| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/services/credentials.h" | 5 #include "sandbox/linux/services/credentials.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <limits.h> | 8 #include <limits.h> |
| 9 #include <signal.h> | 9 #include <signal.h> |
| 10 #include <stddef.h> | 10 #include <stddef.h> |
| (...skipping 132 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 143 case Credentials::Capability::SYS_CHROOT: | 143 case Credentials::Capability::SYS_CHROOT: |
| 144 return CAP_SYS_CHROOT; | 144 return CAP_SYS_CHROOT; |
| 145 case Credentials::Capability::SYS_ADMIN: | 145 case Credentials::Capability::SYS_ADMIN: |
| 146 return CAP_SYS_ADMIN; | 146 return CAP_SYS_ADMIN; |
| 147 } | 147 } |
| 148 | 148 |
| 149 LOG(FATAL) << "Invalid Capability: " << static_cast<int>(cap); | 149 LOG(FATAL) << "Invalid Capability: " << static_cast<int>(cap); |
| 150 return 0; | 150 return 0; |
| 151 } | 151 } |
| 152 | 152 |
| 153 void SetGidAndUidMaps(gid_t gid, uid_t uid) { |
| 154 if (NamespaceUtils::KernelSupportsDenySetgroups()) { |
| 155 PCHECK(NamespaceUtils::DenySetgroups()); |
| 156 } |
| 157 DCHECK(GetRESIds(NULL, NULL)); |
| 158 const char kGidMapFile[] = "/proc/self/gid_map"; |
| 159 const char kUidMapFile[] = "/proc/self/uid_map"; |
| 160 PCHECK(NamespaceUtils::WriteToIdMapFile(kGidMapFile, gid)); |
| 161 PCHECK(NamespaceUtils::WriteToIdMapFile(kUidMapFile, uid)); |
| 162 DCHECK(GetRESIds(NULL, NULL)); |
| 163 } |
| 164 |
| 153 } // namespace. | 165 } // namespace. |
| 154 | 166 |
| 155 // static | 167 // static |
| 156 bool Credentials::DropAllCapabilities(int proc_fd) { | 168 bool Credentials::DropAllCapabilities(int proc_fd) { |
| 157 if (!SetCapabilities(proc_fd, std::vector<Capability>())) { | 169 if (!SetCapabilities(proc_fd, std::vector<Capability>())) { |
| 158 return false; | 170 return false; |
| 159 } | 171 } |
| 160 | 172 |
| 161 CHECK(!HasAnyCapability()); | 173 CHECK(!HasAnyCapability()); |
| 162 return true; | 174 return true; |
| (...skipping 83 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 246 if (IsRunningOnValgrind()) { | 258 if (IsRunningOnValgrind()) { |
| 247 return false; | 259 return false; |
| 248 } | 260 } |
| 249 | 261 |
| 250 #if defined(THREAD_SANITIZER) | 262 #if defined(THREAD_SANITIZER) |
| 251 // With TSAN, processes will always have threads running and can never | 263 // With TSAN, processes will always have threads running and can never |
| 252 // enter a new user namespace with MoveToNewUserNS(). | 264 // enter a new user namespace with MoveToNewUserNS(). |
| 253 return false; | 265 return false; |
| 254 #endif | 266 #endif |
| 255 | 267 |
| 256 // This is roughly a fork(). | 268 uid_t uid; |
| 257 const pid_t pid = sys_clone(CLONE_NEWUSER | SIGCHLD, 0, 0, 0, 0); | 269 gid_t gid; |
| 270 if (!GetRESIds(&uid, &gid)) { |
| 271 return false; |
| 272 } |
| 273 |
| 274 const pid_t pid = |
| 275 base::ForkWithFlags(CLONE_NEWUSER | SIGCHLD, nullptr, nullptr); |
| 258 | 276 |
| 259 if (pid == -1) { | 277 if (pid == -1) { |
| 260 CheckCloneNewUserErrno(errno); | 278 CheckCloneNewUserErrno(errno); |
| 261 return false; | 279 return false; |
| 262 } | 280 } |
| 263 | 281 |
| 264 // The parent process could have had threads. In the child, these threads | 282 // The parent process could have had threads. In the child, these threads |
| 265 // have disappeared. Make sure to not do anything in the child, as this is a | 283 // have disappeared. |
| 266 // fragile execution environment. | |
| 267 if (pid == 0) { | 284 if (pid == 0) { |
| 285 // unshare() requires the effective uid and gid to have a mapping in the |
| 286 // parent namespace. |
| 287 SetGidAndUidMaps(gid, uid); |
| 288 |
| 289 // Make sure we drop CAP_SYS_ADMIN. |
| 290 CHECK(sandbox::Credentials::DropAllCapabilities()); |
| 291 |
| 292 // Ensure we have unprivileged use of CLONE_NEWUSER. Debian |
| 293 // Jessie explicitly forbids this case. See: |
| 294 // add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch |
| 295 PCHECK(0 == sys_unshare(CLONE_NEWUSER)); |
| 268 _exit(kExitSuccess); | 296 _exit(kExitSuccess); |
| 269 } | 297 } |
| 270 | 298 |
| 271 // Always reap the child. | 299 // Always reap the child. |
| 272 int status = -1; | 300 int status = -1; |
| 273 PCHECK(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid); | 301 PCHECK(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid); |
| 274 CHECK(WIFEXITED(status)); | |
| 275 CHECK_EQ(kExitSuccess, WEXITSTATUS(status)); | |
| 276 | 302 |
| 277 // clone(2) succeeded, we can use CLONE_NEWUSER. | 303 // clone(2) succeeded. Now return true only if the system grants |
| 278 return true; | 304 // unprivileged use of CLONE_NEWUSER as well. |
| 305 return WIFEXITED(status) && WEXITSTATUS(status) == kExitSuccess; |
| 279 } | 306 } |
| 280 | 307 |
| 281 bool Credentials::MoveToNewUserNS() { | 308 bool Credentials::MoveToNewUserNS() { |
| 282 uid_t uid; | 309 uid_t uid; |
| 283 gid_t gid; | 310 gid_t gid; |
| 284 if (!GetRESIds(&uid, &gid)) { | 311 if (!GetRESIds(&uid, &gid)) { |
| 285 // If all the uids (or gids) are not equal to each other, the security | 312 // If all the uids (or gids) are not equal to each other, the security |
| 286 // model will most likely confuse the caller, abort. | 313 // model will most likely confuse the caller, abort. |
| 287 DVLOG(1) << "uids or gids differ!"; | 314 DVLOG(1) << "uids or gids differ!"; |
| 288 return false; | 315 return false; |
| 289 } | 316 } |
| 290 int ret = sys_unshare(CLONE_NEWUSER); | 317 int ret = sys_unshare(CLONE_NEWUSER); |
| 291 if (ret) { | 318 if (ret) { |
| 292 const int unshare_errno = errno; | 319 const int unshare_errno = errno; |
| 293 VLOG(1) << "Looks like unprivileged CLONE_NEWUSER may not be available " | 320 VLOG(1) << "Looks like unprivileged CLONE_NEWUSER may not be available " |
| 294 << "on this kernel."; | 321 << "on this kernel."; |
| 295 CheckCloneNewUserErrno(unshare_errno); | 322 CheckCloneNewUserErrno(unshare_errno); |
| 296 return false; | 323 return false; |
| 297 } | 324 } |
| 298 | 325 |
| 299 if (NamespaceUtils::KernelSupportsDenySetgroups()) { | |
| 300 PCHECK(NamespaceUtils::DenySetgroups()); | |
| 301 } | |
| 302 | |
| 303 // The current {r,e,s}{u,g}id is now an overflow id (c.f. | 326 // The current {r,e,s}{u,g}id is now an overflow id (c.f. |
| 304 // /proc/sys/kernel/overflowuid). Setup the uid and gid maps. | 327 // /proc/sys/kernel/overflowuid). Setup the uid and gid maps. |
| 305 DCHECK(GetRESIds(NULL, NULL)); | 328 SetGidAndUidMaps(gid, uid); |
| 306 const char kGidMapFile[] = "/proc/self/gid_map"; | |
| 307 const char kUidMapFile[] = "/proc/self/uid_map"; | |
| 308 PCHECK(NamespaceUtils::WriteToIdMapFile(kGidMapFile, gid)); | |
| 309 PCHECK(NamespaceUtils::WriteToIdMapFile(kUidMapFile, uid)); | |
| 310 DCHECK(GetRESIds(NULL, NULL)); | |
| 311 return true; | 329 return true; |
| 312 } | 330 } |
| 313 | 331 |
| 314 bool Credentials::DropFileSystemAccess(int proc_fd) { | 332 bool Credentials::DropFileSystemAccess(int proc_fd) { |
| 315 CHECK_LE(0, proc_fd); | 333 CHECK_LE(0, proc_fd); |
| 316 | 334 |
| 317 CHECK(ChrootToSafeEmptyDir()); | 335 CHECK(ChrootToSafeEmptyDir()); |
| 318 CHECK(!HasFileSystemAccess()); | 336 CHECK(!HasFileSystemAccess()); |
| 319 CHECK(!ProcUtil::HasOpenDirectory(proc_fd)); | 337 CHECK(!ProcUtil::HasOpenDirectory(proc_fd)); |
| 320 // We never let this function fail. | 338 // We never let this function fail. |
| 321 return true; | 339 return true; |
| 322 } | 340 } |
| 323 | 341 |
| 324 bool Credentials::HasFileSystemAccess() { | 342 bool Credentials::HasFileSystemAccess() { |
| 325 return base::DirectoryExists(base::FilePath("/proc")); | 343 return base::DirectoryExists(base::FilePath("/proc")); |
| 326 } | 344 } |
| 327 | 345 |
| 328 pid_t Credentials::ForkAndDropCapabilitiesInChild() { | 346 pid_t Credentials::ForkAndDropCapabilitiesInChild() { |
| 329 pid_t pid = fork(); | 347 pid_t pid = fork(); |
| 330 if (pid != 0) { | 348 if (pid != 0) { |
| 331 return pid; | 349 return pid; |
| 332 } | 350 } |
| 333 | 351 |
| 334 // Since we just forked, we are single threaded. | 352 // Since we just forked, we are single threaded. |
| 335 PCHECK(DropAllCapabilitiesOnCurrentThread()); | 353 PCHECK(DropAllCapabilitiesOnCurrentThread()); |
| 336 return 0; | 354 return 0; |
| 337 } | 355 } |
| 338 | 356 |
| 339 } // namespace sandbox. | 357 } // namespace sandbox. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2578483002:
Namespace sandbox: add check for unprivileged use of CLONE_NEWUSER (Closed)
