// Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
4
#include "debugd/src/sandboxed_process.h"

#include <limits.h>
#include <stdlib.h>

#include <base/strings/stringprintf.h>
8
Elly Fong-Jonesd9a16cd2012-11-12 16:09:49 -05009namespace debugd {
10
// Identity a sandboxed helper runs under unless SandboxAs() selects another.
const char* SandboxedProcess::kDefaultUser = "debugd";
const char* SandboxedProcess::kDefaultGroup = "debugd";
13
// Helpers are jailed by default, as kDefaultUser:kDefaultGroup, in their own
// mount namespace; DisableSandbox(), SandboxAs() and
// AllowAccessRootMountNamespace() relax or adjust this before Init().
SandboxedProcess::SandboxedProcess()
    : sandboxing_(true),
      access_root_mount_ns_(false),
      user_(kDefaultUser),
      group_(kDefaultGroup) {}
Elly Fong-Jonesd9a16cd2012-11-12 16:09:49 -050020
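// static
// Resolves |relative_path| against the debugd helpers directory.
//
// The DEBUGD_HELPERS environment variable overrides the helpers root so that
// helpers can be developed on a device with verified boot enabled. As a
// consequence, whatever can set the daemon's environment also decides where
// helper paths resolve; the environment is part of this daemon's trust
// boundary.
//
// Returns true and stores the joined path in |*full_path|, or false (leaving
// |*full_path| untouched) when the result would not fit in a PATH_MAX buffer.
bool SandboxedProcess::GetHelperPath(const std::string& relative_path,
                                     std::string* full_path) {
  const char* helpers_dir = getenv("DEBUGD_HELPERS");
  const std::string path = base::StringPrintf(
      "%s/%s",
      helpers_dir ? helpers_dir : "/usr/libexec/debugd/helpers",
      relative_path.c_str());

  // PATH_MAX counts the terminating NUL, so a path of exactly PATH_MAX
  // characters already does not fit; reject it too (the original check only
  // rejected strictly longer paths).
  if (path.length() >= PATH_MAX)
    return false;

  // NOTE(review): |relative_path| is joined verbatim, without canonicalization;
  // this assumes callers pass fixed helper names rather than external input —
  // confirm at the call sites.
  *full_path = path;
  return true;
}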
38
// Builds the minijail0 prefix of the command line from the current
// sandboxing settings. Returns false when sandboxing is requested but no
// user or group is configured; arguments added before that point remain.
bool SandboxedProcess::Init() {
  const char kMiniJail[] = "/sbin/minijail0";

  AddArg(kMiniJail);
  // Every helper gets a fresh mount namespace (-v) so that nothing it mounts
  // reaches the daemon's original namespace.
  AddArg("-v");

  if (sandboxing_) {
    // A jail with no identity to drop to is not a jail; refuse to build it.
    if (user_.empty() || group_.empty())
      return false;

    // "root" means "keep the current id": no -u/-g is passed in that case.
    const bool drop_user = user_ != "root";
    const bool drop_group = group_ != "root";
    if (drop_user) {
      AddArg("-u");
      AddArg(user_);
    }
    if (drop_group) {
      AddArg("-g");
      AddArg(group_);
    }
  }

  // Helpers that opt in via AllowAccessRootMountNamespace() are placed in
  // init's (pid 1) mount namespace instead, which undoes the isolation the
  // fresh namespace above provides for that helper.
  if (access_root_mount_ns_)
    AddStringOption("-V", "/proc/1/ns/mnt");

  // Everything added after this is the helper command itself.
  AddArg("--");

  return true;
}
70
// Runs the helper without the -u/-g identity drop. Init() still prefixes
// minijail0 -v, so the helper keeps its own mount namespace.
void SandboxedProcess::DisableSandbox() {
  sandboxing_ = false;
}
74
// Selects the identity the helper is jailed as. Choosing one re-enables
// sandboxing even after DisableSandbox(); "root" for either value means
// that id is not changed (see Init()).
void SandboxedProcess::SandboxAs(const std::string& user,
                                 const std::string& group) {
  user_ = user;
  group_ = group;
  sandboxing_ = true;
}
81
// Makes Init() place the helper in init's mount namespace (/proc/1/ns/mnt)
// rather than an isolated one. This widens what the helper can see and
// touch, so it should be requested only by helpers that need the real mounts.
void SandboxedProcess::AllowAccessRootMountNamespace() {
  access_root_mount_ns_ = true;
}
85
Ben Chana0011d82014-05-13 00:19:29 -070086} // namespace debugd