flexibility for having extra policy files

    srcs: [

        "av_services_minijail_unittest.cpp",

    ],

    test_suites: ["device-tests"],

}

{

  "presubmit": [

    { "name": "libavservices_minijail_unittest" }

  ]

}

        "mmap: 1\n"

        "munmap: 1\n";

    const std::string third_policy_ =

        "open: 1\n"

        "close: 1\n";

    const std::string full_policy_ = base_policy_ + std::string("\n") + additional_policy_;

    const std::string triple_policy_ = base_policy_ +

                                       std::string("\n") + additional_policy_ +

                                       std::string("\n") + third_policy_;

};

TEST_F(WritePolicyTest, OneFile)

{

    std::string final_string;

    android::base::unique_fd fd(android::WritePolicyToPipe(base_policy_, std::string()));

    // vector with an empty pathname

    android::base::unique_fd fd(android::WritePolicyToPipe(base_policy_, {std::string()}));

    EXPECT_LE(0, fd.get());

    bool success = android::base::ReadFdToString(fd.get(), &final_string);

    EXPECT_TRUE(success);

    EXPECT_EQ(final_string, base_policy_);

}

TEST_F(WritePolicyTest, OneFileAlternate)

{

    std::string final_string;

    // empty vector

    android::base::unique_fd fd(android::WritePolicyToPipe(base_policy_, {}));

    EXPECT_LE(0, fd.get());

    bool success = android::base::ReadFdToString(fd.get(), &final_string);

    EXPECT_TRUE(success);

TEST_F(WritePolicyTest, TwoFiles)

{

    std::string final_string;

    android::base::unique_fd fd(android::WritePolicyToPipe(base_policy_, additional_policy_));

    android::base::unique_fd fd(android::WritePolicyToPipe(base_policy_, {additional_policy_}));

    EXPECT_LE(0, fd.get());

    bool success = android::base::ReadFdToString(fd.get(), &final_string);

    EXPECT_TRUE(success);

    EXPECT_EQ(final_string, full_policy_);

}

TEST_F(WritePolicyTest, ThreeFiles)

{

    std::string final_string;

    android::base::unique_fd fd(android::WritePolicyToPipe(base_policy_, {additional_policy_, third_policy_}));

    EXPECT_LE(0, fd.get());

    bool success = android::base::ReadFdToString(fd.get(), &final_string);

    EXPECT_TRUE(success);

    EXPECT_EQ(final_string, triple_policy_);

}

namespace android {

int WritePolicyToPipe(const std::string& base_policy_content,

                      const std::string& additional_policy_content)

                      const std::vector<std::string>& additional_policy_contents)

{

    int pipefd[2];

    if (pipe(pipefd) == -1) {

    base::unique_fd write_end(pipefd[1]);

    std::string content = base_policy_content;

    if (additional_policy_content.length() > 0) {

    for (auto one_content : additional_policy_contents) {

        if (one_content.length() > 0) {

            content += "\n";

        content += additional_policy_content;

            content += one_content;

        }

    }

    if (!base::WriteStringToFd(content, write_end.get())) {

    return pipefd[0];

}

void SetUpMinijail(const std::string& base_policy_path, const std::string& additional_policy_path)

void SetUpMinijail(const std::string& base_policy_path,

                   const std::string& additional_policy_path)

{

    SetUpMinijailList(base_policy_path, {additional_policy_path});

}

void SetUpMinijailList(const std::string& base_policy_path,

                   const std::vector<std::string>& additional_policy_paths)

{

    // No seccomp policy defined for this architecture.

    if (access(base_policy_path.c_str(), R_OK) == -1) {

        LOG(WARNING) << "No seccomp policy defined for this architecture.";

        // LOG(WARNING) << "No seccomp policy defined for this architecture.";

        LOG(WARNING) << "missing base seccomp_policy file '" << base_policy_path << "'";

        return;

    }

    std::string base_policy_content;

    std::string additional_policy_content;

    std::vector<std::string> additional_policy_contents;

    if (!base::ReadFileToString(base_policy_path, &base_policy_content,

                                false /* follow_symlinks */)) {

        LOG(FATAL) << "Could not read base policy file '" << base_policy_path << "'";

    }

    if (additional_policy_path.length() > 0 &&

        !base::ReadFileToString(additional_policy_path, &additional_policy_content,

    for (auto one_policy_path : additional_policy_paths) {

        std::string one_policy_content;

        if (one_policy_path.length() > 0 &&

                !base::ReadFileToString(one_policy_path, &one_policy_content,

                    false /* follow_symlinks */)) {

        LOG(WARNING) << "Could not read additional policy file '" << additional_policy_path << "'";

        additional_policy_content = std::string();

            LOG(WARNING) << "Could not read additional policy file '" << one_policy_path << "'";

        }

        additional_policy_contents.push_back(one_policy_content);

    }

    base::unique_fd policy_fd(WritePolicyToPipe(base_policy_content, additional_policy_content));

    base::unique_fd policy_fd(WritePolicyToPipe(base_policy_content, additional_policy_contents));

    if (policy_fd.get() == -1) {

        LOG(FATAL) << "Could not write seccomp policy to fd";

    }

#define AV_SERVICES_MINIJAIL_MINIJAIL

#include <string>

#include <vector>

namespace android {

int WritePolicyToPipe(const std::string& base_policy_content,

                      const std::string& additional_policy_content);

void SetUpMinijail(const std::string& base_policy_path, const std::string& additional_policy_path);

                      const std::vector<std::string>& additional_policy_contents);

void SetUpMinijail(const std::string& base_policy_path,

                   const std::string& additional_policy_path);

void SetUpMinijailList(const std::string& base_policy_path,

                       const std::vector<std::string>& additional_policy_paths);

}

#endif  // AV_SERVICES_MINIJAIL_MINIJAIL