2020-01-17 21:05:03 +08:00
|
|
|
// Copyright 2019 Google LLC
|
2019-03-19 00:21:48 +08:00
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
2022-01-28 17:38:27 +08:00
|
|
|
// https://www.apache.org/licenses/LICENSE-2.0
|
2019-03-19 00:21:48 +08:00
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
// The sandbox2::Namespace class defines ways of inserting the sandboxed process
|
|
|
|
// into Linux namespaces.
|
|
|
|
|
|
|
|
#ifndef SANDBOXED_API_SANDBOX2_NAMESPACE_H_
|
|
|
|
#define SANDBOXED_API_SANDBOX2_NAMESPACE_H_
|
|
|
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
|
|
|
#include <cstdint>
|
|
|
|
#include <memory>
|
2019-03-26 22:54:02 +08:00
|
|
|
#include <string>
|
2019-03-19 00:21:48 +08:00
|
|
|
|
|
|
|
#include "absl/base/macros.h"
|
|
|
|
#include "sandboxed_api/sandbox2/mounts.h"
|
2019-03-20 20:19:28 +08:00
|
|
|
#include "sandboxed_api/sandbox2/violation.pb.h"
|
2019-03-19 00:21:48 +08:00
|
|
|
|
|
|
|
namespace sandbox2 {
|
|
|
|
|
|
|
|
class Namespace final {
|
|
|
|
public:
|
|
|
|
// Performs the namespace setup (mounts, write the uid_map, etc.).
|
|
|
|
static void InitializeNamespaces(uid_t uid, gid_t gid, int32_t clone_flags,
|
|
|
|
const Mounts& mounts, bool mount_proc,
|
2019-11-20 01:01:59 +08:00
|
|
|
const std::string& hostname,
|
|
|
|
bool avoid_pivot_root);
|
|
|
|
static void InitializeInitialNamespaces(uid_t uid, gid_t gid);
|
2019-03-19 00:21:48 +08:00
|
|
|
|
|
|
|
Namespace() = delete;
|
|
|
|
Namespace(const Namespace&) = delete;
|
|
|
|
Namespace& operator=(const Namespace&) = delete;
|
|
|
|
|
2019-03-26 22:54:02 +08:00
|
|
|
Namespace(bool allow_unrestricted_networking, Mounts mounts,
|
|
|
|
std::string hostname);
|
2019-03-19 00:21:48 +08:00
|
|
|
|
|
|
|
void DisableUserNamespace();
|
|
|
|
|
|
|
|
// Returns all needed CLONE_NEW* flags.
|
|
|
|
int32_t GetCloneFlags() const;
|
|
|
|
|
|
|
|
// Stores information about this namespace in the protobuf structure.
|
|
|
|
void GetNamespaceDescription(NamespaceDescription* pb_description);
|
|
|
|
|
|
|
|
Mounts& mounts() { return mounts_; }
|
|
|
|
const Mounts& mounts() const { return mounts_; }
|
|
|
|
|
|
|
|
const std::string& hostname() const { return hostname_; }
|
|
|
|
|
|
|
|
private:
|
|
|
|
friend class StackTracePeer;
|
|
|
|
|
|
|
|
int32_t clone_flags_;
|
|
|
|
Mounts mounts_;
|
|
|
|
std::string hostname_;
|
|
|
|
};
|
|
|
|
|
|
|
|
} // namespace sandbox2
|
|
|
|
|
|
|
|
#endif // SANDBOXED_API_SANDBOX2_NAMESPACE_H_
|