xref: /aosp_15_r20/external/minijail/system.h (revision 4b9c6d91573e8b3a96609339b46361b5476dd0f9) 
1*4b9c6d91SCole Faust /* Copyright 2017 The ChromiumOS Authors
2*4b9c6d91SCole Faust  * Use of this source code is governed by a BSD-style license that can be
3*4b9c6d91SCole Faust  * found in the LICENSE file.
4*4b9c6d91SCole Faust  *
5*4b9c6d91SCole Faust  * Wrappers for system functionality.
6*4b9c6d91SCole Faust  */
7*4b9c6d91SCole Faust 
8*4b9c6d91SCole Faust #ifndef _SYSTEM_H_
9*4b9c6d91SCole Faust #define _SYSTEM_H_
10*4b9c6d91SCole Faust 
11*4b9c6d91SCole Faust #include <stdbool.h>
12*4b9c6d91SCole Faust #include <sys/capability.h>
13*4b9c6d91SCole Faust #include <sys/prctl.h>
14*4b9c6d91SCole Faust #include <sys/types.h>
15*4b9c6d91SCole Faust 
16*4b9c6d91SCole Faust #ifdef __cplusplus
17*4b9c6d91SCole Faust extern "C" {
18*4b9c6d91SCole Faust #endif
19*4b9c6d91SCole Faust 
20*4b9c6d91SCole Faust /* Control the ambient capability set. */
21*4b9c6d91SCole Faust #ifndef PR_CAP_AMBIENT
22*4b9c6d91SCole Faust #define PR_CAP_AMBIENT 47
23*4b9c6d91SCole Faust #endif
24*4b9c6d91SCole Faust 
25*4b9c6d91SCole Faust #ifndef PR_CAP_AMBIENT_IS_SET
26*4b9c6d91SCole Faust #define PR_CAP_AMBIENT_IS_SET 1
27*4b9c6d91SCole Faust #endif
28*4b9c6d91SCole Faust 
29*4b9c6d91SCole Faust #ifndef PR_CAP_AMBIENT_RAISE
30*4b9c6d91SCole Faust #define PR_CAP_AMBIENT_RAISE 2
31*4b9c6d91SCole Faust #endif
32*4b9c6d91SCole Faust 
33*4b9c6d91SCole Faust #ifndef PR_CAP_AMBIENT_LOWER
34*4b9c6d91SCole Faust #define PR_CAP_AMBIENT_LOWER 3
35*4b9c6d91SCole Faust #endif
36*4b9c6d91SCole Faust 
37*4b9c6d91SCole Faust #ifndef PR_CAP_AMBIENT_CLEAR_ALL
38*4b9c6d91SCole Faust #define PR_CAP_AMBIENT_CLEAR_ALL 4
39*4b9c6d91SCole Faust #endif
40*4b9c6d91SCole Faust 
41*4b9c6d91SCole Faust int secure_noroot_set_and_locked(uint64_t mask);
42*4b9c6d91SCole Faust int lock_securebits(uint64_t skip_mask, bool require_keep_caps);
43*4b9c6d91SCole Faust 
44*4b9c6d91SCole Faust unsigned int get_last_valid_cap(void);
45*4b9c6d91SCole Faust int cap_ambient_supported(void);
46*4b9c6d91SCole Faust 
47*4b9c6d91SCole Faust int config_net_loopback(void);
48*4b9c6d91SCole Faust 
49*4b9c6d91SCole Faust int write_pid_to_path(pid_t pid, const char *path);
50*4b9c6d91SCole Faust int write_proc_file(pid_t pid, const char *content, const char *basename);
51*4b9c6d91SCole Faust 
52*4b9c6d91SCole Faust int mkdir_p(const char *path, mode_t mode, bool isdir);
53*4b9c6d91SCole Faust 
54*4b9c6d91SCole Faust int get_mount_flags(const char *source, unsigned long *mnt_flags);
55*4b9c6d91SCole Faust 
56*4b9c6d91SCole Faust int setup_mount_destination(const char *source, const char *dest, uid_t uid,
57*4b9c6d91SCole Faust 			    uid_t gid, bool bind);
58*4b9c6d91SCole Faust 
59*4b9c6d91SCole Faust int lookup_user(const char *user, uid_t *uid, gid_t *gid);
60*4b9c6d91SCole Faust int lookup_group(const char *group, gid_t *gid);
61*4b9c6d91SCole Faust 
62*4b9c6d91SCole Faust int seccomp_ret_log_available(void);
63*4b9c6d91SCole Faust int seccomp_ret_kill_process_available(void);
64*4b9c6d91SCole Faust bool seccomp_filter_flags_available(unsigned int flags);
65*4b9c6d91SCole Faust 
66*4b9c6d91SCole Faust /*
67*4b9c6d91SCole Faust  * is_canonical_path: checks whether @path is a canonical path.
68*4b9c6d91SCole Faust  * This means:
69*4b9c6d91SCole Faust  * -Absolute.
70*4b9c6d91SCole Faust  * -No symlinks.
71*4b9c6d91SCole Faust  * -No /./, /../, or extra '/'.
72*4b9c6d91SCole Faust  * -Single trailing '/' is OK.
73*4b9c6d91SCole Faust  */
74*4b9c6d91SCole Faust bool is_canonical_path(const char *path);
75*4b9c6d91SCole Faust 
76*4b9c6d91SCole Faust #ifdef __cplusplus
77*4b9c6d91SCole Faust }; /* extern "C" */
78*4b9c6d91SCole Faust #endif
79*4b9c6d91SCole Faust 
80*4b9c6d91SCole Faust #endif /* _SYSTEM_H_ */
81