Diffstat (limited to 'libminijail.h')
-rw-r--r--libminijail.h36
1 files changed, 35 insertions, 1 deletions
diff --git a/libminijail.h b/libminijail.h
index 9eefe0a..cfd42d2 100644
--- a/libminijail.h
+++ b/libminijail.h
@@ -42,6 +42,9 @@ enum {
/* (MINIJAIL_ERR_SIG_BASE + n) if process killed by signal n != SIGSYS */
MINIJAIL_ERR_SIG_BASE = 128,
+ /* Cannot mount a file or folder in mount namespace */
+ MINIJAIL_ERR_MOUNT = 251,
+
MINIJAIL_ERR_PRELOAD = 252,
/* Process killed by SIGSYS */
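Review bot: The comment on the new `MINIJAIL_ERR_MOUNT` describes the condition but not what the constant is, unlike its neighbours which phrase themselves as exit statuses ("if process killed by signal n"); a caller comparing against `minijail_wait()` results has to guess. I would make it explicit: `/* Exit status of the child when a mount/bind/remount requested for the mount namespace fails */`. The value 251 sits above the largest reachable `MINIJAIL_ERR_SIG_BASE + n` (128 + 64) and below `MINIJAIL_ERR_PRELOAD`, so it does not collide, and a one-line remark to that effect would keep the next constant from being squeezed in blindly. The enum starts before this hunk.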
@@ -103,6 +106,15 @@ void minijail_use_seccomp(struct minijail *j);
void minijail_no_new_privs(struct minijail *j);
void minijail_use_seccomp_filter(struct minijail *j);
void minijail_set_seccomp_filter_tsync(struct minijail *j);
+/*
+ * Allow speculative execution features that may cause data leaks across
+ * processes, by setting the SECCOMP_FILTER_FLAG_SPEC_ALLOW seccomp flag.
+ *
+ * WARNING: Enabling this may make the process vulnerable to speculative
+ * execution attacks (Branch Target Injection, and Speculative Store Bypass).
+ * This is only safe to use for processes that do not execute untrusted code.
+ */
+void minijail_set_seccomp_filter_allow_speculation(struct minijail *j);
/* Does not take ownership of |filter|. */
void minijail_set_seccomp_filters(struct minijail *j,
const struct sock_fprog *filter);
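Review bot: The WARNING on `minijail_set_seccomp_filter_allow_speculation` overstates what the flag controls and understates the precondition: `SECCOMP_FILTER_FLAG_SPEC_ALLOW` only opts the process out of the mitigations the kernel applies *because* a seccomp filter is installed (the "seccomp" modes of the SSB and Spectre-v2 user mitigations), so it does nothing unless a filter is actually loaded, and it does not re-enable mitigations the kernel has configured off globally. It is also not stated what happens on a kernel that does not recognise the flag (the seccomp() call would fail with EINVAL) — whether jail entry fails or the request is silently dropped matters for anyone relying on the hardening; I cannot see the implementation here, so the header should say which. I would add to the comment: `Only meaningful together with minijail_use_seccomp_filter(); has no effect if no filter is installed.` and `On kernels that do not support the flag, entering the jail fails/ignores the request (document whichever the implementation does).` The phrase "untrusted code" should also be widened to "untrusted code or data-dependent work an attacker can influence", since speculative leaks need an attacker-controlled sibling rather than code execution inside the jail.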
@@ -278,6 +290,18 @@ int minijail_bind(struct minijail *j, const char *src, const char *dest,
int writeable);
/*
+ * minijail_add_remount: when entering minijail @j, remounts @mount_name and all
+ * subdirectories as @remount_mode rather than the default MS_PRIVATE
+ * @j minijail to bind inside
+ * @mount_name mount to remount
+ * @remount_mode remount mode to use
+ *
+ * This may be called multiple times; this overrides |j->remount_mode| for the
+ * given mount.
+ */
+int minijail_add_remount(struct minijail *j, const char *mount_name,
+ unsigned long remount_mode);
+/*
* minijail_add_hook: adds @hook to the list of hooks that will be
* invoked when @event is reached during minijail setup. The caller is
* responsible for the lifetime of @payload.
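Review bot: `minijail_add_remount` is a security-sensitive knob and its comment gives no guidance on values or return: `@j minijail to bind inside` looks copied from `minijail_bind` and should read `@j minijail to remount inside`, `@remount_mode` should enumerate the accepted propagation flags (`MS_PRIVATE`, `MS_SLAVE`, `MS_SHARED`, `MS_UNBINDABLE`), and the non-zero/negative error convention of the return value is not documented. More importantly, a practitioner needs the caveat that anything other than `MS_PRIVATE` (or `MS_SLAVE`) lets mount events propagate across the namespace boundary: `MS_SHARED` lets the jailed process's mounts leak back into the host tree, which defeats the point of the mount namespace, so I would add `WARNING: MS_SHARED propagates mounts made inside the jail back to the parent namespace; use MS_SLAVE if the jail only needs to observe host mounts.` Whether `@mount_name` is copied or must outlive the jail is also unstated — the sibling `minijail_add_hook` spells this out for `@payload`, and this function should do the same.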
@@ -460,6 +484,16 @@ int minijail_wait(struct minijail *j);
void minijail_destroy(struct minijail *j);
/*
+ * Deep copies the minijail in |from| to |out| providing two identical jails
+ * that can be used to contain separate children created with minijail_fork().
+ *
+ * Duplicating a jail is invalid after a jail has been passed to
+ * minijail_fork(). Many minijail_*() calls will yield undefined
+ * results when called on a jail duplicated post-fork.
+ */
+int minijail_copy_jail(const struct minijail *from, struct minijail *out);
+
+/*
* minijail_log_to_fd: redirects the module-wide logging to an FD instead of
* syslog.
* @fd FD to log to. Caller must ensure this is available after
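Review bot: `minijail_copy_jail` does not say what `|out|` must be on entry or what state it is left in on failure, which is exactly what a caller needs before trusting two "identical" jails to enforce identical policy: is `|out|` expected to come fresh from `minijail_new()`, and if the deep copy fails partway, is `|out|` a usable (partially configured) jail or must it be destroyed? I would document the return convention and the failure state explicitly, e.g. `Returns 0 on success, -ENOMEM (or another negative errno) on failure; on failure |out| may be partially populated and must only be passed to minijail_destroy().` — hedged, since the implementation is not in this header. The post-fork restriction is good; it would be stronger as a precondition ("|from| must not have been passed to minijail_fork() or minijail_enter()") rather than a description of undefined results.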
@@ -470,7 +504,7 @@ void minijail_destroy(struct minijail *j);
void minijail_log_to_fd(int fd, int min_priority);
#ifdef __cplusplus
-}; /* extern "C" */
+} /* extern "C" */
#endif
#endif /* !_LIBMINIJAIL_H_ */