1 // Copyright 2015, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #include <fcntl.h>
16 #include <sys/stat.h>
17 #include <sys/types.h>
18 #include <unistd.h>
19 
20 #include <android-base/file.h>
21 #include <android-base/logging.h>
22 #include <android-base/unique_fd.h>
23 
24 #include <libminijail.h>
25 #include <scoped_minijail.h>
26 
27 #include "minijail.h"
28 
29 namespace android {
30 
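// Concatenates the base policy with every non-empty additional policy
// (newline-separated, in order) and writes the result into a fresh pipe.
//
// Returns the pipe's read end, positioned at the start of the combined
// policy, or -1 on error. On success the caller owns the returned fd and
// is responsible for closing it (here it is handed to minijail, which
// closes it after parsing). The write end is closed before returning, so a
// reader sees EOF right after the policy text.
//
// Nothing drains the pipe until the caller hands the read end over, so the
// whole policy has to fit in the kernel pipe buffer (typically 64 KiB on
// Linux); a larger policy would block in the write below forever. Seccomp
// policy files are far smaller than that, but keep it in mind if this is
// ever reused for bulkier content.
int WritePolicyToPipe(const std::string& base_policy_content,
                      const std::vector<std::string>& additional_policy_contents)
{
    int pipefd[2];
    if (pipe(pipefd) == -1) {
        PLOG(ERROR) << "pipe() failed";
        return -1;
    }

    // Own BOTH ends immediately so no error path leaks a descriptor. The
    // previous version wrapped only the write end and leaked pipefd[0] when
    // the write failed.
    base::unique_fd read_end(pipefd[0]);
    base::unique_fd write_end(pipefd[1]);

    std::string content = base_policy_content;
    for (const auto& one_content : additional_policy_contents) {
        // Empty entries (e.g. an additional policy that could not be read)
        // are skipped rather than adding a stray blank line.
        if (!one_content.empty()) {
            content += "\n";
            content += one_content;
        }
    }

    if (!base::WriteStringToFd(content, write_end.get())) {
        LOG(ERROR) << "Could not write policy to fd";
        return -1;  // read_end and write_end are closed by their destructors.
    }

    // Hand ownership of the read end to the caller; write_end closes on return.
    return read_end.release();
}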
57 
// Convenience wrapper for the common single-additional-policy case.
// Equivalent to SetUpMinijailList() with a one-element list; an empty
// |additional_policy_path| is tolerated there and simply contributes nothing.
void SetUpMinijail(const std::string& base_policy_path,
                   const std::string& additional_policy_path)
{
    const std::vector<std::string> additional_policy_paths{additional_policy_path};
    SetUpMinijailList(base_policy_path, additional_policy_paths);
}
63 
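// Reads the base seccomp policy plus any additional policy files, merges
// them, and confines the *calling* process with the resulting filter.
//
// |base_policy_path| must be readable; failure to read it is fatal, since
// running unconfined is not an acceptable fallback. Entries in
// |additional_policy_paths| are best-effort: an empty path is skipped and an
// unreadable one is logged and contributes nothing (see the TODO below).
// Policy files are opened without following symlinks, so a symlink planted
// at a policy path cannot redirect the read to attacker-chosen content.
//
// This function does not return on error (LOG(FATAL) aborts). On success
// the seccomp filter and no_new_privs are in effect for this process.
void SetUpMinijailList(const std::string& base_policy_path,
                   const std::vector<std::string>& additional_policy_paths)
{
    std::string base_policy_content;
    std::vector<std::string> additional_policy_contents;
    additional_policy_contents.reserve(additional_policy_paths.size());

    // follow_symlinks=false -> O_NOFOLLOW on the open. PLOG records errno so
    // a refused symlink (ELOOP), a permission problem or a missing file are
    // distinguishable in the log.
    if (!base::ReadFileToString(base_policy_path, &base_policy_content,
                                false /* follow_symlinks */)) {
        PLOG(FATAL) << "Could not read base policy file '" << base_policy_path << "'";
    }

    for (const auto& one_policy_path : additional_policy_paths) {
        std::string one_policy_content;
        if (!one_policy_path.empty() &&
                !base::ReadFileToString(one_policy_path, &one_policy_content,
                    false /* follow_symlinks */)) {
            // TODO: harder failure (fatal unless ENOENT?)
            // NOTE(review): minijail policies are allowlists, so a dropped
            // additional policy presumably yields a *stricter* filter (and
            // likely a SIGSYS later) rather than a looser one -- confirm
            // before tightening this to a fatal error.
            PLOG(WARNING) << "Could not read additional policy file '" << one_policy_path << "'";
            // Don't ship a half policy in case the failed read left partial
            // content behind; an empty entry is skipped by WritePolicyToPipe.
            one_policy_content.clear();
        }
        additional_policy_contents.push_back(std::move(one_policy_content));
    }

    base::unique_fd policy_fd(WritePolicyToPipe(base_policy_content, additional_policy_contents));
    if (policy_fd.get() == -1) {
        LOG(FATAL) << "Could not write seccomp policy to fd";
    }

    ScopedMinijail jail{minijail_new()};
    if (!jail) {
        LOG(FATAL) << "Failed to create minijail.";
    }

    // PR_SET_NO_NEW_PRIVS: the kernel requires it (absent CAP_SYS_ADMIN) to
    // install a seccomp filter, and it stops a later execve of a setuid or
    // file-capability binary from regaining privilege.
    minijail_no_new_privs(jail.get());
    // Have filter violations logged (syscall number/name) so policy gaps are
    // diagnosable from the log rather than appearing as a bare SIGSYS.
    minijail_log_seccomp_filter_failures(jail.get());
    minijail_use_seccomp_filter(jail.get());
    // Transfer ownership of |policy_fd|; minijail reads and closes it.
    minijail_parse_seccomp_filters_from_fd(jail.get(), policy_fd.release());
    // Apply the jail to this process. Seccomp filters cannot be removed once
    // installed and are inherited across fork/exec.
    minijail_enter(jail.get());
}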
102 }
103