1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "sandbox/linux/services/namespace_sandbox.h" | |
6 | |
7 #include <errno.h> | |
8 #include <fcntl.h> | |
9 #include <sched.h> | |
10 #include <stdlib.h> | |
11 #include <unistd.h> | |
12 | |
13 #include <string> | |
14 | |
15 #include "base/bind.h" | |
16 #include "base/environment.h" | |
17 #include "base/logging.h" | |
18 #include "base/posix/eintr_wrapper.h" | |
19 #include "base/strings/stringprintf.h" | |
20 #include "sandbox/linux/services/namespace_utils.h" | |
21 | |
22 namespace sandbox { | |
23 | |
24 namespace { | |
25 const char kPipeValue = '\xcc'; | |
26 | |
27 void SetEnvironForNamespaceType(base::EnvironmentMap* environ, | |
28 base::NativeEnvironmentString env_var, | |
29 bool value) { | |
30 // An empty string causes the env var to be unset in the child process. | |
31 (*environ)[env_var] = value ? "1" : ""; | |
32 } | |
33 | |
34 const char kSandboxUSERNSEnvironmentVarName[] = "SBX_USER_NS"; | |
35 const char kSandboxPIDNSEnvironmentVarName[] = "SBX_PID_NS"; | |
36 const char kSandboxNETNSEnvironmentVarName[] = "SBX_NET_NS"; | |
37 | |
38 } // namespace | |
39 | |
40 NamespaceSandbox::NamespaceSandbox() { | |
41 } | |
42 | |
43 NamespaceSandbox::~NamespaceSandbox() { | |
44 } | |
45 | |
46 void NamespaceSandbox::SetupLaunchOptions( | |
47 base::LaunchOptions* options, | |
48 base::FileHandleMappingVector* fds_to_remap) { | |
49 int clone_flags = 0; | |
50 int ns_types[] = {CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET}; | |
51 for (const int ns_type : ns_types) { | |
52 if (NamespaceUtils::KernelSupportsUnprivilegedNamespace(ns_type)) { | |
53 clone_flags |= ns_type; | |
54 } | |
55 } | |
56 | |
57 CHECK(clone_flags & CLONE_NEWUSER); | |
58 | |
59 base::EnvironmentMap* environ = &options->environ; | |
60 SetEnvironForNamespaceType(environ, kSandboxUSERNSEnvironmentVarName, | |
rickyz (no longer on Chrome)
2015/01/27 07:51:57
If environmental variables are a little ugly, we c
| |
61 clone_flags & CLONE_NEWUSER); | |
62 SetEnvironForNamespaceType(environ, kSandboxPIDNSEnvironmentVarName, | |
63 clone_flags & CLONE_NEWPID); | |
64 SetEnvironForNamespaceType(environ, kSandboxNETNSEnvironmentVarName, | |
65 clone_flags & CLONE_NEWNET); | |
66 | |
67 int fds[2]; | |
68 PCHECK(pipe(fds) == 0); | |
69 read_fd_.reset(fds[0]); | |
70 write_fd_.reset(fds[1]); | |
71 fds_to_remap->push_back(std::make_pair(read_fd_.get(), read_fd_.get())); | |
72 read_from_pipe_delegate_.set_fd(read_fd_.get()); | |
73 options->pre_exec_delegate = &read_from_pipe_delegate_; | |
74 options->clone_flags = clone_flags; | |
75 } | |
76 | |
77 void NamespaceSandbox::PrepareSandboxedProcess(base::ProcessId pid) { | |
78 read_fd_.reset(); | |
79 | |
80 const std::string uid_map_path = base::StringPrintf("/proc/%d/uid_map", pid); | |
81 const std::string gid_map_path = base::StringPrintf("/proc/%d/gid_map", pid); | |
82 NamespaceUtils::WriteToIdMapFile(uid_map_path.c_str(), getuid()); | |
83 NamespaceUtils::WriteToIdMapFile(gid_map_path.c_str(), getgid()); | |
84 | |
85 PCHECK(HANDLE_EINTR(write(write_fd_.get(), &kPipeValue, 1)) == 1); | |
86 write_fd_.reset(); | |
87 } | |
88 | |
89 bool NamespaceSandbox::InNewUserNamespace() { | |
90 return getenv(kSandboxUSERNSEnvironmentVarName) != nullptr; | |
91 } | |
92 | |
93 bool NamespaceSandbox::InNewPidNamespace() { | |
94 return getenv(kSandboxPIDNSEnvironmentVarName) != nullptr; | |
95 } | |
96 | |
97 bool NamespaceSandbox::InNewNetNamespace() { | |
98 return getenv(kSandboxNETNSEnvironmentVarName) != nullptr; | |
99 } | |
100 | |
101 NamespaceSandbox::ReadFromPipeDelegate::ReadFromPipeDelegate() : fd_(-1) { | |
102 } | |
103 | |
104 NamespaceSandbox::ReadFromPipeDelegate::~ReadFromPipeDelegate() { | |
105 } | |
106 | |
107 void NamespaceSandbox::ReadFromPipeDelegate::RunAsyncSafe() { | |
108 char c; | |
109 RAW_CHECK(HANDLE_EINTR(read(fd_, &c, 1)) == 1); | |
110 RAW_CHECK(IGNORE_EINTR(close(fd_)) == 0); | |
111 RAW_CHECK(c == kPipeValue); | |
112 } | |
113 | |
114 void NamespaceSandbox::ReadFromPipeDelegate::set_fd(int fd) { | |
115 fd_ = fd; | |
116 } | |
117 | |
118 } // namespace sandbox | |
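Review bot: In PrepareSandboxedProcess (lines 82–83) the results of the two NamespaceUtils::WriteToIdMapFile calls are discarded, yet the byte that releases the child from RunAsyncSafe is written on line 85 unconditionally, so a failed map write leaves the child running in a user namespace with no uid/gid mapping while the parent carries on as if setup succeeded. Since the rest of the function already CHECKs its syscalls, the same treatment fits here: `CHECK(NamespaceUtils::WriteToIdMapFile(uid_map_path.c_str(), getuid()));` and `CHECK(NamespaceUtils::WriteToIdMapFile(gid_map_path.c_str(), getgid()));` — assuming the helper reports success through its return value, which namespace_utils.h should confirm. A second, documentation-only point: SetupLaunchOptions stores `&read_from_pipe_delegate_` and `read_fd_.get()` into the caller's LaunchOptions, so a header comment such as `// The NamespaceSandbox must outlive the LaunchProcess call that consumes |options|; PrepareSandboxedProcess() must then be called with the child's pid to release it.` would pin down the lifetime and ordering the pipe handshake depends on. The class declaration itself is outside this file, so that comment belongs in namespace_sandbox.h.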