Namespace sandbox: add check for unprivileged use of CLONE_NEWUSER

sandbox/linux/services/credentials.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/services/credentials.h"
 
 #include <errno.h>
 #include <limits.h>
 #include <signal.h>
 #include <stddef.h>
@@ skipping 132 matching lines @@
     case Credentials::Capability::SYS_CHROOT:
       return CAP_SYS_CHROOT;
     case Credentials::Capability::SYS_ADMIN:
       return CAP_SYS_ADMIN;
   }
 
   LOG(FATAL) << "Invalid Capability: " << static_cast<int>(cap);
   return 0;
 }
 
+void SetGidAndUidMaps(gid_t gid, uid_t uid) {
+  if (NamespaceUtils::KernelSupportsDenySetgroups()) {
+    PCHECK(NamespaceUtils::DenySetgroups());
+  }
+  DCHECK(GetRESIds(NULL, NULL));
+  const char kGidMapFile[] = "/proc/self/gid_map";
+  const char kUidMapFile[] = "/proc/self/uid_map";
+  PCHECK(NamespaceUtils::WriteToIdMapFile(kGidMapFile, gid));
+  PCHECK(NamespaceUtils::WriteToIdMapFile(kUidMapFile, uid));
+  DCHECK(GetRESIds(NULL, NULL));
+}
+
 }  // namespace.
 
 // static
 bool Credentials::DropAllCapabilities(int proc_fd) {
   if (!SetCapabilities(proc_fd, std::vector<Capability>())) {
     return false;
   }
 
   CHECK(!HasAnyCapability());
   return true;
@@ skipping 83 matching lines @@
   if (IsRunningOnValgrind()) {
     return false;
   }
 
 #if defined(THREAD_SANITIZER)
   // With TSAN, processes will always have threads running and can never
   // enter a new user namespace with MoveToNewUserNS().
   return false;
 #endif
 
+  uid_t uid;
+  gid_t gid;
+  if (!GetRESIds(&uid, &gid)) {
+    return false;
+  }
+
   // This is roughly a fork().
   const pid_t pid = sys_clone(CLONE_NEWUSER | SIGCHLD, 0, 0, 0, 0);
 
   if (pid == -1) {
     CheckCloneNewUserErrno(errno);
     return false;
   }
 
   // The parent process could have had threads. In the child, these threads
   // have disappeared. Make sure to not do anything in the child, as this is a
   // fragile execution environment.
   if (pid == 0) {
-    _exit(kExitSuccess);
+    // unshare() requires the effective uid and gid to have a mapping in the
+    // parent namespace.
+    SetGidAndUidMaps(gid, uid);
+
+    // Make sure we drop CAP_SYS_ADMIN.
+    auto proc_fd = sandbox::ProcUtil::OpenProc();
+    CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd.get()));
+
+    // Ensure we have unprivileged use of CLONE_NEWUSER.  Debian
+    // Jessie explicitly forbids this case.  See:
+    // add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
+    int ret = sys_unshare(CLONE_NEWUSER);

[mdempsky, 2016/12/14 05:11:11]

I would probably do:

    PCHECK(sys_unshare(CLONE_NEWUSER));
    _exit(kExitSuccess);

and then below:

    return WIFEXITED(status) && WEXITSTATUS(status) == kExitSuccess;

[Tom (Use chromium acct), 2016/12/14 21:10:26]

Done.  But when I run this as root on Debian, I get the CHECK stack trace
printed to the console now.

Also I needed to change sys_clone to base::ForkWithFlags.  For some reason, when
using sys_clone, the parent process would exit too.

+    _exit(!!ret);
   }
 
   // Always reap the child.
   int status = -1;
   PCHECK(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid);
   CHECK(WIFEXITED(status));
-  CHECK_EQ(kExitSuccess, WEXITSTATUS(status));
 
-  // clone(2) succeeded, we can use CLONE_NEWUSER.
-  return true;
+  // clone(2) succeeded.  Now return true only if the system grants
+  // unprivileged use of CLONE_NEWUSER as well.
+  return !status;
 }
 
 bool Credentials::MoveToNewUserNS() {
   uid_t uid;
   gid_t gid;
   if (!GetRESIds(&uid, &gid)) {
     // If all the uids (or gids) are not equal to each other, the security
     // model will most likely confuse the caller, abort.
     DVLOG(1) << "uids or gids differ!";
     return false;
   }
   int ret = sys_unshare(CLONE_NEWUSER);
   if (ret) {
     const int unshare_errno = errno;
     VLOG(1) << "Looks like unprivileged CLONE_NEWUSER may not be available "
             << "on this kernel.";
     CheckCloneNewUserErrno(unshare_errno);
     return false;
   }
 
-  if (NamespaceUtils::KernelSupportsDenySetgroups()) {
-    PCHECK(NamespaceUtils::DenySetgroups());
-  }
-
   // The current {r,e,s}{u,g}id is now an overflow id (c.f.
   // /proc/sys/kernel/overflowuid). Setup the uid and gid maps.
-  DCHECK(GetRESIds(NULL, NULL));
-  const char kGidMapFile[] = "/proc/self/gid_map";
-  const char kUidMapFile[] = "/proc/self/uid_map";
-  PCHECK(NamespaceUtils::WriteToIdMapFile(kGidMapFile, gid));
-  PCHECK(NamespaceUtils::WriteToIdMapFile(kUidMapFile, uid));
-  DCHECK(GetRESIds(NULL, NULL));
+  SetGidAndUidMaps(gid, uid);
   return true;
 }
 
 bool Credentials::DropFileSystemAccess(int proc_fd) {
   CHECK_LE(0, proc_fd);
 
   CHECK(ChrootToSafeEmptyDir());
   CHECK(!HasFileSystemAccess());
   CHECK(!ProcUtil::HasOpenDirectory(proc_fd));
   // We never let this function fail.
   return true;
 }
 
 bool Credentials::HasFileSystemAccess() {
   return base::DirectoryExists(base::FilePath("/proc"));
 }
 
 pid_t Credentials::ForkAndDropCapabilitiesInChild() {
   pid_t pid = fork();
   if (pid != 0) {
     return pid;
   }
 
   // Since we just forked, we are single threaded.
   PCHECK(DropAllCapabilitiesOnCurrentThread());
   return 0;
 }
 
 }  // namespace sandbox.