Created seccomp policy for webservd and modified webservd startup.

webservd is also now launched through /sbin/minijail0 (user, group, capabilities
and seccomp applied by the init job) instead of calling libminijail in-process.

This was manually tested under strace and minijail with the -L flag. The next step is dogfood.

Change-Id: If7b62014f0e932977985be4070a5d8ec2b9bf3f2
diff --git a/webservd/etc/init/webservd.conf b/webservd/etc/init/webservd.conf
index ef05d03..10ef9dd 100644
--- a/webservd/etc/init/webservd.conf
+++ b/webservd/etc/init/webservd.conf
@@ -28,7 +28,10 @@
   chown webservd:webservd /var/log/webservd
 end script
 
-exec /usr/bin/webservd \
+# CAP_NET_RAW, CAP_NET_BIND_SERVICE
+exec /sbin/minijail0 -c 0x2400 -u webservd -g webservd -G -L -n \
+    -S /usr/share/filters/webservd-seccomp.policy \
+    /usr/bin/webservd \
     --v="${WEBSERVD_LOG_LEVEL}" \
     --config_path="${WEBSERVD_CONFIG_PATH}" \
     --debug="${WEBSERVD_DEBUG}" \
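Review bot: The `-L` flag on the minijail0 line at L19 is a seccomp debugging switch (log filter failures) and the commit message says it was used for the manual test run, yet it is being shipped in the production upstart job; drop it before dogfood, `exec /sbin/minijail0 -c 0x2400 -u webservd -g webservd -G -n \`. In minijail's logging mode the filter also unconditionally permits the syscalls it needs to reach syslog (a socket/connect/send-family set plus a few others), so the policy's `socket:` argument restriction is presumably not enforced while `-L` is set — worth a run without it to confirm the policy is actually sufficient. The mask comment is right (CAP_NET_RAW is bit 13 = 0x2000, CAP_NET_BIND_SERVICE bit 10 = 0x400), but it should say why CAP_NET_RAW is new, e.g. `# CAP_NET_RAW (binding listeners to a specific interface, presumably SO_BINDTODEVICE), CAP_NET_BIND_SERVICE (ports < 1024)`. Note that no mount or pid namespace options are given, so the daemon keeps the full host filesystem view; that may be intentional for /var/log/webservd and the config path, but is worth a line in the comment.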
diff --git a/webservd/main.cc b/webservd/main.cc
index fe0dac8..ab86ef1 100644
--- a/webservd/main.cc
+++ b/webservd/main.cc
@@ -27,7 +27,6 @@
 #include <brillo/dbus/async_event_sequencer.h>
 #include <brillo/dbus/exported_object_manager.h>
 #include <brillo/daemons/dbus_daemon.h>
-#include <brillo/minijail/minijail.h>
 #endif  // __ANDROID__
 #include <brillo/flag_helper.h>
 #include <brillo/syslog_logging.h>
@@ -175,8 +174,7 @@
   }
 
   // For protocol handlers bound to specific network interfaces, we need root
-  // access to create those bound sockets. Do that here before we drop
-  // privileges.
+  // access to create those bound sockets.
   for (auto& handler_config : config.protocol_handlers) {
     if (!handler_config.interface_name.empty()) {
       int socket_fd =
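Review bot: The comment rewritten at L40-L43 still says the interface-bound sockets need "root access", but after this change the daemon never runs as root: minijail0 starts it as webservd with only CAP_NET_RAW and CAP_NET_BIND_SERVICE, so the accurate statement is that binding to an interface (presumably SO_BINDTODEVICE) needs CAP_NET_RAW, which is why that capability was added to the jail. Suggest `// For protocol handlers bound to specific network interfaces, creating the` / `// bound socket needs CAP_NET_RAW; the upstart job grants it via minijail0 -c.` so the next reader does not look for a privilege drop that no longer exists. The for loop body continues past the end of the hunk.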
@@ -193,20 +191,5 @@
   config.use_debug = FLAGS_debug;
   Daemon daemon{std::move(config)};
 
-  // TODO: Re-enable this for Android once minijail works with libcap-ng.
-#if !defined(__ANDROID__)
-  // Drop privileges and use 'webservd' user. We need to do this after Daemon
-  // object is constructed since it creates an instance of base::AtExitManager
-  // which is required for brillo::Minijail::GetInstance() to work.
-  brillo::Minijail* minijail_instance = brillo::Minijail::GetInstance();
-  minijail* jail = minijail_instance->New();
-  minijail_instance->DropRoot(jail, kWebServerUserName, kWebServerGroupName);
-  // Permissions needed for the daemon to allow it to bind to ports like TCP
-  // 80.
-  minijail_instance->UseCapabilities(jail, CAP_TO_MASK(CAP_NET_BIND_SERVICE));
-  minijail_enter(jail);
-  minijail_instance->Destroy(jail);
-#endif  // !defined(__ANDROID__)
-
   return daemon.Run();
 }
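Review bot: With the in-process privilege drop removed, `kWebServerUserName` and `kWebServerGroupName` (used only at L58 in the deleted block, as far as this hunk shows) are likely now unused; if nothing else in main.cc references them, delete them or -Wunused-const-variable will complain. The bigger concern is that the binary itself no longer has any defense against being launched outside the jail — run directly, /usr/bin/webservd now silently keeps full root and no seccomp filter, where the old code at least dropped to webservd on its own. A short comment above `Daemon daemon{std::move(config)};` recording that uid/gid, capabilities and the seccomp policy are applied by /sbin/minijail0 in etc/init/webservd.conf would keep the next reader from assuming the drop was lost by accident, and a `LOG_IF(WARNING, geteuid() == 0) << "webservd running as root; expected to be started via minijail0";` (needs <unistd.h> if not already included) would make a mis-deployment visible in the logs.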
diff --git a/webservd/usr/share/filters/webservd-seccomp.policy b/webservd/usr/share/filters/webservd-seccomp.policy
new file mode 100644
index 0000000..6cd8865
--- /dev/null
+++ b/webservd/usr/share/filters/webservd-seccomp.policy
@@ -0,0 +1,85 @@
+# Copyright 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+accept4: 1
+access: 1
+bind: 1
+brk: 1
+capget: 1
+capset: 1
+clock_getres: 1
+clock_gettime: 1
+close: 1
+connect: 1
+dup: 1
+epoll_create: 1
+epoll_ctl: 1
+epoll_wait: 1
+exit_group: 1
+fcntl64: 1
+fstat64: 1
+futex: 1
+getdents64: 1
+getegid32: 1
+geteuid32: 1
+getgid32: 1
+getresgid32: 1
+getresuid32: 1
+# arm
+ugetrlimit: 1
+getrusage: 1
+getsockname: 1
+gettid: 1
+gettimeofday: 1
+getuid32: 1
+listen: 1
+lstat64: 1
+mmap2: 1
+mprotect: 1
+munmap: 1
+open: 1
+openat: 1
+pipe: 1
+poll: 1
+prctl: 1
+read: 1
+readlink: 1
+recv: 1
+recvmsg: 1
+rename: 1
+rt_sigaction: 1
+rt_sigprocmask: 1
+# arm
+_newselect: 1
+send: 1
+sendmsg: 1
+set_robust_list: 1
+set_tid_address: 1
+# arm
+ARM_set_tls: 1
+setgroups32: 1
+setresgid32: 1
+setresuid32: 1
+setsockopt: 1
+shutdown: 1
+signalfd4: 1
+# socket: arg0 == PF_LOCAL || arg0 == PF_INET6 || arg0 == PF_INET
+socket: arg0 == 0x1 || arg0 == 0xa || arg0 == 0x2
+# socketpair: arg0 == PF_LOCAL
+socketpair: arg0 == 0x1
+stat64: 1
+tgkill: 1
+uname: 1
+unlink: 1
+write: 1
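Review bot: `rt_sigreturn` (and `sigreturn`, which 32-bit ARM glibc may still use) is missing from the policy even though `rt_sigaction` is allowed, so the first signal delivered to an installed handler would be killed by the filter when the handler returns; if minijail's logging mode whitelists that syscall this would not have shown up in the `-L` test run, so add `rt_sigreturn: 1` and `sigreturn: 1` and re-test without `-L`. `prctl: 1` is broader than needed — with `-n` set it is not an escalation path, but the usual pattern is to restrict it to what the daemon actually issues, e.g. `prctl: arg0 == PR_SET_NAME` (extend from strace). Every name here is a 32-bit one (`mmap2`, `fstat64`, `getuid32`, `ARM_set_tls`, `_newselect`) and there is no `socketcall`, so this file only fits ARM: a 64-bit target would die on its first `mmap`, and 32-bit x86 on pre-4.3 kernels routes `socket`/`bind`/`listen` through `socketcall`; since webservd.conf hardcodes a single policy path, either state the ARM-only assumption in a comment at the top of the file or install per-architecture policies. Consider also `mprotect: arg2 in ~PROT_EXEC` if the installed minijail supports the `in` operator, since the daemon has no visible need to create executable mappings.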