OLD | NEW |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/suid/client/setuid_sandbox_host.h" | 5 #include "sandbox/linux/suid/client/setuid_sandbox_host.h" |
6 | 6 |
7 #include <fcntl.h> | 7 #include <fcntl.h> |
8 #include <stdlib.h> | 8 #include <stdlib.h> |
9 #include <sys/stat.h> | 9 #include <sys/stat.h> |
10 #include <unistd.h> | 10 #include <unistd.h> |
(...skipping 112 matching lines...)
123 base::FilePath sandbox_binary; | 123 base::FilePath sandbox_binary; |
124 base::FilePath exe_dir; | 124 base::FilePath exe_dir; |
125 if (PathService::Get(base::DIR_EXE, &exe_dir)) { | 125 if (PathService::Get(base::DIR_EXE, &exe_dir)) { |
126 base::FilePath sandbox_candidate = exe_dir.AppendASCII("chrome-sandbox"); | 126 base::FilePath sandbox_candidate = exe_dir.AppendASCII("chrome-sandbox"); |
127 if (base::PathExists(sandbox_candidate)) | 127 if (base::PathExists(sandbox_candidate)) |
128 sandbox_binary = sandbox_candidate; | 128 sandbox_binary = sandbox_candidate; |
129 } | 129 } |
130 | 130 |
131 // In user-managed builds, including development builds, an environment | 131 // In user-managed builds, including development builds, an environment |
132 // variable is required to enable the sandbox. See | 132 // variable is required to enable the sandbox. See |
133 // http://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment | 133 // https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_san
dbox_development.md |
134 struct stat st; | 134 struct stat st; |
135 if (sandbox_binary.empty() && stat(base::kProcSelfExe, &st) == 0 && | 135 if (sandbox_binary.empty() && stat(base::kProcSelfExe, &st) == 0 && |
136 st.st_uid == getuid()) { | 136 st.st_uid == getuid()) { |
137 const char* devel_sandbox_path = GetDevelSandboxPath(); | 137 const char* devel_sandbox_path = GetDevelSandboxPath(); |
138 if (devel_sandbox_path) { | 138 if (devel_sandbox_path) { |
139 sandbox_binary = base::FilePath(devel_sandbox_path); | 139 sandbox_binary = base::FilePath(devel_sandbox_path); |
140 } | 140 } |
141 } | 141 } |
142 | 142 |
143 return sandbox_binary; | 143 return sandbox_binary; |
144 } | 144 } |
145 | 145 |
146 void SetuidSandboxHost::PrependWrapper(base::CommandLine* cmd_line) { | 146 void SetuidSandboxHost::PrependWrapper(base::CommandLine* cmd_line) { |
147 std::string sandbox_binary(GetSandboxBinaryPath().value()); | 147 std::string sandbox_binary(GetSandboxBinaryPath().value()); |
148 struct stat st; | 148 struct stat st; |
149 if (sandbox_binary.empty() || stat(sandbox_binary.c_str(), &st) != 0) { | 149 if (sandbox_binary.empty() || stat(sandbox_binary.c_str(), &st) != 0) { |
150 LOG(FATAL) << "The SUID sandbox helper binary is missing: " | 150 LOG(FATAL) << "The SUID sandbox helper binary is missing: " |
151 << sandbox_binary << " Aborting now. See " | 151 << sandbox_binary << " Aborting now. See " |
152 "https://code.google.com/p/chromium/wiki/" | 152 "https://chromium.googlesource.com/" |
153 "LinuxSUIDSandboxDevelopment."; | 153 "chromium/src/+/master/docs/" |
| 154 "linux_suid_sandbox_development.md."; |
154 } | 155 } |
155 | 156 |
156 if (access(sandbox_binary.c_str(), X_OK) != 0 || (st.st_uid != 0) || | 157 if (access(sandbox_binary.c_str(), X_OK) != 0 || (st.st_uid != 0) || |
157 ((st.st_mode & S_ISUID) == 0) || ((st.st_mode & S_IXOTH)) == 0) { | 158 ((st.st_mode & S_ISUID) == 0) || ((st.st_mode & S_IXOTH)) == 0) { |
158 LOG(FATAL) << "The SUID sandbox helper binary was found, but is not " | 159 LOG(FATAL) << "The SUID sandbox helper binary was found, but is not " |
159 "configured correctly. Rather than run without sandboxing " | 160 "configured correctly. Rather than run without sandboxing " |
160 "I'm aborting now. You need to make sure that " | 161 "I'm aborting now. You need to make sure that " |
161 << sandbox_binary << " is owned by root and has mode 4755."; | 162 << sandbox_binary << " is owned by root and has mode 4755."; |
162 } | 163 } |
163 | 164 |
(...skipping 22 matching lines...)
186 // kZygoteIdFd. Fixing this requires a sandbox API change. :( | 187 // kZygoteIdFd. Fixing this requires a sandbox API change. :( |
187 fds_to_remap->push_back(std::make_pair(dummy_fd->get(), kZygoteIdFd)); | 188 fds_to_remap->push_back(std::make_pair(dummy_fd->get(), kZygoteIdFd)); |
188 } | 189 } |
189 | 190 |
190 void SetuidSandboxHost::SetupLaunchEnvironment() { | 191 void SetuidSandboxHost::SetupLaunchEnvironment() { |
191 SaveSUIDUnsafeEnvironmentVariables(env_.get()); | 192 SaveSUIDUnsafeEnvironmentVariables(env_.get()); |
192 SetSandboxAPIEnvironmentVariable(env_.get()); | 193 SetSandboxAPIEnvironmentVariable(env_.get()); |
193 } | 194 } |
194 | 195 |
195 } // namespace sandbox | 196 } // namespace sandbox |
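Review bot: The new link in the first LOG(FATAL) message of PrependWrapper (new lines 152-154) ends with the sentence period fused to the file name, `"linux_suid_sandbox_development.md."`, so a URL copied from the abort output may not resolve. I would end the literal at `"linux_suid_sandbox_development.md"` and keep the punctuation away from the link. Both new URLs, including the comment at new line 133, are pinned to the `master` ref and can go stale if that branch is renamed; a `+/HEAD/docs/linux_suid_sandbox_development.md` link follows the default branch instead. This message appears to be the main pointer a user gets when the setuid helper is missing or misconfigured, so a link that resolves keeps them on the documented fix rather than looking for ways to run without the sandbox. PrependWrapper continues into the collapsed lines after new line 164, so this covers only the visible part.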