sandbox/linux/suid/client/setuid_sandbox_client.cc - Issue 2578483002: Namespace sandbox: add check for unprivileged use of CLONE_NEWUSER

Side by Side Diff: sandbox/linux/suid/client/setuid_sandbox_client.cc

Issue 2578483002: Namespace sandbox: add check for unprivileged use of CLONE_NEWUSER (Closed)

Patch Set: Created 4 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"	5 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"

6	6

7 #include <fcntl.h>	7 #include <fcntl.h>

8 #include <sys/stat.h>	8 #include <sys/stat.h>

9 #include <sys/wait.h>	9 #include <sys/wait.h>

10 #include <unistd.h>	10 #include <unistd.h>

11	11

12 #include <string>	12 #include <string>

13 #include <utility>	13 #include <utility>

14	14

15 #include "base/environment.h"	15 #include "base/environment.h"

16 #include "base/files/scoped_file.h"	16 #include "base/files/scoped_file.h"

17 #include "base/logging.h"	17 #include "base/logging.h"

18 #include "base/posix/eintr_wrapper.h"	18 #include "base/posix/eintr_wrapper.h"

19 #include "base/strings/string_number_conversions.h"	19 #include "base/strings/string_number_conversions.h"

20 #include "sandbox/linux/suid/common/sandbox.h"	20 #include "sandbox/linux/suid/common/sandbox.h"

21	21

22 namespace {	22 namespace {

23	23

24 bool IsFileSystemAccessDenied() {	24 bool IsFileSystemAccessDenied() {

25 base::ScopedFD root_dir(HANDLE_EINTR(open("/", O_RDONLY)));	25 base::ScopedFD root_dir(HANDLE_EINTR(open("/proc/self/exe", O_RDONLY)));
	Tom (Use chromium acct) 2016/12/14 04:13:48 Without this, when running as root, IsFileSystemAc Without this, when running as root, IsFileSystemAccessDenied returns false. This was originally /proc/self/exe but was changed to / in https://chromium.googlesource.com/chromium/src/+/10feab647ef8b96609d087f9936e... I'm not sure why this makes it work, but I figured I'd see if you knew before I spent a lot of time debugging it. mdempsky 2016/12/14 05:11:11 Hm, so my best guess is that because with the setu Show quoted text On 2016/12/14 04:13:48, Tom Anderson wrote: > I'm not sure why this makes it work, but I figured I'd see if you knew before I > spent a lot of time debugging it. Hm, so my best guess is that because with the setuid sandbox, we end up with filesystem access, but chroot'd into an empty no-permissions directory. And then because root bypasses filesystem ACLs, we would be able to open "/" successfully. Are you able to confirm what UID the sandboxed processes are running as when you test it? However, if that's the case (i.e., renderers are running as root), that seems really bad to me. I'm not sure we actually want to support that case. Tom (Use chromium acct) 2016/12/14 21:10:26 ok that makes sense. Show quoted text On 2016/12/14 05:11:11, mdempsky wrote: > On 2016/12/14 04:13:48, Tom Anderson wrote: > > I'm not sure why this makes it work, but I figured I'd see if you knew before > I > > spent a lot of time debugging it. > > Hm, so my best guess is that because with the setuid sandbox, we end up with > filesystem access, but chroot'd into an empty no-permissions directory. And then > because root bypasses filesystem ACLs, we would be able to open "/" > successfully. > ok that makes sense. Show quoted text > Are you able to confirm what UID the sandboxed processes are running as when you > test it? > The renderers have uid and gid 0 Show quoted text > However, if that's the case (i.e., renderers are running as root), that seems > really bad to me. I'm not sure we actually want to support that case. Yes that does sound bad :( But we do have a check here: https://cs.chromium.org/chromium/src/chrome/browser/ui/views/chrome_browser_m... I like that check because it shows a dialog box rather than just exiting to the console so if chrome was launched using a gui, the user will know what's wrong. However the check lets you run chrome as root with the --user-data-dir flag. Maybe we could just unconditionally refuse to run as root? Also I'm not hitting that check when using the namespace sandbox, but I guess that's correct behavior?
26 return !root_dir.is_valid();	26 return !root_dir.is_valid();

27 }	27 }

28	28

29 int GetHelperApi(base::Environment* env) {	29 int GetHelperApi(base::Environment* env) {

30 std::string api_string;	30 std::string api_string;

31 int api_number = 0; // Assume API version 0 if no environment was found.	31 int api_number = 0; // Assume API version 0 if no environment was found.

32 if (env->GetVar(sandbox::kSandboxEnvironmentApiProvides, &api_string) &&	32 if (env->GetVar(sandbox::kSandboxEnvironmentApiProvides, &api_string) &&

33 !base::StringToInt(api_string, &api_number)) {	33 !base::StringToInt(api_string, &api_number)) {

34 // It's an error if we could not convert the API number.	34 // It's an error if we could not convert the API number.

35 api_number = -1;	35 api_number = -1;

(...skipping 106 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
142	142

143 bool SetuidSandboxClient::IsInNewNETNamespace() const {	143 bool SetuidSandboxClient::IsInNewNETNamespace() const {

144 return env_->HasVar(kSandboxNETNSEnvironmentVarName);	144 return env_->HasVar(kSandboxNETNSEnvironmentVarName);

145 }	145 }

146	146

147 bool SetuidSandboxClient::IsSandboxed() const {	147 bool SetuidSandboxClient::IsSandboxed() const {

148 return sandboxed_;	148 return sandboxed_;

149 }	149 }

150	150

151 } // namespace sandbox	151 } // namespace sandbox

OLD	NEW

« sandbox/linux/services/credentials.cc ('K') | « sandbox/linux/services/credentials.cc ('k') | no next file » | no next file with comments »