libminijail,minijail0: add seccomp filter support

This change adds support for installing seccomp filters via libminijail
or by using minijail0 with an arch-specific filters file.

Support for LD_PRELOAD marshalling is still missing and will come in a new change.

BUG=chromium-os:19459
TEST=minijail0 -r -S dash-cat.policy -u chronos -- /bin/dash -c '/bin/cat /proc/self/seccomp_filter'
dash-cat.policy can be found in the bug.
built for arm-generic, tegra2_seaboard, and x86-alex.  Tested on x86-alex as above and with -H.

Change-Id: I3cac97d1df62f70cd546763aeca8f52dd0aea09d
Reviewed-on: http://gerrit.chromium.org/gerrit/7773
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
diff --git a/libminijail.h b/libminijail.h
index 0df119e..6d36b85 100644
--- a/libminijail.h
+++ b/libminijail.h
@@ -1,6 +1,7 @@
 /* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
- * found in the LICENSE file. */
+ * found in the LICENSE file.
+ */
 
 /* The general pattern of use here:
  * 1) Construct a minijail with minijail_new()
@@ -41,6 +42,10 @@
 /* 'group' should be kept valid until minijail_destroy() */
 int minijail_change_group(struct minijail *j, const char *group);
 void minijail_use_seccomp(struct minijail *j);
+void minijail_use_seccomp_filter(struct minijail *j);
+void minijail_parse_seccomp_filters(struct minijail *j, const char *path);
+int minijail_add_seccomp_filter(struct minijail *j, int nr,
+                                const char *filter);
 void minijail_use_caps(struct minijail *j, uint64_t capmask);
 void minijail_namespace_vfs(struct minijail *j);
 void minijail_namespace_pids(struct minijail *j);
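Review bot: `minijail_parse_seccomp_filters()` is declared `void`, so a caller cannot learn that the policy file at `path` could not be opened or that a line in it failed to parse. Unless the implementation (not visible in this hunk) aborts on error, a jail could be entered with an incomplete filter set. Consider `int minijail_parse_seccomp_filters(struct minijail *j, const char *path);` returning 0 or a negative error code, in line with `minijail_add_seccomp_filter()`. The three new declarations also carry no comment: following the `'group' should be kept valid` note just above, say whether `filter` and `path` are copied or must outlive the jail, what `minijail_add_seccomp_filter()` returns, and whether `minijail_use_seccomp_filter()` has to be called for added filters to take effect.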
@@ -48,6 +53,13 @@
 void minijail_inherit_usergroups(struct minijail *j);
 void minijail_disable_ptrace(struct minijail *j);
 
+/* Exposes minijail's name-to-int mapping for system calls for the
+ * architecture it was built on.  This is primarily exposed for
+ * minijail_add_seccomp_filter() and testing.
+ * Returns the system call number on success or -1 on failure.
+ */
+int minijail_lookup_syscall(const char *name);
+
 /* Lock this process into the given minijail. Note that this procedure cannot fail,
  * since there is no way to undo privilege-dropping; therefore, if any part of
  * the privilege-drop fails, minijail_enter() will abort the entire process.
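Review bot: The -1 failure value of `minijail_lookup_syscall()` has the same `int` type that `minijail_add_seccomp_filter()` takes as `nr`, so a misspelled or unsupported syscall name can reach filter installation unless the caller checks the result first. I would extend the new comment with `* Callers must check for -1 before passing the result as nr.` and state what happens when `name` is NULL. Because the mapping is fixed for the build architecture, it is also worth saying that a name missing from that architecture's table is reported as a failure, so that policy authors do not assume it is silently skipped. The minijail_enter() comment at the end of the hunk continues outside it.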