diagnostics/cros_healthd/minijail/minijail_configuration.cc - mirrors/cros/chromiumos/platform2 - Git at Google

 // Copyright 2020 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "diagnostics/cros_healthd/minijail/minijail_configuration.h"

 #include <sys/mount.h>

 #include <string>

 #include <base/files/file_path.h>
 #include <base/files/file_util.h>
 #include <libminijail.h>
 #include <scoped_minijail.h>

 namespace diagnostics {

 namespace {

 // User and group to run as.
 constexpr char kCrosHealthdUserName[] = "cros_healthd";
 constexpr char kCrosHealthdGroupName[] = "cros_healthd";

 // Path to the SECCOMP filter to apply.
 constexpr char kSeccompFilterPath[] =
     "/usr/share/policy/cros_healthd-seccomp.policy";

 // Checks to see if |file_path| exists on the device. If it does, it will be
 // bind-mounted inside |jail| at the same path it exists outside the minijail,
 // and it will not be writeable from inside |jail|.
 void BindMountIfPathExists(struct minijail* jail,
                            const base::FilePath& file_path) {
   if (!base::PathExists(file_path))
     return;

   const char* path_string = file_path.value().c_str();
   minijail_bind(jail, path_string, path_string, 0);
 }

 }  // namespace

 void ConfigureAndEnterMinijail() {
   ScopedMinijail jail(minijail_new());
   minijail_no_new_privs(jail.get());           // The no_new_privs bit.
   minijail_remount_proc_readonly(jail.get());  // Remount /proc readonly.
   minijail_namespace_ipc(jail.get());          // New IPC namespace.
   minijail_namespace_net(jail.get());          // New network namespace.
   minijail_namespace_uts(jail.get());          // New UTS namespace.
   minijail_namespace_vfs(jail.get());          // New VFS namespace.
   minijail_mount_tmp(jail.get());              // Mount new tmpfs.
   minijail_enter_pivot_root(jail.get(),
                             "/mnt/empty");  // Set /mnt/empty as rootfs.

   // Bind-mount /, /dev and /proc. /dev is necessary to send ioctls to the
   // system's block devices.
   minijail_bind(jail.get(), "/", "/", 0);
   minijail_bind(jail.get(), "/dev", "/dev", 0);
   minijail_bind(jail.get(), "/proc", "/proc", 0);

   // Create a new tmpfs filesystem for /run and mount necessary files.
   minijail_mount_with_data(jail.get(), "tmpfs", "/run", "tmpfs", 0, "");
   minijail_bind(jail.get(), "/run/dbus", "/run/dbus",
                 0);  // Shared socket file for talking to the D-Bus daemon.
   minijail_bind(jail.get(), "/run/systemd/journal", "/run/systemd/journal",
                 0);  // Needed for logging.
   minijail_bind(jail.get(), "/run/chromeos-config/v1",
                 "/run/chromeos-config/v1",
                 0);  // Needed for access to chromeos-config.

   // Create a new tmpfs filesystem for /sys and mount necessary files.
   minijail_mount_with_data(jail.get(), "tmpfs", "/sys", "tmpfs", 0, "");
   minijail_bind(jail.get(), "/sys/block", "/sys/block",
                 0);  // Files related to the system's block devices.
   minijail_bind(jail.get(), "/sys/devices", "/sys/devices",
                 0);  // Needed to get the names of the block device dev nodes.
   minijail_bind(
       jail.get(), "/sys/devices/system/cpu", "/sys/devices/system/cpu",
       0);  // Used by the stressapptest diagnostic. TODO: Do we need this?
   // The following sysfs paths don't exist on every device, so test for their
   // existence and bind-mount them if they do exist.
   BindMountIfPathExists(
       jail.get(),
       base::FilePath("/sys/class/backlight"));  // Files related to the system's
                                                 // backlights.
   BindMountIfPathExists(
       jail.get(),
       base::FilePath("/sys/class/chromeos"));  // Files related to Chrome OS
                                                // hardware devices.

   BindMountIfPathExists(
       jail.get(),
       base::FilePath("/sys/class/hwmon"));  // Files related to Chrome OS
                                             // hardware monitors.

   BindMountIfPathExists(
       jail.get(),
       base::FilePath("/sys/class/power_supply"));  // Files related to the
                                                    // system's power supplies.
   BindMountIfPathExists(
       jail.get(),
       base::FilePath("/sys/firmware/vpd/ro"));  // Files with R/O cached VPD.

   BindMountIfPathExists(
       jail.get(),
       base::FilePath("/sys/firmware/vpd/rw"));  // Files with R/W cached VPD.

   BindMountIfPathExists(
       jail.get(),
       base::FilePath("/sys/class/dmi/id"));  // Files related to the
                                              // system's DMI information.

   // Create a new tmpfs filesystem for /var and mount necessary files.
   minijail_mount_with_data(jail.get(), "tmpfs", "/var", "tmpfs", 0, "");
   minijail_bind(jail.get(), "/var/lib/timezone", "/var/lib/timezone",
                 0);  // Symlink for reading the timezone file.
   minijail_bind(jail.get(), "/var/cache/diagnostics", "/var/cache/diagnostics",
                 1);  // Diagnostics can create test files in this directory.

   // Bind-mount other necessary files.
   minijail_bind(
       jail.get(), "/dev/shm", "/dev/shm",
       1);  // Allows creation of shared memory files that are used to set up
            // mojo::ScopedHandles which can be returned by GetRoutineUpdate.
   minijail_bind(jail.get(), "/mnt/stateful_partition",
                 "/mnt/stateful_partition",
                 0);  // Needed by the StatefulPartition probe.
   minijail_bind(jail.get(), "/usr/share/zoneinfo", "/usr/share/zoneinfo",
                 0);  // Directory holding timezone files.

   // Run as the cros_healthd user and group. Inherit supplementary groups to
   // allow cros_healthd access to disk files.
   CHECK_EQ(0, minijail_change_user(jail.get(), kCrosHealthdUserName));
   CHECK_EQ(0, minijail_change_group(jail.get(), kCrosHealthdGroupName));
   minijail_inherit_usergroups(jail.get());

   // Apply SECCOMP filtering.
   minijail_use_seccomp_filter(jail.get());
   minijail_parse_seccomp_filters(jail.get(), kSeccompFilterPath);

   minijail_enter(jail.get());
 }

 void NewMountNamespace() {
   ScopedMinijail j(minijail_new());

   // Create a minimalistic mount namespace with just the bare minimum required.
   minijail_namespace_vfs(j.get());
   minijail_mount_tmp(j.get());
   if (minijail_enter_pivot_root(j.get(), "/mnt/empty"))
     LOG(FATAL) << "minijail_enter_pivot_root() failed";

   minijail_bind(j.get(), "/", "/", 0);

   if (minijail_mount_with_data(j.get(), "none", "/proc", "proc",
                                MS_NOSUID | MS_NOEXEC | MS_NODEV, nullptr)) {
     LOG(FATAL) << "minijail_mount_with_data(\"/proc\") failed";
   }

   if (minijail_mount_with_data(j.get(), "tmpfs", "/run", "tmpfs",
                                MS_NOSUID | MS_NOEXEC | MS_NODEV, nullptr)) {
     LOG(FATAL) << "minijail_mount_with_data(\"/run\") failed";
   }

   // Mount /run/systemd/journal to be able to log to journald.
   if (minijail_bind(j.get(), "/run/systemd/journal", "/run/systemd/journal", 0))
     LOG(FATAL) << "minijail_bind(\"/run/systemd/journal\") failed";

   if (minijail_mount_with_data(j.get(), "/dev", "/dev", "bind",
                                MS_BIND | MS_REC, nullptr)) {
     LOG(FATAL) << "minijail_mount_with_data(\"/dev\") failed";
   }

   minijail_enter(j.get());
 }

 }  // namespace diagnostics
	// Copyright 2020 The Chromium OS Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "diagnostics/cros_healthd/minijail/minijail_configuration.h"

	#include <sys/mount.h>

	#include <string>

	#include <base/files/file_path.h>
	#include <base/files/file_util.h>
	#include <libminijail.h>
	#include <scoped_minijail.h>

	namespace diagnostics {

	namespace {

	// User and group to run as.
	constexpr char kCrosHealthdUserName[] = "cros_healthd";
	constexpr char kCrosHealthdGroupName[] = "cros_healthd";

	// Path to the SECCOMP filter to apply.
	constexpr char kSeccompFilterPath[] =
	"/usr/share/policy/cros_healthd-seccomp.policy";

	// Checks to see if \|file_path\| exists on the device. If it does, it will be
	// bind-mounted inside \|jail\| at the same path it exists outside the minijail,
	// and it will not be writeable from inside \|jail\|.
	void BindMountIfPathExists(struct minijail* jail,
	const base::FilePath& file_path) {
	if (!base::PathExists(file_path))
	return;

	const char* path_string = file_path.value().c_str();
	minijail_bind(jail, path_string, path_string, 0);
	}

	} // namespace

	void ConfigureAndEnterMinijail() {
	ScopedMinijail jail(minijail_new());
	minijail_no_new_privs(jail.get()); // The no_new_privs bit.
	minijail_remount_proc_readonly(jail.get()); // Remount /proc readonly.
	minijail_namespace_ipc(jail.get()); // New IPC namespace.
	minijail_namespace_net(jail.get()); // New network namespace.
	minijail_namespace_uts(jail.get()); // New UTS namespace.
	minijail_namespace_vfs(jail.get()); // New VFS namespace.
	minijail_mount_tmp(jail.get()); // Mount new tmpfs.
	minijail_enter_pivot_root(jail.get(),
	"/mnt/empty"); // Set /mnt/empty as rootfs.

	// Bind-mount /, /dev and /proc. /dev is necessary to send ioctls to the
	// system's block devices.
	minijail_bind(jail.get(), "/", "/", 0);
	minijail_bind(jail.get(), "/dev", "/dev", 0);
	minijail_bind(jail.get(), "/proc", "/proc", 0);

	// Create a new tmpfs filesystem for /run and mount necessary files.
	minijail_mount_with_data(jail.get(), "tmpfs", "/run", "tmpfs", 0, "");
	minijail_bind(jail.get(), "/run/dbus", "/run/dbus",
	0); // Shared socket file for talking to the D-Bus daemon.
	minijail_bind(jail.get(), "/run/systemd/journal", "/run/systemd/journal",
	0); // Needed for logging.
	minijail_bind(jail.get(), "/run/chromeos-config/v1",
	"/run/chromeos-config/v1",
	0); // Needed for access to chromeos-config.

	// Create a new tmpfs filesystem for /sys and mount necessary files.
	minijail_mount_with_data(jail.get(), "tmpfs", "/sys", "tmpfs", 0, "");
	minijail_bind(jail.get(), "/sys/block", "/sys/block",
	0); // Files related to the system's block devices.
	minijail_bind(jail.get(), "/sys/devices", "/sys/devices",
	0); // Needed to get the names of the block device dev nodes.
	minijail_bind(
	jail.get(), "/sys/devices/system/cpu", "/sys/devices/system/cpu",
	0); // Used by the stressapptest diagnostic. TODO: Do we need this?
	// The following sysfs paths don't exist on every device, so test for their
	// existence and bind-mount them if they do exist.
	BindMountIfPathExists(
	jail.get(),
	base::FilePath("/sys/class/backlight")); // Files related to the system's
	// backlights.
	BindMountIfPathExists(
	jail.get(),
	base::FilePath("/sys/class/chromeos")); // Files related to Chrome OS
	// hardware devices.

	BindMountIfPathExists(
	jail.get(),
	base::FilePath("/sys/class/hwmon")); // Files related to Chrome OS
	// hardware monitors.

	BindMountIfPathExists(
	jail.get(),
	base::FilePath("/sys/class/power_supply")); // Files related to the
	// system's power supplies.
	BindMountIfPathExists(
	jail.get(),
	base::FilePath("/sys/firmware/vpd/ro")); // Files with R/O cached VPD.

	BindMountIfPathExists(
	jail.get(),
	base::FilePath("/sys/firmware/vpd/rw")); // Files with R/W cached VPD.

	BindMountIfPathExists(
	jail.get(),
	base::FilePath("/sys/class/dmi/id")); // Files related to the
	// system's DMI information.

	// Create a new tmpfs filesystem for /var and mount necessary files.
	minijail_mount_with_data(jail.get(), "tmpfs", "/var", "tmpfs", 0, "");
	minijail_bind(jail.get(), "/var/lib/timezone", "/var/lib/timezone",
	0); // Symlink for reading the timezone file.
	minijail_bind(jail.get(), "/var/cache/diagnostics", "/var/cache/diagnostics",
	1); // Diagnostics can create test files in this directory.

	// Bind-mount other necessary files.
	minijail_bind(
	jail.get(), "/dev/shm", "/dev/shm",
	1); // Allows creation of shared memory files that are used to set up
	// mojo::ScopedHandles which can be returned by GetRoutineUpdate.
	minijail_bind(jail.get(), "/mnt/stateful_partition",
	"/mnt/stateful_partition",
	0); // Needed by the StatefulPartition probe.
	minijail_bind(jail.get(), "/usr/share/zoneinfo", "/usr/share/zoneinfo",
	0); // Directory holding timezone files.

	// Run as the cros_healthd user and group. Inherit supplementary groups to
	// allow cros_healthd access to disk files.
	CHECK_EQ(0, minijail_change_user(jail.get(), kCrosHealthdUserName));
	CHECK_EQ(0, minijail_change_group(jail.get(), kCrosHealthdGroupName));
	minijail_inherit_usergroups(jail.get());

	// Apply SECCOMP filtering.
	minijail_use_seccomp_filter(jail.get());
	minijail_parse_seccomp_filters(jail.get(), kSeccompFilterPath);

	minijail_enter(jail.get());
	}

	void NewMountNamespace() {
	ScopedMinijail j(minijail_new());

	// Create a minimalistic mount namespace with just the bare minimum required.
	minijail_namespace_vfs(j.get());
	minijail_mount_tmp(j.get());
	if (minijail_enter_pivot_root(j.get(), "/mnt/empty"))
	LOG(FATAL) << "minijail_enter_pivot_root() failed";

	minijail_bind(j.get(), "/", "/", 0);

	if (minijail_mount_with_data(j.get(), "none", "/proc", "proc",
	MS_NOSUID \| MS_NOEXEC \| MS_NODEV, nullptr)) {
	LOG(FATAL) << "minijail_mount_with_data(\"/proc\") failed";
	}

	if (minijail_mount_with_data(j.get(), "tmpfs", "/run", "tmpfs",
	MS_NOSUID \| MS_NOEXEC \| MS_NODEV, nullptr)) {
	LOG(FATAL) << "minijail_mount_with_data(\"/run\") failed";
	}

	// Mount /run/systemd/journal to be able to log to journald.
	if (minijail_bind(j.get(), "/run/systemd/journal", "/run/systemd/journal", 0))
	LOG(FATAL) << "minijail_bind(\"/run/systemd/journal\") failed";

	if (minijail_mount_with_data(j.get(), "/dev", "/dev", "bind",
	MS_BIND \| MS_REC, nullptr)) {
	LOG(FATAL) << "minijail_mount_with_data(\"/dev\") failed";
	}

	minijail_enter(j.get());
	}

	} // namespace diagnostics