Peter Qiu326b6cf2015-09-02 11:11:42 -07001//
2// Copyright (C) 2014 The Android Open Source Project
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15//
Peter Qiu5dd242d2014-10-14 12:23:21 -070016
17#include <vector>
18
19#include <base/bind.h>
20#include <base/command_line.h>
21#include <base/logging.h>
22#include <chromeos/minijail/minijail.h>
23#include <chromeos/syslog_logging.h>
24
25#include "apmanager/daemon.h"
26
27using std::vector;
28
namespace {

// Names of the command-line switches understood by apmanager.
namespace switches {

// Run in the foreground instead of calling daemon().
constexpr char kForeground[] = "foreground";
// Print the help message and exit.
constexpr char kHelp[] = "help";

// Text printed when the help switch is passed to the program.
constexpr char kHelpMessage[] =
    "\n"
    "Available Switches: \n"
    " --foreground\n"
    " Don\'t daemon()ize; run in foreground.\n";

}  // namespace switches

// Helper binary that forwards the daemon's stderr to syslog. It is named by
// absolute path, so launching it does not depend on a PATH lookup.
constexpr char kLoggerCommand[] = "/usr/bin/logger";
// Account used as both user and group for the logger helper.
constexpr char kLoggerUser[] = "syslog";
// Seccomp policy file applied to the daemon when it drops privileges.
constexpr char kSeccompFilePath[] =
    "/usr/share/policy/apmanager-seccomp.policy";

}  // namespace
54
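// Initializes logging for the daemon. Log messages always go to syslog, and
// additionally to stderr when |foreground| is true.
//
// When not running in the foreground, the process's stderr descriptor is
// redirected into a logger helper (|kLoggerCommand|) that is launched inside
// a minijail as |kLoggerUser| and invoked with "--tag |daemon_name|".
//
// |minijail| is the wrapper used to build and launch the logger jail.
// |daemon_name| must be a NUL-terminated string; it is passed verbatim as an
// argv element, so no shell interpretation is involved.
//
// Failures are logged and leave stderr untouched; they never abort startup.
void SetupLogging(chromeos::Minijail* minijail,
                  bool foreground,
                  const char* daemon_name) {
  int log_flags = chromeos::kLogToSyslog | chromeos::kLogHeader;
  if (foreground) {
    log_flags |= chromeos::kLogToStderr;
  }
  chromeos::InitLog(log_flags);

  if (foreground) {
    return;
  }

  // argv for the logger helper. The const_casts only satisfy the
  // vector<char*> interface; none of the strings is modified here.
  std::vector<char*> logger_command_line;
  logger_command_line.push_back(const_cast<char*>(kLoggerCommand));
  logger_command_line.push_back(const_cast<char*>("--priority"));
  logger_command_line.push_back(const_cast<char*>("daemon.err"));
  logger_command_line.push_back(const_cast<char*>("--tag"));
  logger_command_line.push_back(const_cast<char*>(daemon_name));
  logger_command_line.push_back(nullptr);

  struct minijail* jail = minijail->New();

  // The logger only needs to read a pipe and talk to syslog, so it must not
  // inherit this process's identity. If the user/group switch cannot be
  // configured, do not launch the helper at all rather than run it with the
  // daemon's current privileges.
  if (!minijail->DropRoot(jail, kLoggerUser, kLoggerUser)) {
    LOG(ERROR) << "Unable to configure user " << kLoggerUser
               << " for logger. Not redirecting stderr.";
    minijail->Destroy(jail);
    return;
  }

  // Initialized so that a failed launch can never leave an indeterminate
  // descriptor number behind.
  int logger_stdin_fd = -1;
  if (!minijail->RunPipeAndDestroy(jail, logger_command_line,
                                   nullptr, &logger_stdin_fd)) {
    LOG(ERROR) << "Unable to spawn logger. "
               << "Writes to stderr will be discarded.";
    return;
  }

  const int stderr_fd = fileno(stderr);

  // Note that we don't set O_CLOEXEC here. This means that stderr
  // from any child processes will, by default, be logged to syslog.
  if (dup2(logger_stdin_fd, stderr_fd) != stderr_fd) {
    // Capture errno before the logging machinery gets a chance to change it.
    const int saved_errno = errno;
    LOG(ERROR) << "Failed to redirect stderr to syslog: "
               << strerror(saved_errno);
  }

  // If the pipe already landed on the stderr descriptor (possible when the
  // process was started with stderr closed), dup2() was a no-op and closing
  // the pipe here would close stderr itself.
  if (logger_stdin_fd != stderr_fd) {
    close(logger_stdin_fd);
  }
}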
97
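// Confines the calling process: switches to the apmanager user and group,
// keeps only the listed network capabilities, installs the seccomp policy at
// |kSeccompFilePath|, and enters the jail.
//
// |minijail| is the wrapper used to build the jail configuration.
//
// Terminates the process if the user/group switch cannot be configured, so
// that the daemon never keeps running as its original user with only part of
// the sandbox applied.
void DropPrivileges(chromeos::Minijail* minijail) {
  struct minijail* jail = minijail->New();

  // A failure here (for example an account that does not exist on the
  // device) must be fatal: continuing would enter the jail without the
  // identity change.
  if (!minijail->DropRoot(jail, apmanager::Daemon::kAPManagerUserName,
                          apmanager::Daemon::kAPManagerGroupName)) {
    LOG(FATAL) << "Failed to configure user "
               << apmanager::Daemon::kAPManagerUserName << " and group "
               << apmanager::Daemon::kAPManagerGroupName
               << " for privilege drop";
  }

  // Permissions needed for the daemon and its child processes for managing
  // network interfaces and binding to network sockets. Everything outside
  // this mask is given up.
  minijail->UseCapabilities(jail, CAP_TO_MASK(CAP_NET_ADMIN) |
                                  CAP_TO_MASK(CAP_NET_RAW) |
                                  CAP_TO_MASK(CAP_NET_BIND_SERVICE));

  // NOTE(review): UseSeccompFilter() reports nothing to this caller; confirm
  // how a missing or malformed policy file is handled when the jail is
  // entered.
  minijail->UseSeccompFilter(jail, kSeccompFilePath);

  // Apply the configured restrictions to the current process.
  minijail_enter(jail);
  minijail->Destroy(jail);
}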
111
// Startup hook bound into apmanager::Daemon by main(). Sets up logging and
// then confines the process.
//
// |daemon_name| is forwarded to SetupLogging() as the syslog tag.
// |cl| is the parsed command line; only the foreground switch is read here.
//
// Ordering matters: SetupLogging() may launch the logger helper under a
// different user, which has to happen before this process gives up its own
// privileges in DropPrivileges().
void OnStartup(const char* daemon_name, base::CommandLine* cl) {
  const bool run_in_foreground = cl->HasSwitch(switches::kForeground);
  chromeos::Minijail* const jail_factory = chromeos::Minijail::GetInstance();

  SetupLogging(jail_factory, run_in_foreground, daemon_name);

  LOG(INFO) << __func__ << ": Dropping privileges";

  // Now that the daemon has all the resources it needs to run, we can drop
  // privileges further.
  DropPrivileges(jail_factory);
}
122
// Program entry point: parses the command line, handles the help switch, and
// runs the apmanager daemon with OnStartup() bound as its startup callback.
int main(int argc, char* argv[]) {
  base::CommandLine::Init(argc, argv);
  base::CommandLine* const command_line =
      base::CommandLine::ForCurrentProcess();

  const bool help_requested = command_line->HasSwitch(switches::kHelp);
  if (help_requested) {
    LOG(INFO) << switches::kHelpMessage;
    return 0;
  }

  // argv[0] becomes the daemon name, which OnStartup() passes on as the
  // syslog tag. Both bound pointers refer to objects that outlive |daemon|
  // within this function.
  apmanager::Daemon daemon(base::Bind(&OnStartup, argv[0], command_line));

  // NOTE(review): if Run() returns a status it is discarded here and the
  // process always exits with 0 - confirm that is intended.
  daemon.Run();

  return 0;
}