// Copyright 2019 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // https://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // The sandbox2::Namespace class defines ways of inserting the sandboxed process // into Linux namespaces. #ifndef SANDBOXED_API_SANDBOX2_NAMESPACE_H_ #define SANDBOXED_API_SANDBOX2_NAMESPACE_H_ #include #include #include #include #include "sandboxed_api/sandbox2/mounts.h" #include "sandboxed_api/sandbox2/violation.pb.h" namespace sandbox2 { class Namespace final { public: // Performs the namespace setup (mounts, write the uid_map, etc.). static void InitializeNamespaces(uid_t uid, gid_t gid, int32_t clone_flags, const Mounts& mounts, const std::string& hostname, bool avoid_pivot_root, bool allow_mount_propagation); static void InitializeInitialNamespaces(uid_t uid, gid_t gid); Namespace(bool allow_unrestricted_networking, Mounts mounts, std::string hostname, bool allow_mount_propagation); // Stores information about this namespace in the protobuf structure. void GetNamespaceDescription(NamespaceDescription* pb_description) const; int32_t clone_flags() const { return clone_flags_; } Mounts& mounts() { return mounts_; } const Mounts& mounts() const { return mounts_; } const std::string& hostname() const { return hostname_; } bool allow_mount_propagation() const { return allow_mount_propagation_; } private: int32_t clone_flags_ = CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWNET; Mounts mounts_; std::string hostname_; bool allow_mount_propagation_ = false; }; } // namespace sandbox2 #endif // SANDBOXED_API_SANDBOX2_NAMESPACE_H_