You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
511 lines
19 KiB
511 lines
19 KiB
/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
|
|
* Use of this source code is governed by a BSD-style license that can be
|
|
* found in the LICENSE file.
|
|
*/
|
|
|
|
/*
|
|
* The general pattern of use here:
|
|
* 1) Construct a minijail with minijail_new()
|
|
* 2) Apply the desired restrictions to it
|
|
* 3) Enter it, which locks the current process inside it, or:
|
|
* 3) Run a process inside it
|
|
* 4) Destroy it.
|
|
*/
|
|
|
|
#ifndef _LIBMINIJAIL_H_
|
|
#define _LIBMINIJAIL_H_
|
|
|
|
#include <stdint.h>
|
|
#include <sys/resource.h>
|
|
#include <sys/types.h>
|
|
|
|
/*
|
|
* Rust's bindgen needs the actual definition of sock_fprog in order to
|
|
* generate usable bindings.
|
|
*/
|
|
#ifdef USE_BINDGEN
|
|
#include <linux/filter.h>
|
|
#endif
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif
|
|
|
|
/* Possible exit status codes returned by minijail_wait(). */
|
|
enum {
|
|
/* Command can be found but cannot be run */
|
|
MINIJAIL_ERR_NO_ACCESS = 126,
|
|
|
|
/* Command cannot be found */
|
|
MINIJAIL_ERR_NO_COMMAND = 127,
|
|
|
|
/* (MINIJAIL_ERR_SIG_BASE + n) if process killed by signal n != SIGSYS */
|
|
MINIJAIL_ERR_SIG_BASE = 128,
|
|
|
|
/* Cannot mount a file or folder in mount namespace */
|
|
MINIJAIL_ERR_MOUNT = 251,
|
|
|
|
MINIJAIL_ERR_PRELOAD = 252,
|
|
|
|
/* Process killed by SIGSYS */
|
|
MINIJAIL_ERR_JAIL = 253,
|
|
|
|
MINIJAIL_ERR_INIT = 254,
|
|
};
|
|
|
|
struct minijail;
|
|
struct sock_fprog;
|
|
|
|
/*
|
|
* A hook that can be used to execute code at various events during minijail
|
|
* setup in the forked process. These can only be used if the jailed process is
|
|
* not going to be invoked with LD_PRELOAD.
|
|
*
|
|
* If the return value is non-zero, it will be interpreted as -errno and the
|
|
* process will abort.
|
|
*/
|
|
typedef int (*minijail_hook_t)(void *context);
|
|
|
|
/*
|
|
* The events during minijail setup in which hooks can run. All the events are
|
|
* run in the new process.
|
|
*/
|
|
typedef enum {
|
|
/* The hook will run just before dropping capabilities. */
|
|
MINIJAIL_HOOK_EVENT_PRE_DROP_CAPS,
|
|
|
|
/* The hook will run just before calling execve(2). */
|
|
MINIJAIL_HOOK_EVENT_PRE_EXECVE,
|
|
|
|
/* The hook will run just before calling chroot(2) / pivot_root(2). */
|
|
MINIJAIL_HOOK_EVENT_PRE_CHROOT,
|
|
|
|
/* Sentinel for error checking. Must be last. */
|
|
MINIJAIL_HOOK_EVENT_MAX,
|
|
} minijail_hook_event_t;
|
|
|
|
/* Allocates a new minijail with no restrictions. */
|
|
struct minijail *minijail_new(void);
|
|
|
|
/*
|
|
* These functions add restrictions to the minijail. They are not applied until
|
|
* minijail_enter() is called. See the documentation in minijail0.1 for
|
|
* explanations in detail of what the restrictions do.
|
|
*/
|
|
void minijail_change_uid(struct minijail *j, uid_t uid);
|
|
void minijail_change_gid(struct minijail *j, gid_t gid);
|
|
/* Copies |list|. */
|
|
void minijail_set_supplementary_gids(struct minijail *j, size_t size,
|
|
const gid_t *list);
|
|
void minijail_keep_supplementary_gids(struct minijail *j);
|
|
/* Stores user to change to and copies |user| for internal consistency. */
|
|
int minijail_change_user(struct minijail *j, const char *user);
|
|
/* Does not take ownership of |group|. */
|
|
int minijail_change_group(struct minijail *j, const char *group);
|
|
void minijail_use_seccomp(struct minijail *j);
|
|
void minijail_no_new_privs(struct minijail *j);
|
|
void minijail_use_seccomp_filter(struct minijail *j);
|
|
void minijail_set_seccomp_filter_tsync(struct minijail *j);
|
|
/*
|
|
* Allow speculative execution features that may cause data leaks across
|
|
* processes, by setting the SECCOMP_FILTER_FLAG_SPEC_ALLOW seccomp flag.
|
|
*
|
|
* WARNING: Enabling this may make the process vulnerable to speculative
|
|
* execution attacks (Branch Target Injection, and Speculative Store Bypass).
|
|
* This is only safe to use for processes that do not execute untrusted code.
|
|
*/
|
|
void minijail_set_seccomp_filter_allow_speculation(struct minijail *j);
|
|
/* Does not take ownership of |filter|. */
|
|
void minijail_set_seccomp_filters(struct minijail *j,
|
|
const struct sock_fprog *filter);
|
|
void minijail_parse_seccomp_filters(struct minijail *j, const char *path);
|
|
void minijail_parse_seccomp_filters_from_fd(struct minijail *j, int fd);
|
|
void minijail_log_seccomp_filter_failures(struct minijail *j);
|
|
/* 'minijail_use_caps' and 'minijail_capbset_drop' are mutually exclusive. */
|
|
void minijail_use_caps(struct minijail *j, uint64_t capmask);
|
|
void minijail_capbset_drop(struct minijail *j, uint64_t capmask);
|
|
/* 'minijail_set_ambient_caps' requires 'minijail_use_caps'. */
|
|
void minijail_set_ambient_caps(struct minijail *j);
|
|
void minijail_reset_signal_mask(struct minijail *j);
|
|
void minijail_reset_signal_handlers(struct minijail *j);
|
|
void minijail_namespace_vfs(struct minijail *j);
|
|
void minijail_namespace_enter_vfs(struct minijail *j, const char *ns_path);
|
|
void minijail_new_session_keyring(struct minijail *j);
|
|
void minijail_skip_setting_securebits(struct minijail *j,
|
|
uint64_t securebits_skip_mask);
|
|
|
|
/*
|
|
* This option is *dangerous* as it negates most of the functionality of
|
|
* minijail_namespace_vfs(). You very likely don't need this.
|
|
*/
|
|
void minijail_skip_remount_private(struct minijail *j);
|
|
void minijail_remount_mode(struct minijail *j, unsigned long mode);
|
|
void minijail_namespace_ipc(struct minijail *j);
|
|
void minijail_namespace_uts(struct minijail *j);
|
|
int minijail_namespace_set_hostname(struct minijail *j, const char *name);
|
|
void minijail_namespace_net(struct minijail *j);
|
|
void minijail_namespace_enter_net(struct minijail *j, const char *ns_path);
|
|
void minijail_namespace_cgroups(struct minijail *j);
|
|
/* Closes all open file descriptors after forking. */
|
|
void minijail_close_open_fds(struct minijail *j);
|
|
/*
|
|
* Implies namespace_vfs and remount_proc_readonly.
|
|
* WARNING: this is NOT THREAD SAFE. See the block comment in </libminijail.c>.
|
|
*/
|
|
void minijail_namespace_pids(struct minijail *j);
|
|
/*
|
|
* Implies namespace_vfs.
|
|
* WARNING: this is NOT THREAD SAFE. See the block comment in </libminijail.c>.
|
|
* Minijail will by default remount /proc read-only when using a PID namespace.
|
|
* Certain complex applications expect to be able to do their own sandboxing
|
|
* which might require writing to /proc, so support a weaker version of PID
|
|
* namespacing with a RW /proc.
|
|
*/
|
|
void minijail_namespace_pids_rw_proc(struct minijail *j);
|
|
void minijail_namespace_user(struct minijail *j);
|
|
void minijail_namespace_user_disable_setgroups(struct minijail *j);
|
|
int minijail_uidmap(struct minijail *j, const char *uidmap);
|
|
int minijail_gidmap(struct minijail *j, const char *gidmap);
|
|
void minijail_remount_proc_readonly(struct minijail *j);
|
|
void minijail_run_as_init(struct minijail *j);
|
|
int minijail_write_pid_file(struct minijail *j, const char *path);
|
|
void minijail_inherit_usergroups(struct minijail *j);
|
|
/*
|
|
* Changes the jailed process's syscall table to the alt_syscall table
|
|
* named |table|.
|
|
*/
|
|
int minijail_use_alt_syscall(struct minijail *j, const char *table);
|
|
|
|
/* Sets the given runtime limit. See getrlimit(2). */
|
|
int minijail_rlimit(struct minijail *j, int type, rlim_t cur, rlim_t max);
|
|
|
|
/*
|
|
* Adds the jailed process to the cgroup given by |path|. |path| should be the
|
|
* full path to the cgroups "tasks" file.
|
|
* Example: /sys/fs/cgroup/cpu/jailed_procs/tasks adds to the "jailed_procs" cpu
|
|
* cgroup.
|
|
*/
|
|
int minijail_add_to_cgroup(struct minijail *j, const char *path);
|
|
|
|
/*
|
|
* Install signal handlers in the minijail process that forward received
|
|
* signals to the jailed child process.
|
|
*/
|
|
int minijail_forward_signals(struct minijail *j);
|
|
|
|
/* The jailed child process should call setsid() to create a new session. */
|
|
int minijail_create_session(struct minijail *j);
|
|
|
|
/*
|
|
* minijail_enter_chroot: enables chroot() restriction for @j
|
|
* @j minijail to apply restriction to
|
|
* @dir directory to chroot() to. Owned by caller.
|
|
*
|
|
* Enters @dir, binding all bind mounts specified with minijail_bind() into
|
|
* place. Requires @dir to contain all necessary directories for bind mounts
|
|
* (i.e., if you have requested a bind mount at /etc, /etc must exist in @dir.)
|
|
*
|
|
* Returns 0 on success.
|
|
*/
|
|
int minijail_enter_chroot(struct minijail *j, const char *dir);
|
|
int minijail_enter_pivot_root(struct minijail *j, const char *dir);
|
|
|
|
/*
|
|
* minijail_get_original_path: returns the path of a given file outside of the
|
|
* chroot.
|
|
* @j minijail to obtain the path from.
|
|
* @chroot_path path inside of the chroot() to.
|
|
*
|
|
* When executing a binary in a chroot or pivot_root, return path to the binary
|
|
* outside of the chroot.
|
|
*
|
|
* Returns a string containing the path. This must be freed by the caller.
|
|
*/
|
|
char *minijail_get_original_path(struct minijail *j, const char *chroot_path);
|
|
|
|
/*
|
|
* minijail_mount_tmp: enables mounting of a 64M tmpfs filesystem on /tmp.
|
|
* As be rules of bind mounts, /tmp must exist in chroot.
|
|
*/
|
|
void minijail_mount_tmp(struct minijail *j);
|
|
|
|
/*
|
|
* minijail_mount_tmp_size: enables mounting of a tmpfs filesystem on /tmp.
|
|
* As be rules of bind mounts, /tmp must exist in chroot. Size is in bytes.
|
|
*/
|
|
void minijail_mount_tmp_size(struct minijail *j, size_t size);
|
|
|
|
/*
|
|
* minijail_mount_dev: enables mounting of a tmpfs filesystem on /dev.
|
|
* It will then be seeded with a basic set of device nodes. For the exact
|
|
* list, consult the minijail(0) man page.
|
|
*/
|
|
void minijail_mount_dev(struct minijail *j);
|
|
|
|
/*
|
|
* minijail_mount_with_data: when entering minijail @j,
|
|
* mounts @src at @dst with @flags and @data.
|
|
* @j minijail to bind inside
|
|
* @src source to bind
|
|
* @dest location to bind (inside chroot)
|
|
* @type type of filesystem
|
|
* @flags flags passed to mount
|
|
* @data data arguments passed to mount(2), e.g. "mode=755"
|
|
*
|
|
* This may be called multiple times; all mounts will be applied in the order
|
|
* of minijail_mount() calls.
|
|
* If @flags is 0, then MS_NODEV | MS_NOEXEC | MS_NOSUID will be used instead.
|
|
* If @data is NULL or "", and @type is tmpfs, then "mode=0755,size=10M" will
|
|
* be used instead.
|
|
*/
|
|
int minijail_mount_with_data(struct minijail *j, const char *src,
|
|
const char *dest, const char *type,
|
|
unsigned long flags, const char *data);
|
|
|
|
/*
|
|
* minijail_mount: when entering minijail @j, mounts @src at @dst with @flags
|
|
* @j minijail to bind inside
|
|
* @src source to bind
|
|
* @dest location to bind (inside chroot)
|
|
* @type type of filesystem
|
|
* @flags flags passed to mount
|
|
*
|
|
* This may be called multiple times; all mounts will be applied in the order
|
|
* of minijail_mount() calls.
|
|
*/
|
|
int minijail_mount(struct minijail *j, const char *src, const char *dest,
|
|
const char *type, unsigned long flags);
|
|
|
|
/*
|
|
* minijail_bind: bind-mounts @src into @j as @dest, optionally writeable
|
|
* @j minijail to bind inside
|
|
* @src source to bind
|
|
* @dest location to bind (inside chroot)
|
|
* @writeable 1 if the bind mount should be writeable
|
|
*
|
|
* This may be called multiple times; all bindings will be applied in the order
|
|
* of minijail_bind() calls.
|
|
*/
|
|
int minijail_bind(struct minijail *j, const char *src, const char *dest,
|
|
int writeable);
|
|
|
|
/*
|
|
* minijail_add_remount: when entering minijail @j, remounts @mount_name and all
|
|
* subdirectories as @remount_mode rather than the default MS_PRIVATE
|
|
* @j minijail to bind inside
|
|
* @mount_name mount to remount
|
|
* @remount_mode remount mode to use
|
|
*
|
|
* This may be called multiple times; this overrides |j->remount_mode| for the
|
|
* given mount.
|
|
*/
|
|
int minijail_add_remount(struct minijail *j, const char *mount_name,
|
|
unsigned long remount_mode);
|
|
/*
|
|
* minijail_add_hook: adds @hook to the list of hooks that will be
|
|
* invoked when @event is reached during minijail setup. The caller is
|
|
* responsible for the lifetime of @payload.
|
|
* @j minijail to add the hook to
|
|
* @hook the function that will be invoked
|
|
* @payload an opaque pointer
|
|
* @event the event that will trigger the hook
|
|
*/
|
|
int minijail_add_hook(struct minijail *j,
|
|
minijail_hook_t hook, void *payload,
|
|
minijail_hook_event_t event);
|
|
|
|
/*
|
|
* minijail_preserve_fd: preserves @parent_fd and makes it available as
|
|
* @child_fd in the child process. @parent_fd will be closed if no other
|
|
* redirect has claimed it as a @child_fd. This works even if
|
|
* minijail_close_open_fds() is invoked.
|
|
* @j minijail to add the fd to
|
|
* @parent_fd the fd in the parent process
|
|
* @child_fd the fd that will be available in the child process
|
|
*/
|
|
int minijail_preserve_fd(struct minijail *j, int parent_fd, int child_fd);
|
|
|
|
/*
|
|
* minijail_set_preload_path: overrides the default path for
|
|
* libminijailpreload.so.
|
|
*/
|
|
int minijail_set_preload_path(struct minijail *j, const char *preload_path);
|
|
|
|
/*
|
|
* Lock this process into the given minijail. Note that this procedure cannot
|
|
* fail, since there is no way to undo privilege-dropping; therefore, if any
|
|
* part of the privilege-drop fails, minijail_enter() will abort the entire
|
|
* process.
|
|
*
|
|
* Some restrictions cannot be enabled this way (pid namespaces) and attempting
|
|
* to do so will cause an abort.
|
|
*/
|
|
void minijail_enter(const struct minijail *j);
|
|
|
|
/*
|
|
* Run the specified command in the given minijail, execve(2)-style.
|
|
* If minijail_namespace_pids() or minijail_namespace_user() are used,
|
|
* this or minijail_fork() is required instead of minijail_enter().
|
|
*/
|
|
int minijail_run(struct minijail *j, const char *filename,
|
|
char *const argv[]);
|
|
|
|
/*
|
|
* Run the specified command in the given minijail, execve(2)-style.
|
|
* Don't use LD_PRELOAD to do privilege dropping. This is useful when sandboxing
|
|
* static binaries, or on systems without support for LD_PRELOAD.
|
|
*/
|
|
int minijail_run_no_preload(struct minijail *j, const char *filename,
|
|
char *const argv[]);
|
|
|
|
/*
|
|
* Run the specified command in the given minijail, execve(2)-style.
|
|
* Update |*pchild_pid| with the pid of the child.
|
|
*/
|
|
int minijail_run_pid(struct minijail *j, const char *filename,
|
|
char *const argv[], pid_t *pchild_pid);
|
|
|
|
/*
|
|
* Run the specified command in the given minijail, execve(2)-style.
|
|
* Update |*pstdin_fd| with a fd that allows writing to the child's
|
|
* standard input.
|
|
*/
|
|
int minijail_run_pipe(struct minijail *j, const char *filename,
|
|
char *const argv[], int *pstdin_fd);
|
|
|
|
/*
|
|
* Run the specified command in the given minijail, execve(2)-style.
|
|
* Update |*pchild_pid| with the pid of the child.
|
|
* Update |*pstdin_fd| with a fd that allows writing to the child's
|
|
* standard input.
|
|
* Update |*pstdout_fd| with a fd that allows reading from the child's
|
|
* standard output.
|
|
* Update |*pstderr_fd| with a fd that allows reading from the child's
|
|
* standard error.
|
|
*/
|
|
int minijail_run_pid_pipes(struct minijail *j, const char *filename,
|
|
char *const argv[], pid_t *pchild_pid,
|
|
int *pstdin_fd, int *pstdout_fd, int *pstderr_fd);
|
|
|
|
/*
|
|
* Run the specified command in the given minijail, execve(2)-style.
|
|
* Pass |envp| as the full environment for the child.
|
|
* Update |*pchild_pid| with the pid of the child.
|
|
* Update |*pstdin_fd| with a fd that allows writing to the child's
|
|
* standard input.
|
|
* Update |*pstdout_fd| with a fd that allows reading from the child's
|
|
* standard output.
|
|
* Update |*pstderr_fd| with a fd that allows reading from the child's
|
|
* standard error.
|
|
*/
|
|
int minijail_run_env_pid_pipes(struct minijail *j, const char *filename,
|
|
char *const argv[], char *const envp[],
|
|
pid_t *pchild_pid, int *pstdin_fd,
|
|
int *pstdout_fd, int *pstderr_fd);
|
|
|
|
/*
|
|
* Run the specified command in the given minijail, execve(2)-style.
|
|
* Update |*pchild_pid| with the pid of the child.
|
|
* Update |*pstdin_fd| with a fd that allows writing to the child's
|
|
* standard input.
|
|
* Update |*pstdout_fd| with a fd that allows reading from the child's
|
|
* standard output.
|
|
* Update |*pstderr_fd| with a fd that allows reading from the child's
|
|
* standard error.
|
|
* Don't use LD_PRELOAD to do privilege dropping. This is useful when sandboxing
|
|
* static binaries, or on systems without support for LD_PRELOAD.
|
|
*/
|
|
int minijail_run_pid_pipes_no_preload(struct minijail *j, const char *filename,
|
|
char *const argv[], pid_t *pchild_pid,
|
|
int *pstdin_fd, int *pstdout_fd,
|
|
int *pstderr_fd);
|
|
|
|
/*
|
|
* Run the specified command in the given minijail, execve(2)-style.
|
|
* Pass |envp| as the full environment for the child.
|
|
* Update |*pchild_pid| with the pid of the child.
|
|
* Update |*pstdin_fd| with a fd that allows writing to the child's
|
|
* standard input.
|
|
* Update |*pstdout_fd| with a fd that allows reading from the child's
|
|
* standard output.
|
|
* Update |*pstderr_fd| with a fd that allows reading from the child's
|
|
* standard error.
|
|
* Don't use LD_PRELOAD to do privilege dropping. This is useful when sandboxing
|
|
* static binaries, or on systems without support for LD_PRELOAD.
|
|
*/
|
|
int minijail_run_env_pid_pipes_no_preload(struct minijail *j,
|
|
const char *filename,
|
|
char *const argv[],
|
|
char *const envp[], pid_t *pchild_pid,
|
|
int *pstdin_fd, int *pstdout_fd,
|
|
int *pstderr_fd);
|
|
|
|
/*
|
|
* Fork, jail the child, and return. This behaves similar to fork(2), except it
|
|
* puts the child process in a jail before returning.
|
|
* `minijail_fork` returns in both the parent and the child. The pid of the
|
|
* child is returned to the parent. Zero is returned in the child. LD_PRELOAD
|
|
* is not supported.
|
|
* If minijail_namespace_pids() or minijail_namespace_user() are used,
|
|
* this or minijail_run*() is required instead of minijail_enter().
|
|
*/
|
|
pid_t minijail_fork(struct minijail *j);
|
|
|
|
/*
|
|
* Send SIGTERM to the process in the minijail and wait for it to terminate.
|
|
*
|
|
* Return the same nonnegative exit status as minijail_wait(), or a negative
|
|
* error code (eg -ESRCH if the process has already been waited for).
|
|
*
|
|
* This is most useful if the minijail has been created with PID namespacing
|
|
* since, in this case, all processes inside it are atomically killed.
|
|
*/
|
|
int minijail_kill(struct minijail *j);
|
|
|
|
/*
|
|
* Wait for the first process spawned in the specified minijail to exit, and
|
|
* return its exit status. A process can only be waited once.
|
|
*
|
|
* Return:
|
|
* A negative error code if the process cannot be waited for (eg -ECHILD if no
|
|
* process has been started or if the process has already been waited for).
|
|
* MINIJAIL_ERR_NO_COMMAND if command cannot be found.
|
|
* MINIJAIL_ERR_NO_ACCESS if command cannot be run.
|
|
* MINIJAIL_ERR_JAIL if process was killed by SIGSYS.
|
|
* (MINIJAIL_ERR_SIG_BASE + n) if process was killed by signal n != SIGSYS.
|
|
* (n & 0xFF) if process finished by returning code n.
|
|
*/
|
|
int minijail_wait(struct minijail *j);
|
|
|
|
/*
|
|
* Frees the given minijail. It does not matter if the process is inside the
|
|
* minijail or not.
|
|
*/
|
|
void minijail_destroy(struct minijail *j);
|
|
|
|
/*
|
|
* Deep copies the minijail in |from| to |out| providing two identical jails
|
|
* that can be used to contain separate children created with minijail_fork().
|
|
*
|
|
* Duplicating a jail is invalid after a jail has been passed to
|
|
* minijail_fork(). Many minijail_*() calls will yield undefined
|
|
* results when called on a jail duplicated post-fork.
|
|
*/
|
|
int minijail_copy_jail(const struct minijail *from, struct minijail *out);
|
|
|
|
/*
|
|
* minijail_log_to_fd: redirects the module-wide logging to an FD instead of
|
|
* syslog.
|
|
* @fd FD to log to. Caller must ensure this is available after
|
|
* jailing (e.g. with minijail_preserve_fd()).
|
|
* @min_priority the minimum logging priority. Same as the priority argument
|
|
* to syslog(2).
|
|
*/
|
|
void minijail_log_to_fd(int fd, int min_priority);
|
|
|
|
#ifdef __cplusplus
|
|
} /* extern "C" */
|
|
#endif
|
|
|
|
#endif /* !_LIBMINIJAIL_H_ */
|