OLD | NEW |
1 // Copyright (c) 2009 The Chromium OS Authors. All rights reserved. | 1 // Copyright (c) 2009 The Chromium OS Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 // Some portions Copyright (c) 2009 The Chromium Authors. | 4 // Some portions Copyright (c) 2009 The Chromium Authors. |
5 // | 5 // |
6 // Default implementation of the Env interface. | 6 // Default implementation of the Env interface. |
7 | 7 |
8 #include "minijail/env.h" | 8 #include "minijail/env.h" |
9 | 9 |
10 #include <asm/unistd.h> | 10 #include <asm/unistd.h> |
11 #include <errno.h> | 11 #include <errno.h> |
12 #include <fcntl.h> | 12 #include <fcntl.h> |
13 #include <grp.h> | 13 #include <grp.h> |
| 14 #include <pwd.h> |
14 #include <sched.h> | 15 #include <sched.h> |
15 #include <signal.h> | 16 #include <signal.h> |
16 #include <stdarg.h> | 17 #include <stdarg.h> |
17 #include <stdbool.h> | 18 #include <stdbool.h> |
18 #include <stdio.h> | 19 #include <stdio.h> |
19 #include <stdlib.h> | 20 #include <stdlib.h> |
20 #include <string.h> | 21 #include <string.h> |
21 #include <sys/capability.h> | 22 #include <sys/capability.h> |
22 #include <sys/mount.h> | 23 #include <sys/mount.h> |
23 #include <sys/prctl.h> | 24 #include <sys/prctl.h> |
(...skipping 51 matching lines...)
75 if (prctl(PR_SET_SECUREBITS, kSecureBitsAllLocked)) { | 76 if (prctl(PR_SET_SECUREBITS, kSecureBitsAllLocked)) { |
76 PLOG(FATAL) << "Failed to set PR_SET_SECUREBITS"; | 77 PLOG(FATAL) << "Failed to set PR_SET_SECUREBITS"; |
77 } | 78 } |
78 DLOG(INFO) << "Success."; | 79 DLOG(INFO) << "Success."; |
79 return true; | 80 return true; |
80 } | 81 } |
81 | 82 |
82 bool Env::ChangeUser(uid_t uid, gid_t gid) const { | 83 bool Env::ChangeUser(uid_t uid, gid_t gid) const { |
83 // TODO(wad) support supplemental groups | 84 // TODO(wad) support supplemental groups |
84 DLOG(INFO) << "Dropping root..."; | 85 DLOG(INFO) << "Dropping root..."; |
85 if (setgroups(0, NULL)) { | 86 struct passwd* entry = getpwuid(uid); |
86 PLOG(FATAL) << "Failed to drop supplementary groups"; | 87 endpwent(); |
| 88 if (!entry) { |
| 89 LOG(INFO) << "UID is unknown. Clearing all supplemental groups"; |
| 90 PLOG_IF(FATAL, setgroups(0, NULL)) |
| 91 << "Failed to clear supplementary groups"; |
| 92 } else { |
| 93 PLOG_IF(FATAL, initgroups(entry->pw_name, entry->pw_gid)) |
| 94 << "Failed to set supplementary groups"; |
87 } | 95 } |
88 if (setresgid(gid, gid, gid)) { | 96 if (setresgid(gid, gid, gid)) { |
89 PLOG(FATAL) << "Failed to change to gid " << gid; | 97 PLOG(FATAL) << "Failed to change to gid " << gid; |
90 } | 98 } |
91 if (setresuid(uid, uid, uid)) { | 99 if (setresuid(uid, uid, uid)) { |
92 PLOG(FATAL) << "Failed to change to uid " << uid; | 100 PLOG(FATAL) << "Failed to change to uid " << uid; |
93 } | 101 } |
94 DLOG(INFO) << "Success."; | 102 DLOG(INFO) << "Success."; |
95 return true; | 103 return true; |
96 } | 104 } |
(...skipping 125 matching lines...)
222 for (char * const* arg = argv; *arg; ++arg) { | 230 for (char * const* arg = argv; *arg; ++arg) { |
223 DLOG(INFO) << "-> " << *arg; | 231 DLOG(INFO) << "-> " << *arg; |
224 } | 232 } |
225 execve(path, argv, envp); | 233 execve(path, argv, envp); |
226 PLOG(FATAL) << "failed to execute " << path; | 234 PLOG(FATAL) << "failed to execute " << path; |
227 return false; | 235 return false; |
228 } | 236 } |
229 | 237 |
230 } // namespace minijail | 238 } // namespace minijail |
231 } // namespace chromeos | 239 } // namespace chromeos |
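Review bot: In the new `else` branch of `Env::ChangeUser` (new lines 92-94), `initgroups(entry->pw_name, entry->pw_gid)` seeds the supplementary list with the passwd entry's primary group, while the `setresgid(gid, gid, gid)` that follows applies the caller-supplied `gid`. If callers can pass a gid that differs from the passwd entry (not visible on this page), the process keeps membership in a group it was not asked to run as; `initgroups(entry->pw_name, gid)` would keep the two consistent. `endpwent()` also runs before `entry->pw_name` is read although `getpwuid` returns static storage, so I would move it after the `initgroups` call or use `getpwuid_r` with a local buffer. The `setgroups`/`initgroups` calls sit inside the `PLOG_IF(FATAL, ...)` condition, unlike the `if (...) { PLOG(FATAL) ... }` form used for `setresgid`/`setresuid` just below; keeping the privilege-dropping call outside the logging macro means it cannot be skipped if the macro's evaluation ever changes. The `// TODO(wad) support supplemental groups` comment on new line 84 looks stale after this change.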