libminijail,minijail0: add seccomp filter support
This change adds support for installing seccomp filters via libminijail
or by using minijail0 with an arch-specific filters file.
Support for LD_PRELOAD marshalling is still missing and will come in a new change.
BUG=chromium-os:19459
TEST=minijail0 -r -S dash-cat.policy -u chronos -- /bin/dash -c '/bin/cat /proc/self/seccomp_filter'
dash-cat.policy can be found in the bug.
Built for arm-generic, tegra2_seaboard, and x86-alex. Tested on x86-alex as above and with -H.
Change-Id: I3cac97d1df62f70cd546763aeca8f52dd0aea09d
Reviewed-on: http://gerrit.chromium.org/gerrit/7773
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
diff --git a/libminijail.h b/libminijail.h
index 0df119e..6d36b85 100644
--- a/libminijail.h
+++ b/libminijail.h
@@ -1,6 +1,7 @@
/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
- * found in the LICENSE file. */
+ * found in the LICENSE file.
+ */
/* The general pattern of use here:
* 1) Construct a minijail with minijail_new()
@@ -41,6 +42,10 @@
/* 'group' should be kept valid until minijail_destroy() */
int minijail_change_group(struct minijail *j, const char *group);
void minijail_use_seccomp(struct minijail *j);
+void minijail_use_seccomp_filter(struct minijail *j);
+void minijail_parse_seccomp_filters(struct minijail *j, const char *path);
+int minijail_add_seccomp_filter(struct minijail *j, int nr,
+ const char *filter);
void minijail_use_caps(struct minijail *j, uint64_t capmask);
void minijail_namespace_vfs(struct minijail *j);
void minijail_namespace_pids(struct minijail *j);
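Review bot: minijail_parse_seccomp_filters() is declared to return void, so a library caller has no way to learn that the policy file at `path` was missing, unreadable or malformed, and a filter set that silently failed to load presumably leaves the jailed process less confined than intended; the implementation is not in this diff, so whether it aborts or only logs on failure cannot be seen here. Either return an int like the neighbouring minijail_add_seccomp_filter() or state the failure behaviour in the header. The three new prototypes also carry no comment, while minijail_change_group() just above documents the lifetime of its string argument and minijail_lookup_syscall() later in this diff documents its return value; I would add above minijail_add_seccomp_filter() `/* Adds 'filter' for system call 'nr'. TODO: document the return convention and whether 'filter' must stay valid until minijail_destroy(). */` and above minijail_parse_seccomp_filters() `/* Loads seccomp filters from the policy file at 'path'. TODO: document what happens when the file cannot be read or parsed. */`.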
@@ -48,6 +53,13 @@
void minijail_inherit_usergroups(struct minijail *j);
void minijail_disable_ptrace(struct minijail *j);
+/* Exposes minijail's name-to-int mapping for system calls for the
+ * architecture it was built on. This is primarily exposed for
+ * minijail_add_seccomp_filter() and testing.
+ * Returns the system call number on success or -1 on failure.
+ */
+int minijail_lookup_syscall(const char *name);
+
/* Lock this process into the given minijail. Note that this procedure cannot fail,
* since there is no way to undo privilege-dropping; therefore, if any part of
* the privilege-drop fails, minijail_enter() will abort the entire process.