// Copyright (c) 2009 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Some portions Copyright (c) 2009 The Chromium Authors.
//
// Implements MiniJail jailing logic.

#include "minijail.h"

#include <errno.h>
#include <sched.h>
#include <sys/types.h>
#include <unistd.h>

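namespace chromeos {

// Applies every restriction enabled in options() to the calling process.
//
// The steps run in a fixed order -- namespaces, read-only mounts, capability
// retention, tracing, uid/gid change, syscall filtering, capability
// sanitization -- and the first step that fails aborts the sequence.  Nothing
// here undoes earlier steps, so a false return leaves the process only
// partially restricted; a true return means every requested step succeeded.
//
// Returns true on success, false (after logging which step failed) otherwise.
bool MiniJail::Jail() const {
  // XXX This is a very early implementation of the jailing logic.
  // XXX Many features are missing or will be made more tunable.
  const minijail::Options *opts = options();
  if (!opts) {
    LOG(ERROR) << "No Options given. Initialize must be called first "
               << "with a valid Option pointer.";
    return false;
  }
  // Every step below goes through env, so a null one would be dereferenced
  // on the first enabled option; reject it up front the same way as opts.
  const minijail::Env *env = opts->env();
  if (!env) {
    LOG(ERROR) << "Options carry no Env; cannot apply the jail.";
    return false;
  }

  int namespaces = 0;
  if (opts->namespace_pid())
    namespaces |= CLONE_NEWPID;
  if (opts->namespace_vfs())
    namespaces |= CLONE_NEWNS;
  // Namespaces are entered before anything else so that the later steps
  // (the mounts in particular) take effect inside the new namespace.
  if (namespaces && !env->EnterNamespace(namespaces)) {
    LOG(ERROR) << "Failed to enter namespaces (flags " << namespaces << ").";
    return false;
  }

  // Read-only mounts are only attempted when a private mount namespace was
  // also requested; without one the request is silently skipped -- presumably
  // to keep the host's mount table untouched, confirm against the Options
  // contract.
  if (opts->namespace_vfs() && opts->add_readonly_mounts()) {
    if (!env->Mount()) {  // TODO(wad) add flags
      LOG(ERROR) << "Failed to set up read-only mounts.";
      return false;
    }
  }

  if (opts->use_capabilities()) {
    // NOTE(review): the ordering suggests capabilities are retained here so
    // that SanitizeCapabilities/SanitizeBoundingSet can still run after the
    // uid change below -- confirm against Env.
    if (!env->KeepRootCapabilities()) {
      LOG(ERROR) << "Failed to keep root capabilities.";
      return false;
    }
    if (!env->DisableDefaultRootPrivileges()) {
      LOG(ERROR) << "Failed to disable default root privileges.";
      return false;
    }
  }

  if (opts->disable_tracing()) {
    if (!env->DisableTracing()) {
      LOG(ERROR) << "Failed to disable tracing.";
      return false;
    }
  }

  // The current ids are the defaults, so only the half that was requested
  // actually changes.
  uid_t uid = getuid();
  if (opts->change_uid()) {
    uid = opts->uid();
  }
  gid_t gid = getgid();
  if (opts->change_gid()) {
    gid = opts->gid();
  }
  // TODO(wad) separate group and user changes
  if (opts->change_uid() || opts->change_gid()) {
    DLOG(INFO) << "Attempting to change user and/or groups...";
    if (!env->ChangeUser(uid, gid)) {
      LOG(ERROR) << "Failed to change to uid " << uid << " gid " << gid << ".";
      return false;
    }
  }

  // The two filtering modes are mutually exclusive; "by source" wins when
  // both are enabled.
  if (opts->enforce_syscalls_by_source()) {
    if (!env->FilterSyscallsBySource()) {
      LOG(ERROR) << "Failed to install the by-source syscall filter.";
      return false;
    }
  } else if (opts->enforce_syscalls_benchmark()) {
    if (!env->FilterSyscallsBenchmarkOnly()) {
      LOG(ERROR) << "Failed to install the benchmark-only syscall filter.";
      return false;
    }
  }

  if (opts->use_capabilities()) {
    // TODO(wad) use helpers to read caps from flags
    // The argument is hard-coded to 0 until those helpers exist; what 0
    // selects is defined by Env, not here.
    if (!env->SanitizeCapabilities(0)) {
      LOG(ERROR) << "Failed to sanitize capabilities.";
      return false;
    }
    if (!env->SanitizeBoundingSet(0)) {
      LOG(ERROR) << "Failed to sanitize the capability bounding set.";
      return false;
    }
  }
  return true;
}

}  // namespace chromeos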