1 // Copyright 2015, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <fcntl.h>
16 #include <sys/stat.h>
17 #include <sys/types.h>
18 #include <unistd.h>
19
20 #include <android-base/file.h>
21 #include <android-base/logging.h>
22 #include <android-base/unique_fd.h>
23
24 #include <libminijail.h>
25 #include <scoped_minijail.h>
26
27 #include "minijail.h"
28
29 namespace android {
30
WritePolicyToPipe(const std::string & base_policy_content,const std::string & additional_policy_content)31 int WritePolicyToPipe(const std::string& base_policy_content,
32 const std::string& additional_policy_content)
33 {
34 int pipefd[2];
35 if (pipe(pipefd) == -1) {
36 PLOG(ERROR) << "pipe() failed";
37 return -1;
38 }
39
40 base::unique_fd write_end(pipefd[1]);
41 std::string content = base_policy_content;
42
43 if (additional_policy_content.length() > 0) {
44 content += "\n";
45 content += additional_policy_content;
46 }
47
48 if (!base::WriteStringToFd(content, write_end.get())) {
49 LOG(ERROR) << "Could not write policy to fd";
50 return -1;
51 }
52
53 return pipefd[0];
54 }
55
SetUpMinijail(const std::string & base_policy_path,const std::string & additional_policy_path)56 void SetUpMinijail(const std::string& base_policy_path, const std::string& additional_policy_path)
57 {
58 // No seccomp policy defined for this architecture.
59 if (access(base_policy_path.c_str(), R_OK) == -1) {
60 LOG(WARNING) << "No seccomp policy defined for this architecture.";
61 return;
62 }
63
64 std::string base_policy_content;
65 std::string additional_policy_content;
66 if (!base::ReadFileToString(base_policy_path, &base_policy_content,
67 false /* follow_symlinks */)) {
68 LOG(FATAL) << "Could not read base policy file '" << base_policy_path << "'";
69 }
70
71 if (additional_policy_path.length() > 0 &&
72 !base::ReadFileToString(additional_policy_path, &additional_policy_content,
73 false /* follow_symlinks */)) {
74 LOG(WARNING) << "Could not read additional policy file '" << additional_policy_path << "'";
75 additional_policy_content = std::string();
76 }
77
78 base::unique_fd policy_fd(WritePolicyToPipe(base_policy_content, additional_policy_content));
79 if (policy_fd.get() == -1) {
80 LOG(FATAL) << "Could not write seccomp policy to fd";
81 }
82
83 ScopedMinijail jail{minijail_new()};
84 if (!jail) {
85 LOG(FATAL) << "Failed to create minijail.";
86 }
87
88 minijail_no_new_privs(jail.get());
89 minijail_log_seccomp_filter_failures(jail.get());
90 minijail_use_seccomp_filter(jail.get());
91 // Transfer ownership of |policy_fd|.
92 minijail_parse_seccomp_filters_from_fd(jail.get(), policy_fd.release());
93 minijail_enter(jail.get());
94 }
95 }
96