gugelfrei
/
android_frameworks_av
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge "flexibility for having extra policy files" into rvc-dev

Browse Source
gugelfrei
Steven Moreland 4 years ago committed by Android (Google) Code Review
parent cc39f3d7fe d03d42b547
commit b27ef83f2c
5 changed files with 69 additions and 17 deletions
Show Stats Download Patch File Download Diff File

1
services/minijail/Android.bp
Unescape View File

@ -39,4 +39,5 @@ cc_test {
srcs: [ srcs: [
"av_services_minijail_unittest.cpp", "av_services_minijail_unittest.cpp",
], ],
test_suites: ["device-tests"],
} }

5
services/minijail/TEST_MAPPING
Unescape View File

@ -0,0 +1,5 @@
{
"presubmit": [
{ "name": "libavservices_minijail_unittest" }
]
}

33
services/minijail/av_services_minijail_unittest.cpp
Unescape View File

@ -34,13 +34,32 @@ class WritePolicyTest : public ::testing::Test
"mmap: 1\n" "mmap: 1\n"
"munmap: 1\n"; "munmap: 1\n";
const std::string third_policy_ =
"open: 1\n"
"close: 1\n";
const std::string full_policy_ = base_policy_ + std::string("\n") + additional_policy_; const std::string full_policy_ = base_policy_ + std::string("\n") + additional_policy_;
const std::string triple_policy_ = base_policy_ +
std::string("\n") + additional_policy_ +
std::string("\n") + third_policy_;
}; };
TEST_F(WritePolicyTest, OneFile) TEST_F(WritePolicyTest, OneFile)
{ {
std::string final_string; std::string final_string;
android::base::unique_fd fd(android::WritePolicyToPipe(base_policy_, std::string())); // vector with an empty pathname
android::base::unique_fd fd(android::WritePolicyToPipe(base_policy_, {std::string()}));
EXPECT_LE(0, fd.get());
bool success = android::base::ReadFdToString(fd.get(), &final_string);
EXPECT_TRUE(success);
EXPECT_EQ(final_string, base_policy_);
}
TEST_F(WritePolicyTest, OneFileAlternate)
{
std::string final_string;
// empty vector
android::base::unique_fd fd(android::WritePolicyToPipe(base_policy_, {}));
EXPECT_LE(0, fd.get()); EXPECT_LE(0, fd.get());
bool success = android::base::ReadFdToString(fd.get(), &final_string); bool success = android::base::ReadFdToString(fd.get(), &final_string);
EXPECT_TRUE(success); EXPECT_TRUE(success);
@ -50,9 +69,19 @@ TEST_F(WritePolicyTest, OneFile)
TEST_F(WritePolicyTest, TwoFiles) TEST_F(WritePolicyTest, TwoFiles)
{ {
std::string final_string; std::string final_string;
android::base::unique_fd fd(android::WritePolicyToPipe(base_policy_, additional_policy_)); android::base::unique_fd fd(android::WritePolicyToPipe(base_policy_, {additional_policy_}));
EXPECT_LE(0, fd.get()); EXPECT_LE(0, fd.get());
bool success = android::base::ReadFdToString(fd.get(), &final_string); bool success = android::base::ReadFdToString(fd.get(), &final_string);
EXPECT_TRUE(success); EXPECT_TRUE(success);
EXPECT_EQ(final_string, full_policy_); EXPECT_EQ(final_string, full_policy_);
} }
TEST_F(WritePolicyTest, ThreeFiles)
{
std::string final_string;
android::base::unique_fd fd(android::WritePolicyToPipe(base_policy_, {additional_policy_, third_policy_}));
EXPECT_LE(0, fd.get());
bool success = android::base::ReadFdToString(fd.get(), &final_string);
EXPECT_TRUE(success);
EXPECT_EQ(final_string, triple_policy_);
}

39
services/minijail/minijail.cpp
Unescape View File

@ -29,7 +29,7 @@
namespace android { namespace android {
int WritePolicyToPipe(const std::string& base_policy_content, int WritePolicyToPipe(const std::string& base_policy_content,
const std::string& additional_policy_content) const std::vector<std::string>& additional_policy_contents)
{ {
int pipefd[2]; int pipefd[2];
if (pipe(pipefd) == -1) { if (pipe(pipefd) == -1) {
@ -40,9 +40,11 @@ int WritePolicyToPipe(const std::string& base_policy_content,
base::unique_fd write_end(pipefd[1]); base::unique_fd write_end(pipefd[1]);
std::string content = base_policy_content; std::string content = base_policy_content;
if (additional_policy_content.length() > 0) { for (auto one_content : additional_policy_contents) {
content += "\n"; if (one_content.length() > 0) {
content += additional_policy_content; content += "\n";
content += one_content;
}
} }
if (!base::WriteStringToFd(content, write_end.get())) { if (!base::WriteStringToFd(content, write_end.get())) {
@ -53,29 +55,40 @@ int WritePolicyToPipe(const std::string& base_policy_content,
return pipefd[0]; return pipefd[0];
} }
void SetUpMinijail(const std::string& base_policy_path, const std::string& additional_policy_path) void SetUpMinijail(const std::string& base_policy_path,
const std::string& additional_policy_path)
{
SetUpMinijailList(base_policy_path, {additional_policy_path});
}
void SetUpMinijailList(const std::string& base_policy_path,
const std::vector<std::string>& additional_policy_paths)
{ {
// No seccomp policy defined for this architecture. // No seccomp policy defined for this architecture.
if (access(base_policy_path.c_str(), R_OK) == -1) { if (access(base_policy_path.c_str(), R_OK) == -1) {
LOG(WARNING) << "No seccomp policy defined for this architecture."; // LOG(WARNING) << "No seccomp policy defined for this architecture.";
LOG(WARNING) << "missing base seccomp_policy file '" << base_policy_path << "'";
return; return;
} }
std::string base_policy_content; std::string base_policy_content;
std::string additional_policy_content; std::vector<std::string> additional_policy_contents;
if (!base::ReadFileToString(base_policy_path, &base_policy_content, if (!base::ReadFileToString(base_policy_path, &base_policy_content,
false /* follow_symlinks */)) { false /* follow_symlinks */)) {
LOG(FATAL) << "Could not read base policy file '" << base_policy_path << "'"; LOG(FATAL) << "Could not read base policy file '" << base_policy_path << "'";
} }
if (additional_policy_path.length() > 0 && for (auto one_policy_path : additional_policy_paths) {
!base::ReadFileToString(additional_policy_path, &additional_policy_content, std::string one_policy_content;
false /* follow_symlinks */)) { if (one_policy_path.length() > 0 &&
LOG(WARNING) << "Could not read additional policy file '" << additional_policy_path << "'"; !base::ReadFileToString(one_policy_path, &one_policy_content,
additional_policy_content = std::string(); false /* follow_symlinks */)) {
LOG(WARNING) << "Could not read additional policy file '" << one_policy_path << "'";
}
additional_policy_contents.push_back(one_policy_content);
} }
base::unique_fd policy_fd(WritePolicyToPipe(base_policy_content, additional_policy_content)); base::unique_fd policy_fd(WritePolicyToPipe(base_policy_content, additional_policy_contents));
if (policy_fd.get() == -1) { if (policy_fd.get() == -1) {
LOG(FATAL) << "Could not write seccomp policy to fd"; LOG(FATAL) << "Could not write seccomp policy to fd";
} }

8
services/minijail/minijail.h
Unescape View File

@ -16,11 +16,15 @@
#define AV_SERVICES_MINIJAIL_MINIJAIL #define AV_SERVICES_MINIJAIL_MINIJAIL
#include <string> #include <string>
#include <vector>
namespace android { namespace android {
int WritePolicyToPipe(const std::string& base_policy_content, int WritePolicyToPipe(const std::string& base_policy_content,
const std::string& additional_policy_content); const std::vector<std::string>& additional_policy_contents);
void SetUpMinijail(const std::string& base_policy_path, const std::string& additional_policy_path); void SetUpMinijail(const std::string& base_policy_path,
const std::string& additional_policy_path);
void SetUpMinijailList(const std::string& base_policy_path,
const std::vector<std::string>& additional_policy_paths);
} }
#endif // AV_SERVICES_MINIJAIL_MINIJAIL #endif // AV_SERVICES_MINIJAIL_MINIJAIL

Write Preview
Loading…
Cancel
Save