1*dd0948b3SAndroid Build Coastguard Worker /* 2*dd0948b3SAndroid Build Coastguard Worker * Copyright (C) 2023 The Android Open Source Project 3*dd0948b3SAndroid Build Coastguard Worker * 4*dd0948b3SAndroid Build Coastguard Worker * Licensed under the Apache License, Version 2.0 (the "License"); 5*dd0948b3SAndroid Build Coastguard Worker * you may not use this file except in compliance with the License. 6*dd0948b3SAndroid Build Coastguard Worker * You may obtain a copy of the License at 7*dd0948b3SAndroid Build Coastguard Worker * 8*dd0948b3SAndroid Build Coastguard Worker * http://www.apache.org/licenses/LICENSE-2.0 9*dd0948b3SAndroid Build Coastguard Worker * 10*dd0948b3SAndroid Build Coastguard Worker * Unless required by applicable law or agreed to in writing, software 11*dd0948b3SAndroid Build Coastguard Worker * distributed under the License is distributed on an "AS IS" BASIS, 12*dd0948b3SAndroid Build Coastguard Worker * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13*dd0948b3SAndroid Build Coastguard Worker * See the License for the specific language governing permissions and 14*dd0948b3SAndroid Build Coastguard Worker * limitations under the License. 15*dd0948b3SAndroid Build Coastguard Worker */ 16*dd0948b3SAndroid Build Coastguard Worker 17*dd0948b3SAndroid Build Coastguard Worker #ifndef SHELL_AS_CONTEXT_H_ 18*dd0948b3SAndroid Build Coastguard Worker #define SHELL_AS_CONTEXT_H_ 19*dd0948b3SAndroid Build Coastguard Worker 20*dd0948b3SAndroid Build Coastguard Worker #include <selinux/selinux.h> 21*dd0948b3SAndroid Build Coastguard Worker #include <sys/capability.h> 22*dd0948b3SAndroid Build Coastguard Worker 23*dd0948b3SAndroid Build Coastguard Worker #include <memory> 24*dd0948b3SAndroid Build Coastguard Worker #include <optional> 25*dd0948b3SAndroid Build Coastguard Worker #include <vector> 26*dd0948b3SAndroid Build Coastguard Worker 27*dd0948b3SAndroid Build Coastguard Worker namespace shell_as { 28*dd0948b3SAndroid Build Coastguard Worker 29*dd0948b3SAndroid Build Coastguard Worker // Enumeration of the possible seccomp filters that Android may apply to a 30*dd0948b3SAndroid Build Coastguard Worker // process. 31*dd0948b3SAndroid Build Coastguard Worker // 32*dd0948b3SAndroid Build Coastguard Worker // This should be kept in sync with the policies defined in: 33*dd0948b3SAndroid Build Coastguard Worker // bionic/libc/seccomp/include/seccomp_policy.h 34*dd0948b3SAndroid Build Coastguard Worker enum SeccompFilter { 35*dd0948b3SAndroid Build Coastguard Worker kAppFilter = 0, 36*dd0948b3SAndroid Build Coastguard Worker kAppZygoteFilter = 1, 37*dd0948b3SAndroid Build Coastguard Worker kSystemFilter = 2, 38*dd0948b3SAndroid Build Coastguard Worker }; 39*dd0948b3SAndroid Build Coastguard Worker 40*dd0948b3SAndroid Build Coastguard Worker typedef struct SecurityContext { 41*dd0948b3SAndroid Build Coastguard Worker std::optional<uid_t> user_id; 42*dd0948b3SAndroid Build Coastguard Worker std::optional<gid_t> group_id; 43*dd0948b3SAndroid Build Coastguard Worker std::optional<std::vector<gid_t>> supplementary_group_ids; 44*dd0948b3SAndroid Build Coastguard Worker std::optional<char *> selinux_context; 45*dd0948b3SAndroid Build Coastguard Worker std::optional<SeccompFilter> seccomp_filter; 46*dd0948b3SAndroid Build Coastguard Worker std::optional<cap_t> capabilities; 47*dd0948b3SAndroid Build Coastguard Worker } SecurityContext; 48*dd0948b3SAndroid Build Coastguard Worker 49*dd0948b3SAndroid Build Coastguard Worker // Infers the appropriate seccomp filter from a user ID. 50*dd0948b3SAndroid Build Coastguard Worker // 51*dd0948b3SAndroid Build Coastguard Worker // This mimics the behavior of the zygote process and provides a sane default 52*dd0948b3SAndroid Build Coastguard Worker // method of picking a filter. However, it is not 100% accurate since it does 53*dd0948b3SAndroid Build Coastguard Worker // not assign the app zygote filter and would not return an appropriate value 54*dd0948b3SAndroid Build Coastguard Worker // for processes not started by the zygote. 55*dd0948b3SAndroid Build Coastguard Worker SeccompFilter SeccompFilterFromUserId(uid_t user_id); 56*dd0948b3SAndroid Build Coastguard Worker 57*dd0948b3SAndroid Build Coastguard Worker // Derives a complete security context from a given process. 58*dd0948b3SAndroid Build Coastguard Worker // 59*dd0948b3SAndroid Build Coastguard Worker // If unable to determine any field of the context this method will return false 60*dd0948b3SAndroid Build Coastguard Worker // and not modify the given context. 61*dd0948b3SAndroid Build Coastguard Worker bool SecurityContextFromProcess(pid_t process_id, SecurityContext* context); 62*dd0948b3SAndroid Build Coastguard Worker 63*dd0948b3SAndroid Build Coastguard Worker // Derives a complete security context from the bundled test app. 64*dd0948b3SAndroid Build Coastguard Worker // 65*dd0948b3SAndroid Build Coastguard Worker // If unable to determine any field of the context this method will return false 66*dd0948b3SAndroid Build Coastguard Worker // and not modify the given context. 67*dd0948b3SAndroid Build Coastguard Worker bool SecurityContextFromTestApp(SecurityContext* context); 68*dd0948b3SAndroid Build Coastguard Worker 69*dd0948b3SAndroid Build Coastguard Worker } // namespace shell_as 70*dd0948b3SAndroid Build Coastguard Worker 71*dd0948b3SAndroid Build Coastguard Worker #endif // SHELL_AS_CONTEXT_H_ 72