From 42b9254f234976455812d77aa6189a6f950b2dc9 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Thu, 6 Jul 2017 22:29:12 -0700
Subject: [PATCH] Add libhwminijail for sandboxing with seccomp filters

This is a partial cherry-pick of the internal change, including just libhwminijail. The user does not exist in AOSP yet.

Bug: 36453956
Test: mmma hardware/interface/minijail
Merged-In: Iab014ff357b7329085a5e18a92f51838d2c72371
Change-Id: I46b030efba25aac3c09cef9bfb782ecdc7187e70
---
 minijail/Android.mk | 14 ++++++
 minijail/HardwareMinijail.cpp | 45 +++++++++++++++++++
 .../include/hwminijail/HardwareMinijail.h | 30 +++++++++++++
 3 files changed, 89 insertions(+)
 create mode 100644 minijail/Android.mk
 create mode 100644 minijail/HardwareMinijail.cpp
 create mode 100644 minijail/include/hwminijail/HardwareMinijail.h

diff --git a/minijail/Android.mk b/minijail/Android.mk
new file mode 100644
index 0000000000..272bb0ef1f
--- /dev/null
+++ b/minijail/Android.mk
@@ -0,0 +1,14 @@
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := libhwminijail
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include
+LOCAL_C_INCLUDES := $(LOCAL_PATH)/include
+LOCAL_SRC_FILES := HardwareMinijail.cpp
+
+LOCAL_SHARED_LIBRARIES := \
+ libbase \
+ libminijail_vendor
+
+include $(BUILD_SHARED_LIBRARY)
diff --git a/minijail/HardwareMinijail.cpp b/minijail/HardwareMinijail.cpp
new file mode 100644
index 0000000000..e6b11440c6
--- /dev/null
+++ b/minijail/HardwareMinijail.cpp
@@ -0,0 +1,45 @@
+//
+// Copyright (C) 2017 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#include
+#include
+
+#include
+
+namespace android {
+namespace hardware {
+
+void SetupMinijail(const std::string& seccomp_policy_path) {
+ if (access(seccomp_policy_path.c_str(), R_OK) == -1) {
+ LOG(WARNING) << "Could not find seccomp policy file at: " << seccomp_policy_path;
+ return;
+ }
+
+ struct minijail* jail = minijail_new();
+ if (jail == NULL) {
+ LOG(FATAL) << "Failed to create minijail.";
+ }
+
+ minijail_no_new_privs(jail);
+ minijail_log_seccomp_filter_failures(jail);
+ minijail_use_seccomp_filter(jail);
+ minijail_parse_seccomp_filters(jail, seccomp_policy_path.c_str());
+ minijail_enter(jail);
+ minijail_destroy(jail);
+}
+
+} // namespace hardware
+} // namespace android
diff --git a/minijail/include/hwminijail/HardwareMinijail.h b/minijail/include/hwminijail/HardwareMinijail.h
new file mode 100644
index 0000000000..8fcf007bfb
--- /dev/null
+++ b/minijail/include/hwminijail/HardwareMinijail.h
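Review bot: A missing or unreadable policy file leaves the calling process with no seccomp filter at all: the `access()` check at the top of SetupMinijail logs at WARNING and returns, which is the opposite of the fail-closed handling given to a `minijail_new()` failure a few lines below. Unless running unsandboxed is deliberately supported during rollout, this branch should be fatal as well, `LOG(FATAL) << "Could not find seccomp policy file at: " << seccomp_policy_path;`, or at minimum logged at ERROR with the fail-open behavior documented on the function. Whether `minijail_parse_seccomp_filters` reports a malformed policy through a return value or aborts inside the library depends on the libminijail_vendor version being linked; if it returns a status, that status should be checked before `minijail_enter`. Minor style: `NULL` could be `nullptr` in this C++ file.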
@@ -0,0 +1,30 @@
+//
+// Copyright (C) 2017 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#ifndef ANDROID_HARDWARE_CONFIGSTORE_MINIJAIL_H
+#define ANDROID_HARDWARE_CONFIGSTORE_MINIJAIL_H
+
+#include
+
+namespace android {
+namespace hardware {
+
+void SetupMinijail(const std::string& seccomp_policy_path);
+
+} // namespace hardware
+} // namespace android
+
+#endif // ANDROID_HARDWARE_CONFIGSTORE_UTILS_H
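Review bot: The closing `#endif // ANDROID_HARDWARE_CONFIGSTORE_UTILS_H` does not name the guard macro actually defined at the top of the file (`ANDROID_HARDWARE_CONFIGSTORE_MINIJAIL_H`), and both names refer to CONFIGSTORE although the header lives under hwminijail, which reads as a copy-paste leftover; suggest `#endif // ANDROID_HARDWARE_CONFIGSTORE_MINIJAIL_H` or renaming the guard to something minijail-specific in both places. SetupMinijail is also undocumented in its public header; a short comment should state that it installs the seccomp policy read from `seccomp_policy_path` into the calling process, that it aborts if the jail cannot be created, and that a missing or unreadable policy file currently logs a warning and leaves the process unsandboxed, so callers know the function does not guarantee a filter is in place.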