flexibility for having extra policy files
Add an interface that accepts a list of additional policy files instead of just a single file.
Also add TEST_MAPPING for presubmit.
Bug: 147914640
Test: boot with empty, 1, and 2 element lists, atest
Change-Id: I97e8e0ec7b68699838595c09a4a8e7c7eef657c3
Merged-In: I97e8e0ec7b68699838595c09a4a8e7c7eef657c3
(cherry picked from commit 11c1a68778c39564ed37e653d7af6881a2d11ea6)
diff --git a/services/minijail/minijail.cpp b/services/minijail/minijail.cpp
index f213287..f40f0c5 100644
--- a/services/minijail/minijail.cpp
+++ b/services/minijail/minijail.cpp
@@ -29,7 +29,7 @@
namespace android {
int WritePolicyToPipe(const std::string& base_policy_content,
- const std::string& additional_policy_content)
+ const std::vector<std::string>& additional_policy_contents)
{
int pipefd[2];
if (pipe(pipefd) == -1) {
@@ -40,9 +40,11 @@
base::unique_fd write_end(pipefd[1]);
std::string content = base_policy_content;
- if (additional_policy_content.length() > 0) {
- content += "\n";
- content += additional_policy_content;
+ for (auto one_content : additional_policy_contents) {
+ if (one_content.length() > 0) {
+ content += "\n";
+ content += one_content;
+ }
}
if (!base::WriteStringToFd(content, write_end.get())) {
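Review bot: The new range loop `for (auto one_content : additional_policy_contents)` copies every policy string on each iteration; `for (const auto& one_content : additional_policy_contents)` visits the same elements without the copy. The same by-value loop appears in the next hunk as `for (auto one_policy_path : additional_policy_paths)` and should take `const auto&` as well. WritePolicyToPipe's body starts and ends outside this hunk.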
@@ -53,29 +55,40 @@
return pipefd[0];
}
-void SetUpMinijail(const std::string& base_policy_path, const std::string& additional_policy_path)
+void SetUpMinijail(const std::string& base_policy_path,
+ const std::string& additional_policy_path)
+{
+ SetUpMinijailList(base_policy_path, {additional_policy_path});
+}
+
+void SetUpMinijailList(const std::string& base_policy_path,
+ const std::vector<std::string>& additional_policy_paths)
{
// No seccomp policy defined for this architecture.
if (access(base_policy_path.c_str(), R_OK) == -1) {
- LOG(WARNING) << "No seccomp policy defined for this architecture.";
+ // LOG(WARNING) << "No seccomp policy defined for this architecture.";
+ LOG(WARNING) << "missing base seccomp_policy file '" << base_policy_path << "'";
return;
}
std::string base_policy_content;
- std::string additional_policy_content;
+ std::vector<std::string> additional_policy_contents;
if (!base::ReadFileToString(base_policy_path, &base_policy_content,
false /* follow_symlinks */)) {
LOG(FATAL) << "Could not read base policy file '" << base_policy_path << "'";
}
- if (additional_policy_path.length() > 0 &&
- !base::ReadFileToString(additional_policy_path, &additional_policy_content,
- false /* follow_symlinks */)) {
- LOG(WARNING) << "Could not read additional policy file '" << additional_policy_path << "'";
- additional_policy_content = std::string();
+ for (auto one_policy_path : additional_policy_paths) {
+ std::string one_policy_content;
+ if (one_policy_path.length() > 0 &&
+ !base::ReadFileToString(one_policy_path, &one_policy_content,
+ false /* follow_symlinks */)) {
+ LOG(WARNING) << "Could not read additional policy file '" << one_policy_path << "'";
+ }
+ additional_policy_contents.push_back(one_policy_content);
}
- base::unique_fd policy_fd(WritePolicyToPipe(base_policy_content, additional_policy_content));
+ base::unique_fd policy_fd(WritePolicyToPipe(base_policy_content, additional_policy_contents));
if (policy_fd.get() == -1) {
LOG(FATAL) << "Could not write seccomp policy to fd";
}
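Review bot: The removed branch reset `additional_policy_content = std::string();` when the additional file could not be read, but the new loop has no counterpart: after a failed `ReadFileToString` it still falls through to `additional_policy_contents.push_back(one_policy_content)`. If that helper can return false after appending partial data (not visible here; worth confirming against libbase), a partially read policy would be written into the pipe next to the base policy, so adding `continue;` after the `LOG(WARNING)` (or `one_policy_content.clear();`) restores the previous behaviour and also stops blank paths from pushing empty entries. Separately, the commented-out `// LOG(WARNING) << "No seccomp policy defined for this architecture.";` is dead code that should be deleted rather than kept beside its replacement. SetUpMinijailList's body continues past the end of the hunk.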