| OLD | NEW |
| 1 // Copyright (c) 2009 The Chromium OS Authors. All rights reserved. | 1 // Copyright (c) 2009 The Chromium OS Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 // Some portions Copyright (c) 2009 The Chromium Authors. | 4 // Some portions Copyright (c) 2009 The Chromium Authors. |
| 5 // | 5 // |
| 6 // Options abstract class for minijails. | 6 // Options abstract class for minijails. |
| 7 #ifndef __CHROMEOS_MINIJAIL_OPTIONS_H | 7 #ifndef __CHROMEOS_MINIJAIL_OPTIONS_H |
| 8 #define __CHROMEOS_MINIJAIL_OPTIONS_H | 8 #define __CHROMEOS_MINIJAIL_OPTIONS_H |
| 9 | 9 |
| 10 #include <base/basictypes.h> | 10 #include <base/basictypes.h> |
| 11 #include <base/logging.h> | 11 #include <base/logging.h> |
| 12 #include <base/scoped_ptr.h> | 12 #include <base/scoped_ptr.h> |
| 13 | 13 |
| 14 #include "minijail/env.h" | 14 #include "minijail/env.h" |
| 15 | 15 |
| 16 namespace chromeos { | 16 namespace chromeos { |
| 17 namespace minijail { | 17 namespace minijail { |
| 18 | 18 |
| 19 class Options { | 19 class Options { |
| 20 public: | 20 public: |
| 21 Options() : env_(new Env), | 21 Options() : env_(new Env), |
| 22 executable_path_(NULL), | 22 executable_path_(NULL), |
| 23 argument_count_(0), | 23 argument_count_(0), |
| 24 arguments_(NULL), | 24 arguments_(NULL), |
| 25 environment_(NULL), | 25 environment_(NULL), |
| 26 add_readonly_mounts_(false), | 26 add_readonly_mounts_(false), |
| 27 caps_bitmask_(0), |
| 27 change_gid_(false), | 28 change_gid_(false), |
| 28 change_uid_(false), | 29 change_uid_(false), |
| 29 disable_tracing_(false), | 30 disable_tracing_(false), |
| 30 enforce_syscalls_benchmark_(false), | 31 enforce_syscalls_benchmark_(false), |
| 31 enforce_syscalls_by_source_(false), | 32 enforce_syscalls_by_source_(false), |
| 32 gid_(0), | 33 gid_(0), |
| 33 namespace_vfs_(false), | 34 namespace_vfs_(false), |
| 34 namespace_pid_(false), | 35 namespace_pid_(false), |
| 35 sanitize_environment_(false), | 36 sanitize_environment_(false), |
| 36 uid_(0), | 37 uid_(0), |
| (...skipping 66 matching lines...) |
| 103 virtual bool sanitize_environment() const | 104 virtual bool sanitize_environment() const |
| 104 { return sanitize_environment_; } | 105 { return sanitize_environment_; } |
| 105 // The value passed with this is the numeric UID to transition to. | 106 // The value passed with this is the numeric UID to transition to. |
| 106 virtual void set_uid(uid_t val) { uid_ = val; change_uid_ = true; } | 107 virtual void set_uid(uid_t val) { uid_ = val; change_uid_ = true; } |
| 107 virtual uid_t uid() const { return uid_; } | 108 virtual uid_t uid() const { return uid_; } |
| 108 // Enables the use and sanitization of POSIX capabilities. | 109 // Enables the use and sanitization of POSIX capabilities. |
| 109 // Without kKeepCapabilities, all capabilities save CAP_SETPCAP are | 110 // Without kKeepCapabilities, all capabilities save CAP_SETPCAP are |
| 110 // removed from the effective, inherited, permitted and bounding sets. | 111 // removed from the effective, inherited, permitted and bounding sets. |
| 111 virtual void set_use_capabilities(bool val) { use_capabilities_ = val; } | 112 virtual void set_use_capabilities(bool val) { use_capabilities_ = val; } |
| 112 virtual bool use_capabilities() const { return use_capabilities_; } | 113 virtual bool use_capabilities() const { return use_capabilities_; } |
| 114 // The set of caps to use when use_capabilities is set. |
| 115 virtual void set_caps_bitmask(uint64 val) { caps_bitmask_ = val; } |
| 116 virtual uint64 caps_bitmask() const { return caps_bitmask_; } |
| 113 | 117 |
| 114 #if 0 | 118 #if 0 |
| 115 TODO(wad): additional functionality: | 119 TODO(wad): additional functionality: |
| 116 virtual void set_cgroup_dir(const string& val) { cgroup_dir_ = val; } | 120 virtual void set_cgroup_dir(const string& val) { cgroup_dir_ = val; } |
| 117 virtual const string& cgroup_dir() const { return cgroup_dir_; } | 121 virtual const string& cgroup_dir() const { return cgroup_dir_; } |
| 118 | 122 |
| 119 virtual void set_supplemental_groups(std::vector<std::string>& val) | 123 virtual void set_supplemental_groups(std::vector<std::string>& val) |
| 120 { supplemental_groups_ = val; } | 124 { supplemental_groups_ = val; } |
| 121 virtual const std::vector<std::string> *supplemental_groups() const | 125 virtual const std::vector<std::string> *supplemental_groups() const |
| 122 { return supplemental_groups_; } | 126 { return supplemental_groups_; } |
| 123 | 127 |
| 124 virtual void set_bounding_set(uint64 val) { bounding_set_ = val; } | |
| 125 virtual uint64 bounding_set() const { return bounding_set_; } | |
| 126 | |
| 127 virtual void set_use_delayed_chroot(bool val) { use_delayed_chroot_ = val; } | 128 virtual void set_use_delayed_chroot(bool val) { use_delayed_chroot_ = val; } |
| 128 virtual bool use_delayed_chroot() const { return use_delayed_chroot_; } | 129 virtual bool use_delayed_chroot() const { return use_delayed_chroot_; } |
| 129 | 130 |
| 130 virtual void set_memory_limit(int64 val) { memory_limit_ = val; } | 131 virtual void set_memory_limit(int64 val) { memory_limit_ = val; } |
| 131 virtual int64 memory_limit() const { return memory_limit_; } | 132 virtual int64 memory_limit() const { return memory_limit_; } |
| 132 | 133 |
| 133 virtual void set_cpu_limit(int64 val) { cpu_limit_ = val; } | 134 virtual void set_cpu_limit(int64 val) { cpu_limit_ = val; } |
| 134 virtual int64 cpu_limit() const { return cpu_limit_; } | 135 virtual int64 cpu_limit() const { return cpu_limit_; } |
| 135 | 136 |
| 136 virtual void set_open_file_limit(int32 val) { open_file_limit_ = val; } | 137 virtual void set_open_file_limit(int32 val) { open_file_limit_ = val; } |
| (...skipping 19 matching lines...) |
| 156 | 157 |
| 157 | 158 |
| 158 private: | 159 private: |
| 159 scoped_ptr<Env> env_; | 160 scoped_ptr<Env> env_; |
| 160 const char *executable_path_; | 161 const char *executable_path_; |
| 161 int argument_count_; | 162 int argument_count_; |
| 162 char * const *arguments_; | 163 char * const *arguments_; |
| 163 char * const *environment_; | 164 char * const *environment_; |
| 164 | 165 |
| 165 bool add_readonly_mounts_; | 166 bool add_readonly_mounts_; |
| 167 uint64 caps_bitmask_; |
| 166 bool change_gid_; | 168 bool change_gid_; |
| 167 bool change_uid_; | 169 bool change_uid_; |
| 168 bool disable_tracing_; | 170 bool disable_tracing_; |
| 169 bool enforce_syscalls_benchmark_; | 171 bool enforce_syscalls_benchmark_; |
| 170 bool enforce_syscalls_by_source_; | 172 bool enforce_syscalls_by_source_; |
| 171 gid_t gid_; | 173 gid_t gid_; |
| 172 bool namespace_vfs_; | 174 bool namespace_vfs_; |
| 173 bool namespace_pid_; | 175 bool namespace_pid_; |
| 174 bool sanitize_environment_; | 176 bool sanitize_environment_; |
| 175 uid_t uid_; | 177 uid_t uid_; |
| 176 bool use_capabilities_; | 178 bool use_capabilities_; |
| 177 | 179 |
| 178 DISALLOW_COPY_AND_ASSIGN(Options); | 180 DISALLOW_COPY_AND_ASSIGN(Options); |
| 179 }; | 181 }; |
| 180 | 182 |
| 181 } // namespace minijail | 183 } // namespace minijail |
| 182 } // namespace chromeos | 184 } // namespace chromeos |
| 183 | 185 |
| 184 #endif // __CHROMEOS_MINIJAIL_OPTIONS_H | 186 #endif // __CHROMEOS_MINIJAIL_OPTIONS_H |
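Review bot: `set_caps_bitmask()` (new lines 114-116) stores the mask but leaves `use_capabilities_` untouched, whereas `set_uid()` also sets `change_uid_ = true`. A caller that sets only a mask would presumably get no capability sanitization at all; the code that consumes these options is not on this page, so this needs confirming. Either couple the two in the setter, `virtual void set_caps_bitmask(uint64 val) { caps_bitmask_ = val; use_capabilities_ = true; }`, or state the dependency in the comment. The comment should also spell out the encoding and the default, for example `// Bit N keeps capability N (1ULL << CAP_*); the default 0 keeps none. Ignored unless use_capabilities() is true.`, if that is the intended meaning. The existing text at new lines 110-111 about keeping only CAP_SETPCAP should be reconciled with the new mask.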
| OLD | NEW |