
192 void minijail_preenter(struct minijail *j)  in minijail_preenter()  argument
194 j->flags.vfs = 0; in minijail_preenter()
195 j->flags.enter_vfs = 0; in minijail_preenter()
196 j->flags.skip_remount_private = 0; in minijail_preenter()
197 j->flags.remount_proc_ro = 0; in minijail_preenter()
198 j->flags.pids = 0; in minijail_preenter()
199 j->flags.do_init = 0; in minijail_preenter()
200 j->flags.pid_file = 0; in minijail_preenter()
201 j->flags.cgroups = 0; in minijail_preenter()
208 void minijail_preexec(struct minijail *j) in minijail_preexec() argument
210 int vfs = j->flags.vfs; in minijail_preexec()
211 int enter_vfs = j->flags.enter_vfs; in minijail_preexec()
212 int skip_remount_private = j->flags.skip_remount_private; in minijail_preexec()
213 int remount_proc_ro = j->flags.remount_proc_ro; in minijail_preexec()
214 int userns = j->flags.userns; in minijail_preexec()
215 if (j->user) in minijail_preexec()
216 free(j->user); in minijail_preexec()
217 j->user = NULL; in minijail_preexec()
218 if (j->suppl_gid_list) in minijail_preexec()
219 free(j->suppl_gid_list); in minijail_preexec()
220 j->suppl_gid_list = NULL; in minijail_preexec()
221 memset(&j->flags, 0, sizeof(j->flags)); in minijail_preexec()
223 j->flags.vfs = vfs; in minijail_preexec()
224 j->flags.enter_vfs = enter_vfs; in minijail_preexec()
225 j->flags.skip_remount_private = skip_remount_private; in minijail_preexec()
226 j->flags.remount_proc_ro = remount_proc_ro; in minijail_preexec()
227 j->flags.userns = userns; in minijail_preexec()
238 void API minijail_change_uid(struct minijail *j, uid_t uid) in minijail_change_uid() argument
242 j->uid = uid; in minijail_change_uid()
243 j->flags.uid = 1; in minijail_change_uid()
246 void API minijail_change_gid(struct minijail *j, gid_t gid) in minijail_change_gid() argument
250 j->gid = gid; in minijail_change_gid()
251 j->flags.gid = 1; in minijail_change_gid()
254 void API minijail_set_supplementary_gids(struct minijail *j, size_t size, in minijail_set_supplementary_gids() argument
259 if (j->flags.inherit_suppl_gids) in minijail_set_supplementary_gids()
261 if (j->flags.keep_suppl_gids) in minijail_set_supplementary_gids()
266 j->suppl_gid_list = NULL; in minijail_set_supplementary_gids()
267 j->suppl_gid_count = 0; in minijail_set_supplementary_gids()
268 j->flags.set_suppl_gids = 1; in minijail_set_supplementary_gids()
273 j->suppl_gid_list = calloc(size, sizeof(gid_t)); in minijail_set_supplementary_gids()
274 if (!j->suppl_gid_list) { in minijail_set_supplementary_gids()
278 j->suppl_gid_list[i] = list[i]; in minijail_set_supplementary_gids()
280 j->suppl_gid_count = size; in minijail_set_supplementary_gids()
281 j->flags.set_suppl_gids = 1; in minijail_set_supplementary_gids()
284 void API minijail_keep_supplementary_gids(struct minijail *j) { in minijail_keep_supplementary_gids() argument
285 j->flags.keep_suppl_gids = 1; in minijail_keep_supplementary_gids()
288 int API minijail_change_user(struct minijail *j, const char *user) in minijail_change_user() argument
315 minijail_change_uid(j, ppw->pw_uid); in minijail_change_user()
316 j->user = strdup(user); in minijail_change_user()
317 if (!j->user) in minijail_change_user()
319 j->usergid = ppw->pw_gid; in minijail_change_user()
323 int API minijail_change_group(struct minijail *j, const char *group) in minijail_change_group() argument
349 minijail_change_gid(j, pgr->gr_gid); in minijail_change_group()
353 void API minijail_use_seccomp(struct minijail *j) in minijail_use_seccomp() argument
355 j->flags.seccomp = 1; in minijail_use_seccomp()
358 void API minijail_no_new_privs(struct minijail *j) in minijail_no_new_privs() argument
360 j->flags.no_new_privs = 1; in minijail_no_new_privs()
363 void API minijail_use_seccomp_filter(struct minijail *j) in minijail_use_seccomp_filter() argument
365 j->flags.seccomp_filter = 1; in minijail_use_seccomp_filter()
368 void API minijail_set_seccomp_filter_tsync(struct minijail *j) in minijail_set_seccomp_filter_tsync() argument
370 if (j->filter_len > 0 && j->filter_prog != NULL) { in minijail_set_seccomp_filter_tsync()
374 j->flags.seccomp_filter_tsync = 1; in minijail_set_seccomp_filter_tsync()
377 void API minijail_log_seccomp_filter_failures(struct minijail *j) in minijail_log_seccomp_filter_failures() argument
379 if (j->filter_len > 0 && j->filter_prog != NULL) { in minijail_log_seccomp_filter_failures()
383 j->flags.seccomp_filter_logging = 1; in minijail_log_seccomp_filter_failures()
386 void API minijail_use_caps(struct minijail *j, uint64_t capmask) in minijail_use_caps() argument
396 if (j->flags.capbset_drop) { in minijail_use_caps()
398 j->cap_bset = 0; in minijail_use_caps()
399 j->flags.capbset_drop = 0; in minijail_use_caps()
401 j->caps = capmask; in minijail_use_caps()
402 j->flags.use_caps = 1; in minijail_use_caps()
405 void API minijail_capbset_drop(struct minijail *j, uint64_t capmask) in minijail_capbset_drop() argument
407 if (j->flags.use_caps) { in minijail_capbset_drop()
418 j->cap_bset = capmask; in minijail_capbset_drop()
419 j->flags.capbset_drop = 1; in minijail_capbset_drop()
422 void API minijail_reset_signal_mask(struct minijail *j) in minijail_reset_signal_mask() argument
424 j->flags.reset_signal_mask = 1; in minijail_reset_signal_mask()
427 void API minijail_namespace_vfs(struct minijail *j) in minijail_namespace_vfs() argument
429 j->flags.vfs = 1; in minijail_namespace_vfs()
432 void API minijail_namespace_enter_vfs(struct minijail *j, const char *ns_path) in minijail_namespace_enter_vfs() argument
438 j->mountns_fd = ns_fd; in minijail_namespace_enter_vfs()
439 j->flags.enter_vfs = 1; in minijail_namespace_enter_vfs()
442 void API minijail_new_session_keyring(struct minijail *j) in minijail_new_session_keyring() argument
444 j->flags.new_session_keyring = 1; in minijail_new_session_keyring()
447 void API minijail_skip_remount_private(struct minijail *j) in minijail_skip_remount_private() argument
449 j->flags.skip_remount_private = 1; in minijail_skip_remount_private()
452 void API minijail_namespace_pids(struct minijail *j) in minijail_namespace_pids() argument
454 j->flags.vfs = 1; in minijail_namespace_pids()
455 j->flags.remount_proc_ro = 1; in minijail_namespace_pids()
456 j->flags.pids = 1; in minijail_namespace_pids()
457 j->flags.do_init = 1; in minijail_namespace_pids()
460 void API minijail_namespace_ipc(struct minijail *j) in minijail_namespace_ipc() argument
462 j->flags.ipc = 1; in minijail_namespace_ipc()
465 void API minijail_namespace_net(struct minijail *j) in minijail_namespace_net() argument
467 j->flags.net = 1; in minijail_namespace_net()
470 void API minijail_namespace_enter_net(struct minijail *j, const char *ns_path) in minijail_namespace_enter_net() argument
476 j->netns_fd = ns_fd; in minijail_namespace_enter_net()
477 j->flags.enter_net = 1; in minijail_namespace_enter_net()
480 void API minijail_namespace_cgroups(struct minijail *j) in minijail_namespace_cgroups() argument
482 j->flags.ns_cgroups = 1; in minijail_namespace_cgroups()
485 void API minijail_close_open_fds(struct minijail *j) in minijail_close_open_fds() argument
487 j->flags.close_open_fds = 1; in minijail_close_open_fds()
490 void API minijail_remount_proc_readonly(struct minijail *j) in minijail_remount_proc_readonly() argument
492 j->flags.vfs = 1; in minijail_remount_proc_readonly()
493 j->flags.remount_proc_ro = 1; in minijail_remount_proc_readonly()
496 void API minijail_namespace_user(struct minijail *j) in minijail_namespace_user() argument
498 j->flags.userns = 1; in minijail_namespace_user()
501 void API minijail_namespace_user_disable_setgroups(struct minijail *j) in minijail_namespace_user_disable_setgroups() argument
503 j->flags.disable_setgroups = 1; in minijail_namespace_user_disable_setgroups()
506 int API minijail_uidmap(struct minijail *j, const char *uidmap) in minijail_uidmap() argument
508 j->uidmap = strdup(uidmap); in minijail_uidmap()
509 if (!j->uidmap) in minijail_uidmap()
512 for (ch = j->uidmap; *ch; ch++) { in minijail_uidmap()
519 int API minijail_gidmap(struct minijail *j, const char *gidmap) in minijail_gidmap() argument
521 j->gidmap = strdup(gidmap); in minijail_gidmap()
522 if (!j->gidmap) in minijail_gidmap()
525 for (ch = j->gidmap; *ch; ch++) { in minijail_gidmap()
532 void API minijail_inherit_usergroups(struct minijail *j) in minijail_inherit_usergroups() argument
534 j->flags.inherit_suppl_gids = 1; in minijail_inherit_usergroups()
537 void API minijail_run_as_init(struct minijail *j) in minijail_run_as_init() argument
543 j->flags.do_init = 0; in minijail_run_as_init()
546 int API minijail_enter_chroot(struct minijail *j, const char *dir) in minijail_enter_chroot() argument
548 if (j->chrootdir) in minijail_enter_chroot()
550 j->chrootdir = strdup(dir); in minijail_enter_chroot()
551 if (!j->chrootdir) in minijail_enter_chroot()
553 j->flags.chroot = 1; in minijail_enter_chroot()
557 int API minijail_enter_pivot_root(struct minijail *j, const char *dir) in minijail_enter_pivot_root() argument
559 if (j->chrootdir) in minijail_enter_pivot_root()
561 j->chrootdir = strdup(dir); in minijail_enter_pivot_root()
562 if (!j->chrootdir) in minijail_enter_pivot_root()
564 j->flags.pivot_root = 1; in minijail_enter_pivot_root()
568 char API *minijail_get_original_path(struct minijail *j, in minijail_get_original_path() argument
573 b = j->mounts_head; in minijail_get_original_path()
603 if (j->chrootdir) in minijail_get_original_path()
604 return path_join(j->chrootdir, path_inside_chroot); in minijail_get_original_path()
610 size_t minijail_get_tmpfs_size(const struct minijail *j) in minijail_get_tmpfs_size() argument
612 return j->tmpfs_size; in minijail_get_tmpfs_size()
615 void API minijail_mount_tmp(struct minijail *j) in minijail_mount_tmp() argument
617 minijail_mount_tmp_size(j, 64 * 1024 * 1024); in minijail_mount_tmp()
620 void API minijail_mount_tmp_size(struct minijail *j, size_t size) in minijail_mount_tmp_size() argument
622 j->tmpfs_size = size; in minijail_mount_tmp_size()
623 j->flags.mount_tmp = 1; in minijail_mount_tmp_size()
626 int API minijail_write_pid_file(struct minijail *j, const char *path) in minijail_write_pid_file() argument
628 j->pid_file_path = strdup(path); in minijail_write_pid_file()
629 if (!j->pid_file_path) in minijail_write_pid_file()
631 j->flags.pid_file = 1; in minijail_write_pid_file()
635 int API minijail_add_to_cgroup(struct minijail *j, const char *path) in minijail_add_to_cgroup() argument
637 if (j->cgroup_count >= MAX_CGROUPS) in minijail_add_to_cgroup()
639 j->cgroups[j->cgroup_count] = strdup(path); in minijail_add_to_cgroup()
640 if (!j->cgroups[j->cgroup_count]) in minijail_add_to_cgroup()
642 j->cgroup_count++; in minijail_add_to_cgroup()
643 j->flags.cgroups = 1; in minijail_add_to_cgroup()
647 int API minijail_mount_with_data(struct minijail *j, const char *src, in minijail_mount_with_data() argument
681 minijail_namespace_vfs(j); in minijail_mount_with_data()
683 if (j->mounts_tail) in minijail_mount_with_data()
684 j->mounts_tail->next = m; in minijail_mount_with_data()
686 j->mounts_head = m; in minijail_mount_with_data()
687 j->mounts_tail = m; in minijail_mount_with_data()
688 j->mounts_count++; in minijail_mount_with_data()
700 int API minijail_mount(struct minijail *j, const char *src, const char *dest, in minijail_mount() argument
703 return minijail_mount_with_data(j, src, dest, type, flags, NULL); in minijail_mount()
706 int API minijail_bind(struct minijail *j, const char *src, const char *dest, in minijail_bind() argument
714 return minijail_mount(j, src, dest, "", flags); in minijail_bind()
717 static void clear_seccomp_options(struct minijail *j) in clear_seccomp_options() argument
719 j->flags.seccomp_filter = 0; in clear_seccomp_options()
720 j->flags.seccomp_filter_tsync = 0; in clear_seccomp_options()
721 j->flags.seccomp_filter_logging = 0; in clear_seccomp_options()
722 j->filter_len = 0; in clear_seccomp_options()
723 j->filter_prog = NULL; in clear_seccomp_options()
724 j->flags.no_new_privs = 0; in clear_seccomp_options()
727 static int seccomp_should_parse_filters(struct minijail *j) in seccomp_should_parse_filters() argument
739 clear_seccomp_options(j); in seccomp_should_parse_filters()
748 if (j->flags.seccomp_filter_tsync) { in seccomp_should_parse_filters()
755 clear_seccomp_options(j); in seccomp_should_parse_filters()
761 clear_seccomp_options(j); in seccomp_should_parse_filters()
775 static int parse_seccomp_filters(struct minijail *j, FILE *policy_file) in parse_seccomp_filters() argument
779 j->flags.seccomp_filter_tsync || j->flags.seccomp_filter_logging; in parse_seccomp_filters()
780 int allow_logging = j->flags.seccomp_filter_logging; in parse_seccomp_filters()
787 j->filter_len = fprog->len; in parse_seccomp_filters()
788 j->filter_prog = fprog; in parse_seccomp_filters()
792 void API minijail_parse_seccomp_filters(struct minijail *j, const char *path) in minijail_parse_seccomp_filters() argument
794 if (!seccomp_should_parse_filters(j)) in minijail_parse_seccomp_filters()
802 if (parse_seccomp_filters(j, file) != 0) { in minijail_parse_seccomp_filters()
809 void API minijail_parse_seccomp_filters_from_fd(struct minijail *j, int fd) in minijail_parse_seccomp_filters_from_fd() argument
811 if (!seccomp_should_parse_filters(j)) in minijail_parse_seccomp_filters_from_fd()
819 if (parse_seccomp_filters(j, file) != 0) { in minijail_parse_seccomp_filters_from_fd()
826 int API minijail_use_alt_syscall(struct minijail *j, const char *table) in minijail_use_alt_syscall() argument
828 j->alt_syscall_table = strdup(table); in minijail_use_alt_syscall()
829 if (!j->alt_syscall_table) in minijail_use_alt_syscall()
831 j->flags.alt_syscall = 1; in minijail_use_alt_syscall()
875 const struct minijail *j) in minijail_marshal_helper() argument
880 marshal_append(state, (char *)j, sizeof(*j)); in minijail_marshal_helper()
881 if (j->user) in minijail_marshal_helper()
882 marshal_append(state, j->user, strlen(j->user) + 1); in minijail_marshal_helper()
883 if (j->suppl_gid_list) { in minijail_marshal_helper()
884 marshal_append(state, j->suppl_gid_list, in minijail_marshal_helper()
885 j->suppl_gid_count * sizeof(gid_t)); in minijail_marshal_helper()
887 if (j->chrootdir) in minijail_marshal_helper()
888 marshal_append(state, j->chrootdir, strlen(j->chrootdir) + 1); in minijail_marshal_helper()
889 if (j->alt_syscall_table) { in minijail_marshal_helper()
890 marshal_append(state, j->alt_syscall_table, in minijail_marshal_helper()
891 strlen(j->alt_syscall_table) + 1); in minijail_marshal_helper()
893 if (j->flags.seccomp_filter && j->filter_prog) { in minijail_marshal_helper()
894 struct sock_fprog *fp = j->filter_prog; in minijail_marshal_helper()
898 for (m = j->mounts_head; m; m = m->next) { in minijail_marshal_helper()
901 for (i = 0; i < j->cgroup_count; ++i) in minijail_marshal_helper()
902 marshal_append(state, j->cgroups[i], strlen(j->cgroups[i]) + 1); in minijail_marshal_helper()
905 size_t API minijail_size(const struct minijail *j) in minijail_size() argument
909 minijail_marshal_helper(&state, j); in minijail_size()
913 int minijail_marshal(const struct minijail *j, char *buf, size_t available) in minijail_marshal() argument
917 minijail_marshal_helper(&state, j); in minijail_marshal()
921 int minijail_unmarshal(struct minijail *j, char *serialized, size_t length) in minijail_unmarshal() argument
927 if (length < sizeof(*j)) in minijail_unmarshal()
929 memcpy((void *)j, serialized, sizeof(*j)); in minijail_unmarshal()
930 serialized += sizeof(*j); in minijail_unmarshal()
931 length -= sizeof(*j); in minijail_unmarshal()
934 j->pid_file_path = NULL; in minijail_unmarshal()
935 j->uidmap = NULL; in minijail_unmarshal()
936 j->gidmap = NULL; in minijail_unmarshal()
937 j->mounts_head = NULL; in minijail_unmarshal()
938 j->mounts_tail = NULL; in minijail_unmarshal()
939 j->filter_prog = NULL; in minijail_unmarshal()
941 if (j->user) { /* stale pointer */ in minijail_unmarshal()
945 j->user = strdup(user); in minijail_unmarshal()
946 if (!j->user) in minijail_unmarshal()
950 if (j->suppl_gid_list) { /* stale pointer */ in minijail_unmarshal()
951 if (j->suppl_gid_count > NGROUPS_MAX) { in minijail_unmarshal()
954 size_t gid_list_size = j->suppl_gid_count * sizeof(gid_t); in minijail_unmarshal()
960 j->suppl_gid_list = calloc(j->suppl_gid_count, sizeof(gid_t)); in minijail_unmarshal()
961 if (!j->suppl_gid_list) in minijail_unmarshal()
964 memcpy(j->suppl_gid_list, gid_list_bytes, gid_list_size); in minijail_unmarshal()
967 if (j->chrootdir) { /* stale pointer */ in minijail_unmarshal()
971 j->chrootdir = strdup(chrootdir); in minijail_unmarshal()
972 if (!j->chrootdir) in minijail_unmarshal()
976 if (j->alt_syscall_table) { /* stale pointer */ in minijail_unmarshal()
980 j->alt_syscall_table = strdup(alt_syscall_table); in minijail_unmarshal()
981 if (!j->alt_syscall_table) in minijail_unmarshal()
985 if (j->flags.seccomp_filter && j->filter_len > 0) { in minijail_unmarshal()
986 size_t ninstrs = j->filter_len; in minijail_unmarshal()
996 j->filter_prog = malloc(sizeof(struct sock_fprog)); in minijail_unmarshal()
997 if (!j->filter_prog) in minijail_unmarshal()
1000 j->filter_prog->len = ninstrs; in minijail_unmarshal()
1001 j->filter_prog->filter = malloc(program_len); in minijail_unmarshal()
1002 if (!j->filter_prog->filter) in minijail_unmarshal()
1005 memcpy(j->filter_prog->filter, program, program_len); in minijail_unmarshal()
1008 count = j->mounts_count; in minijail_unmarshal()
1009 j->mounts_count = 0; in minijail_unmarshal()
1037 if (minijail_mount_with_data(j, src, dest, type, *flags, data)) in minijail_unmarshal()
1041 count = j->cgroup_count; in minijail_unmarshal()
1042 j->cgroup_count = 0; in minijail_unmarshal()
1047 j->cgroups[i] = strdup(cgroup); in minijail_unmarshal()
1048 if (!j->cgroups[i]) in minijail_unmarshal()
1050 ++j->cgroup_count; in minijail_unmarshal()
1056 while (j->mounts_head) { in minijail_unmarshal()
1057 struct mountpoint *m = j->mounts_head; in minijail_unmarshal()
1058 j->mounts_head = j->mounts_head->next; in minijail_unmarshal()
1065 for (i = 0; i < j->cgroup_count; ++i) in minijail_unmarshal()
1066 free(j->cgroups[i]); in minijail_unmarshal()
1068 if (j->flags.seccomp_filter && j->filter_len > 0) { in minijail_unmarshal()
1069 free(j->filter_prog->filter); in minijail_unmarshal()
1070 free(j->filter_prog); in minijail_unmarshal()
1073 if (j->filter_prog) in minijail_unmarshal()
1074 free(j->filter_prog); in minijail_unmarshal()
1076 if (j->alt_syscall_table) in minijail_unmarshal()
1077 free(j->alt_syscall_table); in minijail_unmarshal()
1079 if (j->chrootdir) in minijail_unmarshal()
1080 free(j->chrootdir); in minijail_unmarshal()
1082 if (j->suppl_gid_list) in minijail_unmarshal()
1083 free(j->suppl_gid_list); in minijail_unmarshal()
1085 if (j->user) in minijail_unmarshal()
1086 free(j->user); in minijail_unmarshal()
1088 j->user = NULL; in minijail_unmarshal()
1089 j->suppl_gid_list = NULL; in minijail_unmarshal()
1090 j->chrootdir = NULL; in minijail_unmarshal()
1091 j->alt_syscall_table = NULL; in minijail_unmarshal()
1092 j->cgroup_count = 0; in minijail_unmarshal()
1137 static int mount_one(const struct minijail *j, struct mountpoint *m) in mount_one() argument
1144 if (asprintf(&dest, "%s%s", j->chrootdir, m->dest) < 0) in mount_one()
1147 if (setup_mount_destination(m->src, dest, j->uid, j->gid)) in mount_one()
1174 return mount_one(j, m->next); in mount_one()
1178 static int enter_chroot(const struct minijail *j) in enter_chroot() argument
1182 if (j->mounts_head && (ret = mount_one(j, j->mounts_head))) in enter_chroot()
1185 if (chroot(j->chrootdir)) in enter_chroot()
1194 static int enter_pivot_root(const struct minijail *j) in enter_pivot_root() argument
1198 if (j->mounts_head && (ret = mount_one(j, j->mounts_head))) in enter_pivot_root()
1208 newroot = open(j->chrootdir, O_DIRECTORY | O_RDONLY | O_CLOEXEC); in enter_pivot_root()
1210 pdie("failed to open %s for fchdir", j->chrootdir); in enter_pivot_root()
1216 if (mount(j->chrootdir, j->chrootdir, "bind", MS_BIND | MS_REC, "")) in enter_pivot_root()
1217 pdie("failed to bind mount '%s'", j->chrootdir); in enter_pivot_root()
1218 if (chdir(j->chrootdir)) in enter_pivot_root()
1260 static int mount_tmp(const struct minijail *j) in mount_tmp() argument
1267 ret = snprintf(data, sizeof(data), fmt, j->tmpfs_size); in mount_tmp()
1277 static int remount_proc_readonly(const struct minijail *j) in remount_proc_readonly() argument
1293 if (j->flags.userns) { in remount_proc_readonly()
1305 static void kill_child_and_die(const struct minijail *j, const char *msg) in kill_child_and_die() argument
1307 kill(j->initpid, SIGKILL); in kill_child_and_die()
1311 static void write_pid_file_or_die(const struct minijail *j) in write_pid_file_or_die() argument
1313 if (write_pid_to_path(j->initpid, j->pid_file_path)) in write_pid_file_or_die()
1314 kill_child_and_die(j, "failed to write pid file"); in write_pid_file_or_die()
1317 static void add_to_cgroups_or_die(const struct minijail *j) in add_to_cgroups_or_die() argument
1321 for (i = 0; i < j->cgroup_count; ++i) { in add_to_cgroups_or_die()
1322 if (write_pid_to_path(j->initpid, j->cgroups[i])) in add_to_cgroups_or_die()
1323 kill_child_and_die(j, "failed to add to cgroups"); in add_to_cgroups_or_die()
1327 static void write_ugid_maps_or_die(const struct minijail *j) in write_ugid_maps_or_die() argument
1329 if (j->uidmap && write_proc_file(j->initpid, j->uidmap, "uid_map") != 0) in write_ugid_maps_or_die()
1330 kill_child_and_die(j, "failed to write uid_map"); in write_ugid_maps_or_die()
1331 if (j->gidmap && j->flags.disable_setgroups) { in write_ugid_maps_or_die()
1333 int ret = write_proc_file(j->initpid, "deny", "setgroups"); in write_ugid_maps_or_die()
1339 kill_child_and_die(j, "failed to disable setgroups(2)"); in write_ugid_maps_or_die()
1342 if (j->gidmap && write_proc_file(j->initpid, j->gidmap, "gid_map") != 0) in write_ugid_maps_or_die()
1343 kill_child_and_die(j, "failed to write gid_map"); in write_ugid_maps_or_die()
1346 static void enter_user_namespace(const struct minijail *j) in enter_user_namespace() argument
1348 if (j->uidmap && setresuid(0, 0, 0)) in enter_user_namespace()
1350 if (j->gidmap && setresgid(0, 0, 0)) in enter_user_namespace()
1376 static void drop_ugid(const struct minijail *j) in drop_ugid() argument
1378 if (j->flags.inherit_suppl_gids + j->flags.keep_suppl_gids + in drop_ugid()
1379 j->flags.set_suppl_gids > 1) { in drop_ugid()
1384 if (j->flags.inherit_suppl_gids) { in drop_ugid()
1385 if (initgroups(j->user, j->usergid)) in drop_ugid()
1386 pdie("initgroups(%s, %d) failed", j->user, j->usergid); in drop_ugid()
1387 } else if (j->flags.set_suppl_gids) { in drop_ugid()
1388 if (setgroups(j->suppl_gid_count, j->suppl_gid_list)) in drop_ugid()
1390 } else if (!j->flags.keep_suppl_gids) { in drop_ugid()
1395 if ((j->flags.uid || j->flags.gid) && setgroups(0, NULL)) in drop_ugid()
1399 if (j->flags.gid && setresgid(j->gid, j->gid, j->gid)) in drop_ugid()
1400 pdie("setresgid(%d, %d, %d) failed", j->gid, j->gid, j->gid); in drop_ugid()
1402 if (j->flags.uid && setresuid(j->uid, j->uid, j->uid)) in drop_ugid()
1403 pdie("setresuid(%d, %d, %d) failed", j->uid, j->uid, j->uid); in drop_ugid()
1449 static void drop_caps(const struct minijail *j, unsigned int last_valid_cap) in drop_caps() argument
1451 if (!j->flags.use_caps) in drop_caps()
1466 for (i = 0; i < sizeof(j->caps) * 8 && i <= last_valid_cap; ++i) { in drop_caps()
1468 if (i != CAP_SETPCAP && !(j->caps & (one << i))) in drop_caps()
1487 drop_capbset(j->caps, last_valid_cap); in drop_caps()
1490 if ((j->caps & (one << CAP_SETPCAP)) == 0) { in drop_caps()
1506 static void set_seccomp_filter(const struct minijail *j) in set_seccomp_filter() argument
1512 if (j->flags.no_new_privs) { in set_seccomp_filter()
1527 if (j->flags.seccomp_filter && running_with_asan()) { in set_seccomp_filter()
1532 if (j->flags.seccomp_filter) { in set_seccomp_filter()
1533 if (j->flags.seccomp_filter_logging) { in set_seccomp_filter()
1541 } else if (j->flags.seccomp_filter_tsync) { in set_seccomp_filter()
1556 if (j->flags.seccomp_filter) { in set_seccomp_filter()
1557 if (j->flags.seccomp_filter_tsync) { in set_seccomp_filter()
1560 j->filter_prog)) { in set_seccomp_filter()
1565 j->filter_prog)) { in set_seccomp_filter()
1601 void API minijail_enter(const struct minijail *j) in minijail_enter() argument
1608 if (j->flags.capbset_drop || j->flags.use_caps) in minijail_enter()
1611 if (j->flags.pids) in minijail_enter()
1615 if (j->flags.inherit_suppl_gids && !j->user) in minijail_enter()
1624 if (j->flags.enter_vfs && setns(j->mountns_fd, CLONE_NEWNS)) in minijail_enter()
1627 if (j->flags.vfs) { in minijail_enter()
1636 if (!j->flags.skip_remount_private) { in minijail_enter()
1643 if (j->flags.ipc && unshare(CLONE_NEWIPC)) { in minijail_enter()
1647 if (j->flags.enter_net) { in minijail_enter()
1648 if (setns(j->netns_fd, CLONE_NEWNET)) in minijail_enter()
1650 } else if (j->flags.net) { in minijail_enter()
1656 if (j->flags.ns_cgroups && unshare(CLONE_NEWCGROUP)) in minijail_enter()
1659 if (j->flags.new_session_keyring) { in minijail_enter()
1664 if (j->flags.chroot && enter_chroot(j)) in minijail_enter()
1667 if (j->flags.pivot_root && enter_pivot_root(j)) in minijail_enter()
1670 if (j->flags.mount_tmp && mount_tmp(j)) in minijail_enter()
1673 if (j->flags.remount_proc_ro && remount_proc_readonly(j)) in minijail_enter()
1680 if (j->flags.capbset_drop) { in minijail_enter()
1681 drop_capbset(j->cap_bset, last_valid_cap); in minijail_enter()
1684 if (j->flags.use_caps) { in minijail_enter()
1715 if (j->flags.no_new_privs) { in minijail_enter()
1721 drop_ugid(j); in minijail_enter()
1722 drop_caps(j, last_valid_cap); in minijail_enter()
1723 set_seccomp_filter(j); in minijail_enter()
1732 set_seccomp_filter(j); in minijail_enter()
1733 drop_ugid(j); in minijail_enter()
1734 drop_caps(j, last_valid_cap); in minijail_enter()
1741 if (j->flags.alt_syscall) { in minijail_enter()
1742 if (prctl(PR_ALT_SYSCALL, 1, j->alt_syscall_table)) in minijail_enter()
1750 if (j->flags.seccomp && prctl(PR_SET_SECCOMP, 1)) { in minijail_enter()
1787 int API minijail_from_fd(int fd, struct minijail *j) in minijail_from_fd() argument
1805 r = minijail_unmarshal(j, buf, sz); in minijail_from_fd()
1810 int API minijail_to_fd(struct minijail *j, int fd) in minijail_to_fd() argument
1813 size_t sz = minijail_size(j); in minijail_to_fd()
1820 r = minijail_marshal(j, buf, sz); in minijail_to_fd()
1931 int minijail_run_internal(struct minijail *j, const char *filename,
1936 int API minijail_run(struct minijail *j, const char *filename, in minijail_run() argument
1939 return minijail_run_internal(j, filename, argv, NULL, NULL, NULL, NULL, in minijail_run()
1943 int API minijail_run_pid(struct minijail *j, const char *filename, in minijail_run_pid() argument
1946 return minijail_run_internal(j, filename, argv, pchild_pid, in minijail_run_pid()
1950 int API minijail_run_pipe(struct minijail *j, const char *filename, in minijail_run_pipe() argument
1953 return minijail_run_internal(j, filename, argv, NULL, pstdin_fd, in minijail_run_pipe()
1957 int API minijail_run_pid_pipes(struct minijail *j, const char *filename, in minijail_run_pid_pipes() argument
1961 return minijail_run_internal(j, filename, argv, pchild_pid, in minijail_run_pid_pipes()
1965 int API minijail_run_no_preload(struct minijail *j, const char *filename, in minijail_run_no_preload() argument
1968 return minijail_run_internal(j, filename, argv, NULL, NULL, NULL, NULL, in minijail_run_no_preload()
1972 int API minijail_run_pid_pipes_no_preload(struct minijail *j, in minijail_run_pid_pipes_no_preload() argument
1979 return minijail_run_internal(j, filename, argv, pchild_pid, in minijail_run_pid_pipes_no_preload()
1983 int minijail_run_internal(struct minijail *j, const char *filename, in minijail_run_internal() argument
1998 int pid_namespace = j->flags.pids; in minijail_run_internal()
1999 int do_init = j->flags.do_init; in minijail_run_internal()
2014 if (j->flags.use_caps && j->caps != 0) in minijail_run_internal()
2077 if (j->flags.userns || j->flags.cgroups) { in minijail_run_internal()
2126 if (j->flags.userns) in minijail_run_internal()
2152 j->initpid = child_pid; in minijail_run_internal()
2154 if (j->flags.pid_file) in minijail_run_internal()
2155 write_pid_file_or_die(j); in minijail_run_internal()
2157 if (j->flags.cgroups) in minijail_run_internal()
2158 add_to_cgroups_or_die(j); in minijail_run_internal()
2160 if (j->flags.userns) in minijail_run_internal()
2161 write_ugid_maps_or_die(j); in minijail_run_internal()
2169 ret = minijail_to_fd(j, pipe_fds[1]); in minijail_run_internal()
2172 kill(j->initpid, SIGKILL); in minijail_run_internal()
2209 if (j->flags.reset_signal_mask) { in minijail_run_internal()
2217 if (j->flags.close_open_fds) { in minijail_run_internal()
2249 if (j->flags.userns) in minijail_run_internal()
2250 enter_user_namespace(j); in minijail_run_internal()
2297 j->flags.remount_proc_ro = 0; in minijail_run_internal()
2301 minijail_preexec(j); in minijail_run_internal()
2308 j->flags.pids = 0; in minijail_run_internal()
2311 minijail_enter(j); in minijail_run_internal()
2352 int API minijail_kill(struct minijail *j) in minijail_kill() argument
2355 if (kill(j->initpid, SIGTERM)) in minijail_kill()
2357 if (waitpid(j->initpid, &st, 0) < 0) in minijail_kill()
2362 int API minijail_wait(struct minijail *j) in minijail_wait() argument
2365 if (waitpid(j->initpid, &st, 0) < 0) in minijail_wait()
2373 j->initpid, signum); in minijail_wait()
2393 j->initpid, exit_status); in minijail_wait()
2398 void API minijail_destroy(struct minijail *j) in minijail_destroy() argument
2402 if (j->flags.seccomp_filter && j->filter_prog) { in minijail_destroy()
2403 free(j->filter_prog->filter); in minijail_destroy()
2404 free(j->filter_prog); in minijail_destroy()
2406 while (j->mounts_head) { in minijail_destroy()
2407 struct mountpoint *m = j->mounts_head; in minijail_destroy()
2408 j->mounts_head = j->mounts_head->next; in minijail_destroy()
2415 j->mounts_tail = NULL; in minijail_destroy()
2416 if (j->user) in minijail_destroy()
2417 free(j->user); in minijail_destroy()
2418 if (j->suppl_gid_list) in minijail_destroy()
2419 free(j->suppl_gid_list); in minijail_destroy()
2420 if (j->chrootdir) in minijail_destroy()
2421 free(j->chrootdir); in minijail_destroy()
2422 if (j->pid_file_path) in minijail_destroy()
2423 free(j->pid_file_path); in minijail_destroy()
2424 if (j->uidmap) in minijail_destroy()
2425 free(j->uidmap); in minijail_destroy()
2426 if (j->gidmap) in minijail_destroy()
2427 free(j->gidmap); in minijail_destroy()
2428 if (j->alt_syscall_table) in minijail_destroy()
2429 free(j->alt_syscall_table); in minijail_destroy()
2430 for (i = 0; i < j->cgroup_count; ++i) in minijail_destroy()
2431 free(j->cgroups[i]); in minijail_destroy()
2432 free(j); in minijail_destroy()