OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/services/credentials.h" | 5 #include "sandbox/linux/services/credentials.h" |
6 | 6 |
7 #include <dirent.h> | |
8 #include <errno.h> | 7 #include <errno.h> |
9 #include <fcntl.h> | |
10 #include <stdio.h> | 8 #include <stdio.h> |
11 #include <sys/capability.h> | 9 #include <sys/capability.h> |
12 #include <sys/stat.h> | |
13 #include <sys/types.h> | |
14 #include <unistd.h> | 10 #include <unistd.h> |
15 | 11 |
16 #include "base/basictypes.h" | 12 #include "base/basictypes.h" |
17 #include "base/bind.h" | 13 #include "base/bind.h" |
18 #include "base/logging.h" | 14 #include "base/logging.h" |
19 #include "base/strings/string_number_conversions.h" | 15 #include "base/strings/string_number_conversions.h" |
20 #include "base/template_util.h" | 16 #include "base/template_util.h" |
21 #include "base/threading/thread.h" | 17 #include "base/threading/thread.h" |
22 | 18 |
23 namespace { | 19 namespace { |
(...skipping 22 matching lines...) Expand all Loading... |
46 inline void operator()(FILE* f) const { | 42 inline void operator()(FILE* f) const { |
47 DCHECK(f); | 43 DCHECK(f); |
48 PCHECK(0 == fclose(f)); | 44 PCHECK(0 == fclose(f)); |
49 } | 45 } |
50 }; | 46 }; |
51 | 47 |
52 // Don't use ScopedFILE in base/file_util.h since it doesn't check fclose(). | 48 // Don't use ScopedFILE in base/file_util.h since it doesn't check fclose(). |
53 // TODO(jln): fix base/. | 49 // TODO(jln): fix base/. |
54 typedef scoped_ptr<FILE, FILECloser> ScopedFILE; | 50 typedef scoped_ptr<FILE, FILECloser> ScopedFILE; |
55 | 51 |
56 struct DIRCloser { | |
57 void operator()(DIR* d) const { | |
58 DCHECK(d); | |
59 PCHECK(0 == closedir(d)); | |
60 } | |
61 }; | |
62 | |
63 typedef scoped_ptr<DIR, DIRCloser> ScopedDIR; | |
64 | |
65 COMPILE_ASSERT((base::is_same<uid_t, gid_t>::value), UidAndGidAreSameType); | 52 COMPILE_ASSERT((base::is_same<uid_t, gid_t>::value), UidAndGidAreSameType); |
66 // generic_id_t can be used for either uid_t or gid_t. | 53 // generic_id_t can be used for either uid_t or gid_t. |
67 typedef uid_t generic_id_t; | 54 typedef uid_t generic_id_t; |
68 | 55 |
69 // Write a uid or gid mapping from |id| to |id| in |map_file|. | 56 // Write a uid or gid mapping from |id| to |id| in |map_file|. |
70 bool WriteToIdMapFile(const char* map_file, generic_id_t id) { | 57 bool WriteToIdMapFile(const char* map_file, generic_id_t id) { |
71 ScopedFILE f(fopen(map_file, "w")); | 58 ScopedFILE f(fopen(map_file, "w")); |
72 PCHECK(f); | 59 PCHECK(f); |
73 const uid_t inside_id = id; | 60 const uid_t inside_id = id; |
74 const uid_t outside_id = id; | 61 const uid_t outside_id = id; |
(...skipping 74 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
149 } // namespace. | 136 } // namespace. |
150 | 137 |
151 namespace sandbox { | 138 namespace sandbox { |
152 | 139 |
153 Credentials::Credentials() { | 140 Credentials::Credentials() { |
154 } | 141 } |
155 | 142 |
156 Credentials::~Credentials() { | 143 Credentials::~Credentials() { |
157 } | 144 } |
158 | 145 |
159 bool Credentials::HasOpenDirectory(int proc_fd) { | |
160 int proc_self_fd = -1; | |
161 if (proc_fd >= 0) { | |
162 proc_self_fd = openat(proc_fd, "self/fd", O_DIRECTORY | O_RDONLY); | |
163 } else { | |
164 proc_self_fd = openat(AT_FDCWD, "/proc/self/fd", O_DIRECTORY | O_RDONLY); | |
165 if (proc_self_fd < 0) { | |
166 // If not available, guess false. | |
167 // TODO(mostynb@opera.com): add a CHECK_EQ(ENOENT, errno); Figure out what | |
168 // other situations are here. http://crbug.com/314985 | |
169 return false; | |
170 } | |
171 } | |
172 CHECK_GE(proc_self_fd, 0); | |
173 | |
174 // Ownership of proc_self_fd is transferred here, it must not be closed | |
175 // or modified afterwards except via dir. | |
176 ScopedDIR dir(fdopendir(proc_self_fd)); | |
177 CHECK(dir); | |
178 | |
179 struct dirent e; | |
180 struct dirent* de; | |
181 while (!readdir_r(dir.get(), &e, &de) && de) { | |
182 if (strcmp(e.d_name, ".") == 0 || strcmp(e.d_name, "..") == 0) { | |
183 continue; | |
184 } | |
185 | |
186 int fd_num; | |
187 CHECK(base::StringToInt(e.d_name, &fd_num)); | |
188 if (fd_num == proc_fd || fd_num == proc_self_fd) { | |
189 continue; | |
190 } | |
191 | |
192 struct stat s; | |
193 // It's OK to use proc_self_fd here, fstatat won't modify it. | |
194 CHECK(fstatat(proc_self_fd, e.d_name, &s, 0) == 0); | |
195 if (S_ISDIR(s.st_mode)) { | |
196 return true; | |
197 } | |
198 } | |
199 | |
200 // No open unmanaged directories found. | |
201 return false; | |
202 } | |
203 | |
204 bool Credentials::DropAllCapabilities() { | 146 bool Credentials::DropAllCapabilities() { |
205 ScopedCap cap(cap_init()); | 147 ScopedCap cap(cap_init()); |
206 CHECK(cap); | 148 CHECK(cap); |
207 PCHECK(0 == cap_set_proc(cap.get())); | 149 PCHECK(0 == cap_set_proc(cap.get())); |
208 // We never let this function fail. | 150 // We never let this function fail. |
209 return true; | 151 return true; |
210 } | 152 } |
211 | 153 |
212 bool Credentials::HasAnyCapability() const { | 154 bool Credentials::HasAnyCapability() const { |
213 ScopedCap current_cap(cap_get_proc()); | 155 ScopedCap current_cap(cap_get_proc()); |
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
250 DCHECK(GetRESIds(NULL, NULL)); | 192 DCHECK(GetRESIds(NULL, NULL)); |
251 const char kGidMapFile[] = "/proc/self/gid_map"; | 193 const char kGidMapFile[] = "/proc/self/gid_map"; |
252 const char kUidMapFile[] = "/proc/self/uid_map"; | 194 const char kUidMapFile[] = "/proc/self/uid_map"; |
253 CHECK(WriteToIdMapFile(kGidMapFile, gid)); | 195 CHECK(WriteToIdMapFile(kGidMapFile, gid)); |
254 CHECK(WriteToIdMapFile(kUidMapFile, uid)); | 196 CHECK(WriteToIdMapFile(kUidMapFile, uid)); |
255 DCHECK(GetRESIds(NULL, NULL)); | 197 DCHECK(GetRESIds(NULL, NULL)); |
256 return true; | 198 return true; |
257 } | 199 } |
258 | 200 |
259 bool Credentials::DropFileSystemAccess() { | 201 bool Credentials::DropFileSystemAccess() { |
260 // Chrooting to a safe empty dir will only be safe if no directory file | |
261 // descriptor is available to the process. | |
262 DCHECK(!HasOpenDirectory(-1)); | |
263 return ChrootToSafeEmptyDir(); | 202 return ChrootToSafeEmptyDir(); |
264 } | 203 } |
265 | 204 |
266 } // namespace sandbox. | 205 } // namespace sandbox. |
OLD | NEW |