authorJennifer Pullman <jpullman@google.com>2016-05-03 18:27:04 +0000
committerandroid-build-merger <android-build-merger@google.com>2016-05-03 18:27:04 +0000
commitaccc54a007d8b02d256baf1af0f86bca21ebd46f (patch)
tree794e88b3e660dc44e83035db84b547ac9b6ea9e8
parent87136aa7a233fbdbaeebf291c9598876adaa11b2 (diff)
parent8ed6084aa6bd1d8cab5dbbd29cf7d9d85207bf9f (diff)
downloadwebservd-accc54a007d8b02d256baf1af0f86bca21ebd46f.tar.gz
Created seccomp policy for webservd and modified webservd startup.
am: 8ed6084aa6 * commit '8ed6084aa6bd1d8cab5dbbd29cf7d9d85207bf9f': Created seccomp policy for webservd and modified webservd startup. Change-Id: I0215218618ac1f04ff8875f22364df82167cb3f4
-rw-r--r--webservd/etc/init/webservd.conf5
-rw-r--r--webservd/main.cc19
-rw-r--r--webservd/usr/share/filters/webservd-seccomp.policy85
3 files changed, 90 insertions, 19 deletions
diff --git a/webservd/etc/init/webservd.conf b/webservd/etc/init/webservd.conf
index ef05d03..10ef9dd 100644
--- a/webservd/etc/init/webservd.conf
+++ b/webservd/etc/init/webservd.conf
@@ -28,7 +28,10 @@ pre-start script
chown webservd:webservd /var/log/webservd
end script
-exec /usr/bin/webservd \
+# CAP_NET_RAW, CAP_NET_BIND_SERVICE
+exec /sbin/minijail0 -c 0x2400 -u webservd -g webservd -G -L -n \
+ -S /usr/share/filters/webservd-seccomp.policy \
+ /usr/bin/webservd \
--v="${WEBSERVD_LOG_LEVEL}" \
--config_path="${WEBSERVD_CONFIG_PATH}" \
--debug="${WEBSERVD_DEBUG}" \
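Review bot: The new `-c 0x2400` mask grants CAP_NET_RAW in addition to CAP_NET_BIND_SERVICE, whereas the in-process drop this commit deletes from main.cc only kept CAP_NET_BIND_SERVICE, and the one-line comment above `exec` does not say why the extra capability is now required. It is presumably needed because the interface-bound listener sockets (see the loop in main.cc) are now created after the uid switch and binding to a device requires CAP_NET_RAW, but that should be stated rather than left for the next reader to reconstruct; I would replace the comment with `# -c 0x2400 = CAP_NET_BIND_SERVICE (bit 10, ports < 1024) | CAP_NET_RAW (bit 13,` / `# required to bind listeners to a specific interface after dropping root); -n sets no_new_privs.` Also worth a note is `-L`: it enables seccomp-failure logging, and on the minijail builds I am aware of that switches the filter to trap-and-log mode and force-allows a few extra syscalls for the handler while still terminating the process; confirm that is the behaviour on this build, because a log-only mode would make the policy audit-only in production.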
diff --git a/webservd/main.cc b/webservd/main.cc
index fe0dac8..ab86ef1 100644
--- a/webservd/main.cc
+++ b/webservd/main.cc
@@ -27,7 +27,6 @@
#include <brillo/dbus/async_event_sequencer.h>
#include <brillo/dbus/exported_object_manager.h>
#include <brillo/daemons/dbus_daemon.h>
-#include <brillo/minijail/minijail.h>
#endif // __ANDROID__
#include <brillo/flag_helper.h>
#include <brillo/syslog_logging.h>
@@ -175,8 +174,7 @@ int main(int argc, char* argv[]) {
}
// For protocol handlers bound to specific network interfaces, we need root
- // access to create those bound sockets. Do that here before we drop
- // privileges.
+ // access to create those bound sockets.
for (auto& handler_config : config.protocol_handlers) {
if (!handler_config.interface_name.empty()) {
int socket_fd =
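Review bot: The edited comment still says creating the interface-bound sockets needs "root access", but after this commit the binary is started by minijail0 as uid webservd, so the statement is no longer what makes the bind succeed — the capabilities granted in webservd.conf are. Assuming this path uses SO_BINDTODEVICE (the loop body continues outside the hunk, so I cannot confirm), the accurate wording is along the lines of `// Binding a listener to a specific interface needs CAP_NET_RAW (and` / `// CAP_NET_BIND_SERVICE for ports < 1024); both are granted by the minijail0` / `// invocation in etc/init/webservd.conf, so this works without root.` That also gives a future maintainer the link between this code and the `-c 0x2400` mask, which is otherwise only a magic number.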
@@ -193,20 +191,5 @@ int main(int argc, char* argv[]) {
config.use_debug = FLAGS_debug;
Daemon daemon{std::move(config)};
- // TODO: Re-enable this for Android once minijail works with libcap-ng.
-#if !defined(__ANDROID__)
- // Drop privileges and use 'webservd' user. We need to do this after Daemon
- // object is constructed since it creates an instance of base::AtExitManager
- // which is required for brillo::Minijail::GetInstance() to work.
- brillo::Minijail* minijail_instance = brillo::Minijail::GetInstance();
- minijail* jail = minijail_instance->New();
- minijail_instance->DropRoot(jail, kWebServerUserName, kWebServerGroupName);
- // Permissions needed for the daemon to allow it to bind to ports like TCP
- // 80.
- minijail_instance->UseCapabilities(jail, CAP_TO_MASK(CAP_NET_BIND_SERVICE));
- minijail_enter(jail);
- minijail_instance->Destroy(jail);
-#endif // !defined(__ANDROID__)
-
return daemon.Run();
}
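Review bot: With the DropRoot/UseCapabilities/minijail_enter sequence removed, the non-Android build no longer enforces any privilege drop itself, so a webservd started by anything other than the minijail0 line in webservd.conf (a developer running `/usr/bin/webservd` by hand, a different init integration) now runs as root with a full capability set and no seccomp filter, and nothing in main() notices. The contract should at least be documented next to `Daemon daemon{std::move(config)};`, e.g. `// Privilege drop, capability bounding (CAP_NET_RAW, CAP_NET_BIND_SERVICE) and the` / `// seccomp filter are applied by the minijail0 wrapper in etc/init/webservd.conf;` / `// this binary is not meant to be launched directly as root.`, and if the build allows it a `LOG(WARNING)` when `geteuid() == 0` would make a misconfigured launcher visible without breaking the Android path where the drop was already disabled. kWebServerUserName and kWebServerGroupName were referenced only by the deleted code as far as this diff shows, so they may now be unused constants worth removing. main() begins before this hunk.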
diff --git a/webservd/usr/share/filters/webservd-seccomp.policy b/webservd/usr/share/filters/webservd-seccomp.policy
new file mode 100644
index 0000000..6cd8865
--- /dev/null
+++ b/webservd/usr/share/filters/webservd-seccomp.policy
@@ -0,0 +1,85 @@
+# Copyright 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+accept4: 1
+access: 1
+bind: 1
+brk: 1
+capget: 1
+capset: 1
+clock_getres: 1
+clock_gettime: 1
+close: 1
+connect: 1
+dup: 1
+epoll_create: 1
+epoll_ctl: 1
+epoll_wait: 1
+exit_group: 1
+fcntl64: 1
+fstat64: 1
+futex: 1
+getdents64: 1
+getegid32: 1
+geteuid32: 1
+getgid32: 1
+getresgid32: 1
+getresuid32: 1
+# arm
+ugetrlimit: 1
+getrusage: 1
+getsockname: 1
+gettid: 1
+gettimeofday: 1
+getuid32: 1
+listen: 1
+lstat64: 1
+mmap2: 1
+mprotect: 1
+munmap: 1
+open: 1
+openat: 1
+pipe: 1
+poll: 1
+prctl: 1
+read: 1
+readlink: 1
+recv: 1
+recvmsg: 1
+rename: 1
+rt_sigaction: 1
+rt_sigprocmask: 1
+# arm
+_newselect: 1
+send: 1
+sendmsg: 1
+set_robust_list: 1
+set_tid_address: 1
+# arm
+ARM_set_tls: 1
+setgroups32: 1
+setresgid32: 1
+setresuid32: 1
+setsockopt: 1
+shutdown: 1
+signalfd4: 1
+# socket: arg0 == PF_LOCAL || arg0 == PF_INET6 || arg0 == PF_INET
+socket: arg0 == 0x1 || arg0 == 0xa || arg0 == 0x2
+# socketpair: arg0 == PF_LOCAL
+socketpair: arg0 == 0x1
+stat64: 1
+tgkill: 1
+uname: 1
+unlink: 1
+write: 1
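Review bot: The `socket` rule constrains only the address family, so combined with the CAP_NET_RAW the jail now grants (webservd.conf `-c 0x2400`) a compromised webservd can still call `socket(AF_INET, SOCK_RAW, …)` and sniff or forge traffic on the interfaces it serves; note that `arg1 & 0x1` is not a usable fix because SOCK_RAW (3) also has bit 0 set, so either enumerate the exact type values the daemon passes (including any SOCK_CLOEXEC/SOCK_NONBLOCK bits) or, preferably, find a way to do the interface binding without CAP_NET_RAW. `prctl: 1` is likewise unrestricted, leaving PR_SET_DUMPABLE, PR_SET_PTRACER and friends available; minijail policies normally pin it to the values the daemon actually issues (for example `prctl: arg0 == PR_SET_NAME`), which an strace of a normal run will show. Separately, names such as `fstat64`, `mmap2`, `ugetrlimit`, `ARM_set_tls`, `_newselect` and the `*32` variants exist only on 32-bit ARM/x86, so if any target is 64-bit I would expect minijail to reject this policy at start-up (or kill the daemon on its first mmap if it silently skips unknown names); a per-architecture policy file, and a header comment recording which architecture and which tool run produced this list, would make that explicit. The list also has no `restart_syscall`, which a SIGSTOP/SIGCONT during `poll` or `epoll_wait` will need unless `-L` force-allows it on this build.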