services/minijail/minijail.cpp

// Copyright 2015, The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#include <android-base/logging.h>
#include <android-base/unique_fd.h>

#include <libminijail.h>
#include <scoped_minijail.h>

#include "minijail.h"

namespace android {

int SetUpMinijail(const std::string& seccomp_policy_path)
{
    // No seccomp policy defined for this architecture.
    if (access(seccomp_policy_path.c_str(), R_OK) == -1) {
        LOG(WARNING) << "No seccomp policy defined for this architecture.";
        return 0;
    }

    int policy_fd = TEMP_FAILURE_RETRY(open(seccomp_policy_path.c_str(), O_RDONLY | O_CLOEXEC));
    if (policy_fd == -1) {
        PLOG(FATAL) << "Failed to open seccomp policy file '" << seccomp_policy_path << "'";
    }

    ScopedMinijail jail{minijail_new()};
    if (!jail) {
        LOG(WARNING) << "Failed to create minijail.";
        return -1;
    }

    minijail_no_new_privs(jail.get());
    minijail_log_seccomp_filter_failures(jail.get());
    minijail_use_seccomp_filter(jail.get());
    // This closes |policy_fd|.
    minijail_parse_seccomp_filters_from_fd(jail.get(), policy_fd);
    minijail_enter(jail.get());
    return 0;
}
}