1 // Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "brillo/minijail/minijail.h"
6
7 #include <sys/types.h>
8 #include <sys/wait.h>
9
10 using std::vector;
11
12 namespace brillo {
13
Minijail()14 Minijail::Minijail() {}
15
~Minijail()16 Minijail::~Minijail() {}
17
18 // static
GetInstance()19 Minijail* Minijail::GetInstance() {
20 static Minijail* minijail = new Minijail();
21 return minijail;
22 }
23
New()24 struct minijail* Minijail::New() {
25 return minijail_new();
26 }
27
Destroy(struct minijail * jail)28 void Minijail::Destroy(struct minijail* jail) {
29 minijail_destroy(jail);
30 }
31
DropRoot(struct minijail * jail,uid_t uid,gid_t gid)32 void Minijail::DropRoot(struct minijail* jail, uid_t uid, gid_t gid) {
33 minijail_change_uid(jail, uid);
34 minijail_change_gid(jail, gid);
35 }
36
DropRoot(struct minijail * jail,const char * user,const char * group)37 bool Minijail::DropRoot(struct minijail* jail,
38 const char* user,
39 const char* group) {
40 // |user| and |group| are copied so the only reason either of these
41 // calls can fail is ENOMEM.
42 return !minijail_change_user(jail, user) &&
43 !minijail_change_group(jail, group);
44 }
45
EnterNewPidNamespace(struct minijail * jail)46 void Minijail::EnterNewPidNamespace(struct minijail* jail) {
47 minijail_namespace_pids(jail);
48 }
49
MountTmp(struct minijail * jail)50 void Minijail::MountTmp(struct minijail* jail) {
51 minijail_mount_tmp(jail);
52 }
53
UseSeccompFilter(struct minijail * jail,const char * path)54 void Minijail::UseSeccompFilter(struct minijail* jail, const char* path) {
55 minijail_no_new_privs(jail);
56 minijail_use_seccomp_filter(jail);
57 minijail_parse_seccomp_filters(jail, path);
58 }
59
UseCapabilities(struct minijail * jail,uint64_t capmask)60 void Minijail::UseCapabilities(struct minijail* jail, uint64_t capmask) {
61 minijail_use_caps(jail, capmask);
62 }
63
ResetSignalMask(struct minijail * jail)64 void Minijail::ResetSignalMask(struct minijail* jail) {
65 minijail_reset_signal_mask(jail);
66 }
67
Enter(struct minijail * jail)68 void Minijail::Enter(struct minijail* jail) {
69 minijail_enter(jail);
70 }
71
Run(struct minijail * jail,vector<char * > args,pid_t * pid)72 bool Minijail::Run(struct minijail* jail, vector<char*> args, pid_t* pid) {
73 return minijail_run_pid(jail, args[0], args.data(), pid) == 0;
74 }
75
RunSync(struct minijail * jail,vector<char * > args,int * status)76 bool Minijail::RunSync(struct minijail* jail, vector<char*> args, int* status) {
77 pid_t pid;
78 if (Run(jail, args, &pid) && waitpid(pid, status, 0) == pid) {
79 return true;
80 }
81
82 return false;
83 }
84
RunPipe(struct minijail * jail,vector<char * > args,pid_t * pid,int * stdin)85 bool Minijail::RunPipe(struct minijail* jail,
86 vector<char*> args,
87 pid_t* pid,
88 int* stdin) {
89 #if defined(__ANDROID__)
90 return minijail_run_pid_pipes_no_preload(jail, args[0], args.data(), pid,
91 stdin, NULL, NULL) == 0;
92 #else
93 return minijail_run_pid_pipes(jail, args[0], args.data(), pid, stdin, NULL,
94 NULL) == 0;
95 #endif // __ANDROID__
96 }
97
RunPipes(struct minijail * jail,vector<char * > args,pid_t * pid,int * stdin,int * stdout,int * stderr)98 bool Minijail::RunPipes(struct minijail* jail,
99 vector<char*> args,
100 pid_t* pid,
101 int* stdin,
102 int* stdout,
103 int* stderr) {
104 #if defined(__ANDROID__)
105 return minijail_run_pid_pipes_no_preload(jail, args[0], args.data(), pid,
106 stdin, stdout, stderr) == 0;
107 #else
108 return minijail_run_pid_pipes(jail, args[0], args.data(), pid, stdin, stdout,
109 stderr) == 0;
110 #endif // __ANDROID__
111 }
112
RunAndDestroy(struct minijail * jail,vector<char * > args,pid_t * pid)113 bool Minijail::RunAndDestroy(struct minijail* jail,
114 vector<char*> args,
115 pid_t* pid) {
116 bool res = Run(jail, args, pid);
117 Destroy(jail);
118 return res;
119 }
120
RunSyncAndDestroy(struct minijail * jail,vector<char * > args,int * status)121 bool Minijail::RunSyncAndDestroy(struct minijail* jail,
122 vector<char*> args,
123 int* status) {
124 bool res = RunSync(jail, args, status);
125 Destroy(jail);
126 return res;
127 }
128
RunPipeAndDestroy(struct minijail * jail,vector<char * > args,pid_t * pid,int * stdin)129 bool Minijail::RunPipeAndDestroy(struct minijail* jail,
130 vector<char*> args,
131 pid_t* pid,
132 int* stdin) {
133 bool res = RunPipe(jail, args, pid, stdin);
134 Destroy(jail);
135 return res;
136 }
137
RunPipesAndDestroy(struct minijail * jail,vector<char * > args,pid_t * pid,int * stdin,int * stdout,int * stderr)138 bool Minijail::RunPipesAndDestroy(struct minijail* jail,
139 vector<char*> args,
140 pid_t* pid,
141 int* stdin,
142 int* stdout,
143 int* stderr) {
144 bool res = RunPipes(jail, args, pid, stdin, stdout, stderr);
145 Destroy(jail);
146 return res;
147 }
148
149 } // namespace brillo
150