
Commit 42b9254f authored by Jeff Vander Stoep's avatar Jeff Vander Stoep Committed by Dan Willemsen

Add libhwminijail for sandboxing with seccomp filters

This is a partial cherry-pick of the internal change, including just
libhwminijail. The user does not exist in AOSP yet.

Bug: 36453956
Test: mmma hardware/interface/minijail
Merged-In: Iab014ff357b7329085a5e18a92f51838d2c72371
Change-Id: I46b030efba25aac3c09cef9bfb782ecdc7187e70
parent 26a0bb27

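--- a/minijail/Android.mk
+++ b/minijail/Android.mk
@@ -0,0 +1,14 @@
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := libhwminijail
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include
+LOCAL_C_INCLUDES := $(LOCAL_PATH)/include
+LOCAL_SRC_FILES := HardwareMinijail.cpp
+
+LOCAL_SHARED_LIBRARIES := \
+    libbase \
+    libminijail_vendor
+
+include $(BUILD_SHARED_LIBRARY)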
+45 −0
//
// Copyright (C) 2017 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

#include <android-base/logging.h>
#include <libminijail.h>

#include <hwminijail/HardwareMinijail.h>

namespace android {
namespace hardware {

void SetupMinijail(const std::string& seccomp_policy_path) {
    if (access(seccomp_policy_path.c_str(), R_OK) == -1) {
        LOG(WARNING) << "Could not find seccomp policy file at: " << seccomp_policy_path;
        return;
    }

    struct minijail* jail = minijail_new();
    if (jail == NULL) {
        LOG(FATAL) << "Failed to create minijail.";
    }

    minijail_no_new_privs(jail);
    minijail_log_seccomp_filter_failures(jail);
    minijail_use_seccomp_filter(jail);
    minijail_parse_seccomp_filters(jail, seccomp_policy_path.c_str());
    minijail_enter(jail);
    minijail_destroy(jail);
}

}  // namespace hardware
}  // namespace android
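Review bot: SetupMinijail fails open: when `access()` cannot read the policy file it logs a WARNING and returns, so the caller keeps running with no seccomp filter and cannot detect that, because the function returns void. If this is intended for devices that ship no policy, say so at the early return, e.g. `// Fail-open by design: no readable policy means the process runs without a seccomp filter.`, and consider a louder log level on builds where the policy is expected to exist. Separately, `access()` and `R_OK` are declared in `<unistd.h>`, which this file does not include directly; adding `#include <unistd.h>` removes the dependency on a transitive include. As a style point, `jail == NULL` would read better as `jail == nullptr`.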
+30 −0
//
// Copyright (C) 2017 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

#ifndef ANDROID_HARDWARE_CONFIGSTORE_MINIJAIL_H
#define ANDROID_HARDWARE_CONFIGSTORE_MINIJAIL_H

#include <string>

namespace android {
namespace hardware {

void SetupMinijail(const std::string& seccomp_policy_path);

}  // namespace hardware
}  // namespace android

#endif  // ANDROID_HARDWARE_CONFIGSTORE_UTILS_H
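Review bot: The include guard does not match this header: it is named `ANDROID_HARDWARE_CONFIGSTORE_MINIJAIL_H` although the library is libhwminijail, and the comment on the closing `#endif` names a different macro, `ANDROID_HARDWARE_CONFIGSTORE_UTILS_H`. A guard that looks copied from another component can collide with that component's own header, in which case whichever header is included second is silently skipped. A guard derived from this file's own name, for example `ANDROID_HARDWARE_HWMINIJAIL_HARDWAREMINIJAIL_H` (the exact name is only a suggestion), used on all three lines avoids that. The declaration also has no comment; a short one above `SetupMinijail` should state that it applies the seccomp policy at `seccomp_policy_path` to the calling process and that it returns without sandboxing when the file is not readable.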