// Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "debugd/src/sandboxed_process.h"

#include <climits>
#include <cstdlib>

#include <string>

#include <base/strings/stringprintf.h>

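namespace debugd {

// Identity a sandboxed helper is dropped to when the caller has not chosen
// one with SandboxAs().
const char *SandboxedProcess::kDefaultUser = "debugd";
const char *SandboxedProcess::kDefaultGroup = "debugd";

// A freshly constructed process is sandboxed as kDefaultUser:kDefaultGroup
// and is not given access to the root mount namespace. Callers opt out of the
// sandbox with DisableSandbox() and opt in to the root mount namespace with
// AllowAccessRootMountNamespace().
SandboxedProcess::SandboxedProcess()
    : sandboxing_(true),
      access_root_mount_ns_(false),
      user_(kDefaultUser),
      group_(kDefaultGroup) {
}

// static
// Resolves |relative_path| against the helpers directory and stores the result
// in |*full_path|. Returns false, leaving |*full_path| untouched, when the
// resulting path would not fit in a PATH_MAX-sized buffer.
bool SandboxedProcess::GetHelperPath(const std::string& relative_path,
                                     std::string* full_path) {
  // This environment variable controls the root directory for debugd helpers,
  // which lets people develop helpers even when verified boot is on.
  // NOTE(review): the override is honoured whenever it is set, so the helpers
  // directory is only as trustworthy as the daemon's environment; nothing here
  // validates |relative_path| either (e.g. against ".." components), which is
  // presumably fine because callers pass fixed helper names — verify at the
  // call sites.
  const char* helpers_dir = getenv("DEBUGD_HELPERS");
  const std::string path = base::StringPrintf(
      "%s/%s",
      helpers_dir ? helpers_dir : "/usr/libexec/debugd/helpers",
      relative_path.c_str());

  // PATH_MAX counts the terminating NUL, so a path of exactly PATH_MAX
  // characters already does not fit; reject it as well (previously only
  // strictly longer paths were rejected).
  if (path.length() >= PATH_MAX)
    return false;

  *full_path = path;
  return true;
}

// Prepends the minijail0 invocation that implements the sandbox to the
// argument list. Must run before the helper's own arguments are added: the
// trailing "--" ends minijail0's option parsing, and everything added after
// it is the command minijail0 executes. Returns false when sandboxing is on
// but the user or group is empty; with sandboxing off there is nothing to do
// and the call succeeds.
bool SandboxedProcess::Init() {
  if (!sandboxing_)
    return true;

  if (user_.empty() || group_.empty())
    return false;

  const char* const kMiniJail = "/sbin/minijail0";
  AddArg(kMiniJail);

  // A user or group of "root" is expressed by omitting the corresponding
  // minijail0 flag rather than passing it explicitly.
  if (user_ != "root") {
    AddArg("-u");
    AddArg(user_);
  }
  if (group_ != "root") {
    AddArg("-g");
    AddArg(group_);
  }

  if (access_root_mount_ns_) {
    // Enter root mount namespace (init's, reached through /proc/1/ns/mnt).
    AddStringOption("-V", "/proc/1/ns/mnt");
    // Enter a new mount namespace.
    // This will maintain access to the root mount namespace but will not
    // pollute it with new mounts.
    AddArg("-v");
  }

  // Terminates minijail0's options; whatever is added next is the sandboxed
  // command line, never interpreted as a minijail0 flag.
  AddArg("--");
  return true;
}

// Makes Init() skip minijail0 entirely, so the process runs unsandboxed.
// Only affects a subsequent Init(); arguments already added stay as they are.
void SandboxedProcess::DisableSandbox() {
  sandboxing_ = false;
}

// Turns the sandbox (back) on and selects the identity Init() passes to
// minijail0. Either value may be "root", which makes Init() omit the matching
// flag; an empty value makes Init() fail.
void SandboxedProcess::SandboxAs(const std::string& user,
                                 const std::string& group) {
  sandboxing_ = true;
  user_ = user;
  group_ = group;
}

// Asks Init() to have minijail0 enter the root mount namespace via
// "-V /proc/1/ns/mnt", with a fresh mount namespace ("-v") on top of it so
// the helper's own mounts do not leak into it. Only has an effect while
// sandboxing is enabled.
void SandboxedProcess::AllowAccessRootMountNamespace() {
  access_root_mount_ns_ = true;
}

}  // namespace debugd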