src/platform/minijail/minijail.cc - Issue 466049: Baseline minijail with a commandline switch driven main.

Side by Side Diff

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Side by Side Diff: src/platform/minijail/minijail.cc

Issue 466049: Baseline minijail with a commandline switch driven main. (Closed)

Patch Set: fix overly long lines Created 11 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 // Copyright (c) 2009 The Chromium OS Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4 // Some portions Copyright (c) 2009 The Chromium Authors.

	5 //

	6 // Implements MiniJail jailing logic.

	7

	8 #include "minijail.h"

	9

	10 #include <errno.h>

	11

	12 namespace chromeos {

	13

	14 bool MiniJail::Jail() const {

	15 // XXX This is a very early implementation of the jailing logic.

	16 // XXX Many features are missing or will be made more tunable.

	17 const minijail::Options *opts = options();

	18 const minijail::Env *env = opts->env();

	19

	20 int namespaces = 0;

	21 if (opts->namespace_pid())

	22 namespaces \|= CLONE_NEWPID;

	23 if (opts->namespace_vfs())

	24 namespaces \|= CLONE_NEWNS;

	25 // Dumb forced exit on failure.

	26 LOG_IF(FATAL, !env->EnterNamespace(namespaces));

	27

	28 if (opts->namespace_vfs() && opts->add_readonly_mounts())

	29 LOG_IF(FATAL, !env->Mount()); // TODO(wad) add flags

	30

	31 if (opts->use_capabilities()) {

	32 LOG_IF(FATAL, !env->KeepRootCapabilities());

	33 LOG_IF(FATAL, !env->DisableDefaultRootPrivileges());

	34 }

	35

	36 if (opts->disable_tracing())

	37 LOG_IF(FATAL, !env->DisableTracing());

	38

	39 uid_t uid = getuid();

	40 if (opts->change_uid()) {

	41 uid = opts->uid();

	42 }

	43 gid_t gid = getgid();

	44 if (opts->change_gid()) {

	45 gid = opts->gid();

	46 }

	47 // TODO(wad) separate group and user changes

	48 if (opts->change_uid() \|\| opts->change_gid()) {

	49 LOG_IF(FATAL, !env->ChangeUser(uid, gid));

	50 }

	51

	52 if (opts->enforce_syscalls_by_source()) {

	53 LOG_IF(FATAL, !env->FilterSyscallsBySource());

	54 } else if (opts->enforce_syscalls_benchmark()) {

	55 LOG_IF(FATAL, !env->FilterSyscallsBenchmarkOnly());

	56 }

	57

	58 if (opts->use_capabilities()) {

	59 // TODO(wad) use helpers to read caps from flags

	60 LOG_IF(FATAL, !env->SanitizeCapabilities(0));

	61 LOG_IF(FATAL, !env->SanitizeBoundingSet(0));

	62 }

	63 return true;

	64 }

	65

	66 } // namespace chromeos

OLD	NEW

« no previous file with comments | « src/platform/minijail/minijail.h ('k') | src/platform/minijail/minijail_main.cc » ('j') | no next file with comments »