Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromiumos / platform2 / 7350f85b31eee33e6eda8dcc1a8c9802b57fd021 / . / debugd / src / sandboxed_process.h
blob: 9341e94362db77bff131542b9cbd9d1a54282a35 [file] [log] [blame]
Elly Fong-Jonesd9a16cd2012-11-12 16:09:49 -0500[diff] [blame]1// Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
Alex Vakulenko262be3f2014-07-30 15:25:50 -0700[diff] [blame]5#ifndef DEBUGD_SRC_SANDBOXED_PROCESS_H_
6#define DEBUGD_SRC_SANDBOXED_PROCESS_H_
Ben Chana0011d82014-05-13 00:19:29 -0700[diff] [blame]7
8#include <string>
Ricky Liang1ef73e52016-05-24 16:32:34 +0800[diff] [blame]9#include <vector>
Elly Fong-Jonesd9a16cd2012-11-12 16:09:49 -0500[diff] [blame]10
Alex Vakulenkoe7696532015-10-16 16:27:29 -0700[diff] [blame]11#include <brillo/process.h>
Elly Fong-Jonesd9a16cd2012-11-12 16:09:49 -0500[diff] [blame]12
13namespace debugd {
14
Alex Vakulenkoe7696532015-10-16 16:27:29 -0700[diff] [blame]15class SandboxedProcess : public brillo::ProcessImpl {
Elly Fong-Jonesd9a16cd2012-11-12 16:09:49 -0500[diff] [blame]16 public:
17 SandboxedProcess();
Ricky Liang1ef73e52016-05-24 16:32:34 +0800[diff] [blame]18 ~SandboxedProcess() override;
Ben Chan297c3c22013-07-17 17:34:12 -0700[diff] [blame]19
20 // Get the full path of a helper executable located at the |relative_path|
21 // relative to the debugd helpers directory. Return false if the full path
22 // is too long.
23 static bool GetHelperPath(const std::string& relative_path,
24 std::string* full_path);
Elly Fong-Jonesd9a16cd2012-11-12 16:09:49 -0500[diff] [blame]25
26 virtual bool Init();
27
Ricky Liang1ef73e52016-05-24 16:32:34 +0800[diff] [blame]28 void BindFd(int parent_fd, int child_fd) override;
29
Jorge Lucangeli Obesc99a12a2014-09-17 16:43:40 -0700[diff] [blame]30 // Disable the default sandboxing for this process.
Elly Fong-Jonesd9a16cd2012-11-12 16:09:49 -0500[diff] [blame]31 virtual void DisableSandbox();
32
Jorge Lucangeli Obesc99a12a2014-09-17 16:43:40 -0700[diff] [blame]33 // Change the default sandboxing for this process.
Elly Fong-Jonesd9a16cd2012-11-12 16:09:49 -0500[diff] [blame]34 virtual void SandboxAs(const std::string& user, const std::string& group);
35
Jorge Lucangeli Obesc99a12a2014-09-17 16:43:40 -0700[diff] [blame]36 // Allow this process to access the root mount namespace.
37 virtual void AllowAccessRootMountNamespace();
38
Jorge Lucangeli Obes389a9ee2015-05-14 17:37:01 -0700[diff] [blame]39 // Kill the sandboxed process' process group.
40 virtual bool KillProcessGroup();
41
Elly Fong-Jones215b5622013-03-20 14:32:18 -0400[diff] [blame]42 static const char *kDefaultUser;
43 static const char *kDefaultGroup;
44
Elly Fong-Jonesd9a16cd2012-11-12 16:09:49 -0500[diff] [blame]45 private:
46 bool sandboxing_;
Jorge Lucangeli Obesc99a12a2014-09-17 16:43:40 -0700[diff] [blame]47 bool access_root_mount_ns_;
Elly Fong-Jonesd9a16cd2012-11-12 16:09:49 -0500[diff] [blame]48 std::string user_;
49 std::string group_;
Ricky Liang1ef73e52016-05-24 16:32:34 +0800[diff] [blame]50 std::vector<int> bound_fds_;
Elly Fong-Jonesd9a16cd2012-11-12 16:09:49 -0500[diff] [blame]51};
52
Ben Chana0011d82014-05-13 00:19:29 -0700[diff] [blame]53} // namespace debugd
Elly Fong-Jonesd9a16cd2012-11-12 16:09:49 -0500[diff] [blame]54
Alex Vakulenko262be3f2014-07-30 15:25:50 -0700[diff] [blame]55#endif // DEBUGD_SRC_SANDBOXED_PROCESS_H_