
Side by Side Diff: src/platform/minijail/minijail.cc

Issue 542124: Update minijail tests with real mocks and packaging testing deps (Closed)
Patch Set: integrate notes from cmasone Created 10 years, 11 months ago
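--- a/src/platform/minijail/minijail.cc
+++ b/src/platform/minijail/minijail.cc
@@ -1,71 +1,93 @@
 // Copyright (c) 2009 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 // Some portions Copyright (c) 2009 The Chromium Authors.
 //
 // Implements MiniJail jailing logic.
 
 #include "minijail.h"
 
 #include <errno.h>
 
 namespace chromeos {
 
 bool MiniJail::Jail() const {
 // XXX This is a very early implementation of the jailing logic.
 // XXX Many features are missing or will be made more tunable.
 const minijail::Options *opts = options();
 if (!opts) {
 LOG(ERROR) << "No Options given. Initialize must be called first "
 << "with a valid Option pointer.";
 return false;
 }
 const minijail::Env *env = opts->env();
 
 int namespaces = 0;
 if (opts->namespace_pid())
 namespaces |= CLONE_NEWPID;
 if (opts->namespace_vfs())
 namespaces |= CLONE_NEWNS;
-// Dumb forced exit on failure.
-LOG_IF(FATAL, !env->EnterNamespace(namespaces));
+if (namespaces && !env->EnterNamespace(namespaces)) {
+return false;
+}
 
-if (opts->namespace_vfs() && opts->add_readonly_mounts())
-LOG_IF(FATAL, !env->Mount()); // TODO(wad) add flags
+if (opts->namespace_vfs() && opts->add_readonly_mounts()) {
+if (!env->Mount()) { // TODO(wad) add flags
+return false;
+}
+}
 
 if (opts->use_capabilities()) {
-LOG_IF(FATAL, !env->KeepRootCapabilities());
-LOG_IF(FATAL, !env->DisableDefaultRootPrivileges());
+if (!env->KeepRootCapabilities()) {
+return false;
+}
+if (!env->DisableDefaultRootPrivileges()) {
+return false;
+}
 }
 
-if (opts->disable_tracing())
-LOG_IF(FATAL, !env->DisableTracing());
+if (opts->disable_tracing()) {
+if (!env->DisableTracing()) {
+return false;
+}
+}
 
 uid_t uid = getuid();
 if (opts->change_uid()) {
 uid = opts->uid();
 }
 gid_t gid = getgid();
 if (opts->change_gid()) {
 gid = opts->gid();
 }
 // TODO(wad) separate group and user changes
 if (opts->change_uid() || opts->change_gid()) {
-LOG_IF(FATAL, !env->ChangeUser(uid, gid));
+DLOG(INFO) << "Attempting to change user and/or groups...";
+if (!env->ChangeUser(uid, gid)) {
+return false;
+}
 }
 
 if (opts->enforce_syscalls_by_source()) {
-LOG_IF(FATAL, !env->FilterSyscallsBySource());
+if (!env->FilterSyscallsBySource()) {
+return false;
+}
 } else if (opts->enforce_syscalls_benchmark()) {
-LOG_IF(FATAL, !env->FilterSyscallsBenchmarkOnly());
+if (!env->FilterSyscallsBenchmarkOnly()) {
+return false;
+}
 }
 
 if (opts->use_capabilities()) {
 // TODO(wad) use helpers to read caps from flags
-LOG_IF(FATAL, !env->SanitizeCapabilities(0));
-LOG_IF(FATAL, !env->SanitizeBoundingSet(0));
+if (!env->SanitizeCapabilities(0)) {
+return false;
+}
+if (!env->SanitizeBoundingSet(0)) {
+return false;
+}
 }
 return true;
 }
 
 } // namespace chromeos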
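Review bot: With every `LOG_IF(FATAL, ...)` in Jail() replaced by `return false` (from EnterNamespace through SanitizeBoundingSet), the jail stays fail-closed only if each caller checks the result and exits without running the target, and nothing visible here enforces that. A false return can arrive after EnterNamespace, Mount or ChangeUser has already taken effect, so I would document the function with `// Returns false on any failed step; the process may then be partially jailed and the caller must exit.` and, if the tree allows it, mark the declaration in minijail.h (not shown) with `__attribute__((warn_unused_result))`. The failing step is also no longer logged in this function, so unless the Env methods log themselves, add something like `LOG(ERROR) << "ChangeUser failed";` before each `return false;`. Separately, `env` from `opts->env()` is dereferenced without a null check on both sides of the diff.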