[minijail] Add the ability to set capabilities from the command line

minijail_main.cc

-// Copyright (c) 2009 The Chromium OS Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
-// Some portions Copyright (c) 2009 The Chromium Authors.
+// Some portions Copyright (c) 2011 The Chromium Authors.
 //
 // Driver program for applying a minijail from the commandline to
 // a process and its children (depending on the feature).
 
 #include "minijail/minijail.h"
 
 #include <errno.h>
 #include <linux/capability.h>
 #include <stdio.h>
 #include <sys/prctl.h>
 #include <unistd.h>
 
 #include <iostream>
 #include <new>
 #include <string>
 #include <vector>
 
 #include <base/basictypes.h>
 #include <base/command_line.h>
 #include <base/logging.h>
+#include <base/string_number_conversions.h>
 #include <base/string_util.h>
 
 namespace switches {
 static const char kAddReadonlyMounts[] = "add-readonly-mounts";
 static const char kDisableTracing[] = "disable-tracing";
 static const char kEnforceSyscallsBenchmark[] = "enforce-syscall-benchmark";
 static const char kEnforceSyscallsBySource[] = "enforce-syscall-by-source";
 static const char kGid[] = "gid";
 static const char kNamespaceVfs[] = "namespace-vfs";
 static const char kNamespacePid[] = "namespace-pid";
@@ skipping 21 matching lines @@
 "  --namespace-vfs\n"
 "    Enables a process-tree specific VFS view.\n"
 "  --namespace-pid\n"
 "    Makes the executed process into procss id 1 in its own process view.\n"
 "    With --add-readonly-mounts, other processes will not be visible\n"
 "  --sanitize-environment\n"
 "    Scrubs the environment clean of potentially dangerous values.\n"
 "    (Note, this is a blacklist and not a whitelist so it may need attention)\n"
 "  --uid [number]\n"
 "    Numeric uid to transition to prior to execution.\n"
-"  --use-capabilities\n"
+"  --use-capabilities [uint64 bitmask]\n"
 "    Restricts all root-level capabilities to CAP_SETPCAP and enables\n"
 "    SECURE_NOROOT.\n"
 "  -- /path/to/program [arg1 [arg2 [ . . . ] ] ]\n"
 "    Supplies the required program to execute and its arguments.\n"
 "    At present, an empty environment will be passed.\n"
 "\n";
 
 }  // namespace switches
 
 static void ProcessSwitches(CommandLine *cl,
@@ skipping 10 matching lines @@
     cl->HasSwitch(switches::kAddReadonlyMounts));
   jail_opts->set_disable_tracing(cl->HasSwitch(switches::kDisableTracing));
   jail_opts->set_enforce_syscalls_benchmark(
     cl->HasSwitch(switches::kEnforceSyscallsBenchmark));
   jail_opts->set_enforce_syscalls_by_source(
     cl->HasSwitch(switches::kEnforceSyscallsBySource));
   jail_opts->set_use_capabilities(cl->HasSwitch(switches::kUseCapabilities));
   jail_opts->set_sanitize_environment(
     cl->HasSwitch(switches::kSanitizeEnvironment));
 
+  if (jail_opts->use_capabilities()) {
+    jail_opts->set_caps_bitmask(0);
+    // TODO(cmasone): switch to something that parses unsigned ints.
+    int64 caps = 0;
+    if (base::StringToInt64(
+            cl->GetSwitchValueASCII(switches::kUseCapabilities), &caps)) {
+      uint64 bitmask = (caps < 0 ? 0 : caps);
+      jail_opts->set_caps_bitmask(bitmask);
+    }
+  }
+
   std::string uid_string = cl->GetSwitchValueASCII(switches::kUid);
   if (!uid_string.empty()) {
     errno = 0;
     uid_t uid = static_cast<uid_t>(strtol(uid_string.c_str(), NULL, 0));
     PLOG_IF(WARNING, errno) << "failed to parse uid";
     jail_opts->set_uid(uid);
   }
 
   std::string gid_string = cl->GetSwitchValueASCII(switches::kGid);
   if (!gid_string.empty()) {
@@ skipping 38 matching lines @@
   ProcessSwitches(cl, &jail_opts);
   jail_opts.set_environment(envp);
 
   LOG_IF(FATAL, !jail_opts.executable_path()) << "No executable given";
 
   chromeos::MiniJail jail;
   jail.Initialize(&jail_opts);
   bool ok = jail.Jail() && jail.Run();
   return !ok;
 }