Unify media.codec and media.extractor Minijail usage.
That way we can modify this code in one place to take a list of seccomp
policy files.
This CL removes around 70 lines by unifying identical code. No change
in behavior.
Bug: 34723744
Test: media.codec, media.extractor start, have Seccomp.
Test: cat /proc/`pgrep .codec`/status | grep Seccomp
Seccomp: 2
Test: cat /proc/`pgrep .extractor`/status | grep Seccomp
Seccomp: 2
Change-Id: Ia8be7b9c3d6163804d2a45954f8d03315ae32e7a
diff --git a/services/minijail/minijail.cpp b/services/minijail/minijail.cpp
new file mode 100644
index 0000000..53ff858
--- /dev/null
+++ b/services/minijail/minijail.cpp
@@ -0,0 +1,57 @@
+// Copyright 2015, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <android-base/logging.h>
+#include <android-base/unique_fd.h>
+
+#include <libminijail.h>
+#include <scoped_minijail.h>
+
+#include "minijail.h"
+
+namespace android {
+
+int SetUpMinijail(const std::string& seccomp_policy_path)
+{
+ // No seccomp policy defined for this architecture.
+ if (access(seccomp_policy_path.c_str(), R_OK) == -1) {
+ LOG(WARNING) << "No seccomp policy defined for this architecture.";
+ return 0;
+ }
+
+ int policy_fd = TEMP_FAILURE_RETRY(open(seccomp_policy_path.c_str(), O_RDONLY | O_CLOEXEC));
+ if (policy_fd == -1) {
+ PLOG(FATAL) << "Failed to open seccomp policy file '" << seccomp_policy_path << "'";
+ }
+
+ ScopedMinijail jail{minijail_new()};
+ if (!jail) {
+ LOG(WARNING) << "Failed to create minijail.";
+ return -1;
+ }
+
+ minijail_no_new_privs(jail.get());
+ minijail_log_seccomp_filter_failures(jail.get());
+ minijail_use_seccomp_filter(jail.get());
+ // This closes |policy_fd|.
+ minijail_parse_seccomp_filters_from_fd(jail.get(), policy_fd);
+ minijail_enter(jail.get());
+ return 0;
+}
+}
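Review bot: The `access()` check at the top of `SetUpMinijail` fails open: any error, not only a missing file, logs a warning and returns 0, so the caller sees success while the process continues without a seccomp filter. The path is also checked separately from the `open()` that follows, so the two calls need not observe the same file. Opening once and treating only `ENOENT` as "no policy for this architecture" keeps the intended fallback and makes every other failure fatal, as the existing open-failure branch already is. Holding the descriptor in `unique_fd` (its header is already included) also closes it on the early `return -1` after a failed `minijail_new()`, where the raw `int` is currently leaked. Since the CL is described as behaviour-preserving, this may fit better as a follow-up; how callers treat the return value is not visible in this hunk.

```cpp
int SetUpMinijail(const std::string& seccomp_policy_path)
{
    base::unique_fd policy_fd(
        TEMP_FAILURE_RETRY(open(seccomp_policy_path.c_str(), O_RDONLY | O_CLOEXEC)));
    if (policy_fd.get() == -1) {
        if (errno == ENOENT) {
            // Only a missing file means there is no policy for this architecture.
            LOG(WARNING) << "No seccomp policy defined for this architecture.";
            return 0;
        }
        PLOG(FATAL) << "Failed to open seccomp policy file '" << seccomp_policy_path << "'";
    }

    // … unchanged: minijail_new() check, no_new_privs, log failures, use_seccomp_filter …

    // minijail takes ownership of the descriptor and closes it.
    minijail_parse_seccomp_filters_from_fd(jail.get(), policy_fd.release());
    // … unchanged: minijail_enter(), return 0 …
```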