| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright (c) 2009 The Chromium OS Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 // Some portions Copyright (c) 2009 The Chromium Authors. |
| 5 // |
| 6 // Default implementation of the Env interface. |
| 7 |
| 8 #include "minijail/env.h" |
| 9 |
| 10 #include <asm/unistd.h> |
| 11 #include <errno.h> |
| 12 #include <fcntl.h> |
| 13 #include <grp.h> |
| 14 #include <sched.h> |
| 15 #include <signal.h> |
| 16 #include <stdarg.h> |
| 17 #include <stdbool.h> |
| 18 #include <stdio.h> |
| 19 #include <stdlib.h> |
| 20 #include <string.h> |
| 21 #include <sys/capability.h> |
| 22 #include <sys/mount.h> |
| 23 #include <sys/prctl.h> |
| 24 #include <sys/resource.h> |
| 25 #include <sys/socket.h> |
| 26 #include <sys/stat.h> |
| 27 #include <sys/time.h> |
| 28 #include <sys/types.h> |
| 29 #include <unistd.h> |
| 30 |
| 31 #include <base/logging.h> |
| 32 |
| 33 // prctl constants that are still missing in the headers. |
| 34 #define PR_GET_KEEPCAPS 7 |
| 35 #define PR_SET_KEEPCAPS 8 |
| 36 #define PR_CAPBSET_READ 23 |
| 37 #define PR_CAPBSET_DROP 24 |
| 38 #define PR_GET_SECUREBITS 27 |
| 39 #define PR_SET_SECUREBITS 28 |
| 40 |
| 41 namespace chromeos { |
| 42 |
| 43 namespace minijail { |
| 44 |
| 45 bool Env::DisableTracing() const { |
| 46 DLOG(INFO) << "Disabling DUMPABLE..."; |
| 47 if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)) { |
| 48 PLOG(FATAL) << "Failed to set PR_SET_KEEPCAPS"; |
| 49 } |
| 50 if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) { |
| 51 LOG(FATAL) << "PR_SET_DUMPABLE could not be set"; |
| 52 } |
| 53 DLOG(INFO) << "Success"; |
| 54 return true; |
| 55 } |
| 56 |
| 57 bool Env::KeepRootCapabilities() const { |
| 58 DLOG(INFO) << "Enabling KEEPCAPS..."; |
| 59 if (prctl(PR_SET_KEEPCAPS, 1) < 0) { |
| 60 PLOG(FATAL) << "Failed to set PR_SET_KEEPCAPS"; |
| 61 } |
| 62 if (prctl(PR_GET_KEEPCAPS, 0) != 1) { |
| 63 LOG(FATAL) << "PR_GET_KEEPCAPS could not be set"; |
| 64 } |
| 65 |
| 66 DLOG(INFO) << "Success."; |
| 67 return true; |
| 68 } |
| 69 |
| 70 bool Env::DisableDefaultRootPrivileges() const { |
| 71 DLOG(INFO) << "Enabling SECURE_ALL..."; |
| 72 // From: kernel/include/linux/securebits.h: |
| 73 // http://git.chromium.org/cgi-bin/gitweb.cgi?p=kernel.git;a=blob;f=include/li
nux/securebits.h |
| 74 const int kSecureBitsAllLocked = 0x3f; |
| 75 if (prctl(PR_SET_SECUREBITS, kSecureBitsAllLocked)) { |
| 76 PLOG(FATAL) << "Failed to set PR_SET_SECUREBITS"; |
| 77 } |
| 78 DLOG(INFO) << "Success."; |
| 79 return true; |
| 80 } |
| 81 |
| 82 bool Env::ChangeUser(uid_t uid, gid_t gid) const { |
| 83 // TODO(wad) support supplemental groups |
| 84 DLOG(INFO) << "Dropping root..."; |
| 85 if (setgroups(0, NULL)) { |
| 86 PLOG(FATAL) << "Failed to drop supplementary groups"; |
| 87 } |
| 88 if (setresgid(gid, gid, gid)) { |
| 89 PLOG(FATAL) << "Failed to change to gid " << gid; |
| 90 } |
| 91 if (setresuid(uid, uid, uid)) { |
| 92 PLOG(FATAL) << "Failed to change to uid " << uid; |
| 93 } |
| 94 DLOG(INFO) << "Success."; |
| 95 return true; |
| 96 } |
| 97 |
| 98 // At present, the total number of capabilities is less than 32. We |
| 99 // will just pack them into a bitmask to save on effort. |
| 100 bool Env::SanitizeBoundingSet(uint64 cap_mask) const { |
| 101 unsigned int cap; |
| 102 DLOG(INFO) << "Cleaning the bounding set..."; |
| 103 // XXX: we read until prctl complains but that may not |
| 104 // match CAP_LAST_CAP. We'll just drop the excess if it turns up. |
| 105 // We mustnĀ“t drop CAP_SETPCAP on the way though. |
| 106 static const uint32 kBitsInAByte = 8; |
| 107 static const uint32 kMaxCaps = sizeof(cap_mask) * kBitsInAByte; |
| 108 for (cap = 0; cap < kMaxCaps && prctl(PR_CAPBSET_READ, cap) >= 0; ++cap) { |
| 109 if (cap == CAP_SETPCAP) { |
| 110 continue; |
| 111 } |
| 112 if (cap_mask & (1ULL << (cap))) { |
| 113 DLOG(INFO) << "Leaving cap " << cap << " in bounding set"; |
| 114 continue; |
| 115 } |
| 116 if (prctl(PR_CAPBSET_DROP, cap)) { |
| 117 PLOG(FATAL) << "Failed to clean the bounding set of cap " << cap; |
| 118 } |
| 119 } |
| 120 DLOG(INFO) << "Success."; |
| 121 return true; |
| 122 } |
| 123 |
| 124 bool Env::SanitizeCapabilities(uint64 effective_capmask) const { |
| 125 DLOG(INFO) << "Dropping capabilities..."; |
| 126 unsigned int cap; |
| 127 cap_t caps = cap_get_proc(); |
| 128 cap_value_t raise_flag[1]; |
| 129 if (!caps) { |
| 130 PLOG(FATAL) << "cap_get_proc failed"; |
| 131 } |
| 132 if (cap_clear_flag(caps, CAP_INHERITABLE)) { |
| 133 PLOG(FATAL) << "Failed to clear all inheritable caps"; |
| 134 } |
| 135 if (cap_clear_flag(caps, CAP_EFFECTIVE)) { |
| 136 PLOG(FATAL) << "Failed to clear all effective caps"; |
| 137 } |
| 138 if (cap_clear_flag(caps, CAP_PERMITTED)) { |
| 139 PLOG(FATAL) << "Failed to clear all permitted caps"; |
| 140 } |
| 141 for (cap = 0; cap < sizeof(effective_capmask)*8; ++cap) { |
| 142 // In a secure_noroot jail, cap_setpcap is safe. |
| 143 if (cap == CAP_SETPCAP || |
| 144 effective_capmask & (1 << cap)) { |
| 145 raise_flag[0] = cap; |
| 146 DLOG(INFO) << "Adding cap " << cap << "=eip"; |
| 147 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, raise_flag, CAP_SET)) { |
| 148 PLOG(FATAL) << "Failed to add cap " << cap << " to the effective set"; |
| 149 } |
| 150 if (cap_set_flag(caps, CAP_PERMITTED, 1, raise_flag, CAP_SET)) { |
| 151 PLOG(FATAL) << "Failed to add cap " << cap << " to the permitted set"; |
| 152 } |
| 153 if (cap_set_flag(caps, CAP_INHERITABLE, 1, raise_flag, CAP_SET)) { |
| 154 PLOG(FATAL) << "Failed to add cap " << cap << " to the inherite set"; |
| 155 } |
| 156 } |
| 157 } |
| 158 if (cap_set_proc(caps)) { |
| 159 PLOG(FATAL) << "Failed to apply cleaned capset"; |
| 160 } |
| 161 cap_free(caps); |
| 162 DLOG(INFO) << "Success."; |
| 163 return true; |
| 164 } |
| 165 |
| 166 bool Env::FilterSyscallsBySource() const { |
| 167 DLOG(INFO) << "Calling seccomp(2)"; |
| 168 if (prctl(PR_SET_SECCOMP, 2)) { |
| 169 PLOG(FATAL) << "Failed to enabled seccomp(2)"; |
| 170 } |
| 171 DLOG(INFO) << "System calls now filtered by source"; |
| 172 return true; |
| 173 } |
| 174 |
| 175 bool Env::FilterSyscallsBenchmarkOnly() const { |
| 176 DLOG(INFO) << "Calling seccomp(3)"; |
| 177 if (prctl(PR_SET_SECCOMP, 3)) { |
| 178 PLOG(FATAL) << "Failed to enabled seccomp(3)"; |
| 179 } |
| 180 DLOG(INFO) << "System calls now nop filtered"; |
| 181 return true; |
| 182 } |
| 183 |
| 184 bool Env::EnterNamespace(int namespaces) const { |
| 185 if (namespaces == 0) { |
| 186 DLOG(INFO) << "No namespacing to be done."; |
| 187 return true; |
| 188 } |
| 189 DLOG(INFO) << "Entering namespaces " << namespaces; |
| 190 // TODO(wad) support namespace args |
| 191 const pid_t pid = syscall( |
| 192 __NR_clone, namespaces | CLONE_VFORK | SIGCHLD, 0, 0, 0); |
| 193 if (pid == -1) { |
| 194 PLOG(FATAL) << "Could not use PID namespacing"; |
| 195 return false; |
| 196 } |
| 197 if (pid) { |
| 198 // Kill the original process without atexit handlers. |
| 199 DLOG(INFO) << "original process death:" << pid; |
| 200 _exit(0); |
| 201 } |
| 202 DLOG(INFO) << "Success: " << getpid(); |
| 203 return true; |
| 204 } |
| 205 |
| 206 bool Env::Mount() const { |
| 207 DLOG(INFO) << "Attempting to mount /proc RO."; |
| 208 if (mount("proc", |
| 209 "/proc", |
| 210 "proc", |
| 211 MS_NODEV|MS_NOEXEC|MS_NOSUID|MS_RDONLY, |
| 212 "")) { |
| 213 PLOG(FATAL) << "Failed to mount a local /proc"; |
| 214 } |
| 215 DLOG(INFO) << "Success."; |
| 216 return true; |
| 217 } |
| 218 |
| 219 bool Env::Run(const char *path, char * const *argv, char * const *envp) const { |
| 220 // TODO(wad) log-pid option |
| 221 DLOG(INFO) << "Executing: " << path << " with args: "; |
| 222 for (char * const* arg = argv; *arg; ++arg) { |
| 223 DLOG(INFO) << "-> " << *arg; |
| 224 } |
| 225 execve(path, argv, envp); |
| 226 PLOG(FATAL) << "failed to execute " << path; |
| 227 return false; |
| 228 } |
| 229 |
| 230 } // namespace minijail |
| 231 } // namespace chromeos |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 466049:
Baseline minijail with a commandline switch driven main. (Closed)
