1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/services/namespace_sandbox.h" | 5 #include "sandbox/linux/services/namespace_sandbox.h" |
6 | 6 |
7 #include <sched.h> | 7 #include <sched.h> |
8 #include <signal.h> | 8 #include <signal.h> |
9 #include <stdlib.h> | 9 #include <stdlib.h> |
10 #include <sys/types.h> | 10 #include <sys/types.h> |
11 #include <unistd.h> | 11 #include <unistd.h> |
12 | 12 |
13 #include <string> | 13 #include <string> |
14 #include <utility> | 14 #include <utility> |
15 #include <vector> | 15 #include <vector> |
16 | 16 |
17 #include "base/command_line.h" | 17 #include "base/command_line.h" |
18 #include "base/environment.h" | 18 #include "base/environment.h" |
19 #include "base/files/scoped_file.h" | 19 #include "base/files/scoped_file.h" |
20 #include "base/logging.h" | 20 #include "base/logging.h" |
21 #include "base/macros.h" | 21 #include "base/macros.h" |
22 #include "base/posix/eintr_wrapper.h" | 22 #include "base/posix/eintr_wrapper.h" |
23 #include "base/process/launch.h" | 23 #include "base/process/launch.h" |
24 #include "base/process/process.h" | 24 #include "base/process/process.h" |
25 #include "sandbox/linux/services/credentials.h" | 25 #include "sandbox/linux/services/credentials.h" |
26 #include "sandbox/linux/services/namespace_utils.h" | 26 #include "sandbox/linux/services/namespace_utils.h" |
27 #include "sandbox/linux/system_headers/linux_signal.h" | |
27 | 28 |
28 namespace sandbox { | 29 namespace sandbox { |
29 | 30 |
30 namespace { | 31 namespace { |
31 | 32 |
32 const char kSandboxUSERNSEnvironmentVarName[] = "SBX_USER_NS"; | 33 const char kSandboxUSERNSEnvironmentVarName[] = "SBX_USER_NS"; |
33 const char kSandboxPIDNSEnvironmentVarName[] = "SBX_PID_NS"; | 34 const char kSandboxPIDNSEnvironmentVarName[] = "SBX_PID_NS"; |
34 const char kSandboxNETNSEnvironmentVarName[] = "SBX_NET_NS"; | 35 const char kSandboxNETNSEnvironmentVarName[] = "SBX_NET_NS"; |
35 | 36 |
36 #if !defined(OS_NACL_NONSFI) | 37 #if !defined(OS_NACL_NONSFI) |
58 const bool supports_deny_setgroups_; | 59 const bool supports_deny_setgroups_; |
59 DISALLOW_COPY_AND_ASSIGN(WriteUidGidMapDelegate); | 60 DISALLOW_COPY_AND_ASSIGN(WriteUidGidMapDelegate); |
60 }; | 61 }; |
61 | 62 |
62 void SetEnvironForNamespaceType(base::EnvironmentMap* environ, | 63 void SetEnvironForNamespaceType(base::EnvironmentMap* environ, |
63 base::NativeEnvironmentString env_var, | 64 base::NativeEnvironmentString env_var, |
64 bool value) { | 65 bool value) { |
65 // An empty string causes the env var to be unset in the child process. | 66 // An empty string causes the env var to be unset in the child process. |
66 (*environ)[env_var] = value ? "1" : ""; | 67 (*environ)[env_var] = value ? "1" : ""; |
67 } | 68 } |
69 #endif // !defined(OS_NACL_NONSFI) | |
68 | 70 |
69 // Linux supports up to 64 signals. This should be updated if that ever changes. | 71 // Linux supports up to 64 signals. This should be updated if that ever changes. |
70 int g_signal_exit_codes[64]; | 72 int g_signal_exit_codes[64]; |
71 | 73 |
72 void TerminationSignalHandler(int sig) { | 74 void TerminationSignalHandler(int sig) { |
73 // Return a special exit code so that the process is detected as terminated by | 75 // Return a special exit code so that the process is detected as terminated by |
74 // a signal. | 76 // a signal. |
75 const size_t sig_idx = static_cast<size_t>(sig); | 77 const size_t sig_idx = static_cast<size_t>(sig); |
76 if (sig_idx < arraysize(g_signal_exit_codes)) { | 78 if (sig_idx < arraysize(g_signal_exit_codes)) { |
77 _exit(g_signal_exit_codes[sig_idx]); | 79 _exit(g_signal_exit_codes[sig_idx]); |
78 } | 80 } |
79 | 81 |
80 _exit(NamespaceSandbox::kDefaultExitCode); | 82 _exit(NamespaceSandbox::kDefaultExitCode); |
81 } | 83 } |
82 #endif // !defined(OS_NACL_NONSFI) | |
83 | 84 |
84 } // namespace | 85 } // namespace |
85 | 86 |
86 #if !defined(OS_NACL_NONSFI) | 87 #if !defined(OS_NACL_NONSFI) |
87 // static | 88 // static |
88 base::Process NamespaceSandbox::LaunchProcess( | 89 base::Process NamespaceSandbox::LaunchProcess( |
89 const base::CommandLine& cmdline, | 90 const base::CommandLine& cmdline, |
90 const base::LaunchOptions& options) { | 91 const base::LaunchOptions& options) { |
91 return LaunchProcess(cmdline.argv(), options); | 92 return LaunchProcess(cmdline.argv(), options); |
92 } | 93 } |
122 | 123 |
123 base::EnvironmentMap* environ = &launch_options.environ; | 124 base::EnvironmentMap* environ = &launch_options.environ; |
124 for (const auto& entry : clone_flag_environ) { | 125 for (const auto& entry : clone_flag_environ) { |
125 const int flag = entry.first; | 126 const int flag = entry.first; |
126 const char* environ_name = entry.second; | 127 const char* environ_name = entry.second; |
127 SetEnvironForNamespaceType(environ, environ_name, clone_flags & flag); | 128 SetEnvironForNamespaceType(environ, environ_name, clone_flags & flag); |
128 } | 129 } |
129 | 130 |
130 return base::LaunchProcess(argv, launch_options); | 131 return base::LaunchProcess(argv, launch_options); |
131 } | 132 } |
133 #endif // !defined(OS_NACL_NONSFI) | |
132 | 134 |
133 // static | 135 // static |
134 pid_t NamespaceSandbox::ForkInNewPidNamespace(bool drop_capabilities_in_child) { | 136 pid_t NamespaceSandbox::ForkInNewPidNamespace(bool drop_capabilities_in_child) { |
135 const pid_t pid = | 137 const pid_t pid = |
136 base::ForkWithFlags(CLONE_NEWPID | SIGCHLD, nullptr, nullptr); | 138 base::ForkWithFlags(CLONE_NEWPID | LINUX_SIGCHLD, nullptr, nullptr); |
137 if (pid < 0) { | 139 if (pid < 0) { |
138 return pid; | 140 return pid; |
139 } | 141 } |
140 | 142 |
141 if (pid == 0) { | 143 if (pid == 0) { |
142 DCHECK_EQ(1, getpid()); | 144 DCHECK_EQ(1, getpid()); |
143 if (drop_capabilities_in_child) { | 145 if (drop_capabilities_in_child) { |
144 // Since we just forked, we are single-threaded, so this should be safe. | 146 // Since we just forked, we are single-threaded, so this should be safe. |
145 CHECK(Credentials::DropAllCapabilitiesOnCurrentThread()); | 147 CHECK(Credentials::DropAllCapabilitiesOnCurrentThread()); |
146 } | 148 } |
147 return 0; | 149 return 0; |
148 } | 150 } |
149 | 151 |
150 return pid; | 152 return pid; |
151 } | 153 } |
152 | 154 |
153 // static | 155 // static |
154 void NamespaceSandbox::InstallDefaultTerminationSignalHandlers() { | 156 void NamespaceSandbox::InstallDefaultTerminationSignalHandlers() { |
155 static const int kDefaultTermSignals[] = { | 157 static const int kDefaultTermSignals[] = { |
156 SIGHUP, SIGINT, SIGABRT, SIGQUIT, SIGPIPE, SIGTERM, SIGUSR1, SIGUSR2, | 158 SIGHUP, SIGINT, SIGABRT, SIGQUIT, SIGPIPE, SIGTERM, SIGUSR1, SIGUSR2, |
hidehiko
2015/06/16 05:41:53
These values are incompatible with Linux ABIs unde
rickyz (no longer on Chrome)
2015/06/16 20:57:06
Oops, thanks!
| |
157 }; | 159 }; |
158 | 160 |
159 for (const int sig : kDefaultTermSignals) { | 161 for (const int sig : kDefaultTermSignals) { |
160 InstallTerminationSignalHandler(sig, kDefaultExitCode); | 162 InstallTerminationSignalHandler(sig, kDefaultExitCode); |
161 } | 163 } |
162 } | 164 } |
163 | 165 |
164 // static | 166 // static |
165 bool NamespaceSandbox::InstallTerminationSignalHandler( | 167 bool NamespaceSandbox::InstallTerminationSignalHandler( |
166 int sig, | 168 int sig, |
167 int exit_code) { | 169 int exit_code) { |
168 struct sigaction old_action; | 170 struct sigaction old_action; |
169 PCHECK(sigaction(sig, nullptr, &old_action) == 0); | 171 PCHECK(sigaction(sig, nullptr, &old_action) == 0); |
hidehiko
2015/06/16 05:41:53
You'll need to call sys_sigaction instead. Ditto
rickyz (no longer on Chrome)
2015/06/16 20:57:07
Oops, done - do you know whether we need our own d
| |
170 | 172 |
173 #if !defined(OS_NACL_NONSFI) | |
171 if (old_action.sa_flags & SA_SIGINFO && | 174 if (old_action.sa_flags & SA_SIGINFO && |
172 old_action.sa_sigaction != nullptr) { | 175 old_action.sa_sigaction != nullptr) { |
173 return false; | 176 return false; |
174 } else if (old_action.sa_handler != SIG_DFL) { | 177 } else |
hidehiko
2015/06/16 05:41:53
nit: you don't need "else"
rickyz (no longer on Chrome)
2015/06/16 20:57:06
Done.
| |
178 #endif | |
179 if (old_action.sa_handler != SIG_DFL) { | |
hidehiko
2015/06/16 05:41:53
SIG_DFL needs to be LINUX_SIG_DFL.
rickyz (no longer on Chrome)
2015/06/16 20:57:06
Done.
| |
175 return false; | 180 return false; |
176 } | 181 } |
177 | 182 |
178 const size_t sig_idx = static_cast<size_t>(sig); | 183 const size_t sig_idx = static_cast<size_t>(sig); |
179 CHECK_LT(sig_idx, arraysize(g_signal_exit_codes)); | 184 CHECK_LT(sig_idx, arraysize(g_signal_exit_codes)); |
180 | 185 |
181 DCHECK_GE(exit_code, 0); | 186 DCHECK_GE(exit_code, 0); |
182 DCHECK_LT(exit_code, 256); | 187 DCHECK_LT(exit_code, 256); |
183 | 188 |
184 g_signal_exit_codes[sig_idx] = exit_code; | 189 g_signal_exit_codes[sig_idx] = exit_code; |
185 | 190 |
186 struct sigaction action = {}; | 191 struct sigaction action = {}; |
187 action.sa_handler = &TerminationSignalHandler; | 192 action.sa_handler = &TerminationSignalHandler; |
188 PCHECK(sigaction(sig, &action, nullptr) == 0); | 193 PCHECK(sigaction(sig, &action, nullptr) == 0); |
189 return true; | 194 return true; |
190 } | 195 } |
191 #endif // !defined(OS_NACL_NONSFI) | |
192 | 196 |
193 // static | 197 // static |
194 bool NamespaceSandbox::InNewUserNamespace() { | 198 bool NamespaceSandbox::InNewUserNamespace() { |
195 return getenv(kSandboxUSERNSEnvironmentVarName) != nullptr; | 199 return getenv(kSandboxUSERNSEnvironmentVarName) != nullptr; |
196 } | 200 } |
197 | 201 |
198 // static | 202 // static |
199 bool NamespaceSandbox::InNewPidNamespace() { | 203 bool NamespaceSandbox::InNewPidNamespace() { |
200 return getenv(kSandboxPIDNSEnvironmentVarName) != nullptr; | 204 return getenv(kSandboxPIDNSEnvironmentVarName) != nullptr; |
201 } | 205 } |
202 | 206 |
203 // static | 207 // static |
204 bool NamespaceSandbox::InNewNetNamespace() { | 208 bool NamespaceSandbox::InNewNetNamespace() { |
205 return getenv(kSandboxNETNSEnvironmentVarName) != nullptr; | 209 return getenv(kSandboxNETNSEnvironmentVarName) != nullptr; |
206 } | 210 } |
207 | 211 |
208 } // namespace sandbox | 212 } // namespace sandbox |
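Review bot: The `#if !defined(OS_NACL_NONSFI)` guard added around the `SA_SIGINFO` check in InstallTerminationSignalHandler (new lines 173–178) means that on the nonsfi build a previously installed `sa_sigaction`-style handler is only rejected if `old_action.sa_handler` happens to overlay the same storage; whether the nonsfi `struct sigaction` unions the two fields is not visible here, so please confirm, because if it does not the existing-handler check passes silently and the function replaces a handler it was meant to refuse. If the overlay does hold, a one-line comment above the guard should record it, e.g. `// On nonsfi sa_handler and sa_sigaction share storage, so the sa_handler check below also covers SA_SIGINFO handlers.` Separately, `g_signal_exit_codes[64]` at new line 72 is indexed by the raw signal number, which is 1-based on Linux, so SIGRTMAX (64) trips `CHECK_LT(sig_idx, arraysize(g_signal_exit_codes))` at new line 184 instead of being stored. If no caller is expected to pass it, the comment at new line 71 should say the table intentionally covers signals 1..63; otherwise give the array 65 entries.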