jail/src/helpers.rs

*bb4ee6a4SAndroid Build Coastguard Worker// Copyright 2017 The ChromiumOS Authors
*bb4ee6a4SAndroid Build Coastguard Worker// Use of this source code is governed by a BSD-style license that can be
*bb4ee6a4SAndroid Build Coastguard Worker// found in the LICENSE file.
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker#![deny(missing_docs)]
*bb4ee6a4SAndroid Build Coastguard Worker#![allow(dead_code)]
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Workeruse std::path::Path;
*bb4ee6a4SAndroid Build Coastguard Workeruse std::str;
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Workeruse anyhow::bail;
*bb4ee6a4SAndroid Build Coastguard Workeruse anyhow::Context;
*bb4ee6a4SAndroid Build Coastguard Workeruse anyhow::Result;
*bb4ee6a4SAndroid Build Coastguard Worker#[cfg(feature = "seccomp_trace")]
*bb4ee6a4SAndroid Build Coastguard Workeruse base::debug;
*bb4ee6a4SAndroid Build Coastguard Workeruse base::getegid;
*bb4ee6a4SAndroid Build Coastguard Workeruse base::geteuid;
*bb4ee6a4SAndroid Build Coastguard Worker#[cfg(feature = "seccomp_trace")]
*bb4ee6a4SAndroid Build Coastguard Workeruse base::warn;
*bb4ee6a4SAndroid Build Coastguard Workeruse libc::c_ulong;
*bb4ee6a4SAndroid Build Coastguard Workeruse minijail::Minijail;
*bb4ee6a4SAndroid Build Coastguard Worker#[cfg(not(feature = "seccomp_trace"))]
*bb4ee6a4SAndroid Build Coastguard Workeruse once_cell::sync::Lazy;
*bb4ee6a4SAndroid Build Coastguard Worker#[cfg(feature = "seccomp_trace")]
*bb4ee6a4SAndroid Build Coastguard Workeruse static_assertions::assert_eq_size;
*bb4ee6a4SAndroid Build Coastguard Worker#[cfg(feature = "seccomp_trace")]
*bb4ee6a4SAndroid Build Coastguard Workeruse zerocopy::AsBytes;
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Workeruse crate::config::JailConfig;
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker// ANDROID: b/246968493
*bb4ee6a4SAndroid Build Coastguard Worker#[cfg(not(feature = "seccomp_trace"))]
*bb4ee6a4SAndroid Build Coastguard Workerstatic EMBEDDED_BPFS: Lazy<std::collections::HashMap<&str, Vec<u8>>> =
*bb4ee6a4SAndroid Build Coastguard Worker    Lazy::new(|| std::collections::HashMap::<&str, Vec<u8>>::new());
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker/// Most devices don't need to open many fds.
*bb4ee6a4SAndroid Build Coastguard Workerpub const MAX_OPEN_FILES_DEFAULT: u64 = 1024;
*bb4ee6a4SAndroid Build Coastguard Worker/// The max open files for gpu processes.
*bb4ee6a4SAndroid Build Coastguard Workerconst MAX_OPEN_FILES_FOR_GPU: u64 = 32768;
*bb4ee6a4SAndroid Build Coastguard Worker/// The max open files for jail warden, matching FD_RAW_FAILURE.
*bb4ee6a4SAndroid Build Coastguard Workerpub const MAX_OPEN_FILES_FOR_JAIL_WARDEN: u64 = 65536;
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker/// The user in the jail to run as.
*bb4ee6a4SAndroid Build Coastguard Workerpub enum RunAsUser {
*bb4ee6a4SAndroid Build Coastguard Worker    /// Do not specify the user
*bb4ee6a4SAndroid Build Coastguard Worker    Unspecified,
*bb4ee6a4SAndroid Build Coastguard Worker    /// Runs as the same user in the jail as the current user.
*bb4ee6a4SAndroid Build Coastguard Worker    CurrentUser,
*bb4ee6a4SAndroid Build Coastguard Worker    /// Runs as the root user in the jail.
*bb4ee6a4SAndroid Build Coastguard Worker    Root,
*bb4ee6a4SAndroid Build Coastguard Worker    /// Runs as the specified uid and gid.
*bb4ee6a4SAndroid Build Coastguard Worker    /// This requires `SandboxConfig::ugid_map` to be set.
*bb4ee6a4SAndroid Build Coastguard Worker    Specified(u32, u32),
*bb4ee6a4SAndroid Build Coastguard Worker}
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker/// Config for the sandbox to be created by [Minijail].
*bb4ee6a4SAndroid Build Coastguard Workerpub struct SandboxConfig<'a> {
*bb4ee6a4SAndroid Build Coastguard Worker    /// Whether or not to drop all capabilities in the sandbox.
*bb4ee6a4SAndroid Build Coastguard Worker    pub limit_caps: bool,
*bb4ee6a4SAndroid Build Coastguard Worker    log_failures: bool,
*bb4ee6a4SAndroid Build Coastguard Worker    seccomp_policy_dir: Option<&'a Path>,
*bb4ee6a4SAndroid Build Coastguard Worker    seccomp_policy_name: &'a str,
*bb4ee6a4SAndroid Build Coastguard Worker    /// The pair of `uid_map` and `gid_map`.
*bb4ee6a4SAndroid Build Coastguard Worker    pub ugid_map: Option<(&'a str, &'a str)>,
*bb4ee6a4SAndroid Build Coastguard Worker    /// The remount mode instead of default MS_PRIVATE.
*bb4ee6a4SAndroid Build Coastguard Worker    pub remount_mode: Option<c_ulong>,
*bb4ee6a4SAndroid Build Coastguard Worker    /// Whether to use empty net namespace. Enabled by default.
*bb4ee6a4SAndroid Build Coastguard Worker    pub namespace_net: bool,
*bb4ee6a4SAndroid Build Coastguard Worker    /// Whether or not to configure the jail to support bind-mounts.
*bb4ee6a4SAndroid Build Coastguard Worker    ///
*bb4ee6a4SAndroid Build Coastguard Worker    /// Note that most device processes deny `open(2)` and `openat(2)` by seccomp policy and just
*bb4ee6a4SAndroid Build Coastguard Worker    /// returns `ENOENT`. Passing opened file descriptors is recommended over opening files in the
*bb4ee6a4SAndroid Build Coastguard Worker    /// sandbox.
*bb4ee6a4SAndroid Build Coastguard Worker    pub bind_mounts: bool,
*bb4ee6a4SAndroid Build Coastguard Worker    /// Specify the user in the jail to run as.
*bb4ee6a4SAndroid Build Coastguard Worker    pub run_as: RunAsUser,
*bb4ee6a4SAndroid Build Coastguard Worker}
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Workerimpl<'a> SandboxConfig<'a> {
*bb4ee6a4SAndroid Build Coastguard Worker    /// Creates [SandboxConfig].
*bb4ee6a4SAndroid Build Coastguard Worker    pub fn new(jail_config: &'a JailConfig, policy: &'a str) -> Self {
*bb4ee6a4SAndroid Build Coastguard Worker        Self {
*bb4ee6a4SAndroid Build Coastguard Worker            limit_caps: true,
*bb4ee6a4SAndroid Build Coastguard Worker            log_failures: jail_config.seccomp_log_failures,
*bb4ee6a4SAndroid Build Coastguard Worker            seccomp_policy_dir: jail_config.seccomp_policy_dir.as_ref().map(Path::new),
*bb4ee6a4SAndroid Build Coastguard Worker            seccomp_policy_name: policy,
*bb4ee6a4SAndroid Build Coastguard Worker            ugid_map: None,
*bb4ee6a4SAndroid Build Coastguard Worker            remount_mode: None,
*bb4ee6a4SAndroid Build Coastguard Worker            namespace_net: true,
*bb4ee6a4SAndroid Build Coastguard Worker            bind_mounts: false,
*bb4ee6a4SAndroid Build Coastguard Worker            run_as: RunAsUser::Unspecified,
*bb4ee6a4SAndroid Build Coastguard Worker        }
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker}
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker/// Wrapper that cleans up a [Minijail] when it is dropped
*bb4ee6a4SAndroid Build Coastguard Workerpub struct ScopedMinijail(pub Minijail);
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Workerimpl Drop for ScopedMinijail {
*bb4ee6a4SAndroid Build Coastguard Worker    fn drop(&mut self) {
*bb4ee6a4SAndroid Build Coastguard Worker        let _ = self.0.kill();
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker}
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker/// Creates a [Minijail] instance which just changes the root using pivot_root(2) path and
*bb4ee6a4SAndroid Build Coastguard Worker/// `max_open_files` using `RLIMIT_NOFILE`.
*bb4ee6a4SAndroid Build Coastguard Worker///
*bb4ee6a4SAndroid Build Coastguard Worker/// If `root` path is "/", the minijail don't change the root.
*bb4ee6a4SAndroid Build Coastguard Worker///
*bb4ee6a4SAndroid Build Coastguard Worker/// # Arguments
*bb4ee6a4SAndroid Build Coastguard Worker///
*bb4ee6a4SAndroid Build Coastguard Worker/// * `root` - The root path to be changed to by minijail.
*bb4ee6a4SAndroid Build Coastguard Worker/// * `max_open_files` - The maximum number of file descriptors to allow a jailed process to open.
*bb4ee6a4SAndroid Build Coastguard Worker#[allow(clippy::unnecessary_cast)]
*bb4ee6a4SAndroid Build Coastguard Workerpub fn create_base_minijail(root: &Path, max_open_files: u64) -> Result<Minijail> {
*bb4ee6a4SAndroid Build Coastguard Worker    // Validate new root directory. Path::is_dir() also checks the existence.
*bb4ee6a4SAndroid Build Coastguard Worker    if !root.is_dir() {
*bb4ee6a4SAndroid Build Coastguard Worker        bail!("{:?} is not a directory, cannot create jail", root);
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker    // chroot accepts absolute path only.
*bb4ee6a4SAndroid Build Coastguard Worker    if !root.is_absolute() {
*bb4ee6a4SAndroid Build Coastguard Worker        bail!("{:?} is not absolute path", root);
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    let mut jail = Minijail::new().context("failed to jail device")?;
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    // Only pivot_root if we are not re-using the current root directory.
*bb4ee6a4SAndroid Build Coastguard Worker    if root != Path::new("/") {
*bb4ee6a4SAndroid Build Coastguard Worker        // Run in a new mount namespace.
*bb4ee6a4SAndroid Build Coastguard Worker        jail.namespace_vfs();
*bb4ee6a4SAndroid Build Coastguard Worker        jail.enter_pivot_root(root)
*bb4ee6a4SAndroid Build Coastguard Worker            .context("failed to pivot root device")?;
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    jail.set_rlimit(libc::RLIMIT_NOFILE as i32, max_open_files, max_open_files)
*bb4ee6a4SAndroid Build Coastguard Worker        .context("error setting max open files")?;
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    Ok(jail)
*bb4ee6a4SAndroid Build Coastguard Worker}
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker/// Creates a [Minijail] instance which just invokes a jail process and sets
*bb4ee6a4SAndroid Build Coastguard Worker/// `max_open_files` using `RLIMIT_NOFILE`. This is helpful with crosvm process
*bb4ee6a4SAndroid Build Coastguard Worker/// runs as a non-root user without SYS_ADMIN capabilities.
*bb4ee6a4SAndroid Build Coastguard Worker///
*bb4ee6a4SAndroid Build Coastguard Worker/// Unlike `create_base_minijail`, this function doesn't call `pivot_root`
*bb4ee6a4SAndroid Build Coastguard Worker/// and `mount namespace`. So, it runs as a non-root user without
*bb4ee6a4SAndroid Build Coastguard Worker/// SYS_ADMIN capabilities.
*bb4ee6a4SAndroid Build Coastguard Worker///
*bb4ee6a4SAndroid Build Coastguard Worker/// Note that since there is no file system isolation provided by this function,
*bb4ee6a4SAndroid Build Coastguard Worker/// caller of this function should enforce other security mechanisum such as selinux
*bb4ee6a4SAndroid Build Coastguard Worker/// on the host to protect directories.
*bb4ee6a4SAndroid Build Coastguard Worker///
*bb4ee6a4SAndroid Build Coastguard Worker/// # Arguments
*bb4ee6a4SAndroid Build Coastguard Worker///
*bb4ee6a4SAndroid Build Coastguard Worker/// * `root` - The root path to checked before the process is jailed
*bb4ee6a4SAndroid Build Coastguard Worker/// * `max_open_files` - The maximum number of file descriptors to allow a jailed process to open.
*bb4ee6a4SAndroid Build Coastguard Worker#[allow(clippy::unnecessary_cast)]
*bb4ee6a4SAndroid Build Coastguard Workerpub fn create_base_minijail_without_pivot_root(
*bb4ee6a4SAndroid Build Coastguard Worker    root: &Path,
*bb4ee6a4SAndroid Build Coastguard Worker    max_open_files: u64,
*bb4ee6a4SAndroid Build Coastguard Worker) -> Result<Minijail> {
*bb4ee6a4SAndroid Build Coastguard Worker    // Validate new root directory. Path::is_dir() also checks the existence.
*bb4ee6a4SAndroid Build Coastguard Worker    if !root.is_dir() {
*bb4ee6a4SAndroid Build Coastguard Worker        bail!("{:?} is not a directory, cannot create jail", root);
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker    if !root.is_absolute() {
*bb4ee6a4SAndroid Build Coastguard Worker        bail!("{:?} is not absolute path", root);
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    let mut jail = Minijail::new().context("failed to jail device")?;
*bb4ee6a4SAndroid Build Coastguard Worker    jail.set_rlimit(libc::RLIMIT_NOFILE as i32, max_open_files, max_open_files)
*bb4ee6a4SAndroid Build Coastguard Worker        .context("error setting max open files")?;
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    Ok(jail)
*bb4ee6a4SAndroid Build Coastguard Worker}
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker/// Creates a [Minijail] instance which creates a sandbox.
*bb4ee6a4SAndroid Build Coastguard Worker///
*bb4ee6a4SAndroid Build Coastguard Worker/// # Arguments
*bb4ee6a4SAndroid Build Coastguard Worker///
*bb4ee6a4SAndroid Build Coastguard Worker/// * `root` - The root path to be changed to by minijail.
*bb4ee6a4SAndroid Build Coastguard Worker/// * `max_open_files` - The maximum number of file descriptors to allow a jailed process to open.
*bb4ee6a4SAndroid Build Coastguard Worker/// * `config` - The [SandboxConfig] to control details of the sandbox.
*bb4ee6a4SAndroid Build Coastguard Workerpub fn create_sandbox_minijail(
*bb4ee6a4SAndroid Build Coastguard Worker    root: &Path,
*bb4ee6a4SAndroid Build Coastguard Worker    max_open_files: u64,
*bb4ee6a4SAndroid Build Coastguard Worker    config: &SandboxConfig,
*bb4ee6a4SAndroid Build Coastguard Worker) -> Result<Minijail> {
*bb4ee6a4SAndroid Build Coastguard Worker    let mut jail = create_base_minijail(root, max_open_files)?;
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    jail.namespace_pids();
*bb4ee6a4SAndroid Build Coastguard Worker    jail.namespace_user();
*bb4ee6a4SAndroid Build Coastguard Worker    jail.namespace_user_disable_setgroups();
*bb4ee6a4SAndroid Build Coastguard Worker    if config.limit_caps {
*bb4ee6a4SAndroid Build Coastguard Worker        // Don't need any capabilities.
*bb4ee6a4SAndroid Build Coastguard Worker        jail.use_caps(0);
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker    match config.run_as {
*bb4ee6a4SAndroid Build Coastguard Worker        RunAsUser::Unspecified => {
*bb4ee6a4SAndroid Build Coastguard Worker            if config.bind_mounts && config.ugid_map.is_none() {
*bb4ee6a4SAndroid Build Coastguard Worker                // Minijail requires to set user/group map to mount extra directories.
*bb4ee6a4SAndroid Build Coastguard Worker                add_current_user_to_jail(&mut jail)?;
*bb4ee6a4SAndroid Build Coastguard Worker            }
*bb4ee6a4SAndroid Build Coastguard Worker        }
*bb4ee6a4SAndroid Build Coastguard Worker        RunAsUser::CurrentUser => {
*bb4ee6a4SAndroid Build Coastguard Worker            add_current_user_to_jail(&mut jail)?;
*bb4ee6a4SAndroid Build Coastguard Worker        }
*bb4ee6a4SAndroid Build Coastguard Worker        RunAsUser::Root => {
*bb4ee6a4SAndroid Build Coastguard Worker            // Add the current user as root in the jail.
*bb4ee6a4SAndroid Build Coastguard Worker            let crosvm_uid = geteuid();
*bb4ee6a4SAndroid Build Coastguard Worker            let crosvm_gid = getegid();
*bb4ee6a4SAndroid Build Coastguard Worker            jail.uidmap(&format!("0 {} 1", crosvm_uid))
*bb4ee6a4SAndroid Build Coastguard Worker                .context("error setting UID map")?;
*bb4ee6a4SAndroid Build Coastguard Worker            jail.gidmap(&format!("0 {} 1", crosvm_gid))
*bb4ee6a4SAndroid Build Coastguard Worker                .context("error setting GID map")?;
*bb4ee6a4SAndroid Build Coastguard Worker        }
*bb4ee6a4SAndroid Build Coastguard Worker        RunAsUser::Specified(uid, gid) => {
*bb4ee6a4SAndroid Build Coastguard Worker            if uid != 0 {
*bb4ee6a4SAndroid Build Coastguard Worker                jail.change_uid(uid)
*bb4ee6a4SAndroid Build Coastguard Worker            }
*bb4ee6a4SAndroid Build Coastguard Worker            if gid != 0 {
*bb4ee6a4SAndroid Build Coastguard Worker                jail.change_gid(gid)
*bb4ee6a4SAndroid Build Coastguard Worker            }
*bb4ee6a4SAndroid Build Coastguard Worker        }
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker    if config.bind_mounts {
*bb4ee6a4SAndroid Build Coastguard Worker        // Create a tmpfs in the device's root directory so that we can bind mount files.
*bb4ee6a4SAndroid Build Coastguard Worker        // The size=67108864 is size=64*1024*1024 or size=64MB.
*bb4ee6a4SAndroid Build Coastguard Worker        // TODO(b/267581374): Use appropriate size for tmpfs.
*bb4ee6a4SAndroid Build Coastguard Worker        jail.mount_with_data(
*bb4ee6a4SAndroid Build Coastguard Worker            Path::new("none"),
*bb4ee6a4SAndroid Build Coastguard Worker            Path::new("/"),
*bb4ee6a4SAndroid Build Coastguard Worker            "tmpfs",
*bb4ee6a4SAndroid Build Coastguard Worker            (libc::MS_NOSUID | libc::MS_NODEV | libc::MS_NOEXEC) as usize,
*bb4ee6a4SAndroid Build Coastguard Worker            "size=67108864",
*bb4ee6a4SAndroid Build Coastguard Worker        )?;
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker    if let Some((uid_map, gid_map)) = config.ugid_map {
*bb4ee6a4SAndroid Build Coastguard Worker        jail.uidmap(uid_map).context("error setting UID map")?;
*bb4ee6a4SAndroid Build Coastguard Worker        jail.gidmap(gid_map).context("error setting GID map")?;
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker    // Run in a new mount namespace.
*bb4ee6a4SAndroid Build Coastguard Worker    jail.namespace_vfs();
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    if config.namespace_net {
*bb4ee6a4SAndroid Build Coastguard Worker        // Run in an empty network namespace.
*bb4ee6a4SAndroid Build Coastguard Worker        jail.namespace_net();
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    // Don't allow the device to gain new privileges.
*bb4ee6a4SAndroid Build Coastguard Worker    jail.no_new_privs();
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    #[cfg(feature = "seccomp_trace")]
*bb4ee6a4SAndroid Build Coastguard Worker    {
*bb4ee6a4SAndroid Build Coastguard Worker        #[repr(C)]
*bb4ee6a4SAndroid Build Coastguard Worker        #[derive(AsBytes)]
*bb4ee6a4SAndroid Build Coastguard Worker        struct sock_filter {
*bb4ee6a4SAndroid Build Coastguard Worker            /* Filter block */
*bb4ee6a4SAndroid Build Coastguard Worker            code: u16, /* Actual filter code */
*bb4ee6a4SAndroid Build Coastguard Worker            jt: u8,    /* Jump true */
*bb4ee6a4SAndroid Build Coastguard Worker            jf: u8,    /* Jump false */
*bb4ee6a4SAndroid Build Coastguard Worker            k: u32,    /* Generic multiuse field */
*bb4ee6a4SAndroid Build Coastguard Worker        }
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker        // BPF constant is defined in https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/bpf_common.h
*bb4ee6a4SAndroid Build Coastguard Worker        // BPF parser/assembler is defined in https://elixir.bootlin.com/linux/v4.9/source/tools/net/bpf_exp.y
*bb4ee6a4SAndroid Build Coastguard Worker        const SECCOMP_RET_TRACE: u32 = 0x7ff00000;
*bb4ee6a4SAndroid Build Coastguard Worker        const SECCOMP_RET_LOG: u32 = 0x7ffc0000;
*bb4ee6a4SAndroid Build Coastguard Worker        const BPF_RET: u16 = 0x06;
*bb4ee6a4SAndroid Build Coastguard Worker        const BPF_K: u16 = 0x00;
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker        // return SECCOMP_RET_LOG for all syscalls
*bb4ee6a4SAndroid Build Coastguard Worker        const FILTER_RET_LOG_BLOCK: sock_filter = sock_filter {
*bb4ee6a4SAndroid Build Coastguard Worker            code: BPF_RET | BPF_K,
*bb4ee6a4SAndroid Build Coastguard Worker            jt: 0,
*bb4ee6a4SAndroid Build Coastguard Worker            jf: 0,
*bb4ee6a4SAndroid Build Coastguard Worker            k: SECCOMP_RET_LOG,
*bb4ee6a4SAndroid Build Coastguard Worker        };
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker        warn!("The running crosvm is compiled with seccomp_trace feature, and is striclty used for debugging purpose only. DO NOT USE IN PRODUCTION!!!");
*bb4ee6a4SAndroid Build Coastguard Worker        debug!(
*bb4ee6a4SAndroid Build Coastguard Worker            "seccomp_trace {{\"event\": \"minijail_create\", \"name\": \"{}\", \"jail_addr\": \"0x{:x}\"}}",
*bb4ee6a4SAndroid Build Coastguard Worker            config.seccomp_policy_name,
*bb4ee6a4SAndroid Build Coastguard Worker            read_jail_addr(&jail),
*bb4ee6a4SAndroid Build Coastguard Worker        );
*bb4ee6a4SAndroid Build Coastguard Worker        jail.parse_seccomp_bytes(FILTER_RET_LOG_BLOCK.as_bytes())
*bb4ee6a4SAndroid Build Coastguard Worker            .unwrap();
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    #[cfg(not(feature = "seccomp_trace"))]
*bb4ee6a4SAndroid Build Coastguard Worker    if let Some(seccomp_policy_dir) = config.seccomp_policy_dir {
*bb4ee6a4SAndroid Build Coastguard Worker        let seccomp_policy_path = seccomp_policy_dir.join(config.seccomp_policy_name);
*bb4ee6a4SAndroid Build Coastguard Worker        // By default we'll prioritize using the pre-compiled .bpf over the .policy file (the .bpf
*bb4ee6a4SAndroid Build Coastguard Worker        // is expected to be compiled using "trap" as the failure behavior instead of the default
*bb4ee6a4SAndroid Build Coastguard Worker        // "kill" behavior) when a policy path is supplied in the command line arugments. Otherwise
*bb4ee6a4SAndroid Build Coastguard Worker        // the built-in pre-compiled policies will be used.
*bb4ee6a4SAndroid Build Coastguard Worker        // Refer to the code comment for the "seccomp-log-failures" command-line parameter for an
*bb4ee6a4SAndroid Build Coastguard Worker        // explanation about why the |log_failures| flag forces the use of .policy files (and the
*bb4ee6a4SAndroid Build Coastguard Worker        // build-time alternative to this run-time flag).
*bb4ee6a4SAndroid Build Coastguard Worker        let bpf_policy_file = seccomp_policy_path.with_extension("bpf");
*bb4ee6a4SAndroid Build Coastguard Worker        if bpf_policy_file.exists() && !config.log_failures {
*bb4ee6a4SAndroid Build Coastguard Worker            jail.parse_seccomp_program(&bpf_policy_file)
*bb4ee6a4SAndroid Build Coastguard Worker                .with_context(|| {
*bb4ee6a4SAndroid Build Coastguard Worker                    format!(
*bb4ee6a4SAndroid Build Coastguard Worker                        "failed to parse precompiled seccomp policy: {}",
*bb4ee6a4SAndroid Build Coastguard Worker                        bpf_policy_file.display()
*bb4ee6a4SAndroid Build Coastguard Worker                    )
*bb4ee6a4SAndroid Build Coastguard Worker                })?;
*bb4ee6a4SAndroid Build Coastguard Worker        } else {
*bb4ee6a4SAndroid Build Coastguard Worker            // Use TSYNC only for the side effect of it using SECCOMP_RET_TRAP, which will correctly
*bb4ee6a4SAndroid Build Coastguard Worker            // kill the entire device process if a worker thread commits a seccomp violation.
*bb4ee6a4SAndroid Build Coastguard Worker            jail.set_seccomp_filter_tsync();
*bb4ee6a4SAndroid Build Coastguard Worker            if config.log_failures {
*bb4ee6a4SAndroid Build Coastguard Worker                jail.log_seccomp_filter_failures();
*bb4ee6a4SAndroid Build Coastguard Worker            }
*bb4ee6a4SAndroid Build Coastguard Worker            let bpf_policy_file = seccomp_policy_path.with_extension("policy");
*bb4ee6a4SAndroid Build Coastguard Worker            jail.parse_seccomp_filters(&bpf_policy_file)
*bb4ee6a4SAndroid Build Coastguard Worker                .with_context(|| {
*bb4ee6a4SAndroid Build Coastguard Worker                    format!(
*bb4ee6a4SAndroid Build Coastguard Worker                        "failed to parse seccomp policy: {}",
*bb4ee6a4SAndroid Build Coastguard Worker                        bpf_policy_file.display()
*bb4ee6a4SAndroid Build Coastguard Worker                    )
*bb4ee6a4SAndroid Build Coastguard Worker                })?;
*bb4ee6a4SAndroid Build Coastguard Worker        }
*bb4ee6a4SAndroid Build Coastguard Worker    } else {
*bb4ee6a4SAndroid Build Coastguard Worker        set_embedded_bpf_program(&mut jail, config.seccomp_policy_name)?;
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    jail.use_seccomp_filter();
*bb4ee6a4SAndroid Build Coastguard Worker    // Don't do init setup.
*bb4ee6a4SAndroid Build Coastguard Worker    jail.run_as_init();
*bb4ee6a4SAndroid Build Coastguard Worker    // Set up requested remount mode instead of default MS_PRIVATE.
*bb4ee6a4SAndroid Build Coastguard Worker    if let Some(mode) = config.remount_mode {
*bb4ee6a4SAndroid Build Coastguard Worker        jail.set_remount_mode(mode);
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    Ok(jail)
*bb4ee6a4SAndroid Build Coastguard Worker}
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker/// Creates a basic [Minijail] if `jail_config` is present.
*bb4ee6a4SAndroid Build Coastguard Worker///
*bb4ee6a4SAndroid Build Coastguard Worker/// Returns `None` if `jail_config` is none.
*bb4ee6a4SAndroid Build Coastguard Workerpub fn simple_jail(jail_config: &Option<JailConfig>, policy: &str) -> Result<Option<Minijail>> {
*bb4ee6a4SAndroid Build Coastguard Worker    if let Some(jail_config) = jail_config {
*bb4ee6a4SAndroid Build Coastguard Worker        let config = SandboxConfig::new(jail_config, policy);
*bb4ee6a4SAndroid Build Coastguard Worker        Ok(Some(create_sandbox_minijail(
*bb4ee6a4SAndroid Build Coastguard Worker            &jail_config.pivot_root,
*bb4ee6a4SAndroid Build Coastguard Worker            MAX_OPEN_FILES_DEFAULT,
*bb4ee6a4SAndroid Build Coastguard Worker            &config,
*bb4ee6a4SAndroid Build Coastguard Worker        )?))
*bb4ee6a4SAndroid Build Coastguard Worker    } else {
*bb4ee6a4SAndroid Build Coastguard Worker        Ok(None)
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker}
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker/// Creates [Minijail] for gpu processes.
*bb4ee6a4SAndroid Build Coastguard Workerpub fn create_gpu_minijail(
*bb4ee6a4SAndroid Build Coastguard Worker    root: &Path,
*bb4ee6a4SAndroid Build Coastguard Worker    config: &SandboxConfig,
*bb4ee6a4SAndroid Build Coastguard Worker    render_node_only: bool,
*bb4ee6a4SAndroid Build Coastguard Worker) -> Result<Minijail> {
*bb4ee6a4SAndroid Build Coastguard Worker    let mut jail = create_sandbox_minijail(root, MAX_OPEN_FILES_FOR_GPU, config)?;
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    // Device nodes required for DRM.
*bb4ee6a4SAndroid Build Coastguard Worker    let sys_dev_char_path = Path::new("/sys/dev/char");
*bb4ee6a4SAndroid Build Coastguard Worker    jail.mount_bind(sys_dev_char_path, sys_dev_char_path, false)?;
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    // Necessary for CGROUP control of the vGPU threads
*bb4ee6a4SAndroid Build Coastguard Worker    // This is not necessary UNLESS one wants to make use
*bb4ee6a4SAndroid Build Coastguard Worker    // of the gpu cgroup command line options.
*bb4ee6a4SAndroid Build Coastguard Worker    let sys_cpuset_path = Path::new("/sys/fs/cgroup/cpuset");
*bb4ee6a4SAndroid Build Coastguard Worker    if sys_cpuset_path.exists() {
*bb4ee6a4SAndroid Build Coastguard Worker        jail.mount_bind(sys_cpuset_path, sys_cpuset_path, true)?;
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    let sys_devices_path = Path::new("/sys/devices");
*bb4ee6a4SAndroid Build Coastguard Worker    jail.mount_bind(sys_devices_path, sys_devices_path, false)?;
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    jail_mount_bind_drm(&mut jail, render_node_only)?;
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    // If the ARM specific devices exist on the host, bind mount them in.
*bb4ee6a4SAndroid Build Coastguard Worker    let mali0_path = Path::new("/dev/mali0");
*bb4ee6a4SAndroid Build Coastguard Worker    if mali0_path.exists() {
*bb4ee6a4SAndroid Build Coastguard Worker        jail.mount_bind(mali0_path, mali0_path, true)?;
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    let pvr_sync_path = Path::new("/dev/pvr_sync");
*bb4ee6a4SAndroid Build Coastguard Worker    if pvr_sync_path.exists() {
*bb4ee6a4SAndroid Build Coastguard Worker        jail.mount_bind(pvr_sync_path, pvr_sync_path, true)?;
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    // If the udmabuf driver exists on the host, bind mount it in.
*bb4ee6a4SAndroid Build Coastguard Worker    let udmabuf_path = Path::new("/dev/udmabuf");
*bb4ee6a4SAndroid Build Coastguard Worker    if udmabuf_path.exists() {
*bb4ee6a4SAndroid Build Coastguard Worker        jail.mount_bind(udmabuf_path, udmabuf_path, true)?;
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    // Libraries that are required when mesa drivers are dynamically loaded.
*bb4ee6a4SAndroid Build Coastguard Worker    jail_mount_bind_if_exists(
*bb4ee6a4SAndroid Build Coastguard Worker        &mut jail,
*bb4ee6a4SAndroid Build Coastguard Worker        &[
*bb4ee6a4SAndroid Build Coastguard Worker            "/usr/lib",
*bb4ee6a4SAndroid Build Coastguard Worker            "/usr/lib64",
*bb4ee6a4SAndroid Build Coastguard Worker            "/lib",
*bb4ee6a4SAndroid Build Coastguard Worker            "/lib64",
*bb4ee6a4SAndroid Build Coastguard Worker            "/usr/share/drirc.d",
*bb4ee6a4SAndroid Build Coastguard Worker            "/usr/share/glvnd",
*bb4ee6a4SAndroid Build Coastguard Worker            "/usr/share/libdrm",
*bb4ee6a4SAndroid Build Coastguard Worker            "/usr/share/vulkan",
*bb4ee6a4SAndroid Build Coastguard Worker        ],
*bb4ee6a4SAndroid Build Coastguard Worker    )?;
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    // pvr driver requires read access to /proc/self/task/*/comm.
*bb4ee6a4SAndroid Build Coastguard Worker    mount_proc(&mut jail)?;
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    // To enable perfetto tracing, we need to give access to the perfetto service IPC
*bb4ee6a4SAndroid Build Coastguard Worker    // endpoints.
*bb4ee6a4SAndroid Build Coastguard Worker    let perfetto_path = Path::new("/run/perfetto");
*bb4ee6a4SAndroid Build Coastguard Worker    if perfetto_path.exists() {
*bb4ee6a4SAndroid Build Coastguard Worker        jail.mount_bind(perfetto_path, perfetto_path, true)?;
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    Ok(jail)
*bb4ee6a4SAndroid Build Coastguard Worker}
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker/// Selectively bind mount drm nodes into `jail` based on `render_node_only`
*bb4ee6a4SAndroid Build Coastguard Worker///
*bb4ee6a4SAndroid Build Coastguard Worker/// This function will not return an error if drm nodes don't exist
*bb4ee6a4SAndroid Build Coastguard Workerpub fn jail_mount_bind_drm(jail: &mut Minijail, render_node_only: bool) -> Result<()> {
*bb4ee6a4SAndroid Build Coastguard Worker    if render_node_only {
*bb4ee6a4SAndroid Build Coastguard Worker        const DRM_NUM_NODES: u32 = 63;
*bb4ee6a4SAndroid Build Coastguard Worker        const DRM_RENDER_NODE_START: u32 = 128;
*bb4ee6a4SAndroid Build Coastguard Worker        for offset in 0..DRM_NUM_NODES {
*bb4ee6a4SAndroid Build Coastguard Worker            let path_str = format!("/dev/dri/renderD{}", DRM_RENDER_NODE_START + offset);
*bb4ee6a4SAndroid Build Coastguard Worker            let drm_dri_path = Path::new(&path_str);
*bb4ee6a4SAndroid Build Coastguard Worker            if !drm_dri_path.exists() {
*bb4ee6a4SAndroid Build Coastguard Worker                break;
*bb4ee6a4SAndroid Build Coastguard Worker            }
*bb4ee6a4SAndroid Build Coastguard Worker            jail.mount_bind(drm_dri_path, drm_dri_path, false)?;
*bb4ee6a4SAndroid Build Coastguard Worker        }
*bb4ee6a4SAndroid Build Coastguard Worker    } else {
*bb4ee6a4SAndroid Build Coastguard Worker        let drm_dri_path = Path::new("/dev/dri");
*bb4ee6a4SAndroid Build Coastguard Worker        if drm_dri_path.exists() {
*bb4ee6a4SAndroid Build Coastguard Worker            jail.mount_bind(drm_dri_path, drm_dri_path, false)?;
*bb4ee6a4SAndroid Build Coastguard Worker        }
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    Ok(())
*bb4ee6a4SAndroid Build Coastguard Worker}
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker/// Mirror-mount all the directories in `dirs` into `jail` on a best-effort basis.
*bb4ee6a4SAndroid Build Coastguard Worker///
*bb4ee6a4SAndroid Build Coastguard Worker/// This function will not return an error if any of the directories in `dirs` is missing.
*bb4ee6a4SAndroid Build Coastguard Workerpub fn jail_mount_bind_if_exists<P: AsRef<std::ffi::OsStr>>(
*bb4ee6a4SAndroid Build Coastguard Worker    jail: &mut Minijail,
*bb4ee6a4SAndroid Build Coastguard Worker    dirs: &[P],
*bb4ee6a4SAndroid Build Coastguard Worker) -> Result<()> {
*bb4ee6a4SAndroid Build Coastguard Worker    for dir in dirs {
*bb4ee6a4SAndroid Build Coastguard Worker        let dir_path = Path::new(dir);
*bb4ee6a4SAndroid Build Coastguard Worker        if dir_path.exists() {
*bb4ee6a4SAndroid Build Coastguard Worker            jail.mount_bind(dir_path, dir_path, false)?;
*bb4ee6a4SAndroid Build Coastguard Worker        }
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    Ok(())
*bb4ee6a4SAndroid Build Coastguard Worker}
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker/// Mount proc in the sandbox.
*bb4ee6a4SAndroid Build Coastguard Workerpub fn mount_proc(jail: &mut Minijail) -> Result<()> {
*bb4ee6a4SAndroid Build Coastguard Worker    jail.mount(
*bb4ee6a4SAndroid Build Coastguard Worker        Path::new("proc"),
*bb4ee6a4SAndroid Build Coastguard Worker        Path::new("/proc"),
*bb4ee6a4SAndroid Build Coastguard Worker        "proc",
*bb4ee6a4SAndroid Build Coastguard Worker        (libc::MS_NOSUID | libc::MS_NODEV | libc::MS_NOEXEC | libc::MS_RDONLY) as usize,
*bb4ee6a4SAndroid Build Coastguard Worker    )?;
*bb4ee6a4SAndroid Build Coastguard Worker    Ok(())
*bb4ee6a4SAndroid Build Coastguard Worker}
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker/// Read minijail internal struct address for uniquely identifying and tracking jail's lifetime
*bb4ee6a4SAndroid Build Coastguard Worker#[cfg(feature = "seccomp_trace")]
*bb4ee6a4SAndroid Build Coastguard Workerpub fn read_jail_addr(jail: &Minijail) -> usize {
*bb4ee6a4SAndroid Build Coastguard Worker    // We can only hope minijail's rust object will always only contain a pointer to C jail struct
*bb4ee6a4SAndroid Build Coastguard Worker    assert_eq_size!(Minijail, usize);
*bb4ee6a4SAndroid Build Coastguard Worker    // Safe because it's only doing a read within bound checked by static assert
*bb4ee6a4SAndroid Build Coastguard Worker    unsafe { *(jail as *const Minijail as *const usize) }
*bb4ee6a4SAndroid Build Coastguard Worker}
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker/// Set the uid/gid for the jailed process and give a basic id map. This is
*bb4ee6a4SAndroid Build Coastguard Worker/// required for bind mounts to work.
*bb4ee6a4SAndroid Build Coastguard Workerfn add_current_user_to_jail(jail: &mut Minijail) -> Result<()> {
*bb4ee6a4SAndroid Build Coastguard Worker    let crosvm_uid = geteuid();
*bb4ee6a4SAndroid Build Coastguard Worker    let crosvm_gid = getegid();
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    jail.uidmap(&format!("{0} {0} 1", crosvm_uid))
*bb4ee6a4SAndroid Build Coastguard Worker        .context("error setting UID map")?;
*bb4ee6a4SAndroid Build Coastguard Worker    jail.gidmap(&format!("{0} {0} 1", crosvm_gid))
*bb4ee6a4SAndroid Build Coastguard Worker        .context("error setting GID map")?;
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker    if crosvm_uid != 0 {
*bb4ee6a4SAndroid Build Coastguard Worker        jail.change_uid(crosvm_uid);
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker    if crosvm_gid != 0 {
*bb4ee6a4SAndroid Build Coastguard Worker        jail.change_gid(crosvm_gid);
*bb4ee6a4SAndroid Build Coastguard Worker    }
*bb4ee6a4SAndroid Build Coastguard Worker    Ok(())
*bb4ee6a4SAndroid Build Coastguard Worker}
*bb4ee6a4SAndroid Build Coastguard Worker
*bb4ee6a4SAndroid Build Coastguard Worker/// Set the seccomp policy for a jail from embedded bpfs
*bb4ee6a4SAndroid Build Coastguard Workerpub fn set_embedded_bpf_program(jail: &mut Minijail, seccomp_policy_name: &str) -> Result<()> {
*bb4ee6a4SAndroid Build Coastguard Worker    let bpf_program = EMBEDDED_BPFS.get(seccomp_policy_name).with_context(|| {
*bb4ee6a4SAndroid Build Coastguard Worker        format!(
*bb4ee6a4SAndroid Build Coastguard Worker            "failed to find embedded seccomp policy: {}",
*bb4ee6a4SAndroid Build Coastguard Worker            seccomp_policy_name
*bb4ee6a4SAndroid Build Coastguard Worker        )
*bb4ee6a4SAndroid Build Coastguard Worker    })?;
*bb4ee6a4SAndroid Build Coastguard Worker    jail.parse_seccomp_bytes(bpf_program).with_context(|| {
*bb4ee6a4SAndroid Build Coastguard Worker        format!(
*bb4ee6a4SAndroid Build Coastguard Worker            "failed to parse embedded seccomp policy: {}",
*bb4ee6a4SAndroid Build Coastguard Worker            seccomp_policy_name
*bb4ee6a4SAndroid Build Coastguard Worker        )
*bb4ee6a4SAndroid Build Coastguard Worker    })?;
*bb4ee6a4SAndroid Build Coastguard Worker    Ok(())
*bb4ee6a4SAndroid Build Coastguard Worker}