Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (c) 2012 The Chromium OS Authors. All rights reserved. |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 3 | * Use of this source code is governed by a BSD-style license that can be |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 4 | * found in the LICENSE file. |
| 5 | */ |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 6 | |
| 7 | #define _BSD_SOURCE |
| 8 | #define _GNU_SOURCE |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 9 | #include <ctype.h> |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 10 | #include <errno.h> |
| 11 | #include <grp.h> |
| 12 | #include <inttypes.h> |
Will Drewry | fe4a372 | 2011-09-16 14:50:50 -0500 | [diff] [blame] | 13 | #include <limits.h> |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 14 | #include <linux/capability.h> |
| 15 | #include <linux/securebits.h> |
| 16 | #include <pwd.h> |
| 17 | #include <sched.h> |
| 18 | #include <signal.h> |
Will Drewry | 2f54b6a | 2011-09-16 13:45:31 -0500 | [diff] [blame] | 19 | #include <stdarg.h> |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 20 | #include <stdio.h> |
| 21 | #include <stdlib.h> |
| 22 | #include <string.h> |
| 23 | #include <syscall.h> |
| 24 | #include <sys/capability.h> |
| 25 | #include <sys/mount.h> |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 26 | #include <sys/param.h> |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 27 | #include <sys/prctl.h> |
| 28 | #include <sys/wait.h> |
| 29 | #include <syslog.h> |
| 30 | #include <unistd.h> |
| 31 | |
| 32 | #include "libminijail.h" |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 33 | #include "libsyscalls.h" |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 34 | #include "libminijail-private.h" |
| 35 | |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 36 | /* Until these are reliably available in linux/prctl.h */ |
| 37 | #ifndef PR_SET_SECCOMP_FILTER |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 38 | # define PR_SECCOMP_FILTER_SYSCALL 0 |
| 39 | # define PR_SECCOMP_FILTER_EVENT 1 |
| 40 | # define PR_GET_SECCOMP_FILTER 35 |
| 41 | # define PR_SET_SECCOMP_FILTER 36 |
| 42 | # define PR_CLEAR_SECCOMP_FILTER 37 |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 43 | #endif |
| 44 | |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 45 | #define die(_msg, ...) do { \ |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 46 | syslog(LOG_ERR, "libminijail: " _msg, ## __VA_ARGS__); \ |
| 47 | abort(); \ |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 48 | } while (0) |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 49 | |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 50 | #define pdie(_msg, ...) \ |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 51 | die(_msg ": %s", ## __VA_ARGS__, strerror(errno)) |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 52 | |
| 53 | #define warn(_msg, ...) \ |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 54 | syslog(LOG_WARNING, "libminijail: " _msg, ## __VA_ARGS__) |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 55 | |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 56 | struct seccomp_filter { |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 57 | int nr; |
| 58 | char *filter; |
| 59 | struct seccomp_filter *next, *prev; |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 60 | }; |
| 61 | |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 62 | struct binding { |
| 63 | char *src; |
| 64 | char *dest; |
| 65 | int writeable; |
| 66 | struct binding *next; |
| 67 | }; |
| 68 | |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 69 | struct minijail { |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 70 | struct { |
| 71 | int uid:1; |
| 72 | int gid:1; |
| 73 | int caps:1; |
| 74 | int vfs:1; |
| 75 | int pids:1; |
| 76 | int seccomp:1; |
| 77 | int readonly:1; |
| 78 | int usergroups:1; |
| 79 | int ptrace:1; |
| 80 | int seccomp_filter:1; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 81 | int chroot:1; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 82 | } flags; |
| 83 | uid_t uid; |
| 84 | gid_t gid; |
| 85 | gid_t usergid; |
| 86 | char *user; |
| 87 | uint64_t caps; |
| 88 | pid_t initpid; |
| 89 | int filter_count; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 90 | int binding_count; |
| 91 | char *chrootdir; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 92 | struct seccomp_filter *filters; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 93 | struct binding *bindings_head; |
| 94 | struct binding *bindings_tail; |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 95 | }; |
| 96 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 97 | struct minijail API *minijail_new(void) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 98 | { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 99 | return calloc(1, sizeof(struct minijail)); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 100 | } |
| 101 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 102 | void API minijail_change_uid(struct minijail *j, uid_t uid) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 103 | { |
| 104 | if (uid == 0) |
| 105 | die("useless change to uid 0"); |
| 106 | j->uid = uid; |
| 107 | j->flags.uid = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 108 | } |
| 109 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 110 | void API minijail_change_gid(struct minijail *j, gid_t gid) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 111 | { |
| 112 | if (gid == 0) |
| 113 | die("useless change to gid 0"); |
| 114 | j->gid = gid; |
| 115 | j->flags.gid = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 116 | } |
| 117 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 118 | int API minijail_change_user(struct minijail *j, const char *user) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 119 | { |
| 120 | char *buf = NULL; |
| 121 | struct passwd pw; |
| 122 | struct passwd *ppw = NULL; |
| 123 | ssize_t sz = sysconf(_SC_GETPW_R_SIZE_MAX); |
| 124 | if (sz == -1) |
| 125 | sz = 65536; /* your guess is as good as mine... */ |
Elly Jones | eb300c5 | 2011-09-22 14:35:43 -0400 | [diff] [blame] | 126 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 127 | /* |
| 128 | * sysconf(_SC_GETPW_R_SIZE_MAX), under glibc, is documented to return |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 129 | * the maximum needed size of the buffer, so we don't have to search. |
| 130 | */ |
| 131 | buf = malloc(sz); |
| 132 | if (!buf) |
| 133 | return -ENOMEM; |
| 134 | getpwnam_r(user, &pw, buf, sz, &ppw); |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 135 | /* |
| 136 | * We're safe to free the buffer here. The strings inside pw point |
| 137 | * inside buf, but we don't use any of them; this leaves the pointers |
| 138 | * dangling but it's safe. ppw points at pw if getpwnam_r succeeded. |
| 139 | */ |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 140 | free(buf); |
| 141 | if (!ppw) |
| 142 | return -errno; |
| 143 | minijail_change_uid(j, ppw->pw_uid); |
| 144 | j->user = strdup(user); |
| 145 | if (!j->user) |
| 146 | return -ENOMEM; |
| 147 | j->usergid = ppw->pw_gid; |
| 148 | return 0; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 149 | } |
| 150 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 151 | int API minijail_change_group(struct minijail *j, const char *group) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 152 | { |
| 153 | char *buf = NULL; |
| 154 | struct group gr; |
| 155 | struct group *pgr = NULL; |
| 156 | ssize_t sz = sysconf(_SC_GETGR_R_SIZE_MAX); |
| 157 | if (sz == -1) |
| 158 | sz = 65536; /* and mine is as good as yours, really */ |
Elly Jones | eb300c5 | 2011-09-22 14:35:43 -0400 | [diff] [blame] | 159 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 160 | /* |
| 161 | * sysconf(_SC_GETGR_R_SIZE_MAX), under glibc, is documented to return |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 162 | * the maximum needed size of the buffer, so we don't have to search. |
| 163 | */ |
| 164 | buf = malloc(sz); |
| 165 | if (!buf) |
| 166 | return -ENOMEM; |
| 167 | getgrnam_r(group, &gr, buf, sz, &pgr); |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 168 | /* |
| 169 | * We're safe to free the buffer here. The strings inside gr point |
| 170 | * inside buf, but we don't use any of them; this leaves the pointers |
| 171 | * dangling but it's safe. pgr points at gr if getgrnam_r succeeded. |
| 172 | */ |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 173 | free(buf); |
| 174 | if (!pgr) |
| 175 | return -errno; |
| 176 | minijail_change_gid(j, pgr->gr_gid); |
| 177 | return 0; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 178 | } |
| 179 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 180 | void API minijail_use_seccomp(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 181 | { |
| 182 | j->flags.seccomp = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 183 | } |
| 184 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 185 | void API minijail_use_seccomp_filter(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 186 | { |
Jorge Lucangeli Obes | 2343d83 | 2012-04-25 21:59:48 -0700 | [diff] [blame^] | 187 | /* TODO(jorgelo): re-enable this when the seccomp BPF merge is done. */ |
| 188 | j->flags.seccomp_filter = 0; |
| 189 | } |
| 190 | |
| 191 | /* TODO(jorgelo): remove this when the seccomp BPF merge is done. */ |
| 192 | void API minijail_force_seccomp_filter(struct minijail *j) |
| 193 | { |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 194 | j->flags.seccomp_filter = 1; |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 195 | } |
| 196 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 197 | void API minijail_use_caps(struct minijail *j, uint64_t capmask) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 198 | { |
| 199 | j->caps = capmask; |
| 200 | j->flags.caps = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 201 | } |
| 202 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 203 | void API minijail_namespace_vfs(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 204 | { |
| 205 | j->flags.vfs = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 206 | } |
| 207 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 208 | void API minijail_namespace_pids(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 209 | { |
Elly Jones | e58176c | 2012-01-23 11:46:17 -0500 | [diff] [blame] | 210 | j->flags.vfs = 1; |
| 211 | j->flags.readonly = 1; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 212 | j->flags.pids = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 213 | } |
| 214 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 215 | void API minijail_remount_readonly(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 216 | { |
| 217 | j->flags.vfs = 1; |
| 218 | j->flags.readonly = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 219 | } |
| 220 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 221 | void API minijail_inherit_usergroups(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 222 | { |
| 223 | j->flags.usergroups = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 224 | } |
| 225 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 226 | void API minijail_disable_ptrace(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 227 | { |
| 228 | j->flags.ptrace = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 229 | } |
| 230 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 231 | int API minijail_enter_chroot(struct minijail *j, const char *dir) { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 232 | if (j->chrootdir) |
| 233 | return -EINVAL; |
| 234 | j->chrootdir = strdup(dir); |
| 235 | if (!j->chrootdir) |
| 236 | return -ENOMEM; |
| 237 | j->flags.chroot = 1; |
| 238 | return 0; |
| 239 | } |
| 240 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 241 | int API minijail_bind(struct minijail *j, const char *src, const char *dest, |
| 242 | int writeable) { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 243 | struct binding *b; |
| 244 | |
| 245 | if (*dest != '/') |
| 246 | return -EINVAL; |
| 247 | b = calloc(1, sizeof(*b)); |
| 248 | if (!b) |
| 249 | return -ENOMEM; |
| 250 | b->dest = strdup(dest); |
| 251 | if (!b->dest) |
| 252 | goto error; |
| 253 | b->src = strdup(src); |
| 254 | if (!b->src) |
| 255 | goto error; |
| 256 | b->writeable = writeable; |
| 257 | |
| 258 | syslog(LOG_INFO, "libminijail: bind %s -> %s", src, dest); |
| 259 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 260 | /* |
| 261 | * Force vfs namespacing so the bind mounts don't leak out into the |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 262 | * containing vfs namespace. |
| 263 | */ |
| 264 | minijail_namespace_vfs(j); |
| 265 | |
| 266 | if (j->bindings_tail) |
| 267 | j->bindings_tail->next = b; |
| 268 | else |
| 269 | j->bindings_head = b; |
| 270 | j->bindings_tail = b; |
| 271 | j->binding_count++; |
| 272 | |
| 273 | return 0; |
| 274 | |
| 275 | error: |
| 276 | free(b->src); |
| 277 | free(b->dest); |
| 278 | free(b); |
| 279 | return -ENOMEM; |
| 280 | } |
| 281 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 282 | int API minijail_add_seccomp_filter(struct minijail *j, int nr, |
| 283 | const char *filter) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 284 | { |
| 285 | struct seccomp_filter *sf; |
| 286 | if (!filter || nr < 0) |
| 287 | return -EINVAL; |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 288 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 289 | sf = malloc(sizeof(*sf)); |
| 290 | if (!sf) |
| 291 | return -ENOMEM; |
| 292 | sf->nr = nr; |
| 293 | sf->filter = strndup(filter, MINIJAIL_MAX_SECCOMP_FILTER_LINE); |
| 294 | if (!sf->filter) { |
| 295 | free(sf); |
| 296 | return -ENOMEM; |
| 297 | } |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 298 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 299 | j->filter_count++; |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 300 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 301 | if (!j->filters) { |
| 302 | j->filters = sf; |
| 303 | sf->next = sf; |
| 304 | sf->prev = sf; |
| 305 | return 0; |
| 306 | } |
| 307 | sf->next = j->filters; |
| 308 | sf->prev = j->filters->prev; |
| 309 | sf->prev->next = sf; |
| 310 | j->filters->prev = sf; |
| 311 | return 0; |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 312 | } |
| 313 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 314 | int API minijail_lookup_syscall(const char *name) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 315 | { |
| 316 | const struct syscall_entry *entry = syscall_table; |
| 317 | for (; entry->name && entry->nr >= 0; ++entry) |
| 318 | if (!strcmp(entry->name, name)) |
| 319 | return entry->nr; |
| 320 | return -1; |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 321 | } |
| 322 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 323 | char *strip(char *s) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 324 | { |
| 325 | char *end; |
| 326 | while (*s && isblank(*s)) |
| 327 | s++; |
| 328 | end = s + strlen(s) - 1; |
| 329 | while (*end && (isblank(*end) || *end == '\n')) |
| 330 | end--; |
| 331 | *(end + 1) = '\0'; |
| 332 | return s; |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 333 | } |
| 334 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 335 | void API minijail_parse_seccomp_filters(struct minijail *j, const char *path) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 336 | { |
| 337 | FILE *file = fopen(path, "r"); |
| 338 | char line[MINIJAIL_MAX_SECCOMP_FILTER_LINE]; |
Ben Chan | 1d69793 | 2011-10-14 10:53:32 -0700 | [diff] [blame] | 339 | int count = 0; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 340 | if (!file) |
| 341 | pdie("failed to open seccomp filters file"); |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 342 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 343 | /* |
| 344 | * Format is simple: |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 345 | * syscall_name<COLON><FILTER STRING>[\n|EOF] |
| 346 | * #...comment... |
| 347 | * <empty line? |
| 348 | */ |
| 349 | while (fgets(line, sizeof(line), file)) { |
| 350 | char *filter = line; |
| 351 | char *name = strsep(&filter, ":"); |
| 352 | char *name_end = NULL; |
| 353 | int nr = -1; |
Ben Chan | 1d69793 | 2011-10-14 10:53:32 -0700 | [diff] [blame] | 354 | count++; |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 355 | |
Ben Chan | 1d69793 | 2011-10-14 10:53:32 -0700 | [diff] [blame] | 356 | /* Allow comment lines */ |
| 357 | if (*name == '#') |
| 358 | continue; |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 359 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 360 | name = strip(name); |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 361 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 362 | if (!filter) { |
| 363 | if (strlen(name)) |
| 364 | die("invalid filter on line %d", count); |
| 365 | /* Allow empty lines */ |
| 366 | continue; |
| 367 | } |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 368 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 369 | filter = strip(filter); |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 370 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 371 | /* Take direct syscall numbers */ |
| 372 | nr = strtol(name, &name_end, 0); |
| 373 | /* Or fail-over to using names */ |
| 374 | if (*name_end != '\0') |
| 375 | nr = minijail_lookup_syscall(name); |
| 376 | if (nr < 0) |
| 377 | die("syscall '%s' unknown", name); |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 378 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 379 | if (minijail_add_seccomp_filter(j, nr, filter)) |
| 380 | pdie("failed to add filter for syscall '%s'", name); |
| 381 | } |
| 382 | fclose(file); |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 383 | } |
| 384 | |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 385 | struct marshal_state { |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 386 | size_t available; |
| 387 | size_t total; |
| 388 | char *buf; |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 389 | }; |
| 390 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 391 | void marshal_state_init(struct marshal_state *state, |
| 392 | char *buf, size_t available) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 393 | { |
| 394 | state->available = available; |
| 395 | state->buf = buf; |
| 396 | state->total = 0; |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 397 | } |
| 398 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 399 | void marshal_append(struct marshal_state *state, |
| 400 | char *src, size_t length) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 401 | { |
| 402 | size_t copy_len = MIN(state->available, length); |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 403 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 404 | /* Up to |available| will be written. */ |
| 405 | if (copy_len) { |
| 406 | memcpy(state->buf, src, copy_len); |
| 407 | state->buf += copy_len; |
| 408 | state->available -= copy_len; |
| 409 | } |
| 410 | /* |total| will contain the expected length. */ |
| 411 | state->total += length; |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 412 | } |
| 413 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 414 | void minijail_marshal_helper(struct marshal_state *state, |
| 415 | const struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 416 | { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 417 | struct binding *b = NULL; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 418 | marshal_append(state, (char *)j, sizeof(*j)); |
| 419 | if (j->user) |
| 420 | marshal_append(state, j->user, strlen(j->user) + 1); |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 421 | if (j->chrootdir) |
| 422 | marshal_append(state, j->chrootdir, strlen(j->chrootdir) + 1); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 423 | if (j->flags.seccomp_filter && j->filters) { |
| 424 | struct seccomp_filter *f = j->filters; |
| 425 | do { |
| 426 | marshal_append(state, (char *)&f->nr, sizeof(f->nr)); |
| 427 | marshal_append(state, f->filter, strlen(f->filter) + 1); |
| 428 | f = f->next; |
| 429 | } while (f != j->filters); |
| 430 | } |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 431 | for (b = j->bindings_head; b; b = b->next) { |
| 432 | marshal_append(state, b->src, strlen(b->src) + 1); |
| 433 | marshal_append(state, b->dest, strlen(b->dest) + 1); |
| 434 | marshal_append(state, (char *)&b->writeable, sizeof(b->writeable)); |
| 435 | } |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 436 | } |
| 437 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 438 | size_t API minijail_size(const struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 439 | { |
| 440 | struct marshal_state state; |
| 441 | marshal_state_init(&state, NULL, 0); |
| 442 | minijail_marshal_helper(&state, j); |
| 443 | return state.total; |
Will Drewry | 2ddaad0 | 2011-09-16 11:36:08 -0500 | [diff] [blame] | 444 | } |
| 445 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 446 | int minijail_marshal(const struct minijail *j, char *buf, size_t available) |
| 447 | { |
| 448 | struct marshal_state state; |
| 449 | marshal_state_init(&state, buf, available); |
| 450 | minijail_marshal_helper(&state, j); |
| 451 | return (state.total > available); |
Will Drewry | 2ddaad0 | 2011-09-16 11:36:08 -0500 | [diff] [blame] | 452 | } |
| 453 | |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 454 | /* consumebytes: consumes @length bytes from a buffer @buf of length @buflength |
| 455 | * @length Number of bytes to consume |
| 456 | * @buf Buffer to consume from |
| 457 | * @buflength Size of @buf |
| 458 | * |
| 459 | * Returns a pointer to the base of the bytes, or NULL for errors. |
| 460 | */ |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 461 | void *consumebytes(size_t length, char **buf, size_t *buflength) { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 462 | char *p = *buf; |
| 463 | if (length > *buflength) |
| 464 | return NULL; |
| 465 | *buf += length; |
| 466 | *buflength -= length; |
| 467 | return p; |
| 468 | } |
| 469 | |
| 470 | /* consumestr: consumes a C string from a buffer @buf of length @length |
| 471 | * @buf Buffer to consume |
| 472 | * @length Length of buffer |
| 473 | * |
| 474 | * Returns a pointer to the base of the string, or NULL for errors. |
| 475 | */ |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 476 | char *consumestr(char **buf, size_t *buflength) { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 477 | size_t len = strnlen(*buf, *buflength); |
| 478 | if (len == *buflength) |
| 479 | /* There's no null-terminator */ |
| 480 | return NULL; |
| 481 | return consumebytes(len + 1, buf, buflength); |
| 482 | } |
| 483 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 484 | int minijail_unmarshal(struct minijail *j, char *serialized, size_t length) |
| 485 | { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 486 | int i; |
| 487 | int count; |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 488 | int ret = -EINVAL; |
| 489 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 490 | if (length < sizeof(*j)) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 491 | goto out; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 492 | memcpy((void *)j, serialized, sizeof(*j)); |
| 493 | serialized += sizeof(*j); |
| 494 | length -= sizeof(*j); |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 495 | |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 496 | /* Potentially stale pointers not used as signals. */ |
| 497 | j->bindings_head = NULL; |
| 498 | j->bindings_tail = NULL; |
| 499 | j->filters = NULL; |
| 500 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 501 | if (j->user) { /* stale pointer */ |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 502 | char *user = consumestr(&serialized, &length); |
| 503 | if (!user) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 504 | goto clear_pointers; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 505 | j->user = strdup(user); |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 506 | if (!j->user) |
| 507 | goto clear_pointers; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 508 | } |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 509 | |
Elly Jones | a8d1e1b | 2011-10-21 15:38:00 -0400 | [diff] [blame] | 510 | if (j->chrootdir) { /* stale pointer */ |
| 511 | char *chrootdir = consumestr(&serialized, &length); |
| 512 | if (!chrootdir) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 513 | goto bad_chrootdir; |
Elly Jones | a8d1e1b | 2011-10-21 15:38:00 -0400 | [diff] [blame] | 514 | j->chrootdir = strdup(chrootdir); |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 515 | if (!j->chrootdir) |
| 516 | goto bad_chrootdir; |
Elly Jones | a8d1e1b | 2011-10-21 15:38:00 -0400 | [diff] [blame] | 517 | } |
| 518 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 519 | if (j->flags.seccomp_filter && j->filter_count) { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 520 | count = j->filter_count; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 521 | /* Let add_seccomp_filter recompute the value. */ |
| 522 | j->filter_count = 0; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 523 | for (; count > 0; --count) { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 524 | int *nr = (int *)consumebytes(sizeof(*nr), &serialized, |
| 525 | &length); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 526 | char *filter; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 527 | if (!nr) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 528 | goto bad_filters; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 529 | filter = consumestr(&serialized, &length); |
| 530 | if (!filter) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 531 | goto bad_filters; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 532 | if (minijail_add_seccomp_filter(j, *nr, filter)) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 533 | goto bad_filters; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 534 | } |
| 535 | } |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 536 | |
| 537 | count = j->binding_count; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 538 | j->binding_count = 0; |
| 539 | for (i = 0; i < count; ++i) { |
| 540 | int *writeable; |
| 541 | const char *dest; |
| 542 | const char *src = consumestr(&serialized, &length); |
| 543 | if (!src) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 544 | goto bad_bindings; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 545 | dest = consumestr(&serialized, &length); |
| 546 | if (!dest) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 547 | goto bad_bindings; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 548 | writeable = consumebytes(sizeof(*writeable), &serialized, &length); |
| 549 | if (!writeable) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 550 | goto bad_bindings; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 551 | if (minijail_bind(j, src, dest, *writeable)) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 552 | goto bad_bindings; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 553 | } |
| 554 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 555 | return 0; |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 556 | |
| 557 | bad_bindings: |
| 558 | bad_filters: |
| 559 | if (j->chrootdir) |
| 560 | free(j->chrootdir); |
| 561 | bad_chrootdir: |
| 562 | if (j->user) |
| 563 | free(j->user); |
| 564 | clear_pointers: |
| 565 | j->user = NULL; |
| 566 | j->chrootdir = NULL; |
| 567 | out: |
| 568 | return ret; |
Will Drewry | 2ddaad0 | 2011-09-16 11:36:08 -0500 | [diff] [blame] | 569 | } |
| 570 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 571 | void minijail_preenter(struct minijail *j) |
| 572 | { |
| 573 | /* Strip out options which are minijail_run() only. */ |
| 574 | j->flags.vfs = 0; |
| 575 | j->flags.readonly = 0; |
| 576 | j->flags.pids = 0; |
Will Drewry | fe4a372 | 2011-09-16 14:50:50 -0500 | [diff] [blame] | 577 | } |
| 578 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 579 | void minijail_preexec(struct minijail *j) |
| 580 | { |
| 581 | int vfs = j->flags.vfs; |
| 582 | int readonly = j->flags.readonly; |
| 583 | if (j->user) |
| 584 | free(j->user); |
| 585 | j->user = NULL; |
| 586 | memset(&j->flags, 0, sizeof(j->flags)); |
| 587 | /* Now restore anything we meant to keep. */ |
| 588 | j->flags.vfs = vfs; |
| 589 | j->flags.readonly = readonly; |
| 590 | /* Note, pidns will already have been used before this call. */ |
Will Drewry | 2ddaad0 | 2011-09-16 11:36:08 -0500 | [diff] [blame] | 591 | } |
| 592 | |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 593 | /* bind_one: Applies bindings from @b for @j, recursing as needed. |
| 594 | * @j Minijail these bindings are for |
| 595 | * @b Head of list of bindings |
| 596 | * |
| 597 | * Returns 0 for success. |
| 598 | */ |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 599 | int bind_one(const struct minijail *j, struct binding *b) { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 600 | int ret = 0; |
| 601 | char *dest = NULL; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 602 | if (ret) |
| 603 | return ret; |
| 604 | /* dest has a leading "/" */ |
| 605 | if (asprintf(&dest, "%s%s", j->chrootdir, b->dest) < 0) |
| 606 | return -ENOMEM; |
Elly Jones | a105963 | 2011-12-15 15:17:07 -0500 | [diff] [blame] | 607 | ret = mount(b->src, dest, NULL, MS_BIND, NULL); |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 608 | if (ret) |
| 609 | pdie("bind: %s -> %s", b->src, dest); |
Elly Jones | a105963 | 2011-12-15 15:17:07 -0500 | [diff] [blame] | 610 | if (!b->writeable) { |
| 611 | ret = mount(b->src, dest, NULL, |
| 612 | MS_BIND | MS_REMOUNT | MS_RDONLY, NULL); |
| 613 | if (ret) |
| 614 | pdie("bind ro: %s -> %s", b->src, dest); |
| 615 | } |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 616 | free(dest); |
| 617 | if (b->next) |
| 618 | return bind_one(j, b->next); |
| 619 | return ret; |
| 620 | } |
| 621 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 622 | int enter_chroot(const struct minijail *j) { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 623 | int ret; |
| 624 | if (j->bindings_head && (ret = bind_one(j, j->bindings_head))) |
| 625 | return ret; |
| 626 | |
| 627 | if (chroot(j->chrootdir)) |
| 628 | return -errno; |
| 629 | |
| 630 | if (chdir("/")) |
| 631 | return -errno; |
| 632 | |
| 633 | return 0; |
| 634 | } |
| 635 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 636 | int remount_readonly(void) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 637 | { |
| 638 | const char *kProcPath = "/proc"; |
| 639 | const unsigned int kSafeFlags = MS_NODEV | MS_NOEXEC | MS_NOSUID; |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 640 | /* |
| 641 | * Right now, we're holding a reference to our parent's old mount of |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 642 | * /proc in our namespace, which means using MS_REMOUNT here would |
| 643 | * mutate our parent's mount as well, even though we're in a VFS |
| 644 | * namespace (!). Instead, remove their mount from our namespace |
| 645 | * and make our own. |
| 646 | */ |
| 647 | if (umount(kProcPath)) |
| 648 | return -errno; |
| 649 | if (mount("", kProcPath, "proc", kSafeFlags | MS_RDONLY, "")) |
| 650 | return -errno; |
| 651 | return 0; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 652 | } |
| 653 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 654 | void drop_caps(const struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 655 | { |
| 656 | cap_t caps = cap_get_proc(); |
| 657 | cap_value_t raise_flag[1]; |
| 658 | unsigned int i; |
| 659 | if (!caps) |
| 660 | die("can't get process caps"); |
| 661 | if (cap_clear_flag(caps, CAP_INHERITABLE)) |
| 662 | die("can't clear inheritable caps"); |
| 663 | if (cap_clear_flag(caps, CAP_EFFECTIVE)) |
| 664 | die("can't clear effective caps"); |
| 665 | if (cap_clear_flag(caps, CAP_PERMITTED)) |
| 666 | die("can't clear permitted caps"); |
| 667 | for (i = 0; i < sizeof(j->caps) * 8 && cap_valid((int)i); ++i) { |
| 668 | if (i != CAP_SETPCAP && !(j->caps & (1 << i))) |
| 669 | continue; |
| 670 | raise_flag[0] = i; |
| 671 | if (cap_set_flag(caps, CAP_EFFECTIVE, 1, raise_flag, CAP_SET)) |
| 672 | die("can't add effective cap"); |
| 673 | if (cap_set_flag(caps, CAP_PERMITTED, 1, raise_flag, CAP_SET)) |
| 674 | die("can't add permitted cap"); |
| 675 | if (cap_set_flag(caps, CAP_INHERITABLE, 1, raise_flag, CAP_SET)) |
| 676 | die("can't add inheritable cap"); |
| 677 | } |
| 678 | if (cap_set_proc(caps)) |
| 679 | die("can't apply cleaned capset"); |
| 680 | cap_free(caps); |
| 681 | for (i = 0; i < sizeof(j->caps) * 8 && cap_valid((int)i); ++i) { |
| 682 | if (j->caps & (1 << i)) |
| 683 | continue; |
| 684 | if (prctl(PR_CAPBSET_DROP, i)) |
| 685 | pdie("prctl(PR_CAPBSET_DROP)"); |
| 686 | } |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 687 | } |
| 688 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 689 | int setup_seccomp_filters(const struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 690 | { |
| 691 | const struct seccomp_filter *sf = j->filters; |
| 692 | int ret = 0; |
| 693 | int broaden = 0; |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 694 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 695 | /* No filters installed isn't necessarily an error. */ |
| 696 | if (!sf) |
| 697 | return ret; |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 698 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 699 | do { |
| 700 | errno = 0; |
| 701 | ret = prctl(PR_SET_SECCOMP_FILTER, PR_SECCOMP_FILTER_SYSCALL, |
| 702 | sf->nr, broaden ? "1" : sf->filter); |
| 703 | if (ret) { |
| 704 | switch (errno) { |
| 705 | case ENOSYS: |
| 706 | /* TODO(wad) make this a config option */ |
| 707 | if (broaden) |
| 708 | die("CONFIG_SECCOMP_FILTER is not" |
| 709 | "supported by your kernel"); |
| 710 | warn("missing CONFIG_FTRACE_SYSCALLS; relaxing" |
| 711 | "the filter for %d", sf->nr); |
| 712 | broaden = 1; |
| 713 | continue; |
| 714 | case E2BIG: |
| 715 | warn("seccomp filter too long: %d", sf->nr); |
| 716 | pdie("filter too long"); |
| 717 | case ENOSPC: |
| 718 | pdie("too many seccomp filters"); |
| 719 | case EPERM: |
| 720 | warn("syscall filter disallowed for %d", |
| 721 | sf->nr); |
| 722 | pdie("failed to install seccomp filter"); |
| 723 | case EINVAL: |
| 724 | warn("seccomp filter or call method is" |
| 725 | " invalid. %d:'%s'", sf->nr, sf->filter); |
| 726 | default: |
| 727 | pdie("failed to install seccomp filter"); |
| 728 | } |
| 729 | } |
| 730 | sf = sf->next; |
| 731 | broaden = 0; |
| 732 | } while (sf != j->filters); |
| 733 | return ret; |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 734 | } |
| 735 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 736 | void API minijail_enter(const struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 737 | { |
| 738 | if (j->flags.pids) |
| 739 | die("tried to enter a pid-namespaced jail;" |
| 740 | "try minijail_run()?"); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 741 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 742 | if (j->flags.seccomp_filter && setup_seccomp_filters(j)) |
| 743 | pdie("failed to configure seccomp filters"); |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 744 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 745 | if (j->flags.usergroups && !j->user) |
| 746 | die("usergroup inheritance without username"); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 747 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 748 | /* |
| 749 | * We can't recover from failures if we've dropped privileges partially, |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 750 | * so we don't even try. If any of our operations fail, we abort() the |
| 751 | * entire process. |
| 752 | */ |
| 753 | if (j->flags.vfs && unshare(CLONE_NEWNS)) |
| 754 | pdie("unshare"); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 755 | |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 756 | if (j->flags.chroot && enter_chroot(j)) |
| 757 | pdie("chroot"); |
| 758 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 759 | if (j->flags.readonly && remount_readonly()) |
| 760 | pdie("remount"); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 761 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 762 | if (j->flags.caps) { |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 763 | /* |
| 764 | * POSIX capabilities are a bit tricky. If we drop our |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 765 | * capability to change uids, our attempt to use setuid() |
| 766 | * below will fail. Hang on to root caps across setuid(), then |
| 767 | * lock securebits. |
| 768 | */ |
| 769 | if (prctl(PR_SET_KEEPCAPS, 1)) |
| 770 | pdie("prctl(PR_SET_KEEPCAPS)"); |
| 771 | if (prctl |
| 772 | (PR_SET_SECUREBITS, SECURE_ALL_BITS | SECURE_ALL_LOCKS)) |
| 773 | pdie("prctl(PR_SET_SECUREBITS)"); |
| 774 | } |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 775 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 776 | if (j->flags.usergroups) { |
| 777 | if (initgroups(j->user, j->usergid)) |
| 778 | pdie("initgroups"); |
| 779 | } else { |
| 780 | /* Only attempt to clear supplemental groups if we are changing |
| 781 | * users. */ |
| 782 | if ((j->uid || j->gid) && setgroups(0, NULL)) |
| 783 | pdie("setgroups"); |
| 784 | } |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 785 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 786 | if (j->flags.gid && setresgid(j->gid, j->gid, j->gid)) |
| 787 | pdie("setresgid"); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 788 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 789 | if (j->flags.uid && setresuid(j->uid, j->uid, j->uid)) |
| 790 | pdie("setresuid"); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 791 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 792 | if (j->flags.caps) |
| 793 | drop_caps(j); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 794 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 795 | /* |
| 796 | * seccomp has to come last since it cuts off all the other |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 797 | * privilege-dropping syscalls :) |
| 798 | */ |
| 799 | if (j->flags.seccomp_filter && prctl(PR_SET_SECCOMP, 13)) |
| 800 | pdie("prctl(PR_SET_SECCOMP, 13)"); |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 801 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 802 | if (j->flags.seccomp && prctl(PR_SET_SECCOMP, 1)) |
| 803 | pdie("prctl(PR_SET_SECCOMP)"); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 804 | } |
| 805 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 806 | /* TODO(wad) will visibility affect this variable? */ |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 807 | static int init_exitstatus = 0; |
| 808 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 809 | void init_term(int __attribute__ ((unused)) sig) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 810 | { |
| 811 | _exit(init_exitstatus); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 812 | } |
| 813 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 814 | int init(pid_t rootpid) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 815 | { |
| 816 | pid_t pid; |
| 817 | int status; |
| 818 | /* so that we exit with the right status */ |
| 819 | signal(SIGTERM, init_term); |
| 820 | /* TODO(wad) self jail with seccomp_filters here. */ |
| 821 | while ((pid = wait(&status)) > 0) { |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 822 | /* |
| 823 | * This loop will only end when either there are no processes |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 824 | * left inside our pid namespace or we get a signal. |
| 825 | */ |
| 826 | if (pid == rootpid) |
| 827 | init_exitstatus = status; |
| 828 | } |
| 829 | if (!WIFEXITED(init_exitstatus)) |
| 830 | _exit(MINIJAIL_ERR_INIT); |
| 831 | _exit(WEXITSTATUS(init_exitstatus)); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 832 | } |
| 833 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 834 | int API minijail_from_fd(int fd, struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 835 | { |
| 836 | size_t sz = 0; |
| 837 | size_t bytes = read(fd, &sz, sizeof(sz)); |
| 838 | char *buf; |
| 839 | int r; |
| 840 | if (sizeof(sz) != bytes) |
| 841 | return -EINVAL; |
| 842 | if (sz > USHRT_MAX) /* Arbitrary sanity check */ |
| 843 | return -E2BIG; |
| 844 | buf = malloc(sz); |
| 845 | if (!buf) |
| 846 | return -ENOMEM; |
| 847 | bytes = read(fd, buf, sz); |
| 848 | if (bytes != sz) { |
| 849 | free(buf); |
| 850 | return -EINVAL; |
| 851 | } |
| 852 | r = minijail_unmarshal(j, buf, sz); |
| 853 | free(buf); |
| 854 | return r; |
Will Drewry | 2f54b6a | 2011-09-16 13:45:31 -0500 | [diff] [blame] | 855 | } |
| 856 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 857 | int API minijail_to_fd(struct minijail *j, int fd) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 858 | { |
| 859 | char *buf; |
| 860 | size_t sz = minijail_size(j); |
| 861 | ssize_t written; |
| 862 | int r; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 863 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 864 | if (!sz) |
| 865 | return -EINVAL; |
| 866 | buf = malloc(sz); |
| 867 | r = minijail_marshal(j, buf, sz); |
| 868 | if (r) { |
| 869 | free(buf); |
| 870 | return r; |
| 871 | } |
| 872 | /* Sends [size][minijail]. */ |
| 873 | written = write(fd, &sz, sizeof(sz)); |
| 874 | if (written != sizeof(sz)) { |
| 875 | free(buf); |
| 876 | return -EFAULT; |
| 877 | } |
| 878 | written = write(fd, buf, sz); |
| 879 | if (written < 0 || (size_t) written != sz) { |
| 880 | free(buf); |
| 881 | return -EFAULT; |
| 882 | } |
| 883 | free(buf); |
| 884 | return 0; |
Will Drewry | 2f54b6a | 2011-09-16 13:45:31 -0500 | [diff] [blame] | 885 | } |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 886 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 887 | int setup_preload(void) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 888 | { |
| 889 | char *oldenv = getenv(kLdPreloadEnvVar) ? : ""; |
| 890 | char *newenv = malloc(strlen(oldenv) + 2 + strlen(PRELOADPATH)); |
| 891 | if (!newenv) |
| 892 | return -ENOMEM; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 893 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 894 | /* Only insert a separating space if we have something to separate... */ |
| 895 | sprintf(newenv, "%s%s%s", oldenv, strlen(oldenv) ? " " : "", |
| 896 | PRELOADPATH); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 897 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 898 | /* setenv() makes a copy of the string we give it */ |
| 899 | setenv(kLdPreloadEnvVar, newenv, 1); |
| 900 | free(newenv); |
| 901 | return 0; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 902 | } |
| 903 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 904 | int setup_pipe(int fds[2]) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 905 | { |
| 906 | int r = pipe(fds); |
| 907 | char fd_buf[11]; |
| 908 | if (r) |
| 909 | return r; |
| 910 | r = snprintf(fd_buf, sizeof(fd_buf), "%d", fds[0]); |
| 911 | if (r <= 0) |
| 912 | return -EINVAL; |
| 913 | setenv(kFdEnvVar, fd_buf, 1); |
| 914 | return 0; |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 915 | } |
| 916 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 917 | int API minijail_run(struct minijail *j, const char *filename, |
| 918 | char *const argv[]) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 919 | { |
Jorge Lucangeli Obes | 9807d03 | 2012-04-17 13:36:00 -0700 | [diff] [blame] | 920 | return minijail_run_pid(j, filename, argv, NULL); |
| 921 | } |
| 922 | |
| 923 | int API minijail_run_pid(struct minijail *j, const char *filename, |
| 924 | char *const argv[], pid_t *pchild_pid) |
| 925 | { |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 926 | unsigned int pidns = j->flags.pids ? CLONE_NEWPID : 0; |
| 927 | char *oldenv, *oldenv_copy = NULL; |
| 928 | pid_t child_pid; |
| 929 | int pipe_fds[2]; |
| 930 | int ret; |
Ben Chan | 541c7e5 | 2011-08-26 14:55:53 -0700 | [diff] [blame] | 931 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 932 | oldenv = getenv(kLdPreloadEnvVar); |
| 933 | if (oldenv) { |
| 934 | oldenv_copy = strdup(oldenv); |
| 935 | if (!oldenv_copy) |
| 936 | return -ENOMEM; |
| 937 | } |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 938 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 939 | if (setup_preload()) |
| 940 | return -EFAULT; |
Will Drewry | 2f54b6a | 2011-09-16 13:45:31 -0500 | [diff] [blame] | 941 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 942 | /* |
| 943 | * Before we fork(2) and execve(2) the child process, we need to open |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 944 | * a pipe(2) to send the minijail configuration over. |
| 945 | */ |
| 946 | if (setup_pipe(pipe_fds)) |
| 947 | return -EFAULT; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 948 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 949 | child_pid = syscall(SYS_clone, pidns | SIGCHLD, NULL); |
| 950 | if (child_pid < 0) { |
| 951 | free(oldenv_copy); |
| 952 | return child_pid; |
| 953 | } |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 954 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 955 | if (child_pid) { |
| 956 | /* Restore parent's LD_PRELOAD. */ |
| 957 | if (oldenv_copy) { |
| 958 | setenv(kLdPreloadEnvVar, oldenv_copy, 1); |
| 959 | free(oldenv_copy); |
| 960 | } else { |
| 961 | unsetenv(kLdPreloadEnvVar); |
| 962 | } |
| 963 | unsetenv(kFdEnvVar); |
| 964 | j->initpid = child_pid; |
| 965 | close(pipe_fds[0]); /* read endpoint */ |
| 966 | ret = minijail_to_fd(j, pipe_fds[1]); |
| 967 | close(pipe_fds[1]); /* write endpoint */ |
| 968 | if (ret) { |
| 969 | kill(j->initpid, SIGKILL); |
| 970 | die("failed to send marshalled minijail"); |
| 971 | } |
Jorge Lucangeli Obes | 9807d03 | 2012-04-17 13:36:00 -0700 | [diff] [blame] | 972 | if (pchild_pid) |
| 973 | *pchild_pid = child_pid; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 974 | return 0; |
| 975 | } |
| 976 | free(oldenv_copy); |
Ben Chan | 541c7e5 | 2011-08-26 14:55:53 -0700 | [diff] [blame] | 977 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 978 | /* Drop everything that cannot be inherited across execve. */ |
| 979 | minijail_preexec(j); |
| 980 | /* Jail this process and its descendants... */ |
| 981 | minijail_enter(j); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 982 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 983 | if (pidns) { |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 984 | /* |
| 985 | * pid namespace: this process will become init inside the new |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 986 | * namespace, so fork off a child to actually run the program |
| 987 | * (we don't want all programs we might exec to have to know |
| 988 | * how to be init). |
| 989 | */ |
| 990 | child_pid = fork(); |
| 991 | if (child_pid < 0) |
| 992 | _exit(child_pid); |
| 993 | else if (child_pid > 0) |
| 994 | init(child_pid); /* never returns */ |
| 995 | } |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 996 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 997 | /* |
| 998 | * If we aren't pid-namespaced: |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 999 | * calling process |
| 1000 | * -> execve()-ing process |
| 1001 | * If we are: |
| 1002 | * calling process |
| 1003 | * -> init()-ing process |
| 1004 | * -> execve()-ing process |
| 1005 | */ |
| 1006 | _exit(execve(filename, argv, environ)); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1007 | } |
| 1008 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 1009 | int API minijail_kill(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1010 | { |
| 1011 | int st; |
| 1012 | if (kill(j->initpid, SIGTERM)) |
| 1013 | return -errno; |
| 1014 | if (waitpid(j->initpid, &st, 0) < 0) |
| 1015 | return -errno; |
| 1016 | return st; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1017 | } |
| 1018 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 1019 | int API minijail_wait(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1020 | { |
| 1021 | int st; |
| 1022 | if (waitpid(j->initpid, &st, 0) < 0) |
| 1023 | return -errno; |
| 1024 | if (!WIFEXITED(st)) |
| 1025 | return MINIJAIL_ERR_JAIL; |
| 1026 | return WEXITSTATUS(st); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1027 | } |
| 1028 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 1029 | void API minijail_destroy(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1030 | { |
| 1031 | struct seccomp_filter *f = j->filters; |
| 1032 | /* Unlink the tail and head */ |
| 1033 | if (f) |
| 1034 | f->prev->next = NULL; |
| 1035 | while (f) { |
| 1036 | struct seccomp_filter *next = f->next; |
| 1037 | free(f->filter); |
| 1038 | free(f); |
| 1039 | f = next; |
| 1040 | } |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 1041 | while (j->bindings_head) { |
| 1042 | struct binding *b = j->bindings_head; |
| 1043 | j->bindings_head = j->bindings_head->next; |
| 1044 | free(b->dest); |
| 1045 | free(b->src); |
| 1046 | free(b); |
| 1047 | } |
| 1048 | j->bindings_tail = NULL; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1049 | if (j->user) |
| 1050 | free(j->user); |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 1051 | if (j->chrootdir) |
| 1052 | free(j->chrootdir); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1053 | free(j); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1054 | } |