| Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1 | /* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. |
| 2 | * Use of this source code is governed by a BSD-style license that can be |
| Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame^] | 3 | * found in the LICENSE file. |
| 4 | */ |
| Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 5 | |
| 6 | #include <stdio.h> |
| 7 | #include <stdlib.h> |
| 8 | #include <string.h> |
| 9 | #include <unistd.h> |
| 10 | |
| 11 | #include "libminijail.h" |
| Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame^] | 12 | #include "libsyscalls.h" |
| Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 13 | |
| 14 | static void set_user(struct minijail *j, const char *arg) { |
| 15 | char *end = NULL; |
| 16 | int uid = strtod(arg, &end); |
| 17 | if (!*end && *arg) { |
| 18 | minijail_change_uid(j, uid); |
| 19 | return; |
| 20 | } |
| 21 | |
| 22 | if (minijail_change_user(j, arg)) { |
| 23 | fprintf(stderr, "Bad user: '%s'\n", arg); |
| 24 | exit(1); |
| 25 | } |
| 26 | } |
| 27 | |
| 28 | static void set_group(struct minijail *j, const char *arg) { |
| 29 | char *end = NULL; |
| 30 | int gid = strtod(arg, &end); |
| 31 | if (!*end && *arg) { |
| 32 | minijail_change_gid(j, gid); |
| 33 | return; |
| 34 | } |
| 35 | |
| 36 | if (minijail_change_group(j, arg)) { |
| 37 | fprintf(stderr, "Bad group: '%s'\n", arg); |
| 38 | exit(1); |
| 39 | } |
| 40 | } |
| 41 | |
| 42 | static void use_caps(struct minijail *j, const char *arg) { |
| 43 | uint64_t caps; |
| 44 | char *end = NULL; |
| 45 | caps = strtoull(arg, &end, 16); |
| 46 | if (*end) { |
| 47 | fprintf(stderr, "Invalid cap set: '%s'\n", arg); |
| 48 | exit(1); |
| 49 | } |
| 50 | minijail_use_caps(j, caps); |
| 51 | } |
| 52 | |
| 53 | static void usage(const char *progn) { |
| Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame^] | 54 | printf("Usage: %s [-Ghprsv] [-c <caps>] [-g <group>] [-S <file>] [-u <user>] " |
| 55 | "<program> [args...]\n" |
| Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 56 | " -c: restrict caps to <caps>\n" |
| 57 | " -G: inherit groups from uid\n" |
| 58 | " -g: change gid to <group>\n" |
| 59 | " -h: help (this message)\n" |
| Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame^] | 60 | " -H: seccomp filter help message\n" |
| Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 61 | " -p: use pid namespace\n" |
| 62 | " -r: remount filesystems readonly (implies -v)\n" |
| 63 | " -s: use seccomp\n" |
| Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame^] | 64 | " -S: set seccomp filters using <file>\n" |
| 65 | " E.g., -S /usr/share/blah/seccomp_filters.$(uname -m)\n" |
| Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 66 | " -u: change uid to <user>\n" |
| 67 | " -v: use vfs namespace\n", progn); |
| 68 | } |
| 69 | |
| Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame^] | 70 | static void seccomp_filter_usage(const char *progn) { |
| 71 | const struct syscall_entry *entry = syscall_table; |
| 72 | printf("Usage: %s -S <policy.file> <program> [args...]\n\n" |
| 73 | "System call names supported:\n", progn); |
| 74 | for (; entry->name && entry->nr >= 0; ++entry) |
| 75 | printf(" %s [%d]\n", entry->name, entry->nr); |
| 76 | printf("\nSee minijail0(5) for example policies.\n"); |
| 77 | } |
| 78 | |
| Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 79 | int main(int argc, char *argv[]) { |
| 80 | struct minijail *j = minijail_new(); |
| 81 | |
| 82 | int opt; |
| Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame^] | 83 | while ((opt = getopt(argc, argv, "u:g:sS:c:vrGhHp")) != -1) { |
| Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 84 | switch (opt) { |
| 85 | case 'u': |
| 86 | set_user(j, optarg); |
| 87 | break; |
| 88 | case 'g': |
| 89 | set_group(j, optarg); |
| 90 | break; |
| 91 | case 's': |
| 92 | minijail_use_seccomp(j); |
| 93 | break; |
| Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame^] | 94 | case 'S': |
| 95 | minijail_parse_seccomp_filters(j, optarg); |
| 96 | minijail_use_seccomp_filter(j); |
| 97 | break; |
| Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 98 | case 'c': |
| 99 | use_caps(j, optarg); |
| 100 | break; |
| 101 | case 'v': |
| 102 | minijail_namespace_vfs(j); |
| 103 | break; |
| 104 | case 'r': |
| 105 | minijail_remount_readonly(j); |
| 106 | break; |
| 107 | case 'G': |
| 108 | minijail_inherit_usergroups(j); |
| 109 | break; |
| 110 | case 'p': |
| 111 | minijail_namespace_pids(j); |
| 112 | break; |
| Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame^] | 113 | case 'H': |
| 114 | seccomp_filter_usage(argv[0]); |
| 115 | exit(1); |
| Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 116 | default: |
| 117 | usage(argv[0]); |
| 118 | exit(1); |
| 119 | } |
| 120 | } |
| 121 | |
| 122 | if (argc == optind) { |
| 123 | usage(argv[0]); |
| 124 | exit(1); |
| 125 | } |
| 126 | |
| 127 | argc -= optind; |
| 128 | argv += optind; |
| 129 | |
| 130 | minijail_run(j, argv[0], argv); |
| 131 | return minijail_wait(j); |
| 132 | } |