apmanager: run daemon inside minijail
Run apmanager inside a minijail with limited privileges and system calls
through seccomp filter.
BUG=chromium:442186
TEST=Verify AP services with client connectivity on arm (peach_pit),
x86 (x86-alex), and amd64 (stumpy) platforms.
CQ-DEPEND=CL:236097
Change-Id: I10b2b0c6943cad134028894505d54e2ca4993a26
Reviewed-on: https://chromium-review.googlesource.com/236098
Tested-by: Zeping Qiu <zqiu@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Zeping Qiu <zqiu@chromium.org>
Trybot-Ready: Zeping Qiu <zqiu@chromium.org>
diff --git a/main.cc b/main.cc
index b6c860a..d5fdb55 100644
--- a/main.cc
+++ b/main.cc
@@ -36,6 +36,7 @@
const char kLoggerCommand[] = "/usr/bin/logger";
const char kLoggerUser[] = "syslog";
+const char kSeccompFilePath[] = "/usr/share/policy/apmanager-seccomp.policy";
} // namespace
@@ -83,11 +84,15 @@
}
void DropPrivileges(chromeos::Minijail* minijail) {
- // TODO(zqiu): Need to figure out the right set of privileges to allow
- // hostapd to configure interfaces.
struct minijail* jail = minijail->New();
minijail->DropRoot(jail, apmanager::Daemon::kAPManagerUserName,
apmanager::Daemon::kAPManagerGroupName);
+ // Permissions needed for the daemon and its child processes for managing
+ // network interfaces and binding to network sockets.
+ minijail->UseCapabilities(jail, CAP_TO_MASK(CAP_NET_ADMIN) |
+ CAP_TO_MASK(CAP_NET_RAW) |
+ CAP_TO_MASK(CAP_NET_BIND_SERVICE));
+ minijail->UseSeccompFilter(jail, kSeccompFilePath);
minijail_enter(jail);
minijail->Destroy(jail);
}
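Review bot: The comment added above `UseCapabilities` says the mask is for the daemon and its child processes, but the capability set installed on the jail applies to this process; whether hostapd and dnsmasq still hold CAP_NET_ADMIN/CAP_NET_RAW after an exec as the non-root apmanager user depends on the kernel's capability inheritance rules and on any file capabilities on those binaries, neither of which this hunk shows. I would restate it as `// Capabilities this process keeps after dropping root; child processes only retain what the kernel's exec rules and any file capabilities on their binaries allow.` and confirm the children's behaviour as part of the TEST= run. None of the minijail calls in DropPrivileges report failure, and I believe libminijail treats an unreadable or malformed policy at kSeccompFilePath as fatal, so a `LOG(INFO) << "Applying seccomp policy " << kSeccompFilePath;` before `UseSeccompFilter` would make such an abort attributable in the system log. kSeccompFilePath itself is defined in the previous hunk.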
@@ -98,11 +103,9 @@
LOG(INFO) << __func__ << ": Dropping privileges";
- // TODO(zqiu): temporary, until we figure out the exact privileges required
- // to start required daemons (hostapd and dnsmasq).
// Now that the daemon has all the resources it needs to run, we can drop
// privileges further.
- // DropPrivileges(minijail);
+ DropPrivileges(minijail);
}
int main(int argc, char* argv[]) {