| // Copyright 2019 The Chromium OS Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef ARC_NETWORK_MINIJAILED_PROCESS_RUNNER_H_ |
| #define ARC_NETWORK_MINIJAILED_PROCESS_RUNNER_H_ |
| |
| #include <string> |
| #include <vector> |
| |
| #include <brillo/minijail/minijail.h> |
| |
| namespace arc_networkd { |
| |
| // These match what is used in iptables.cc in firewalld. |
| const char kBrctlPath[] = "/sbin/brctl"; |
| const char kIfConfigPath[] = "/bin/ifconfig"; |
| const char kIpPath[] = "/bin/ip"; |
| const char kIpTablesPath[] = "/sbin/iptables"; |
| const char kIp6TablesPath[] = "/sbin/ip6tables"; |
| |
| // Runs the current process with minimal privileges. This function is expected |
| // to be used by child processes that need only CAP_NET_RAW and to run as the |
| // arc-networkd user. |
| void EnterChildProcessJail(); |
| |
| // Enforces the expected processes are run with the correct privileges. |
| class MinijailedProcessRunner { |
| public: |
| // Ownership of |mj| is not assumed and must be managed by the caller. |
| // If |mj| is null, the default instance will be used. |
| explicit MinijailedProcessRunner(brillo::Minijail* mj = nullptr); |
| virtual ~MinijailedProcessRunner() = default; |
| |
| // Runs a process (argv[0]) with optional arguments (argv[1]...) |
| // in a minijail as an unprivileged user with CAP_NET_ADMIN and |
| // CAP_NET_RAW capabilities. |
| virtual int Run(const std::vector<std::string>& argv, |
| bool log_failures = true); |
| |
| // Moves interface |host_ifname| into the container designated by |con_pid| |
| // as interface |con_ifname| and assigns it's |con_ipv4_addr|. This method |
| // does NOT bring up the interface. |
| virtual int AddInterfaceToContainer(const std::string& host_ifname, |
| const std::string& con_ifname, |
| const std::string& con_ipv4, |
| const std::string& con_nmask, |
| bool enable_multicast, |
| const std::string& con_pid); |
| |
| // Writes out a file that the ARC boot process uses to discover when |
| // the host networking is ready. |
| virtual int WriteSentinelToContainer(const std::string& con_pid); |
| |
| // Installs all |modules| via modprobe. |
| virtual int ModprobeAll(const std::vector<std::string>& modules); |
| |
| // Updates kernel parameter |key| to |value| using sysctl. |
| virtual int SysctlWrite(const std::string& key, const std::string& value); |
| |
| // Runs chown to update file ownership. |
| virtual int Chown(const std::string& uid, |
| const std::string& gid, |
| const std::string& file); |
| |
| private: |
| brillo::Minijail* mj_; |
| |
| DISALLOW_COPY_AND_ASSIGN(MinijailedProcessRunner); |
| }; |
| |
| } // namespace arc_networkd |
| |
| #endif // ARC_NETWORK_MINIJAILED_PROCESS_RUNNER_H_ |