1 // Copyright 2015, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #include <fcntl.h>
16 #include <sys/stat.h>
17 #include <sys/types.h>
18 #include <unistd.h>
19 
20 #include <android-base/file.h>
21 #include <android-base/logging.h>
22 #include <android-base/unique_fd.h>
23 
24 #include <libminijail.h>
25 #include <scoped_minijail.h>
26 
27 #include "minijail.h"
28 
29 namespace android {
30 
WritePolicyToPipe(const std::string & base_policy_content,const std::string & additional_policy_content)31 int WritePolicyToPipe(const std::string& base_policy_content,
32                       const std::string& additional_policy_content)
33 {
34     int pipefd[2];
35     if (pipe(pipefd) == -1) {
36         PLOG(ERROR) << "pipe() failed";
37         return -1;
38     }
39 
40     base::unique_fd write_end(pipefd[1]);
41     std::string content = base_policy_content;
42 
43     if (additional_policy_content.length() > 0) {
44         content += "\n";
45         content += additional_policy_content;
46     }
47 
48     if (!base::WriteStringToFd(content, write_end.get())) {
49         LOG(ERROR) << "Could not write policy to fd";
50         return -1;
51     }
52 
53     return pipefd[0];
54 }
55 
SetUpMinijail(const std::string & base_policy_path,const std::string & additional_policy_path)56 void SetUpMinijail(const std::string& base_policy_path, const std::string& additional_policy_path)
57 {
58     // No seccomp policy defined for this architecture.
59     if (access(base_policy_path.c_str(), R_OK) == -1) {
60         LOG(WARNING) << "No seccomp policy defined for this architecture.";
61         return;
62     }
63 
64     std::string base_policy_content;
65     std::string additional_policy_content;
66     if (!base::ReadFileToString(base_policy_path, &base_policy_content,
67                                 false /* follow_symlinks */)) {
68         LOG(FATAL) << "Could not read base policy file '" << base_policy_path << "'";
69     }
70 
71     if (additional_policy_path.length() > 0 &&
72         !base::ReadFileToString(additional_policy_path, &additional_policy_content,
73                                 false /* follow_symlinks */)) {
74         LOG(WARNING) << "Could not read additional policy file '" << additional_policy_path << "'";
75         additional_policy_content = std::string();
76     }
77 
78     base::unique_fd policy_fd(WritePolicyToPipe(base_policy_content, additional_policy_content));
79     if (policy_fd.get() == -1) {
80         LOG(FATAL) << "Could not write seccomp policy to fd";
81     }
82 
83     ScopedMinijail jail{minijail_new()};
84     if (!jail) {
85         LOG(FATAL) << "Failed to create minijail.";
86     }
87 
88     minijail_no_new_privs(jail.get());
89     minijail_log_seccomp_filter_failures(jail.get());
90     minijail_use_seccomp_filter(jail.get());
91     // Transfer ownership of |policy_fd|.
92     minijail_parse_seccomp_filters_from_fd(jail.get(), policy_fd.release());
93     minijail_enter(jail.get());
94 }
95 }
96