OLD | NEW |
---|---|
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/services/credentials.h" | 5 #include "sandbox/linux/services/credentials.h" |
6 | 6 |
7 #include <dirent.h> | 7 #include <dirent.h> |
8 #include <errno.h> | 8 #include <errno.h> |
9 #include <fcntl.h> | 9 #include <fcntl.h> |
10 #include <signal.h> | |
10 #include <stdio.h> | 11 #include <stdio.h> |
11 #include <sys/capability.h> | 12 #include <sys/capability.h> |
12 #include <sys/stat.h> | 13 #include <sys/stat.h> |
14 #include <sys/syscall.h> | |
13 #include <sys/types.h> | 15 #include <sys/types.h> |
16 #include <sys/wait.h> | |
14 #include <unistd.h> | 17 #include <unistd.h> |
15 | 18 |
16 #include "base/basictypes.h" | 19 #include "base/basictypes.h" |
17 #include "base/bind.h" | 20 #include "base/bind.h" |
18 #include "base/logging.h" | 21 #include "base/logging.h" |
22 #include "base/posix/eintr_wrapper.h" | |
19 #include "base/strings/string_number_conversions.h" | 23 #include "base/strings/string_number_conversions.h" |
20 #include "base/template_util.h" | 24 #include "base/template_util.h" |
25 #include "base/third_party/valgrind/valgrind.h" | |
21 #include "base/threading/thread.h" | 26 #include "base/threading/thread.h" |
22 | 27 |
23 namespace { | 28 namespace { |
24 | 29 |
30 bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; } | |
Jorge Lucangeli Obes
2014/02/28 22:59:58
At some point we should make a header with these f
| |
31 | |
25 struct CapFreeDeleter { | 32 struct CapFreeDeleter { |
26 inline void operator()(cap_t cap) const { | 33 inline void operator()(cap_t cap) const { |
27 int ret = cap_free(cap); | 34 int ret = cap_free(cap); |
28 CHECK_EQ(0, ret); | 35 CHECK_EQ(0, ret); |
29 } | 36 } |
30 }; | 37 }; |
31 | 38 |
32 // Wrapper to manage libcap2's cap_t type. | 39 // Wrapper to manage libcap2's cap_t type. |
33 typedef scoped_ptr<typeof(*((cap_t)0)), CapFreeDeleter> ScopedCap; | 40 typedef scoped_ptr<typeof(*((cap_t)0)), CapFreeDeleter> ScopedCap; |
34 | 41 |
(...skipping 104 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
139 base::Thread chrooter("sandbox_chrooter"); | 146 base::Thread chrooter("sandbox_chrooter"); |
140 if (!chrooter.Start()) return false; | 147 if (!chrooter.Start()) return false; |
141 bool is_chrooted = false; | 148 bool is_chrooted = false; |
142 chrooter.message_loop()->PostTask(FROM_HERE, | 149 chrooter.message_loop()->PostTask(FROM_HERE, |
143 base::Bind(&ChrootToThreadFdInfo, chrooter.thread_id(), &is_chrooted)); | 150 base::Bind(&ChrootToThreadFdInfo, chrooter.thread_id(), &is_chrooted)); |
144 // Make sure our task has run before committing the return value. | 151 // Make sure our task has run before committing the return value. |
145 chrooter.Stop(); | 152 chrooter.Stop(); |
146 return is_chrooted; | 153 return is_chrooted; |
147 } | 154 } |
148 | 155 |
156 // CHECK() that an attempt to move to a new user namespace raised an expected | |
157 // errno. | |
158 void CheckCloneNewUserErrno() { | |
159 // EPERM can happen if already in a chroot. EUSERS if too many nested | |
160 // namespaces are used. EINVAL for kernels that don't support the feature. | |
161 // Valgrind will ENOSYS unshare(). | |
162 PCHECK(errno == EPERM || errno == EUSERS || errno == EINVAL || | |
163 errno == ENOSYS); | |
164 } | |
165 | |
149 } // namespace. | 166 } // namespace. |
150 | 167 |
151 namespace sandbox { | 168 namespace sandbox { |
152 | 169 |
153 Credentials::Credentials() { | 170 Credentials::Credentials() { |
154 } | 171 } |
155 | 172 |
156 Credentials::~Credentials() { | 173 Credentials::~Credentials() { |
157 } | 174 } |
158 | 175 |
(...skipping 65 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
224 } | 241 } |
225 | 242 |
226 scoped_ptr<std::string> Credentials::GetCurrentCapString() const { | 243 scoped_ptr<std::string> Credentials::GetCurrentCapString() const { |
227 ScopedCap current_cap(cap_get_proc()); | 244 ScopedCap current_cap(cap_get_proc()); |
228 CHECK(current_cap); | 245 CHECK(current_cap); |
229 ScopedCapText cap_text(cap_to_text(current_cap.get(), NULL)); | 246 ScopedCapText cap_text(cap_to_text(current_cap.get(), NULL)); |
230 CHECK(cap_text); | 247 CHECK(cap_text); |
231 return scoped_ptr<std::string> (new std::string(cap_text.get())); | 248 return scoped_ptr<std::string> (new std::string(cap_text.get())); |
232 } | 249 } |
233 | 250 |
251 // static | |
252 bool Credentials::SupportsNewUserNS() { | |
253 // Valgrind will let clone(2) pass-through, but doesn't support unshare(), | |
254 // so always consider UserNS unsupported there. | |
255 if (IsRunningOnValgrind()) { | |
256 return false; | |
257 } | |
258 | |
259 // This is roughly a fork(). | |
260 const pid_t pid = syscall(__NR_clone, CLONE_NEWUSER | SIGCHLD, 0, 0, 0); | |
261 | |
262 if (pid == -1) { | |
263 CheckCloneNewUserErrno(); | |
264 return false; | |
265 } | |
266 | |
267 // The parent process could have had threads. In the child, these threads | |
268 // have disappeared. Make sure to not do anything in the child, as this is a | |
269 // fragile execution environment. | |
270 if (pid == 0) { | |
271 _exit(0); | |
272 } | |
273 | |
274 // Always reap the child. | |
275 siginfo_t infop; | |
276 PCHECK(0 == HANDLE_EINTR(waitid(P_PID, pid, &infop, WEXITED))); | |
277 | |
278 // clone(2) succeeded, we can use CLONE_NEWUSER. | |
279 return true; | |
280 } | |
281 | |
234 bool Credentials::MoveToNewUserNS() { | 282 bool Credentials::MoveToNewUserNS() { |
235 uid_t uid; | 283 uid_t uid; |
236 gid_t gid; | 284 gid_t gid; |
237 if (!GetRESIds(&uid, &gid)) { | 285 if (!GetRESIds(&uid, &gid)) { |
238 // If all the uids (or gids) are not equal to each other, the security | 286 // If all the uids (or gids) are not equal to each other, the security |
239 // model will most likely confuse the caller, abort. | 287 // model will most likely confuse the caller, abort. |
240 DVLOG(1) << "uids or gids differ!"; | 288 DVLOG(1) << "uids or gids differ!"; |
241 return false; | 289 return false; |
242 } | 290 } |
243 int ret = unshare(CLONE_NEWUSER); | 291 int ret = unshare(CLONE_NEWUSER); |
244 // EPERM can happen if already in a chroot. EUSERS if too many nested | |
245 // namespaces are used. EINVAL for kernels that don't support the feature. | |
246 // Valgrind will ENOSYS unshare(). | |
247 PCHECK(!ret || errno == EPERM || errno == EUSERS || errno == EINVAL || | |
248 errno == ENOSYS); | |
249 if (ret) { | 292 if (ret) { |
250 VLOG(1) << "Looks like unprivileged CLONE_NEWUSER may not be available " | 293 VLOG(1) << "Looks like unprivileged CLONE_NEWUSER may not be available " |
251 << "on this kernel."; | 294 << "on this kernel."; |
295 CheckCloneNewUserErrno(); | |
mdempsky
2014/02/28 22:44:59
Is the VLOG line guaranteed to not clobber errno?
jln (very slow on Chromium)
2014/02/28 23:30:18
Good point, that's a fragile construct. Fixed.
| |
252 return false; | 296 return false; |
253 } | 297 } |
298 | |
254 // The current {r,e,s}{u,g}id is now an overflow id (c.f. | 299 // The current {r,e,s}{u,g}id is now an overflow id (c.f. |
255 // /proc/sys/kernel/overflowuid). Setup the uid and gid maps. | 300 // /proc/sys/kernel/overflowuid). Setup the uid and gid maps. |
256 DCHECK(GetRESIds(NULL, NULL)); | 301 DCHECK(GetRESIds(NULL, NULL)); |
257 const char kGidMapFile[] = "/proc/self/gid_map"; | 302 const char kGidMapFile[] = "/proc/self/gid_map"; |
258 const char kUidMapFile[] = "/proc/self/uid_map"; | 303 const char kUidMapFile[] = "/proc/self/uid_map"; |
259 CHECK(WriteToIdMapFile(kGidMapFile, gid)); | 304 CHECK(WriteToIdMapFile(kGidMapFile, gid)); |
260 CHECK(WriteToIdMapFile(kUidMapFile, uid)); | 305 CHECK(WriteToIdMapFile(kUidMapFile, uid)); |
261 DCHECK(GetRESIds(NULL, NULL)); | 306 DCHECK(GetRESIds(NULL, NULL)); |
262 return true; | 307 return true; |
263 } | 308 } |
264 | 309 |
265 bool Credentials::DropFileSystemAccess() { | 310 bool Credentials::DropFileSystemAccess() { |
266 // Chrooting to a safe empty dir will only be safe if no directory file | 311 // Chrooting to a safe empty dir will only be safe if no directory file |
267 // descriptor is available to the process. | 312 // descriptor is available to the process. |
268 DCHECK(!HasOpenDirectory(-1)); | 313 DCHECK(!HasOpenDirectory(-1)); |
269 return ChrootToSafeEmptyDir(); | 314 return ChrootToSafeEmptyDir(); |
270 } | 315 } |
271 | 316 |
272 } // namespace sandbox. | 317 } // namespace sandbox. |
OLD | NEW |