount_mode()
482 void API minijail_skip_remount_private(struct minijail *j) in minijail_skip_remount_private() argument
484 j->remount_mode = 0; in minijail_skip_remount_private()
487 void API minijail_namespace_pids(struct minijail *j) in minijail_namespace_pids() argument
489 j->flags.vfs = 1; in minijail_namespace_pids()
490 j->flags.remount_proc_ro = 1; in minijail_namespace_pids()
491 j->flags.pids = 1; in minijail_namespace_pids()
492 j->flags.do_init = 1; in minijail_namespace_pids()
495 void API minijail_namespace_pids_rw_proc(struct minijail *j) in minijail_namespace_pids_rw_proc() argument
497 j->flags.vfs = 1; in minijail_namespace_pids_rw_proc()
498 j->flags.pids = 1; in minijail_namespace_pids_rw_proc()
499 j->flags.do_init = 1; in minijail_namespace_pids_rw_proc()
502 void API minijail_namespace_ipc(struct minijail *j) in minijail_namespace_ipc() argument
504 j->flags.ipc = 1; in minijail_namespace_ipc()
507 void API minijail_namespace_uts(struct minijail *j) in minijail_namespace_uts() argument
509 j->flags.uts = 1; in minijail_namespace_uts()
512 int API minijail_namespace_set_hostname(struct minijail *j, const char *name) in minijail_namespace_set_hostname() argument
514 if (j->hostname) in minijail_namespace_set_hostname()
516 minijail_namespace_uts(j); in minijail_namespace_set_hostname()
517 j->hostname = strdup(name); in minijail_namespace_set_hostname()
518 if (!j->hostname) in minijail_namespace_set_hostname()
523 void API minijail_namespace_net(struct minijail *j) in minijail_namespace_net() argument
525 j->flags.net = 1; in minijail_namespace_net()
528 void API minijail_namespace_enter_net(struct minijail *j, const char *ns_path) in minijail_namespace_enter_net() argument
535 j->netns_fd = ns_fd; in minijail_namespace_enter_net()
536 j->flags.enter_net = 1; in minijail_namespace_enter_net()
539 void API minijail_namespace_cgroups(struct minijail *j) in minijail_namespace_cgroups() argument
541 j->flags.ns_cgroups = 1; in minijail_namespace_cgroups()
544 void API minijail_close_open_fds(struct minijail *j) in minijail_close_open_fds() argument
546 j->flags.close_open_fds = 1; in minijail_close_open_fds()
549 void API minijail_remount_proc_readonly(struct minijail *j) in minijail_remount_proc_readonly() argument
551 j->flags.vfs = 1; in minijail_remount_proc_readonly()
552 j->flags.remount_proc_ro = 1; in minijail_remount_proc_readonly()
555 void API minijail_namespace_user(struct minijail *j) in minijail_namespace_user() argument
557 j->flags.userns = 1; in minijail_namespace_user()
560 void API minijail_namespace_user_disable_setgroups(struct minijail *j) in minijail_namespace_user_disable_setgroups() argument
562 j->flags.disable_setgroups = 1; in minijail_namespace_user_disable_setgroups()
565 int API minijail_uidmap(struct minijail *j, const char *uidmap) in minijail_uidmap() argument
567 j->uidmap = strdup(uidmap); in minijail_uidmap()
568 if (!j->uidmap) in minijail_uidmap()
571 for (ch = j->uidmap; *ch; ch++) { in minijail_uidmap()
578 int API minijail_gidmap(struct minijail *j, const char *gidmap) in minijail_gidmap() argument
580 j->gidmap = strdup(gidmap); in minijail_gidmap()
581 if (!j->gidmap) in minijail_gidmap()
584 for (ch = j->gidmap; *ch; ch++) { in minijail_gidmap()
591 void API minijail_inherit_usergroups(struct minijail *j) in minijail_inherit_usergroups() argument
593 j->flags.inherit_suppl_gids = 1; in minijail_inherit_usergroups()
596 void API minijail_run_as_init(struct minijail *j) in minijail_run_as_init() argument
602 j->flags.run_as_init = 1; in minijail_run_as_init()
605 int API minijail_enter_chroot(struct minijail *j, const char *dir) in minijail_enter_chroot() argument
607 if (j->chrootdir) in minijail_enter_chroot()
609 j->chrootdir = strdup(dir); in minijail_enter_chroot()
610 if (!j->chrootdir) in minijail_enter_chroot()
612 j->flags.chroot = 1; in minijail_enter_chroot()
616 int API minijail_enter_pivot_root(struct minijail *j, const char *dir) in minijail_enter_pivot_root() argument
618 if (j->chrootdir) in minijail_enter_pivot_root()
620 j->chrootdir = strdup(dir); in minijail_enter_pivot_root()
621 if (!j->chrootdir) in minijail_enter_pivot_root()
623 j->flags.pivot_root = 1; in minijail_enter_pivot_root()
627 char API *minijail_get_original_path(struct minijail *j, in minijail_get_original_path() argument
632 b = j->mounts_head; in minijail_get_original_path()
662 if (j->chrootdir) in minijail_get_original_path()
663 return path_join(j->chrootdir, path_inside_chroot); in minijail_get_original_path()
669 size_t minijail_get_tmpfs_size(const struct minijail *j) in minijail_get_tmpfs_size() argument
671 return j->tmpfs_size; in minijail_get_tmpfs_size()
674 void API minijail_mount_dev(struct minijail *j) in minijail_mount_dev() argument
676 j->flags.mount_dev = 1; in minijail_mount_dev()
679 void API minijail_mount_tmp(struct minijail *j) in minijail_mount_tmp() argument
681 minijail_mount_tmp_size(j, 64 * 1024 * 1024); in minijail_mount_tmp()
684 void API minijail_mount_tmp_size(struct minijail *j, size_t size) in minijail_mount_tmp_size() argument
686 j->tmpfs_size = size; in minijail_mount_tmp_size()
687 j->flags.mount_tmp = 1; in minijail_mount_tmp_size()
690 int API minijail_write_pid_file(struct minijail *j, const char *path) in minijail_write_pid_file() argument
692 j->pid_file_path = strdup(path); in minijail_write_pid_file()
693 if (!j->pid_file_path) in minijail_write_pid_file()
695 j->flags.pid_file = 1; in minijail_write_pid_file()
699 int API minijail_add_to_cgroup(struct minijail *j, const char *path) in minijail_add_to_cgroup() argument
701 if (j->cgroup_count >= MAX_CGROUPS) in minijail_add_to_cgroup()
703 j->cgroups[j->cgroup_count] = strdup(path); in minijail_add_to_cgroup()
704 if (!j->cgroups[j->cgroup_count]) in minijail_add_to_cgroup()
706 j->cgroup_count++; in minijail_add_to_cgroup()
707 j->flags.cgroups = 1; in minijail_add_to_cgroup()
711 int API minijail_rlimit(struct minijail *j, int type, rlim_t cur, rlim_t max) in minijail_rlimit() argument
715 if (j->rlimit_count >= MAX_RLIMITS) in minijail_rlimit()
718 for (i = 0; i < j->rlimit_count; i++) { in minijail_rlimit()
719 if (j->rlimits[i].type == type) in minijail_rlimit()
723 j->rlimits[j->rlimit_count].type = type; in minijail_rlimit()
724 j->rlimits[j->rlimit_count].cur = cur; in minijail_rlimit()
725 j->rlimits[j->rlimit_count].max = max; in minijail_rlimit()
726 j->rlimit_count++; in minijail_rlimit()
730 int API minijail_forward_signals(struct minijail *j) in minijail_forward_signals() argument
732 j->flags.forward_signals = 1; in minijail_forward_signals()
736 int API minijail_mount_with_data(struct minijail *j, const char *src, in minijail_mount_with_data() argument
785 minijail_namespace_vfs(j); in minijail_mount_with_data()
787 if (j->mounts_tail) in minijail_mount_with_data()
788 j->mounts_tail->next = m; in minijail_mount_with_data()
790 j->mounts_head = m; in minijail_mount_with_data()
791 j->mounts_tail = m; in minijail_mount_with_data()
792 j->mounts_count++; in minijail_mount_with_data()
804 int API minijail_mount(struct minijail *j, const char *src, const char *dest, in minijail_mount() argument
807 return minijail_mount_with_data(j, src, dest, type, flags, NULL); in minijail_mount()
810 int API minijail_bind(struct minijail *j, const char *src, const char *dest, in minijail_bind() argument
818 return minijail_mount(j, src, dest, "", flags); in minijail_bind()
821 int API minijail_add_hook(struct minijail *j, minijail_hook_t hook, in minijail_add_hook() argument
838 if (j->hooks_tail) in minijail_add_hook()
839 j->hooks_tail->next = c; in minijail_add_hook()
841 j->hooks_head = c; in minijail_add_hook()
842 j->hooks_tail = c; in minijail_add_hook()
847 int API minijail_preserve_fd(struct minijail *j, int parent_fd, int child_fd) in minijail_preserve_fd() argument
851 if (j->preserved_fd_count >= MAX_PRESERVED_FDS) in minijail_preserve_fd()
853 j->preserved_fds[j->preserved_fd_count].parent_fd = parent_fd; in minijail_preserve_fd()
854 j->preserved_fds[j->preserved_fd_count].child_fd = child_fd; in minijail_preserve_fd()
855 j->preserved_fd_count++; in minijail_preserve_fd()
859 int API minijail_set_preload_path(struct minijail *j, const char *preload_path) in minijail_set_preload_path() argument
861 if (j->preload_path) in minijail_set_preload_path()
863 j->preload_path = strdup(preload_path); in minijail_set_preload_path()
864 if (!j->preload_path) in minijail_set_preload_path()
869 static void clear_seccomp_options(struct minijail *j) in clear_seccomp_options() argument
871 j->flags.seccomp_filter = 0; in clear_seccomp_options()
872 j->flags.seccomp_filter_tsync = 0; in clear_seccomp_options()
873 j->flags.seccomp_filter_logging = 0; in clear_seccomp_options()
874 j->filter_len = 0; in clear_seccomp_options()
875 j->filter_prog = NULL; in clear_seccomp_options()
876 j->flags.no_new_privs = 0; in clear_seccomp_options()
879 static int seccomp_should_use_filters(struct minijail *j) in seccomp_should_use_filters() argument
891 clear_seccomp_options(j); in seccomp_should_use_filters()
900 if (j->flags.seccomp_filter_tsync) { in seccomp_should_use_filters()
907 clear_seccomp_options(j); in seccomp_should_use_filters()
913 clear_seccomp_options(j); in seccomp_should_use_filters()
927 static int set_seccomp_filters_internal(struct minijail *j, in set_seccomp_filters_internal() argument
948 if (j->filter_prog) { in set_seccomp_filters_internal()
949 free(j->filter_prog->filter); in set_seccomp_filters_internal()
950 free(j->filter_prog); in set_seccomp_filters_internal()
953 j->filter_len = fprog->len; in set_seccomp_filters_internal()
954 j->filter_prog = fprog; in set_seccomp_filters_internal()
958 void API minijail_set_seccomp_filters(struct minijail *j, in minijail_set_seccomp_filters() argument
961 if (!seccomp_should_use_filters(j)) in minijail_set_seccomp_filters()
964 if (j->flags.seccomp_filter_logging) { in minijail_set_seccomp_filters()
974 if (set_seccomp_filters_internal(j, (struct sock_fprog *)filter, in minijail_set_seccomp_filters()
980 static int parse_seccomp_filters(struct minijail *j, const char *filename, in parse_seccomp_filters() argument
987 j->flags.seccomp_filter_tsync || j->flags.seccomp_filter_logging; in parse_seccomp_filters()
988 int allow_logging = j->flags.seccomp_filter_logging; in parse_seccomp_filters()
996 return set_seccomp_filters_internal(j, fprog, true); in parse_seccomp_filters()
999 void API minijail_parse_seccomp_filters(struct minijail *j, const char *path) in minijail_parse_seccomp_filters() argument
1001 if (!seccomp_should_use_filters(j)) in minijail_parse_seccomp_filters()
1009 if (parse_seccomp_filters(j, path, file) != 0) { in minijail_parse_seccomp_filters()
1016 void API minijail_parse_seccomp_filters_from_fd(struct minijail *j, int fd) in minijail_parse_seccomp_filters_from_fd() argument
1021 if (!seccomp_should_use_filters(j)) in minijail_parse_seccomp_filters_from_fd()
1036 if (parse_seccomp_filters(j, path ? path : "<fd>", file) != 0) { in minijail_parse_seccomp_filters_from_fd()
1044 int API minijail_use_alt_syscall(struct minijail *j, const char *table) in minijail_use_alt_syscall() argument
1046 j->alt_syscall_table = strdup(table); in minijail_use_alt_syscall()
1047 if (!j->alt_syscall_table) in minijail_use_alt_syscall()
1049 j->flags.alt_syscall = 1; in minijail_use_alt_syscall()
1093 const struct minijail *j) in minijail_marshal_helper() argument
1098 marshal_append(state, (char *)j, sizeof(*j)); in minijail_marshal_helper()
1099 if (j->user) in minijail_marshal_helper()
1100 marshal_append(state, j->user, strlen(j->user) + 1); in minijail_marshal_helper()
1101 if (j->suppl_gid_list) { in minijail_marshal_helper()
1102 marshal_append(state, j->suppl_gid_list, in minijail_marshal_helper()
1103 j->suppl_gid_count * sizeof(gid_t)); in minijail_marshal_helper()
1105 if (j->chrootdir) in minijail_marshal_helper()
1106 marshal_append(state, j->chrootdir, strlen(j->chrootdir) + 1); in minijail_marshal_helper()
1107 if (j->hostname) in minijail_marshal_helper()
1108 marshal_append(state, j->hostname, strlen(j->hostname) + 1); in minijail_marshal_helper()
1109 if (j->alt_syscall_table) { in minijail_marshal_helper()
1110 marshal_append(state, j->alt_syscall_table, in minijail_marshal_helper()
1111 strlen(j->alt_syscall_table) + 1); in minijail_marshal_helper()
1113 if (j->flags.seccomp_filter && j->filter_prog) { in minijail_marshal_helper()
1114 struct sock_fprog *fp = j->filter_prog; in minijail_marshal_helper()
1118 for (m = j->mounts_head; m; m = m->next) { in minijail_marshal_helper()
1121 for (i = 0; i < j->cgroup_count; ++i) in minijail_marshal_helper()
1122 marshal_append(state, j->cgroups[i], strlen(j->cgroups[i]) + 1); in minijail_marshal_helper()
1125 size_t API minijail_size(const struct minijail *j) in minijail_size() argument
1129 minijail_marshal_helper(&state, j); in minijail_size()
1133 int minijail_marshal(const struct minijail *j, char *buf, size_t available) in minijail_marshal() argument
1137 minijail_marshal_helper(&state, j); in minijail_marshal()
1141 int minijail_unmarshal(struct minijail *j, char *serialized, size_t length) in minijail_unmarshal() argument
1147 if (length < sizeof(*j)) in minijail_unmarshal()
1149 memcpy((void *)j, serialized, sizeof(*j)); in minijail_unmarshal()
1150 serialized += sizeof(*j); in minijail_unmarshal()
1151 length -= sizeof(*j); in minijail_unmarshal()
1154 j->preload_path = NULL; in minijail_unmarshal()
1155 j->pid_file_path = NULL; in minijail_unmarshal()
1156 j->uidmap = NULL; in minijail_unmarshal()
1157 j->gidmap = NULL; in minijail_unmarshal()
1158 j->mounts_head = NULL; in minijail_unmarshal()
1159 j->mounts_tail = NULL; in minijail_unmarshal()
1160 j->filter_prog = NULL; in minijail_unmarshal()
1161 j->hooks_head = NULL; in minijail_unmarshal()
1162 j->hooks_tail = NULL; in minijail_unmarshal()
1164 if (j->user) { /* stale pointer */ in minijail_unmarshal()
1168 j->user = strdup(user); in minijail_unmarshal()
1169 if (!j->user) in minijail_unmarshal()
1173 if (j->suppl_gid_list) { /* stale pointer */ in minijail_unmarshal()
1174 if (j->suppl_gid_count > NGROUPS_MAX) { in minijail_unmarshal()
1177 size_t gid_list_size = j->suppl_gid_count * sizeof(gid_t); in minijail_unmarshal()
1183 j->suppl_gid_list = calloc(j->suppl_gid_count, sizeof(gid_t)); in minijail_unmarshal()
1184 if (!j->suppl_gid_list) in minijail_unmarshal()
1187 memcpy(j->suppl_gid_list, gid_list_bytes, gid_list_size); in minijail_unmarshal()
1190 if (j->chrootdir) { /* stale pointer */ in minijail_unmarshal()
1194 j->chrootdir = strdup(chrootdir); in minijail_unmarshal()
1195 if (!j->chrootdir) in minijail_unmarshal()
1199 if (j->hostname) { /* stale pointer */ in minijail_unmarshal()
1203 j->hostname = strdup(hostname); in minijail_unmarshal()
1204 if (!j->hostname) in minijail_unmarshal()
1208 if (j->alt_syscall_table) { /* stale pointer */ in minijail_unmarshal()
1212 j->alt_syscall_table = strdup(alt_syscall_table); in minijail_unmarshal()
1213 if (!j->alt_syscall_table) in minijail_unmarshal()
1217 if (j->flags.seccomp_filter && j->filter_len > 0) { in minijail_unmarshal()
1218 size_t ninstrs = j->filter_len; in minijail_unmarshal()
1228 j->filter_prog = malloc(sizeof(struct sock_fprog)); in minijail_unmarshal()
1229 if (!j->filter_prog) in minijail_unmarshal()
1232 j->filter_prog->len = ninstrs; in minijail_unmarshal()
1233 j->filter_prog->filter = malloc(program_len); in minijail_unmarshal()
1234 if (!j->filter_prog->filter) in minijail_unmarshal()
1237 memcpy(j->filter_prog->filter, program, program_len); in minijail_unmarshal()
1240 count = j->mounts_count; in minijail_unmarshal()
1241 j->mounts_count = 0; in minijail_unmarshal()
1269 if (minijail_mount_with_data(j, src, dest, type, *flags, data)) in minijail_unmarshal()
1273 count = j->cgroup_count; in minijail_unmarshal()
1274 j->cgroup_count = 0; in minijail_unmarshal()
1279 j->cgroups[i] = strdup(cgroup); in minijail_unmarshal()
1280 if (!j->cgroups[i]) in minijail_unmarshal()
1282 ++j->cgroup_count; in minijail_unmarshal()
1288 free_mounts_list(j); in minijail_unmarshal()
1289 for (i = 0; i < j->cgroup_count; ++i) in minijail_unmarshal()
1290 free(j->cgroups[i]); in minijail_unmarshal()
1292 if (j->filter_prog && j->filter_prog->filter) in minijail_unmarshal()
1293 free(j->filter_prog->filter); in minijail_unmarshal()
1295 if (j->filter_prog) in minijail_unmarshal()
1296 free(j->filter_prog); in minijail_unmarshal()
1298 if (j->alt_syscall_table) in minijail_unmarshal()
1299 free(j->alt_syscall_table); in minijail_unmarshal()
1301 if (j->chrootdir) in minijail_unmarshal()
1302 free(j->chrootdir); in minijail_unmarshal()
1304 if (j->hostname) in minijail_unmarshal()
1305 free(j->hostname); in minijail_unmarshal()
1307 if (j->suppl_gid_list) in minijail_unmarshal()
1308 free(j->suppl_gid_list); in minijail_unmarshal()
1310 if (j->user) in minijail_unmarshal()
1311 free(j->user); in minijail_unmarshal()
1313 j->user = NULL; in minijail_unmarshal()
1314 j->suppl_gid_list = NULL; in minijail_unmarshal()
1315 j->chrootdir = NULL; in minijail_unmarshal()
1316 j->hostname = NULL; in minijail_unmarshal()
1317 j->alt_syscall_table = NULL; in minijail_unmarshal()
1318 j->cgroup_count = 0; in minijail_unmarshal()
1446 static int mount_dev_finalize(const struct minijail *j, char *dev_path) in mount_dev_finalize() argument
1455 if (asprintf(&dest, "%s/dev", j->chrootdir ? : "") < 0) in mount_dev_finalize()
1476 static int mount_one(const struct minijail *j, struct mountpoint *m, in mount_one() argument
1490 if (asprintf(&dest, "%s%s", j->chrootdir ?: "", m->dest) < 0) in mount_one()
1495 setup_mount_destination(m->src, dest, j->uid, j->gid, in mount_one()
1538 return mount_one(j, m->next, dev_path); in mount_one()
1546 static void process_mounts_or_die(const struct minijail *j) in process_mounts_or_die() argument
1553 if (j->flags.mount_dev && mount_dev(&dev_path)) in process_mounts_or_die()
1556 if (j->mounts_head && mount_one(j, j->mounts_head, dev_path)) { in process_mounts_or_die()
1569 if (j->flags.mount_dev && mount_dev_finalize(j, dev_path)) in process_mounts_or_die()
1573 static int enter_chroot(const struct minijail *j) in enter_chroot() argument
1575 run_hooks_or_die(j, MINIJAIL_HOOK_EVENT_PRE_CHROOT); in enter_chroot()
1577 if (chroot(j->chrootdir)) in enter_chroot()
1586 static int enter_pivot_root(const struct minijail *j) in enter_pivot_root() argument
1590 run_hooks_or_die(j, MINIJAIL_HOOK_EVENT_PRE_CHROOT); in enter_pivot_root()
1599 newroot = open(j->chrootdir, O_DIRECTORY | O_RDONLY | O_CLOEXEC); in enter_pivot_root()
1601 pdie("failed to open %s for fchdir", j->chrootdir); in enter_pivot_root()
1607 if (mount(j->chrootdir, j->chrootdir, "bind", MS_BIND | MS_REC, "")) in enter_pivot_root()
1608 pdie("failed to bind mount '%s'", j->chrootdir); in enter_pivot_root()
1609 if (chdir(j->chrootdir)) in enter_pivot_root()
1651 static int mount_tmp(const struct minijail *j) in mount_tmp() argument
1658 ret = snprintf(data, sizeof(data), fmt, j->tmpfs_size); in mount_tmp()
1668 static int remount_proc_readonly(const struct minijail *j) in remount_proc_readonly() argument
1684 if (j->flags.userns) { in remount_proc_readonly()
1696 static void kill_child_and_die(const struct minijail *j, const char *msg) in kill_child_and_die() argument
1698 kill(j->initpid, SIGKILL); in kill_child_and_die()
1702 static void write_pid_file_or_die(const struct minijail *j) in write_pid_file_or_die() argument
1704 if (write_pid_to_path(j->initpid, j->pid_file_path)) in write_pid_file_or_die()
1705 kill_child_and_die(j, "failed to write pid file"); in write_pid_file_or_die()
1708 static void add_to_cgroups_or_die(const struct minijail *j) in add_to_cgroups_or_die() argument
1712 for (i = 0; i < j->cgroup_count; ++i) { in add_to_cgroups_or_die()
1713 if (write_pid_to_path(j->initpid, j->cgroups[i])) in add_to_cgroups_or_die()
1714 kill_child_and_die(j, "failed to add to cgroups"); in add_to_cgroups_or_die()
1718 static void set_rlimits_or_die(const struct minijail *j) in set_rlimits_or_die() argument
1722 for (i = 0; i < j->rlimit_count; ++i) { in set_rlimits_or_die()
1724 limit.rlim_cur = j->rlimits[i].cur; in set_rlimits_or_die()
1725 limit.rlim_max = j->rlimits[i].max; in set_rlimits_or_die()
1726 if (prlimit(j->initpid, j->rlimits[i].type, &limit, NULL)) in set_rlimits_or_die()
1727 kill_child_and_die(j, "failed to set rlimit"); in set_rlimits_or_die()
1731 static void write_ugid_maps_or_die(const struct minijail *j) in write_ugid_maps_or_die() argument
1733 if (j->uidmap && write_proc_file(j->initpid, j->uidmap, "uid_map") != 0) in write_ugid_maps_or_die()
1734 kill_child_and_die(j, "failed to write uid_map"); in write_ugid_maps_or_die()
1735 if (j->gidmap && j->flags.disable_setgroups) { in write_ugid_maps_or_die()
1737 int ret = write_proc_file(j->initpid, "deny", "setgroups"); in write_ugid_maps_or_die()
1743 kill_child_and_die(j, "failed to disable setgroups(2)"); in write_ugid_maps_or_die()
1746 if (j->gidmap && write_proc_file(j->initpid, j->gidmap, "gid_map") != 0) in write_ugid_maps_or_die()
1747 kill_child_and_die(j, "failed to write gid_map"); in write_ugid_maps_or_die()
1750 static void enter_user_namespace(const struct minijail *j) in enter_user_namespace() argument
1752 int uid = j->flags.uid ? j->uid : 0; in enter_user_namespace()
1753 int gid = j->flags.gid ? j->gid : 0; in enter_user_namespace()
1754 if (j->gidmap && setresgid(gid, gid, gid)) { in enter_user_namespace()
1758 if (j->uidmap && setresuid(uid, uid, uid)) { in enter_user_namespace()
1786 static void drop_ugid(const struct minijail *j) in drop_ugid() argument
1788 if (j->flags.inherit_suppl_gids + j->flags.keep_suppl_gids + in drop_ugid()
1789 j->flags.set_suppl_gids > 1) { in drop_ugid()
1794 if (j->flags.inherit_suppl_gids) { in drop_ugid()
1795 if (initgroups(j->user, j->usergid)) in drop_ugid()
1796 pdie("initgroups(%s, %d) failed", j->user, j->usergid); in drop_ugid()
1797 } else if (j->flags.set_suppl_gids) { in drop_ugid()
1798 if (setgroups(j->suppl_gid_count, j->suppl_gid_list)) in drop_ugid()
1800 } else if (!j->flags.keep_suppl_gids && !j->flags.disable_setgroups) { in drop_ugid()
1807 if ((j->flags.uid || j->flags.gid) && setgroups(0, NULL)) in drop_ugid()
1811 if (j->flags.gid && setresgid(j->gid, j->gid, j->gid)) in drop_ugid()
1812 pdie("setresgid(%d, %d, %d) failed", j->gid, j->gid, j->gid); in drop_ugid()
1814 if (j->flags.uid && setresuid(j->uid, j->uid, j->uid)) in drop_ugid()
1815 pdie("setresuid(%d, %d, %d) failed", j->uid, j->uid, j->uid); in drop_ugid()
1830 static void drop_caps(const struct minijail *j, unsigned int last_valid_cap) in drop_caps() argument
1832 if (!j->flags.use_caps) in drop_caps()
1837 const size_t ncaps = sizeof(j->caps) * 8; in drop_caps()
1847 if (i != CAP_SETPCAP && !(j->caps & (one << i))) in drop_caps()
1878 if (secure_noroot_set_and_locked(~j->securebits_skip_mask)) { in drop_caps()
1879 drop_capbset(j->caps, last_valid_cap); in drop_caps()
1885 if ((j->caps & (one << CAP_SETPCAP)) == 0) { in drop_caps()
1902 if (j->flags.set_ambient_caps) { in drop_caps()
1912 if (!(j->caps & (one << i))) in drop_caps()
1927 static void set_seccomp_filter(const struct minijail *j) in set_seccomp_filter() argument
1933 if (j->flags.no_new_privs) { in set_seccomp_filter()
1948 if (j->flags.seccomp_filter && running_with_asan()) { in set_seccomp_filter()
1953 if (j->flags.seccomp_filter) { in set_seccomp_filter()
1954 if (j->flags.seccomp_filter_logging) { in set_seccomp_filter()
1962 } else if (j->flags.seccomp_filter_tsync) { in set_seccomp_filter()
1976 if (j->flags.seccomp_filter) { in set_seccomp_filter()
1977 if (j->flags.seccomp_filter_tsync) { in set_seccomp_filter()
1980 j->filter_prog)) { in set_seccomp_filter()
1985 j->filter_prog)) { in set_seccomp_filter()
2047 static void run_hooks_or_die(const struct minijail *j, in run_hooks_or_die() argument
2052 for (struct hook *c = j->hooks_head; c; c = c->next) { in run_hooks_or_die()
2066 void API minijail_enter(const struct minijail *j) in minijail_enter() argument
2073 if (j->flags.capbset_drop || j->flags.use_caps) in minijail_enter()
2076 if (j->flags.pids) in minijail_enter()
2080 if (j->flags.inherit_suppl_gids && !j->user) in minijail_enter()
2089 if (j->flags.enter_vfs) { in minijail_enter()
2090 if (setns(j->mountns_fd, CLONE_NEWNS)) in minijail_enter()
2092 close(j->mountns_fd); in minijail_enter()
2095 if (j->flags.vfs) { in minijail_enter()
2104 if (j->remount_mode) { in minijail_enter()
2105 if (mount(NULL, "/", NULL, MS_REC | j->remount_mode, NULL)) in minijail_enter()
2111 if (j->flags.ipc && unshare(CLONE_NEWIPC)) { in minijail_enter()
2115 if (j->flags.uts) { in minijail_enter()
2119 if (j->hostname && sethostname(j->hostname, strlen(j->hostname))) in minijail_enter()
2120 pdie("sethostname(%s) failed", j->hostname); in minijail_enter()
2123 if (j->flags.enter_net) { in minijail_enter()
2124 if (setns(j->netns_fd, CLONE_NEWNET)) in minijail_enter()
2126 close(j->netns_fd); in minijail_enter()
2127 } else if (j->flags.net) { in minijail_enter()
2133 if (j->flags.ns_cgroups && unshare(CLONE_NEWCGROUP)) in minijail_enter()
2136 if (j->flags.new_session_keyring) { in minijail_enter()
2142 process_mounts_or_die(j); in minijail_enter()
2144 if (j->flags.chroot && enter_chroot(j)) in minijail_enter()
2147 if (j->flags.pivot_root && enter_pivot_root(j)) in minijail_enter()
2150 if (j->flags.mount_tmp && mount_tmp(j)) in minijail_enter()
2153 if (j->flags.remount_proc_ro && remount_proc_readonly(j)) in minijail_enter()
2156 run_hooks_or_die(j, MINIJAIL_HOOK_EVENT_PRE_DROP_CAPS); in minijail_enter()
2162 if (j->flags.capbset_drop) { in minijail_enter()
2163 drop_capbset(j->cap_bset, last_valid_cap); in minijail_enter()
2171 if (j->flags.use_caps) { in minijail_enter()
2177 bool require_keep_caps = !j->flags.set_ambient_caps; in minijail_enter()
2178 if (lock_securebits(j->securebits_skip_mask, in minijail_enter()
2184 if (j->flags.no_new_privs) { in minijail_enter()
2190 drop_ugid(j); in minijail_enter()
2191 drop_caps(j, last_valid_cap); in minijail_enter()
2192 set_seccomp_filter(j); in minijail_enter()
2201 set_seccomp_filter(j); in minijail_enter()
2202 drop_ugid(j); in minijail_enter()
2203 drop_caps(j, last_valid_cap); in minijail_enter()
2210 if (j->flags.alt_syscall) { in minijail_enter()
2211 if (prctl(PR_ALT_SYSCALL, 1, j->alt_syscall_table)) in minijail_enter()
2219 if (j->flags.seccomp && prctl(PR_SET_SECCOMP, 1)) { in minijail_enter()
2256 int API minijail_from_fd(int fd, struct minijail *j) in minijail_from_fd() argument
2274 r = minijail_unmarshal(j, buf, sz); in minijail_from_fd()
2279 int API minijail_to_fd(struct minijail *j, int fd) in minijail_to_fd() argument
2282 size_t sz = minijail_size(j); in minijail_to_fd()
2289 r = minijail_marshal(j, buf, sz); in minijail_to_fd()
2309 static int setup_preload(const struct minijail *j attribute_unused, in setup_preload()
2316 const char *preload_path = j->preload_path ?: PRELOADPATH; in setup_preload()
2391 static int redirect_fds(struct minijail *j) in redirect_fds() argument
2395 for (i = 0; i < j->preserved_fd_count; i++) { in redirect_fds()
2396 if (dup2(j->preserved_fds[i].parent_fd, in redirect_fds()
2397 j->preserved_fds[i].child_fd) == -1) { in redirect_fds()
2405 for (i = 0; i < j->preserved_fd_count; i++) { in redirect_fds()
2407 for (i2 = 0; i2 < j->preserved_fd_count; i2++) { in redirect_fds()
2408 closeable &= j->preserved_fds[i].parent_fd != in redirect_fds()
2409 j->preserved_fds[i2].child_fd; in redirect_fds()
2412 close(j->preserved_fds[i].parent_fd); in redirect_fds()
2452 static int minijail_run_internal(struct minijail *j,
2456 int API minijail_run(struct minijail *j, const char *filename, in minijail_run() argument
2467 return minijail_run_internal(j, &config, &status); in minijail_run()
2470 int API minijail_run_pid(struct minijail *j, const char *filename, in minijail_run_pid() argument
2483 return minijail_run_internal(j, &config, &status); in minijail_run_pid()
2486 int API minijail_run_pipe(struct minijail *j, const char *filename, in minijail_run_pipe() argument
2499 return minijail_run_internal(j, &config, &status); in minijail_run_pipe()
2502 int API minijail_run_pid_pipes(struct minijail *j, const char *filename, in minijail_run_pid_pipes() argument
2519 return minijail_run_internal(j, &config, &status); in minijail_run_pid_pipes()
2522 int API minijail_run_no_preload(struct minijail *j, const char *filename, in minijail_run_no_preload() argument
2533 return minijail_run_internal(j, &config, &status); in minijail_run_no_preload()
2536 int API minijail_run_pid_pipes_no_preload(struct minijail *j, in minijail_run_pid_pipes_no_preload() argument
2557 return minijail_run_internal(j, &config, &status); in minijail_run_pid_pipes_no_preload()
2560 int API minijail_run_env_pid_pipes_no_preload(struct minijail *j, in minijail_run_env_pid_pipes_no_preload() argument
2580 return minijail_run_internal(j, &config, &status); in minijail_run_env_pid_pipes_no_preload()
2583 pid_t API minijail_fork(struct minijail *j) in minijail_fork() argument
2587 return minijail_run_internal(j, &config, &status); in minijail_fork()
2590 static int minijail_run_internal(struct minijail *j, in minijail_run_internal() argument
2604 int pid_namespace = j->flags.pids; in minijail_run_internal()
2609 int do_init = j->flags.do_init && !j->flags.run_as_init; in minijail_run_internal()
2613 if (j->hooks_head != NULL) in minijail_run_internal()
2627 if (setup_preload(j, oldenv)) in minijail_run_internal()
2632 if (j->flags.use_caps && j->caps != 0 && in minijail_run_internal()
2633 !j->flags.set_ambient_caps) { in minijail_run_internal()
2680 if (j->flags.userns || j->flags.cgroups) { in minijail_run_internal()
2729 if (j->flags.userns) in minijail_run_internal()
2755 j->initpid = child_pid; in minijail_run_internal()
2757 if (j->flags.forward_signals) { in minijail_run_internal()
2762 if (j->flags.pid_file) in minijail_run_internal()
2763 write_pid_file_or_die(j); in minijail_run_internal()
2765 if (j->flags.cgroups) in minijail_run_internal()
2766 add_to_cgroups_or_die(j); in minijail_run_internal()
2768 if (j->rlimit_count) in minijail_run_internal()
2769 set_rlimits_or_die(j); in minijail_run_internal()
2771 if (j->flags.userns) in minijail_run_internal()
2772 write_ugid_maps_or_die(j); in minijail_run_internal()
2774 if (j->flags.enter_vfs) in minijail_run_internal()
2775 close(j->mountns_fd); in minijail_run_internal()
2777 if (j->flags.enter_net) in minijail_run_internal()
2778 close(j->netns_fd); in minijail_run_internal()
2786 ret = minijail_to_fd(j, pipe_fds[1]); in minijail_run_internal()
2789 kill(j->initpid, SIGKILL); in minijail_run_internal()
2832 if (j->flags.reset_signal_mask) { in minijail_run_internal()
2840 if (j->flags.reset_signal_handlers) { in minijail_run_internal()
2855 if (j->flags.close_open_fds) { in minijail_run_internal()
2880 for (i = 0; i < j->preserved_fd_count; i++) { in minijail_run_internal()
2885 inheritable_fds[size++] = j->preserved_fds[i].parent_fd; in minijail_run_internal()
2892 if (redirect_fds(j)) in minijail_run_internal()
2898 if (j->flags.userns) in minijail_run_internal()
2899 enter_user_namespace(j); in minijail_run_internal()
2949 j->flags.remount_proc_ro = 0; in minijail_run_internal()
2953 minijail_preexec(j); in minijail_run_internal()
2960 j->flags.pids = 0; in minijail_run_internal()
2968 minijail_enter(j); in minijail_run_internal()
2993 run_hooks_or_die(j, MINIJAIL_HOOK_EVENT_PRE_EXECVE); in minijail_run_internal()
3026 int API minijail_kill(struct minijail *j) in minijail_kill() argument
3029 if (kill(j->initpid, SIGTERM)) in minijail_kill()
3031 if (waitpid(j->initpid, &st, 0) < 0) in minijail_kill()
3036 int API minijail_wait(struct minijail *j) in minijail_wait() argument
3039 if (waitpid(j->initpid, &st, 0) < 0) in minijail_wait()
3047 j->initpid, signum); in minijail_wait()
3067 j->initpid, exit_status); in minijail_wait()
3072 void API minijail_destroy(struct minijail *j) in minijail_destroy() argument
3076 if (j->filter_prog) { in minijail_destroy()
3077 free(j->filter_prog->filter); in minijail_destroy()
3078 free(j->filter_prog); in minijail_destroy()
3080 free_mounts_list(j); in minijail_destroy()
3081 while (j->hooks_head) { in minijail_destroy()
3082 struct hook *c = j->hooks_head; in minijail_destroy()
3083 j->hooks_head = c->next; in minijail_destroy()
3086 j->hooks_tail = NULL; in minijail_destroy()
3087 if (j->user) in minijail_destroy()
3088 free(j->user); in minijail_destroy()
3089 if (j->suppl_gid_list) in minijail_destroy()
3090 free(j->suppl_gid_list); in minijail_destroy()
3091 if (j->chrootdir) in minijail_destroy()
3092 free(j->chrootdir); in minijail_destroy()
3093 if (j->pid_file_path) in minijail_destroy()
3094 free(j->pid_file_path); in minijail_destroy()
3095 if (j->uidmap) in minijail_destroy()
3096 free(j->uidmap); in minijail_destroy()
3097 if (j->gidmap) in minijail_destroy()
3098 free(j->gidmap); in minijail_destroy()
3099 if (j->hostname) in minijail_destroy()
3100 free(j->hostname); in minijail_destroy()
3101 if (j->preload_path) in minijail_destroy()
3102 free(j->preload_path); in minijail_destroy()
3103 if (j->alt_syscall_table) in minijail_destroy()
3104 free(j->alt_syscall_table); in minijail_destroy()
3105 for (i = 0; i < j->cgroup_count; ++i) in minijail_destroy()
3106 free(j->cgroups[i]); in minijail_destroy()
3107 free(j); in minijail_destroy()