| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/services/credentials.h" | 5 #include "sandbox/linux/services/credentials.h" |
| 6 | 6 |
| 7 #include <errno.h> |
| 7 #include <stdio.h> | 8 #include <stdio.h> |
| 8 #include <sys/capability.h> | 9 #include <sys/capability.h> |
| 10 #include <unistd.h> |
| 9 | 11 |
| 10 #include "base/basictypes.h" | 12 #include "base/basictypes.h" |
| 13 #include "base/bind.h" |
| 11 #include "base/logging.h" | 14 #include "base/logging.h" |
| 15 #include "base/strings/string_number_conversions.h" |
| 16 #include "base/template_util.h" |
| 17 #include "base/threading/thread.h" |
| 12 | 18 |
| 13 namespace { | 19 namespace { |
| 14 | 20 |
| 15 struct CapFreeDeleter { | 21 struct CapFreeDeleter { |
| 16 inline void operator()(cap_t cap) const { | 22 inline void operator()(cap_t cap) const { |
| 17 int ret = cap_free(cap); | 23 int ret = cap_free(cap); |
| 18 CHECK_EQ(0, ret); | 24 CHECK_EQ(0, ret); |
| 19 } | 25 } |
| 20 }; | 26 }; |
| 21 | 27 |
| 22 // Wrapper to manage libcap2's cap_t type. | 28 // Wrapper to manage libcap2's cap_t type. |
| 23 typedef scoped_ptr<typeof(*((cap_t)0)), CapFreeDeleter> ScopedCap; | 29 typedef scoped_ptr<typeof(*((cap_t)0)), CapFreeDeleter> ScopedCap; |
| 24 | 30 |
| 25 struct CapTextFreeDeleter { | 31 struct CapTextFreeDeleter { |
| 26 inline void operator()(char* cap_text) const { | 32 inline void operator()(char* cap_text) const { |
| 27 int ret = cap_free(cap_text); | 33 int ret = cap_free(cap_text); |
| 28 CHECK_EQ(0, ret); | 34 CHECK_EQ(0, ret); |
| 29 } | 35 } |
| 30 }; | 36 }; |
| 31 | 37 |
| 32 // Wrapper to manage the result from libcap2's cap_from_text(). | 38 // Wrapper to manage the result from libcap2's cap_from_text(). |
| 33 typedef scoped_ptr<char, CapTextFreeDeleter> ScopedCapText; | 39 typedef scoped_ptr<char, CapTextFreeDeleter> ScopedCapText; |
| 34 | 40 |
| 41 struct FILECloser { |
| 42 inline void operator()(FILE* f) const { |
| 43 DCHECK(f); |
| 44 PCHECK(0 == fclose(f)); |
| 45 } |
| 46 }; |
| 47 |
| 48 // Don't use ScopedFILE in base/file_util.h since it doesn't check fclose(). |
| 49 // TODO(jln): fix base/. |
| 50 typedef scoped_ptr<FILE, FILECloser> ScopedFILE; |
| 51 |
| 52 COMPILE_ASSERT((base::is_same<uid_t, gid_t>::value), UidAndGidAreSameType); |
| 53 // generic_id_t can be used for either uid_t or gid_t. |
| 54 typedef uid_t generic_id_t; |
| 55 |
| 56 // Write a uid or gid mapping from |id| to |id| in |map_file|. |
| 57 bool WriteToIdMapFile(const char* map_file, generic_id_t id) { |
| 58 ScopedFILE f(fopen(map_file, "w")); |
| 59 PCHECK(f); |
| 60 const uid_t inside_id = id; |
| 61 const uid_t outside_id = id; |
| 62 int num = fprintf(f.get(), "%d %d 1\n", inside_id, outside_id); |
| 63 if (num < 0) return false; |
| 64 // Manually call fflush() to catch permission failures. |
| 65 int ret = fflush(f.get()); |
| 66 if (ret) { |
| 67 VLOG(1) << "Could not write to id map file"; |
| 68 return false; |
| 69 } |
| 70 return true; |
| 71 } |
| 72 |
| 73 // Checks that the set of RES-uids and the set of RES-gids have |
| 74 // one element each and return that element in |resuid| and |resgid| |
| 75 // respectively. It's ok to pass NULL as one or both of the ids. |
| 76 bool GetRESIds(uid_t* resuid, gid_t* resgid) { |
| 77 uid_t ruid, euid, suid; |
| 78 gid_t rgid, egid, sgid; |
| 79 PCHECK(getresuid(&ruid, &euid, &suid) == 0); |
| 80 PCHECK(getresgid(&rgid, &egid, &sgid) == 0); |
| 81 const bool uids_are_equal = (ruid == euid) && (ruid == suid); |
| 82 const bool gids_are_equal = (rgid == egid) && (rgid == sgid); |
| 83 if (!uids_are_equal || !gids_are_equal) return false; |
| 84 if (resuid) *resuid = euid; |
| 85 if (resgid) *resgid = egid; |
| 86 return true; |
| 87 } |
| 88 |
| 89 // chroot() and chdir() to /proc/<tid>/fdinfo. |
| 90 void ChrootToThreadFdInfo(base::PlatformThreadId tid, bool* result) { |
| 91 DCHECK(result); |
| 92 *result = false; |
| 93 |
| 94 COMPILE_ASSERT((base::is_same<base::PlatformThreadId, int>::value), |
| 95 TidIsAnInt); |
| 96 const std::string current_thread_fdinfo = "/proc/" + |
| 97 base::IntToString(tid) + "/fdinfo/"; |
| 98 |
| 99 // Make extra sure that /proc/<tid>/fdinfo is unique to the thread. |
| 100 CHECK(0 == unshare(CLONE_FILES)); |
| 101 int chroot_ret = chroot(current_thread_fdinfo.c_str()); |
| 102 if (chroot_ret) { |
| 103 PLOG(ERROR) << "Could not chroot"; |
| 104 return; |
| 105 } |
| 106 |
| 107 // CWD is essentially an implicit file descriptor, so be careful to not leave |
| 108 // it behind. |
| 109 PCHECK(0 == chdir("/")); |
| 110 |
| 111 *result = true; |
| 112 return; |
| 113 } |
| 114 |
| 115 // chroot() to an empty dir that is "safe". To be safe, it must not contain |
| 116 // any subdirectory (chroot-ing there would allow a chroot escape) and it must |
| 117 // be impossible to create an empty directory there. |
| 118 // We achieve this by doing the following: |
| 119 // 1. We create a new thread, which will create a new /proc/<tid>/ directory |
| 120 // 2. We chroot to /proc/<tid>/fdinfo/ |
| 121 // This is already "safe", since fdinfo/ does not contain another directory and |
| 122 // one cannot create another directory there. |
| 123 // 3. The thread dies |
| 124 // After (3) happens, the directory is not available anymore in /proc. |
| 125 bool ChrootToSafeEmptyDir() { |
| 126 base::Thread chrooter("sandbox_chrooter"); |
| 127 if (!chrooter.Start()) return false; |
| 128 bool is_chrooted = false; |
| 129 chrooter.message_loop()->PostTask(FROM_HERE, |
| 130 base::Bind(&ChrootToThreadFdInfo, chrooter.thread_id(), &is_chrooted)); |
| 131 // Make sure our task has run before committing the return value. |
| 132 chrooter.Stop(); |
| 133 return is_chrooted; |
| 134 } |
| 135 |
| 35 } // namespace. | 136 } // namespace. |
| 36 | 137 |
| 37 namespace sandbox { | 138 namespace sandbox { |
| 38 | 139 |
| 39 Credentials::Credentials() { | 140 Credentials::Credentials() { |
| 40 } | 141 } |
| 41 | 142 |
| 42 Credentials::~Credentials() { | 143 Credentials::~Credentials() { |
| 43 } | 144 } |
| 44 | 145 |
| 45 void Credentials::DropAllCapabilities() { | 146 bool Credentials::DropAllCapabilities() { |
| 46 ScopedCap cap(cap_init()); | 147 ScopedCap cap(cap_init()); |
| 47 CHECK(cap); | 148 CHECK(cap); |
| 48 PCHECK(0 == cap_set_proc(cap.get())); | 149 PCHECK(0 == cap_set_proc(cap.get())); |
| 150 // We never let this function fail. |
| 151 return true; |
| 49 } | 152 } |
| 50 | 153 |
| 51 bool Credentials::HasAnyCapability() { | 154 bool Credentials::HasAnyCapability() const { |
| 52 ScopedCap current_cap(cap_get_proc()); | 155 ScopedCap current_cap(cap_get_proc()); |
| 53 CHECK(current_cap); | 156 CHECK(current_cap); |
| 54 ScopedCap empty_cap(cap_init()); | 157 ScopedCap empty_cap(cap_init()); |
| 55 CHECK(empty_cap); | 158 CHECK(empty_cap); |
| 56 return cap_compare(current_cap.get(), empty_cap.get()) != 0; | 159 return cap_compare(current_cap.get(), empty_cap.get()) != 0; |
| 57 } | 160 } |
| 58 | 161 |
| 59 scoped_ptr<std::string> Credentials::GetCurrentCapString() { | 162 scoped_ptr<std::string> Credentials::GetCurrentCapString() const { |
| 60 ScopedCap current_cap(cap_get_proc()); | 163 ScopedCap current_cap(cap_get_proc()); |
| 61 CHECK(current_cap); | 164 CHECK(current_cap); |
| 62 ScopedCapText cap_text(cap_to_text(current_cap.get(), NULL)); | 165 ScopedCapText cap_text(cap_to_text(current_cap.get(), NULL)); |
| 63 CHECK(cap_text); | 166 CHECK(cap_text); |
| 64 return scoped_ptr<std::string> (new std::string(cap_text.get())); | 167 return scoped_ptr<std::string> (new std::string(cap_text.get())); |
| 65 } | 168 } |
| 66 | 169 |
| 170 bool Credentials::MoveToNewUserNS() { |
| 171 uid_t uid; |
| 172 gid_t gid; |
| 173 if (!GetRESIds(&uid, &gid)) { |
| 174 // If all the uids (or gids) are not equal to each other, the security |
| 175 // model will most likely confuse the caller, abort. |
| 176 DVLOG(1) << "uids or gids differ!"; |
| 177 return false; |
| 178 } |
| 179 int ret = unshare(CLONE_NEWUSER); |
| 180 // EPERM can happen if already in a chroot. EUSERS if too many nested |
| 181 // namespaces are used. EINVAL for kernels that don't support the feature. |
| 182 // Valgrind will ENOSYS unshare(). |
| 183 PCHECK(!ret || errno == EPERM || errno == EUSERS || errno == EINVAL || |
| 184 errno == ENOSYS); |
| 185 if (ret) { |
| 186 VLOG(1) << "Looks like unprivileged CLONE_NEWUSER may not be available " |
| 187 << "on this kernel."; |
| 188 return false; |
| 189 } |
| 190 // The current {r,e,s}{u,g}id is now an overflow id (c.f. |
| 191 // /proc/sys/kernel/overflowuid). Setup the uid and gid maps. |
| 192 DCHECK(GetRESIds(NULL, NULL)); |
| 193 const char kGidMapFile[] = "/proc/self/gid_map"; |
| 194 const char kUidMapFile[] = "/proc/self/uid_map"; |
| 195 CHECK(WriteToIdMapFile(kGidMapFile, gid)); |
| 196 CHECK(WriteToIdMapFile(kUidMapFile, uid)); |
| 197 DCHECK(GetRESIds(NULL, NULL)); |
| 198 return true; |
| 199 } |
| 200 |
| 201 bool Credentials::DropFileSystemAccess() { |
| 202 return ChrootToSafeEmptyDir(); |
| 203 } |
| 204 |
| 67 } // namespace sandbox. | 205 } // namespace sandbox. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 54643010:
Linux: add basic unprivileged namespace support. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src