mains/mosys.c - chromiumos/platform/mosys - Git at Google

 /* Copyright 2020 The Chromium OS Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */

 #include <chromeos/libminijail.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/securebits.h>
 #include <sys/capability.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>

 #include "mosys/cli.h"

 #define MOSYS_CAPS CAP_TO_MASK(CAP_SYS_RAWIO) | CAP_TO_MASK(CAP_SYS_ADMIN)
 #define MOSYS_SECCOMP_POLICY_PATH "/usr/share/policy/mosys-seccomp.policy"

 static void setup_jail(void)
 {
 	int fd;
 	struct minijail *j;

 	/* Don't setup the minijail if we aren't running as root. */
 	if (geteuid() > 0)
 		return;

 	j = minijail_new();

 	/* TODO(crbug.com/1082531): see if we can remove this ifdef. */
 #ifndef CONFIG_PLATFORM_ARCH_ARMEL
 	minijail_use_caps(j, MOSYS_CAPS);
 	minijail_set_ambient_caps(j);

 	/* Don't set securebits because this may be inside another minijail.
 	   See b/112030238. */
 	minijail_skip_setting_securebits(j, SECURE_ALL_BITS | SECURE_ALL_LOCKS);
 	minijail_remount_proc_readonly(j);
 	minijail_namespace_net(j);
 #endif

 	minijail_no_new_privs(j);
 	minijail_set_seccomp_filter_tsync(j);

 	/* This file is expected to not be present in initramfs.  Only
 	   set the seccomp policy when it exists. */
 	fd = open(MOSYS_SECCOMP_POLICY_PATH, O_RDONLY);
 	if (fd >= 0) {
 		minijail_parse_seccomp_filters_from_fd(j, fd);
 		minijail_use_seccomp_filter(j);
 		close(fd);
 	}

 	minijail_enter(j);
 	minijail_destroy(j);
 }

 int main(int argc, char *argv[])
 {
 	setup_jail();
 	return mosys_main(argc, argv);
 }
	/* Copyright 2020 The Chromium OS Authors. All rights reserved.
	* Use of this source code is governed by a BSD-style license that can be
	* found in the LICENSE file.
	*/

	#include <chromeos/libminijail.h>
	#include <errno.h>
	#include <fcntl.h>
	#include <linux/securebits.h>
	#include <sys/capability.h>
	#include <sys/stat.h>
	#include <sys/types.h>
	#include <unistd.h>

	#include "mosys/cli.h"

	#define MOSYS_CAPS CAP_TO_MASK(CAP_SYS_RAWIO) \| CAP_TO_MASK(CAP_SYS_ADMIN)
	#define MOSYS_SECCOMP_POLICY_PATH "/usr/share/policy/mosys-seccomp.policy"

	static void setup_jail(void)
	{
	int fd;
	struct minijail *j;

	/* Don't setup the minijail if we aren't running as root. */
	if (geteuid() > 0)
	return;

	j = minijail_new();

	/* TODO(crbug.com/1082531): see if we can remove this ifdef. */
	#ifndef CONFIG_PLATFORM_ARCH_ARMEL
	minijail_use_caps(j, MOSYS_CAPS);
	minijail_set_ambient_caps(j);

	/* Don't set securebits because this may be inside another minijail.
	See b/112030238. */
	minijail_skip_setting_securebits(j, SECURE_ALL_BITS \| SECURE_ALL_LOCKS);
	minijail_remount_proc_readonly(j);
	minijail_namespace_net(j);
	#endif

	minijail_no_new_privs(j);
	minijail_set_seccomp_filter_tsync(j);

	/* This file is expected to not be present in initramfs. Only
	set the seccomp policy when it exists. */
	fd = open(MOSYS_SECCOMP_POLICY_PATH, O_RDONLY);
	if (fd >= 0) {
	minijail_parse_seccomp_filters_from_fd(j, fd);
	minijail_use_seccomp_filter(j);
	close(fd);
	}

	minijail_enter(j);
	minijail_destroy(j);
	}

	int main(int argc, char *argv[])
	{
	setup_jail();
	return mosys_main(argc, argv);
	}