1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
|
/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
/*
* The general pattern of use here:
* 1) Construct a minijail with minijail_new()
* 2) Apply the desired restrictions to it
* 3) Enter it, which locks the current process inside it, or:
* 3) Run a process inside it
* 4) Destroy it.
*/
#ifndef _LIBMINIJAIL_H_
#define _LIBMINIJAIL_H_
#include <stdint.h>
#include <sys/types.h>
#ifdef __cplusplus
extern "C" {
#endif
enum {
MINIJAIL_ERR_PRELOAD = 252,
MINIJAIL_ERR_JAIL = 253,
MINIJAIL_ERR_INIT = 254,
};
struct minijail;
/* Allocates a new minijail with no restrictions. */
struct minijail *minijail_new(void);
/*
* These functions add restrictions to the minijail. They are not applied until
* minijail_enter() is called. See the documentation in minijail0.1 for
* explanations in detail of what the restrictions do.
*/
void minijail_change_uid(struct minijail *j, uid_t uid);
void minijail_change_gid(struct minijail *j, gid_t gid);
/* Copies |list|. */
void minijail_set_supplementary_gids(struct minijail *j, size_t size,
const gid_t *list);
void minijail_keep_supplementary_gids(struct minijail *j);
/* Stores user to change to and copies |user| for internal consistency. */
int minijail_change_user(struct minijail *j, const char *user);
/* Does not take ownership of |group|. */
int minijail_change_group(struct minijail *j, const char *group);
void minijail_use_seccomp(struct minijail *j);
void minijail_no_new_privs(struct minijail *j);
void minijail_use_seccomp_filter(struct minijail *j);
void minijail_set_seccomp_filter_tsync(struct minijail *j);
void minijail_parse_seccomp_filters(struct minijail *j, const char *path);
void minijail_parse_seccomp_filters_from_fd(struct minijail *j, int fd);
void minijail_log_seccomp_filter_failures(struct minijail *j);
/* 'minijail_use_caps' and 'minijail_capbset_drop' are mutually exclusive. */
void minijail_use_caps(struct minijail *j, uint64_t capmask);
void minijail_capbset_drop(struct minijail *j, uint64_t capmask);
/* 'minijail_set_ambient_caps' requires 'minijail_use_caps'. */
void minijail_set_ambient_caps(struct minijail *j);
void minijail_reset_signal_mask(struct minijail *j);
void minijail_namespace_vfs(struct minijail *j);
void minijail_namespace_enter_vfs(struct minijail *j, const char *ns_path);
void minijail_new_session_keyring(struct minijail *j);
/*
* This option is *dangerous* as it negates most of the functionality of
* minijail_namespace_vfs(). You very likely don't need this.
*/
void minijail_skip_remount_private(struct minijail *j);
void minijail_namespace_ipc(struct minijail *j);
void minijail_namespace_net(struct minijail *j);
void minijail_namespace_enter_net(struct minijail *j, const char *ns_path);
void minijail_namespace_cgroups(struct minijail *j);
/* Closes all open file descriptors after forking. */
void minijail_close_open_fds(struct minijail *j);
/*
* Implies namespace_vfs and remount_proc_readonly.
* WARNING: this is NOT THREAD SAFE. See the block comment in </libminijail.c>.
*/
void minijail_namespace_pids(struct minijail *j);
void minijail_namespace_user(struct minijail *j);
void minijail_namespace_user_disable_setgroups(struct minijail *j);
int minijail_uidmap(struct minijail *j, const char *uidmap);
int minijail_gidmap(struct minijail *j, const char *gidmap);
void minijail_remount_proc_readonly(struct minijail *j);
void minijail_run_as_init(struct minijail *j);
int minijail_write_pid_file(struct minijail *j, const char *path);
void minijail_inherit_usergroups(struct minijail *j);
/*
* Changes the jailed process's syscall table to the alt_syscall table
* named |table|.
*/
int minijail_use_alt_syscall(struct minijail *j, const char *table);
/*
* Adds the jailed process to the cgroup given by |path|. |path| should be the
* full path to the cgroups "tasks" file.
* Example: /sys/fs/cgroup/cpu/jailed_procs/tasks adds to the "jailed_procs" cpu
* cgroup.
*/
int minijail_add_to_cgroup(struct minijail *j, const char *path);
/*
* minijail_enter_chroot: enables chroot() restriction for @j
* @j minijail to apply restriction to
* @dir directory to chroot() to. Owned by caller.
*
* Enters @dir, binding all bind mounts specified with minijail_bind() into
* place. Requires @dir to contain all necessary directories for bind mounts
* (i.e., if you have requested a bind mount at /etc, /etc must exist in @dir.)
*
* Returns 0 on success.
*/
int minijail_enter_chroot(struct minijail *j, const char *dir);
int minijail_enter_pivot_root(struct minijail *j, const char *dir);
/*
* minijail_get_original_path: returns the path of a given file outside of the
* chroot.
* @j minijail to obtain the path from.
* @chroot_path path inside of the chroot() to.
*
* When executing a binary in a chroot or pivot_root, return path to the binary
* outside of the chroot.
*
* Returns a string containing the path. This must be freed by the caller.
*/
char *minijail_get_original_path(struct minijail *j, const char *chroot_path);
/*
* minijail_mount_tmp: enables mounting of a 64M tmpfs filesystem on /tmp.
* As be rules of bind mounts, /tmp must exist in chroot.
*/
void minijail_mount_tmp(struct minijail *j);
/*
* minijail_mount_tmp_size: enables mounting of a tmpfs filesystem on /tmp.
* As be rules of bind mounts, /tmp must exist in chroot. Size is in bytes.
*/
void minijail_mount_tmp_size(struct minijail *j, size_t size);
/*
* minijail_mount_with_data: when entering minijail @j,
* mounts @src at @dst with @flags and @data.
* @j minijail to bind inside
* @src source to bind
* @dest location to bind (inside chroot)
* @type type of filesystem
* @flags flags passed to mount
* @data data arguments passed to mount(2), e.g. "mode=755"
*
* This may be called multiple times; all mounts will be applied in the order
* of minijail_mount() calls.
*/
int minijail_mount_with_data(struct minijail *j, const char *src,
const char *dest, const char *type,
unsigned long flags, const char *data);
/*
* minijail_mount: when entering minijail @j, mounts @src at @dst with @flags
* @j minijail to bind inside
* @src source to bind
* @dest location to bind (inside chroot)
* @type type of filesystem
* @flags flags passed to mount
*
* This may be called multiple times; all mounts will be applied in the order
* of minijail_mount() calls.
*/
int minijail_mount(struct minijail *j, const char *src, const char *dest,
const char *type, unsigned long flags);
/*
* minijail_bind: bind-mounts @src into @j as @dest, optionally writeable
* @j minijail to bind inside
* @src source to bind
* @dest location to bind (inside chroot)
* @writeable 1 if the bind mount should be writeable
*
* This may be called multiple times; all bindings will be applied in the order
* of minijail_bind() calls.
*/
int minijail_bind(struct minijail *j, const char *src, const char *dest,
int writeable);
/*
* Lock this process into the given minijail. Note that this procedure cannot
* fail, since there is no way to undo privilege-dropping; therefore, if any
* part of the privilege-drop fails, minijail_enter() will abort the entire
* process.
*
* Some restrictions cannot be enabled this way (pid namespaces) and attempting
* to do so will cause an abort.
*/
void minijail_enter(const struct minijail *j);
/*
* Run the specified command in the given minijail, execve(2)-style. This is
* required if minijail_namespace_pids() was used.
*/
int minijail_run(struct minijail *j, const char *filename,
char *const argv[]);
/*
* Run the specified command in the given minijail, execve(2)-style.
* Used with static binaries, or on systems without support for LD_PRELOAD.
*/
int minijail_run_no_preload(struct minijail *j, const char *filename,
char *const argv[]);
/*
* Run the specified command in the given minijail, execve(2)-style.
* Update |*pchild_pid| with the pid of the child.
*/
int minijail_run_pid(struct minijail *j, const char *filename,
char *const argv[], pid_t *pchild_pid);
/*
* Run the specified command in the given minijail, execve(2)-style.
* Update |*pstdin_fd| with a fd that allows writing to the child's
* standard input.
*/
int minijail_run_pipe(struct minijail *j, const char *filename,
char *const argv[], int *pstdin_fd);
/*
* Run the specified command in the given minijail, execve(2)-style.
* Update |*pchild_pid| with the pid of the child.
* Update |*pstdin_fd| with a fd that allows writing to the child's
* standard input.
* Update |*pstdout_fd| with a fd that allows reading from the child's
* standard output.
* Update |*pstderr_fd| with a fd that allows reading from the child's
* standard error.
*/
int minijail_run_pid_pipes(struct minijail *j, const char *filename,
char *const argv[], pid_t *pchild_pid,
int *pstdin_fd, int *pstdout_fd, int *pstderr_fd);
/*
* Run the specified command in the given minijail, execve(2)-style.
* Update |*pchild_pid| with the pid of the child.
* Update |*pstdin_fd| with a fd that allows writing to the child's
* standard input.
* Update |*pstdout_fd| with a fd that allows reading from the child's
* standard output.
* Update |*pstderr_fd| with a fd that allows reading from the child's
* standard error.
* Used with static binaries, or on systems without support for LD_PRELOAD.
*/
int minijail_run_pid_pipes_no_preload(struct minijail *j, const char *filename,
char *const argv[], pid_t *pchild_pid,
int *pstdin_fd, int *pstdout_fd,
int *pstderr_fd);
/*
* Kill the specified minijail. The minijail must have been created with pid
* namespacing; if it was, all processes inside it are atomically killed.
*/
int minijail_kill(struct minijail *j);
/*
* Wait for all processes in the specified minijail to exit. Returns the exit
* status of the _first_ process spawned in the jail.
*/
int minijail_wait(struct minijail *j);
/*
* Frees the given minijail. It does not matter if the process is inside the
* minijail or not.
*/
void minijail_destroy(struct minijail *j);
#ifdef __cplusplus
}; /* extern "C" */
#endif
#endif /* !_LIBMINIJAIL_H_ */
|
