| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/services/credentials.h" | 5 #include "sandbox/linux/services/credentials.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <signal.h> | 8 #include <signal.h> |
| 9 #include <stdio.h> | 9 #include <stdio.h> |
| 10 #include <sys/capability.h> | 10 #include <sys/capability.h> |
| 11 #include <sys/syscall.h> | 11 #include <sys/syscall.h> |
| 12 #include <sys/types.h> | 12 #include <sys/types.h> |
| 13 #include <sys/wait.h> | 13 #include <sys/wait.h> |
| 14 #include <unistd.h> | 14 #include <unistd.h> |
| 15 | 15 |
| 16 #include "base/basictypes.h" | 16 #include "base/basictypes.h" |
| 17 #include "base/bind.h" | 17 #include "base/bind.h" |
| 18 #include "base/files/file_path.h" | 18 #include "base/files/file_path.h" |
| 19 #include "base/files/file_util.h" | 19 #include "base/files/file_util.h" |
| 20 #include "base/logging.h" | 20 #include "base/logging.h" |
| 21 #include "base/posix/eintr_wrapper.h" | 21 #include "base/posix/eintr_wrapper.h" |
| 22 #include "base/process/launch.h" | 22 #include "base/process/launch.h" |
| 23 #include "base/template_util.h" | 23 #include "base/template_util.h" |
| 24 #include "base/third_party/valgrind/valgrind.h" | 24 #include "base/third_party/valgrind/valgrind.h" |
| 25 #include "sandbox/linux/services/syscall_wrappers.h" | 25 #include "sandbox/linux/services/syscall_wrappers.h" |
| 26 | 26 |
| 27 namespace sandbox { |
| 28 |
| 27 namespace { | 29 namespace { |
| 28 | 30 |
| 29 bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; } | 31 bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; } |
| 30 | 32 |
| 31 struct CapFreeDeleter { | 33 struct CapFreeDeleter { |
| 32 inline void operator()(cap_t cap) const { | 34 inline void operator()(cap_t cap) const { |
| 33 int ret = cap_free(cap); | 35 int ret = cap_free(cap); |
| 34 CHECK_EQ(0, ret); | 36 CHECK_EQ(0, ret); |
| 35 } | 37 } |
| 36 }; | 38 }; |
| (...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 90 PCHECK(getresuid(&ruid, &euid, &suid) == 0); | 92 PCHECK(getresuid(&ruid, &euid, &suid) == 0); |
| 91 PCHECK(getresgid(&rgid, &egid, &sgid) == 0); | 93 PCHECK(getresgid(&rgid, &egid, &sgid) == 0); |
| 92 const bool uids_are_equal = (ruid == euid) && (ruid == suid); | 94 const bool uids_are_equal = (ruid == euid) && (ruid == suid); |
| 93 const bool gids_are_equal = (rgid == egid) && (rgid == sgid); | 95 const bool gids_are_equal = (rgid == egid) && (rgid == sgid); |
| 94 if (!uids_are_equal || !gids_are_equal) return false; | 96 if (!uids_are_equal || !gids_are_equal) return false; |
| 95 if (resuid) *resuid = euid; | 97 if (resuid) *resuid = euid; |
| 96 if (resgid) *resgid = egid; | 98 if (resgid) *resgid = egid; |
| 97 return true; | 99 return true; |
| 98 } | 100 } |
| 99 | 101 |
| 102 const int kExitSuccess = 0; |
| 103 |
| 104 int ChrootToSelfFdinfo(void*) { |
| 105 RAW_CHECK(chroot("/proc/self/fdinfo/") == 0); |
| 106 |
| 107 // CWD is essentially an implicit file descriptor, so be careful to not |
| 108 // leave it behind. |
| 109 RAW_CHECK(chdir("/") == 0); |
| 110 _exit(kExitSuccess); |
| 111 } |
| 112 |
| 100 // chroot() to an empty dir that is "safe". To be safe, it must not contain | 113 // chroot() to an empty dir that is "safe". To be safe, it must not contain |
| 101 // any subdirectory (chroot-ing there would allow a chroot escape) and it must | 114 // any subdirectory (chroot-ing there would allow a chroot escape) and it must |
| 102 // be impossible to create an empty directory there. | 115 // be impossible to create an empty directory there. |
| 103 // We achieve this by doing the following: | 116 // We achieve this by doing the following: |
| 104 // 1. We create a new process sharing file system information. | 117 // 1. We create a new process sharing file system information. |
| 105 // 2. In the child, we chroot to /proc/self/fdinfo/ | 118 // 2. In the child, we chroot to /proc/self/fdinfo/ |
| 106 // This is already "safe", since fdinfo/ does not contain another directory and | 119 // This is already "safe", since fdinfo/ does not contain another directory and |
| 107 // one cannot create another directory there. | 120 // one cannot create another directory there. |
| 108 // 3. The process dies | 121 // 3. The process dies |
| 109 // After (3) happens, the directory is not available anymore in /proc. | 122 // After (3) happens, the directory is not available anymore in /proc. |
| 110 bool ChrootToSafeEmptyDir() { | 123 bool ChrootToSafeEmptyDir() { |
| 111 // We do not use a thread because when we are in a PID namespace, we cannot | 124 // We need to chroot to a fdinfo that is unique to a process and have that |
| 112 // easily get a handle to the /proc/tid directory for the thread (since /proc | 125 // process die. |
| 113 // may not be aware of the PID namespace). With a process, we can just use | 126 // 1. We don't want to simply fork() because duplicating the page tables is |
| 114 // /proc/self. | 127 // slow with a big address space. |
| 115 pid_t pid = base::ForkWithFlags(SIGCHLD | CLONE_FS, nullptr, nullptr); | 128 // 2. We do not use a regular thread (that would unshare CLONE_FILES) because |
| 129 // when we are in a PID namespace, we cannot easily get a handle to the |
| 130 // /proc/tid directory for the thread (since /proc may not be aware of the |
| 131 // PID namespace). With a process, we can just use /proc/self. |
| 132 pid_t pid = -1; |
| 133 char stack_buf[PTHREAD_STACK_MIN]; |
| 134 #if defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY) || \ |
| 135 defined(ARCH_CPU_MIPS64_FAMILY) || defined(ARCH_CPU_MIPS_FAMILY) |
| 136 // The stack grows downward. |
| 137 void* stack = stack_buf + sizeof(stack_buf); |
| 138 #else |
| 139 #error "Unsupported architecture" |
| 140 #endif |
| 141 pid = clone(ChrootToSelfFdinfo, stack, |
| 142 CLONE_VM | CLONE_VFORK | CLONE_FS | SIGCHLD, nullptr, nullptr, |
| 143 nullptr, nullptr); |
| 116 PCHECK(pid != -1); | 144 PCHECK(pid != -1); |
| 117 if (pid == 0) { | |
| 118 RAW_CHECK(chroot("/proc/self/fdinfo/") == 0); | |
| 119 | |
| 120 // CWD is essentially an implicit file descriptor, so be careful to not | |
| 121 // leave it behind. | |
| 122 RAW_CHECK(chdir("/") == 0); | |
| 123 _exit(0); | |
| 124 } | |
| 125 | 145 |
| 126 int status = -1; | 146 int status = -1; |
| 127 PCHECK(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid); | 147 PCHECK(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid); |
| 128 | 148 |
| 129 return status == 0; | 149 return kExitSuccess == status; |
| 130 } | 150 } |
| 131 | 151 |
| 132 // CHECK() that an attempt to move to a new user namespace raised an expected | 152 // CHECK() that an attempt to move to a new user namespace raised an expected |
| 133 // errno. | 153 // errno. |
| 134 void CheckCloneNewUserErrno(int error) { | 154 void CheckCloneNewUserErrno(int error) { |
| 135 // EPERM can happen if already in a chroot. EUSERS if too many nested | 155 // EPERM can happen if already in a chroot. EUSERS if too many nested |
| 136 // namespaces are used. EINVAL for kernels that don't support the feature. | 156 // namespaces are used. EINVAL for kernels that don't support the feature. |
| 137 // Valgrind will ENOSYS unshare(). | 157 // Valgrind will ENOSYS unshare(). |
| 138 PCHECK(error == EPERM || error == EUSERS || error == EINVAL || | 158 PCHECK(error == EPERM || error == EUSERS || error == EINVAL || |
| 139 error == ENOSYS); | 159 error == ENOSYS); |
| 140 } | 160 } |
| 141 | 161 |
| 142 } // namespace. | 162 } // namespace. |
| 143 | 163 |
| 144 namespace sandbox { | |
| 145 | |
| 146 bool Credentials::DropAllCapabilities() { | 164 bool Credentials::DropAllCapabilities() { |
| 147 ScopedCap cap(cap_init()); | 165 ScopedCap cap(cap_init()); |
| 148 CHECK(cap); | 166 CHECK(cap); |
| 149 PCHECK(0 == cap_set_proc(cap.get())); | 167 PCHECK(0 == cap_set_proc(cap.get())); |
| 150 CHECK(!HasAnyCapability()); | 168 CHECK(!HasAnyCapability()); |
| 151 // We never let this function fail. | 169 // We never let this function fail. |
| 152 return true; | 170 return true; |
| 153 } | 171 } |
| 154 | 172 |
| 155 bool Credentials::HasAnyCapability() { | 173 bool Credentials::HasAnyCapability() { |
| (...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 229 } | 247 } |
| 230 | 248 |
| 231 bool Credentials::DropFileSystemAccess() { | 249 bool Credentials::DropFileSystemAccess() { |
| 232 CHECK(ChrootToSafeEmptyDir()); | 250 CHECK(ChrootToSafeEmptyDir()); |
| 233 CHECK(!base::DirectoryExists(base::FilePath("/proc"))); | 251 CHECK(!base::DirectoryExists(base::FilePath("/proc"))); |
| 234 // We never let this function fail. | 252 // We never let this function fail. |
| 235 return true; | 253 return true; |
| 236 } | 254 } |
| 237 | 255 |
| 238 } // namespace sandbox. | 256 } // namespace sandbox. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 863933004:
Linux sandbox: Make ChrootToSafeEmptyDir() faster. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master