Chromium Code Reviews Chromium Code Reviews
Issue 881733002:
Add namespace sandbox class. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "sandbox/linux/services/namespace_sandbox.h" | |
| 6 | |
| 7 #include <errno.h> | |
| 8 #include <fcntl.h> | |
| 9 #include <sched.h> | |
| 10 #include <stdlib.h> | |
| 11 #include <unistd.h> | |
| 12 | |
| 13 #include <string> | |
| 14 | |
| 15 #include "base/bind.h" | |
| 16 #include "base/environment.h" | |
| 17 #include "base/logging.h" | |
| 18 #include "base/posix/eintr_wrapper.h" | |
| 19 #include "base/strings/stringprintf.h" | |
| 20 #include "sandbox/linux/services/namespace_utils.h" | |
| 21 | |
| 22 namespace sandbox { | |
| 23 | |
| 24 namespace { | |
| 25 const char kPipeValue = '\xcc'; | |
| 26 | |
| 27 void SetEnvironForNamespaceType(base::EnvironmentMap* environ, | |
| 28 base::NativeEnvironmentString env_var, | |
| 29 bool value) { | |
| 30 // An empty string causes the env var to be unset in the child process. | |
| 31 (*environ)[env_var] = value ? "1" : ""; | |
| 32 } | |
| 33 | |
| 34 const char kSandboxUSERNSEnvironmentVarName[] = "SBX_USER_NS"; | |
| 35 const char kSandboxPIDNSEnvironmentVarName[] = "SBX_PID_NS"; | |
| 36 const char kSandboxNETNSEnvironmentVarName[] = "SBX_NET_NS"; | |
| 37 | |
| 38 } // namespace | |
| 39 | |
| 40 NamespaceSandbox::NamespaceSandbox() { | |
| 41 } | |
| 42 | |
| 43 NamespaceSandbox::~NamespaceSandbox() { | |
| 44 } | |
| 45 | |
| 46 void NamespaceSandbox::SetupLaunchOptions( | |
| 47 base::LaunchOptions* options, | |
| 48 base::FileHandleMappingVector* fds_to_remap) { | |
| 49 int clone_flags = 0; | |
| 50 int ns_types[] = {CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET}; | |
| 51 for (const int ns_type : ns_types) { | |
| 52 if (NamespaceUtils::KernelSupportsUnprivilegedNamespace(ns_type)) { | |
| 53 clone_flags |= ns_type; | |
| 54 } | |
| 55 } | |
| 56 | |
| 57 CHECK(clone_flags & CLONE_NEWUSER); | |
| 58 | |
| 59 base::EnvironmentMap* environ = &options->environ; | |
| 60 SetEnvironForNamespaceType(environ, kSandboxUSERNSEnvironmentVarName, | |
|
rickyz (no longer on Chrome)
2015/01/27 07:51:57
If environmental variables are a little ugly, we c
| |
| 61 clone_flags & CLONE_NEWUSER); | |
| 62 SetEnvironForNamespaceType(environ, kSandboxPIDNSEnvironmentVarName, | |
| 63 clone_flags & CLONE_NEWPID); | |
| 64 SetEnvironForNamespaceType(environ, kSandboxNETNSEnvironmentVarName, | |
| 65 clone_flags & CLONE_NEWNET); | |
| 66 | |
| 67 int fds[2]; | |
| 68 PCHECK(pipe(fds) == 0); | |
| 69 read_fd_.reset(fds[0]); | |
| 70 write_fd_.reset(fds[1]); | |
| 71 fds_to_remap->push_back(std::make_pair(read_fd_.get(), read_fd_.get())); | |
| 72 read_from_pipe_delegate_.set_fd(read_fd_.get()); | |
| 73 options->pre_exec_delegate = &read_from_pipe_delegate_; | |
| 74 options->clone_flags = clone_flags; | |
| 75 } | |
| 76 | |
| 77 void NamespaceSandbox::PrepareSandboxedProcess(base::ProcessId pid) { | |
| 78 read_fd_.reset(); | |
| 79 | |
| 80 const std::string uid_map_path = base::StringPrintf("/proc/%d/uid_map", pid); | |
| 81 const std::string gid_map_path = base::StringPrintf("/proc/%d/gid_map", pid); | |
| 82 NamespaceUtils::WriteToIdMapFile(uid_map_path.c_str(), getuid()); | |
| 83 NamespaceUtils::WriteToIdMapFile(gid_map_path.c_str(), getgid()); | |
| 84 | |
| 85 PCHECK(HANDLE_EINTR(write(write_fd_.get(), &kPipeValue, 1)) == 1); | |
| 86 write_fd_.reset(); | |
| 87 } | |
| 88 | |
| 89 bool NamespaceSandbox::InNewUserNamespace() { | |
| 90 return getenv(kSandboxUSERNSEnvironmentVarName) != nullptr; | |
| 91 } | |
| 92 | |
| 93 bool NamespaceSandbox::InNewPidNamespace() { | |
| 94 return getenv(kSandboxPIDNSEnvironmentVarName) != nullptr; | |
| 95 } | |
| 96 | |
| 97 bool NamespaceSandbox::InNewNetNamespace() { | |
| 98 return getenv(kSandboxNETNSEnvironmentVarName) != nullptr; | |
| 99 } | |
| 100 | |
| 101 NamespaceSandbox::ReadFromPipeDelegate::ReadFromPipeDelegate() : fd_(-1) { | |
| 102 } | |
| 103 | |
| 104 NamespaceSandbox::ReadFromPipeDelegate::~ReadFromPipeDelegate() { | |
| 105 } | |
| 106 | |
| 107 void NamespaceSandbox::ReadFromPipeDelegate::RunAsyncSafe() { | |
| 108 char c; | |
| 109 RAW_CHECK(HANDLE_EINTR(read(fd_, &c, 1)) == 1); | |
| 110 RAW_CHECK(IGNORE_EINTR(close(fd_)) == 0); | |
| 111 RAW_CHECK(c == kPipeValue); | |
| 112 } | |
| 113 | |
| 114 void NamespaceSandbox::ReadFromPipeDelegate::set_fd(int fd) { | |
| 115 fd_ = fd; | |
| 116 } | |
| 117 | |
| 118 } // namespace sandbox | |
| OLD | NEW |
