Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(141)

Unified Diff: sandbox/linux/services/namespace_sandbox.cc

Issue 881733002: Add namespace sandbox class. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Nested namespace sandboxes aren't supported. Created 5 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: sandbox/linux/services/namespace_sandbox.cc
diff --git a/sandbox/linux/services/namespace_sandbox.cc b/sandbox/linux/services/namespace_sandbox.cc
new file mode 100644
index 0000000000000000000000000000000000000000..2c48840d057efb0a2afdd27c910b13a7c00d1b6c
--- /dev/null
+++ b/sandbox/linux/services/namespace_sandbox.cc
@@ -0,0 +1,144 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/linux/services/namespace_sandbox.h"
+
+#include <sched.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <string>
+#include <utility>
+
+#include "base/bind.h"
+#include "base/command_line.h"
+#include "base/environment.h"
+#include "base/files/scoped_file.h"
+#include "base/logging.h"
+#include "base/posix/eintr_wrapper.h"
+#include "base/process/launch.h"
+#include "base/process/process.h"
+#include "base/strings/stringprintf.h"
+#include "sandbox/linux/services/namespace_utils.h"
+
+namespace sandbox {
+
+namespace {
+const char kPipeValue = '\xcc';
+
+class BlockOnPipeDelegate : public base::LaunchOptions::PreExecDelegate {
+ public:
+ explicit BlockOnPipeDelegate(int fd) : fd_(fd) {}
+
+ ~BlockOnPipeDelegate() override {}
+
+ void RunAsyncSafe() override {
+ char c;
+ RAW_CHECK(HANDLE_EINTR(read(fd_, &c, 1)) == 1);
+ RAW_CHECK(IGNORE_EINTR(close(fd_)) == 0);
+ RAW_CHECK(c == kPipeValue);
+ }
+
+ private:
+ int fd_;
+ DISALLOW_COPY_AND_ASSIGN(BlockOnPipeDelegate);
+};
+
+void SetEnvironForNamespaceType(base::EnvironmentMap* environ,
+ base::NativeEnvironmentString env_var,
+ bool value) {
+ // An empty string causes the env var to be unset in the child process.
+ (*environ)[env_var] = value ? "1" : "";
+}
+
+const char kSandboxUSERNSEnvironmentVarName[] = "SBX_USER_NS";
+const char kSandboxPIDNSEnvironmentVarName[] = "SBX_PID_NS";
+const char kSandboxNETNSEnvironmentVarName[] = "SBX_NET_NS";
+
+} // namespace
+
+NamespaceSandbox::NamespaceSandbox() : launch_called_(false) {
+}
+
+NamespaceSandbox::~NamespaceSandbox() {
+}
+
+void NamespaceSandbox::AddFdMapping(int from_fd, int to_fd) {
+ fds_to_remap_.push_back(std::make_pair(from_fd, to_fd));
+}
+
+base::Process NamespaceSandbox::Launch(const base::CommandLine& cmdline) {
+ CHECK(!launch_called_) << "NamespaceSandbox may only be used once.";
+ launch_called_ = true;
+
+ int clone_flags = 0;
+ int ns_types[] = {CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET};
+ for (const int ns_type : ns_types) {
+ if (NamespaceUtils::KernelSupportsUnprivilegedNamespace(ns_type)) {
+ clone_flags |= ns_type;
+ }
+ }
+ CHECK(clone_flags & CLONE_NEWUSER);
+
+ int fds[2];
+ PCHECK(socketpair(AF_UNIX, SOCK_STREAM, 0, fds) == 0);
+ PCHECK(shutdown(fds[0], SHUT_WR) == 0);
+ PCHECK(shutdown(fds[1], SHUT_RD) == 0);
+ base::ScopedFD read_fd(fds[0]);
+ base::ScopedFD write_fd(fds[1]);
+
+ fds_to_remap_.push_back(std::make_pair(read_fd.get(), read_fd.get()));
+
+ BlockOnPipeDelegate block_on_pipe_delegate(read_fd.get());
+ launch_options_.pre_exec_delegate = &block_on_pipe_delegate;
+ launch_options_.fds_to_remap = &fds_to_remap_;
+ launch_options_.clone_flags = clone_flags;
+
+ const std::pair<int, const char*> clone_flag_environ[] = {
+ std::make_pair(CLONE_NEWUSER, kSandboxUSERNSEnvironmentVarName),
+ std::make_pair(CLONE_NEWPID, kSandboxPIDNSEnvironmentVarName),
+ std::make_pair(CLONE_NEWNET, kSandboxNETNSEnvironmentVarName),
+ };
+
+ base::EnvironmentMap* environ = &launch_options_.environ;
+ for (const auto& entry : clone_flag_environ) {
+ const int flag = entry.first;
+ const char* environ_name = entry.second;
+ SetEnvironForNamespaceType(environ, environ_name, clone_flags & flag);
+ }
+
+ base::Process process = base::LaunchProcess(cmdline, launch_options_);
+ read_fd.reset();
+
+ if (process.IsValid()) {
+ WriteUidGidMapAndUnblockProcess(process.Pid(), write_fd.Pass());
+ }
+
+ return process.Pass();
+}
+
+void NamespaceSandbox::WriteUidGidMapAndUnblockProcess(pid_t pid,
+ base::ScopedFD fd) {
+ const std::string uid_map_path = base::StringPrintf("/proc/%d/uid_map", pid);
+ const std::string gid_map_path = base::StringPrintf("/proc/%d/gid_map", pid);
+ CHECK(NamespaceUtils::WriteToIdMapFile(uid_map_path.c_str(), getuid()));
+ CHECK(NamespaceUtils::WriteToIdMapFile(gid_map_path.c_str(), getgid()));
+ PCHECK(HANDLE_EINTR(send(fd.get(), &kPipeValue, 1, MSG_NOSIGNAL)) == 1);
+}
+
+bool NamespaceSandbox::InNewUserNamespace() {
+ return getenv(kSandboxUSERNSEnvironmentVarName) != nullptr;
+}
+
+bool NamespaceSandbox::InNewPidNamespace() {
+ return getenv(kSandboxPIDNSEnvironmentVarName) != nullptr;
+}
+
+bool NamespaceSandbox::InNewNetNamespace() {
+ return getenv(kSandboxNETNSEnvironmentVarName) != nullptr;
+}
+
+} // namespace sandbox

Powered by Google App Engine
This is Rietveld 408576698