1*ec63e07aSXin Li // Copyright 2019 Google LLC
2*ec63e07aSXin Li //
3*ec63e07aSXin Li // Licensed under the Apache License, Version 2.0 (the "License");
4*ec63e07aSXin Li // you may not use this file except in compliance with the License.
5*ec63e07aSXin Li // You may obtain a copy of the License at
6*ec63e07aSXin Li //
7*ec63e07aSXin Li //     https://www.apache.org/licenses/LICENSE-2.0
8*ec63e07aSXin Li //
9*ec63e07aSXin Li // Unless required by applicable law or agreed to in writing, software
10*ec63e07aSXin Li // distributed under the License is distributed on an "AS IS" BASIS,
11*ec63e07aSXin Li // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12*ec63e07aSXin Li // See the License for the specific language governing permissions and
13*ec63e07aSXin Li // limitations under the License.
14*ec63e07aSXin Li 
15*ec63e07aSXin Li // The sandbox2::Namespace class defines ways of inserting the sandboxed process
16*ec63e07aSXin Li // into Linux namespaces.
17*ec63e07aSXin Li 
18*ec63e07aSXin Li #ifndef SANDBOXED_API_SANDBOX2_NAMESPACE_H_
19*ec63e07aSXin Li #define SANDBOXED_API_SANDBOX2_NAMESPACE_H_
20*ec63e07aSXin Li 
21*ec63e07aSXin Li #include <sched.h>
22*ec63e07aSXin Li #include <sys/types.h>
23*ec63e07aSXin Li 
24*ec63e07aSXin Li #include <cstdint>
25*ec63e07aSXin Li #include <string>
26*ec63e07aSXin Li 
27*ec63e07aSXin Li #include "sandboxed_api/sandbox2/mounts.h"
28*ec63e07aSXin Li #include "sandboxed_api/sandbox2/violation.pb.h"
29*ec63e07aSXin Li 
30*ec63e07aSXin Li namespace sandbox2 {
31*ec63e07aSXin Li 
// Configuration of the Linux namespaces a sandboxee is placed into, plus the
// mount tree and hostname it sees inside them. An instance only carries
// configuration; the static Initialize*() helpers do the kernel-side setup.
class Namespace final {
 public:
  // Performs the namespace setup (mounts, write the uid_map, etc.).
  //
  // uid, gid: ids written to the new user namespace's uid_map/gid_map.
  // clone_flags: CLONE_NEW* bits of the namespaces being set up; expected to
  //   match the flags the process was actually cloned with (see clone_flags()).
  // mounts: mount tree to construct for the sandboxee.
  // hostname: hostname set inside the UTS namespace (CLONE_NEWUTS).
  // avoid_pivot_root: NOTE(review): presumably selects a chroot-style setup
  //   instead of pivot_root(2); confirm against namespace.cc.
  // allow_mount_propagation: see allow_mount_propagation() below.
  static void InitializeNamespaces(uid_t uid, gid_t gid, int32_t clone_flags,
                                   const Mounts& mounts,
                                   const std::string& hostname,
                                   bool avoid_pivot_root,
                                   bool allow_mount_propagation);
  // NOTE(review): by its name this performs the early (user namespace / id
  // map) part of the setup only; confirm the exact scope in namespace.cc.
  static void InitializeInitialNamespaces(uid_t uid, gid_t gid);

  // allow_unrestricted_networking: there is no matching member below, so it
  //   presumably adjusts clone_flags_ (CLONE_NEWNET) — verify in namespace.cc.
  // mounts, hostname: taken by value and stored; callers may std::move them.
  // allow_mount_propagation: stored in allow_mount_propagation_.
  Namespace(bool allow_unrestricted_networking, Mounts mounts,
            std::string hostname, bool allow_mount_propagation);

  // Stores information about this namespace in the protobuf structure.
  // pb_description must be non-null; it is filled for violation reporting
  // (NamespaceDescription comes from violation.pb.h).
  void GetNamespaceDescription(NamespaceDescription* pb_description) const;

  // CLONE_NEW* flags to create the sandboxee with; see clone_flags_ for the
  // default set.
  int32_t clone_flags() const { return clone_flags_; }

  // Mutable access lets callers extend the mount tree after construction.
  // Every mount added this way widens what the sandboxee can see, so call
  // sites using the non-const overload deserve the same review as the
  // initial configuration.
  Mounts& mounts() { return mounts_; }
  const Mounts& mounts() const { return mounts_; }

  // Hostname the sandboxee sees inside its UTS namespace.
  const std::string& hostname() const { return hostname_; }

  // Whether mount propagation is permitted; defaults to false (the
  // isolating choice). Presumably what callers forward to
  // InitializeNamespaces() — confirm against the call site.
  bool allow_mount_propagation() const { return allow_mount_propagation_; }

 private:
  // Default: a fresh user, mount, UTS, PID, IPC and network namespace.
  // Each flag removed from this set shares the corresponding kernel resource
  // with the host, i.e. weakens isolation.
  int32_t clone_flags_ = CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWUTS |
                         CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWNET;
  Mounts mounts_;
  std::string hostname_;
  // Off unless explicitly enabled through the constructor.
  bool allow_mount_propagation_ = false;
};
64*ec63e07aSXin Li 
65*ec63e07aSXin Li }  // namespace sandbox2
66*ec63e07aSXin Li 
67*ec63e07aSXin Li #endif  // SANDBOXED_API_SANDBOX2_NAMESPACE_H_