| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/services/credentials.h" | 5 #include "sandbox/linux/services/credentials.h" |
| 6 | 6 |
| 7 #include <dirent.h> | |
| 8 #include <errno.h> | 7 #include <errno.h> |
| 9 #include <fcntl.h> | |
| 10 #include <signal.h> | 8 #include <signal.h> |
| 11 #include <stdio.h> | 9 #include <stdio.h> |
| 12 #include <sys/capability.h> | 10 #include <sys/capability.h> |
| 13 #include <sys/stat.h> | |
| 14 #include <sys/syscall.h> | 11 #include <sys/syscall.h> |
| 15 #include <sys/types.h> | 12 #include <sys/types.h> |
| 16 #include <sys/wait.h> | 13 #include <sys/wait.h> |
| 17 #include <unistd.h> | 14 #include <unistd.h> |
| 18 | 15 |
| 19 #include "base/basictypes.h" | 16 #include "base/basictypes.h" |
| 20 #include "base/bind.h" | 17 #include "base/bind.h" |
| 21 #include "base/logging.h" | 18 #include "base/logging.h" |
| 22 #include "base/posix/eintr_wrapper.h" | 19 #include "base/posix/eintr_wrapper.h" |
| 23 #include "base/strings/string_number_conversions.h" | 20 #include "base/strings/string_number_conversions.h" |
| 24 #include "base/template_util.h" | 21 #include "base/template_util.h" |
| 25 #include "base/third_party/valgrind/valgrind.h" | 22 #include "base/third_party/valgrind/valgrind.h" |
| 26 #include "base/threading/thread.h" | 23 #include "base/threading/thread.h" |
| 24 #include "sandbox/linux/services/proc_util.h" |
| 27 #include "sandbox/linux/services/syscall_wrappers.h" | 25 #include "sandbox/linux/services/syscall_wrappers.h" |
| 28 | 26 |
| 29 namespace { | 27 namespace { |
| 30 | 28 |
| 31 bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; } | 29 bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; } |
| 32 | 30 |
| 33 struct CapFreeDeleter { | 31 struct CapFreeDeleter { |
| 34 inline void operator()(cap_t cap) const { | 32 inline void operator()(cap_t cap) const { |
| 35 int ret = cap_free(cap); | 33 int ret = cap_free(cap); |
| 36 CHECK_EQ(0, ret); | 34 CHECK_EQ(0, ret); |
| (...skipping 17 matching lines...) Expand all Loading... |
| 54 inline void operator()(FILE* f) const { | 52 inline void operator()(FILE* f) const { |
| 55 DCHECK(f); | 53 DCHECK(f); |
| 56 PCHECK(0 == fclose(f)); | 54 PCHECK(0 == fclose(f)); |
| 57 } | 55 } |
| 58 }; | 56 }; |
| 59 | 57 |
| 60 // Don't use ScopedFILE in base since it doesn't check fclose(). | 58 // Don't use ScopedFILE in base since it doesn't check fclose(). |
| 61 // TODO(jln): fix base/. | 59 // TODO(jln): fix base/. |
| 62 typedef scoped_ptr<FILE, FILECloser> ScopedFILE; | 60 typedef scoped_ptr<FILE, FILECloser> ScopedFILE; |
| 63 | 61 |
| 64 struct DIRCloser { | |
| 65 void operator()(DIR* d) const { | |
| 66 DCHECK(d); | |
| 67 PCHECK(0 == closedir(d)); | |
| 68 } | |
| 69 }; | |
| 70 | |
| 71 typedef scoped_ptr<DIR, DIRCloser> ScopedDIR; | |
| 72 | |
| 73 COMPILE_ASSERT((base::is_same<uid_t, gid_t>::value), UidAndGidAreSameType); | 62 COMPILE_ASSERT((base::is_same<uid_t, gid_t>::value), UidAndGidAreSameType); |
| 74 // generic_id_t can be used for either uid_t or gid_t. | 63 // generic_id_t can be used for either uid_t or gid_t. |
| 75 typedef uid_t generic_id_t; | 64 typedef uid_t generic_id_t; |
| 76 | 65 |
| 77 // Write a uid or gid mapping from |id| to |id| in |map_file|. | 66 // Write a uid or gid mapping from |id| to |id| in |map_file|. |
| 78 bool WriteToIdMapFile(const char* map_file, generic_id_t id) { | 67 bool WriteToIdMapFile(const char* map_file, generic_id_t id) { |
| 79 ScopedFILE f(fopen(map_file, "w")); | 68 ScopedFILE f(fopen(map_file, "w")); |
| 80 PCHECK(f); | 69 PCHECK(f); |
| 81 const uid_t inside_id = id; | 70 const uid_t inside_id = id; |
| 82 const uid_t outside_id = id; | 71 const uid_t outside_id = id; |
| (...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 167 } // namespace. | 156 } // namespace. |
| 168 | 157 |
| 169 namespace sandbox { | 158 namespace sandbox { |
| 170 | 159 |
| 171 Credentials::Credentials() { | 160 Credentials::Credentials() { |
| 172 } | 161 } |
| 173 | 162 |
| 174 Credentials::~Credentials() { | 163 Credentials::~Credentials() { |
| 175 } | 164 } |
| 176 | 165 |
| 177 int Credentials::CountOpenFds(int proc_fd) { | |
| 178 DCHECK_LE(0, proc_fd); | |
| 179 int proc_self_fd = openat(proc_fd, "self/fd", O_DIRECTORY | O_RDONLY); | |
| 180 PCHECK(0 <= proc_self_fd); | |
| 181 | |
| 182 // Ownership of proc_self_fd is transferred here, it must not be closed | |
| 183 // or modified afterwards except via dir. | |
| 184 ScopedDIR dir(fdopendir(proc_self_fd)); | |
| 185 CHECK(dir); | |
| 186 | |
| 187 int count = 0; | |
| 188 struct dirent e; | |
| 189 struct dirent* de; | |
| 190 while (!readdir_r(dir.get(), &e, &de) && de) { | |
| 191 if (strcmp(e.d_name, ".") == 0 || strcmp(e.d_name, "..") == 0) { | |
| 192 continue; | |
| 193 } | |
| 194 | |
| 195 int fd_num; | |
| 196 CHECK(base::StringToInt(e.d_name, &fd_num)); | |
| 197 if (fd_num == proc_fd || fd_num == proc_self_fd) { | |
| 198 continue; | |
| 199 } | |
| 200 | |
| 201 ++count; | |
| 202 } | |
| 203 return count; | |
| 204 } | |
| 205 | |
| 206 bool Credentials::HasOpenDirectory(int proc_fd) { | |
| 207 int proc_self_fd = -1; | |
| 208 if (proc_fd >= 0) { | |
| 209 proc_self_fd = openat(proc_fd, "self/fd", O_DIRECTORY | O_RDONLY); | |
| 210 } else { | |
| 211 proc_self_fd = openat(AT_FDCWD, "/proc/self/fd", O_DIRECTORY | O_RDONLY); | |
| 212 if (proc_self_fd < 0) { | |
| 213 // If this process has been chrooted (eg into /proc/self/fdinfo) then | |
| 214 // the new root dir will not have directory listing permissions for us | |
| 215 // (hence EACCES). And if we do have this permission, then /proc won't | |
| 216 // exist anyway (hence ENOENT). | |
| 217 DPCHECK(errno == EACCES || errno == ENOENT) | |
| 218 << "Unexpected failure when trying to open /proc/self/fd: (" | |
| 219 << errno << ") " << strerror(errno); | |
| 220 | |
| 221 // If not available, guess false. | |
| 222 return false; | |
| 223 } | |
| 224 } | |
| 225 PCHECK(0 <= proc_self_fd); | |
| 226 | |
| 227 // Ownership of proc_self_fd is transferred here, it must not be closed | |
| 228 // or modified afterwards except via dir. | |
| 229 ScopedDIR dir(fdopendir(proc_self_fd)); | |
| 230 CHECK(dir); | |
| 231 | |
| 232 struct dirent e; | |
| 233 struct dirent* de; | |
| 234 while (!readdir_r(dir.get(), &e, &de) && de) { | |
| 235 if (strcmp(e.d_name, ".") == 0 || strcmp(e.d_name, "..") == 0) { | |
| 236 continue; | |
| 237 } | |
| 238 | |
| 239 int fd_num; | |
| 240 CHECK(base::StringToInt(e.d_name, &fd_num)); | |
| 241 if (fd_num == proc_fd || fd_num == proc_self_fd) { | |
| 242 continue; | |
| 243 } | |
| 244 | |
| 245 struct stat s; | |
| 246 // It's OK to use proc_self_fd here, fstatat won't modify it. | |
| 247 CHECK(fstatat(proc_self_fd, e.d_name, &s, 0) == 0); | |
| 248 if (S_ISDIR(s.st_mode)) { | |
| 249 return true; | |
| 250 } | |
| 251 } | |
| 252 | |
| 253 // No open unmanaged directories found. | |
| 254 return false; | |
| 255 } | |
| 256 | |
| 257 bool Credentials::DropAllCapabilities() { | 166 bool Credentials::DropAllCapabilities() { |
| 258 ScopedCap cap(cap_init()); | 167 ScopedCap cap(cap_init()); |
| 259 CHECK(cap); | 168 CHECK(cap); |
| 260 PCHECK(0 == cap_set_proc(cap.get())); | 169 PCHECK(0 == cap_set_proc(cap.get())); |
| 261 // We never let this function fail. | 170 // We never let this function fail. |
| 262 return true; | 171 return true; |
| 263 } | 172 } |
| 264 | 173 |
| 265 bool Credentials::HasAnyCapability() const { | 174 bool Credentials::HasAnyCapability() const { |
| 266 ScopedCap current_cap(cap_get_proc()); | 175 ScopedCap current_cap(cap_get_proc()); |
| (...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 334 const char kUidMapFile[] = "/proc/self/uid_map"; | 243 const char kUidMapFile[] = "/proc/self/uid_map"; |
| 335 CHECK(WriteToIdMapFile(kGidMapFile, gid)); | 244 CHECK(WriteToIdMapFile(kGidMapFile, gid)); |
| 336 CHECK(WriteToIdMapFile(kUidMapFile, uid)); | 245 CHECK(WriteToIdMapFile(kUidMapFile, uid)); |
| 337 DCHECK(GetRESIds(NULL, NULL)); | 246 DCHECK(GetRESIds(NULL, NULL)); |
| 338 return true; | 247 return true; |
| 339 } | 248 } |
| 340 | 249 |
| 341 bool Credentials::DropFileSystemAccess() { | 250 bool Credentials::DropFileSystemAccess() { |
| 342 // Chrooting to a safe empty dir will only be safe if no directory file | 251 // Chrooting to a safe empty dir will only be safe if no directory file |
| 343 // descriptor is available to the process. | 252 // descriptor is available to the process. |
| 344 DCHECK(!HasOpenDirectory(-1)); | 253 DCHECK(!ProcUtil::HasOpenDirectory(-1)); |
| 345 return ChrootToSafeEmptyDir(); | 254 return ChrootToSafeEmptyDir(); |
| 346 } | 255 } |
| 347 | 256 |
| 348 } // namespace sandbox. | 257 } // namespace sandbox. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 761903003:
Update from https://crrev.com/306655 (Closed)
Base URL: git@github.com:domokit/mojo.git@master