| Index: sandbox/linux/services/namespace_sandbox.cc
|
| diff --git a/sandbox/linux/services/namespace_sandbox.cc b/sandbox/linux/services/namespace_sandbox.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..2c48840d057efb0a2afdd27c910b13a7c00d1b6c
|
| --- /dev/null
|
| +++ b/sandbox/linux/services/namespace_sandbox.cc
|
| @@ -0,0 +1,144 @@
|
| +// Copyright 2015 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include "sandbox/linux/services/namespace_sandbox.h"
|
| +
|
| +#include <sched.h>
|
| +#include <stdlib.h>
|
| +#include <sys/socket.h>
|
| +#include <sys/types.h>
|
| +#include <unistd.h>
|
| +
|
| +#include <string>
|
| +#include <utility>
|
| +
|
| +#include "base/bind.h"
|
| +#include "base/command_line.h"
|
| +#include "base/environment.h"
|
| +#include "base/files/scoped_file.h"
|
| +#include "base/logging.h"
|
| +#include "base/posix/eintr_wrapper.h"
|
| +#include "base/process/launch.h"
|
| +#include "base/process/process.h"
|
| +#include "base/strings/stringprintf.h"
|
| +#include "sandbox/linux/services/namespace_utils.h"
|
| +
|
| +namespace sandbox {
|
| +
|
| +namespace {
|
| +const char kPipeValue = '\xcc';
|
| +
|
| +class BlockOnPipeDelegate : public base::LaunchOptions::PreExecDelegate {
|
| + public:
|
| + explicit BlockOnPipeDelegate(int fd) : fd_(fd) {}
|
| +
|
| + ~BlockOnPipeDelegate() override {}
|
| +
|
| + void RunAsyncSafe() override {
|
| + char c;
|
| + RAW_CHECK(HANDLE_EINTR(read(fd_, &c, 1)) == 1);
|
| + RAW_CHECK(IGNORE_EINTR(close(fd_)) == 0);
|
| + RAW_CHECK(c == kPipeValue);
|
| + }
|
| +
|
| + private:
|
| + int fd_;
|
| + DISALLOW_COPY_AND_ASSIGN(BlockOnPipeDelegate);
|
| +};
|
| +
|
| +void SetEnvironForNamespaceType(base::EnvironmentMap* environ,
|
| + base::NativeEnvironmentString env_var,
|
| + bool value) {
|
| + // An empty string causes the env var to be unset in the child process.
|
| + (*environ)[env_var] = value ? "1" : "";
|
| +}
|
| +
|
| +const char kSandboxUSERNSEnvironmentVarName[] = "SBX_USER_NS";
|
| +const char kSandboxPIDNSEnvironmentVarName[] = "SBX_PID_NS";
|
| +const char kSandboxNETNSEnvironmentVarName[] = "SBX_NET_NS";
|
| +
|
| +} // namespace
|
| +
|
| +NamespaceSandbox::NamespaceSandbox() : launch_called_(false) {
|
| +}
|
| +
|
| +NamespaceSandbox::~NamespaceSandbox() {
|
| +}
|
| +
|
| +void NamespaceSandbox::AddFdMapping(int from_fd, int to_fd) {
|
| + fds_to_remap_.push_back(std::make_pair(from_fd, to_fd));
|
| +}
|
| +
|
| +base::Process NamespaceSandbox::Launch(const base::CommandLine& cmdline) {
|
| + CHECK(!launch_called_) << "NamespaceSandbox may only be used once.";
|
| + launch_called_ = true;
|
| +
|
| + int clone_flags = 0;
|
| + int ns_types[] = {CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET};
|
| + for (const int ns_type : ns_types) {
|
| + if (NamespaceUtils::KernelSupportsUnprivilegedNamespace(ns_type)) {
|
| + clone_flags |= ns_type;
|
| + }
|
| + }
|
| + CHECK(clone_flags & CLONE_NEWUSER);
|
| +
|
| + int fds[2];
|
| + PCHECK(socketpair(AF_UNIX, SOCK_STREAM, 0, fds) == 0);
|
| + PCHECK(shutdown(fds[0], SHUT_WR) == 0);
|
| + PCHECK(shutdown(fds[1], SHUT_RD) == 0);
|
| + base::ScopedFD read_fd(fds[0]);
|
| + base::ScopedFD write_fd(fds[1]);
|
| +
|
| + fds_to_remap_.push_back(std::make_pair(read_fd.get(), read_fd.get()));
|
| +
|
| + BlockOnPipeDelegate block_on_pipe_delegate(read_fd.get());
|
| + launch_options_.pre_exec_delegate = &block_on_pipe_delegate;
|
| + launch_options_.fds_to_remap = &fds_to_remap_;
|
| + launch_options_.clone_flags = clone_flags;
|
| +
|
| + const std::pair<int, const char*> clone_flag_environ[] = {
|
| + std::make_pair(CLONE_NEWUSER, kSandboxUSERNSEnvironmentVarName),
|
| + std::make_pair(CLONE_NEWPID, kSandboxPIDNSEnvironmentVarName),
|
| + std::make_pair(CLONE_NEWNET, kSandboxNETNSEnvironmentVarName),
|
| + };
|
| +
|
| + base::EnvironmentMap* environ = &launch_options_.environ;
|
| + for (const auto& entry : clone_flag_environ) {
|
| + const int flag = entry.first;
|
| + const char* environ_name = entry.second;
|
| + SetEnvironForNamespaceType(environ, environ_name, clone_flags & flag);
|
| + }
|
| +
|
| + base::Process process = base::LaunchProcess(cmdline, launch_options_);
|
| + read_fd.reset();
|
| +
|
| + if (process.IsValid()) {
|
| + WriteUidGidMapAndUnblockProcess(process.Pid(), write_fd.Pass());
|
| + }
|
| +
|
| + return process.Pass();
|
| +}
|
| +
|
| +void NamespaceSandbox::WriteUidGidMapAndUnblockProcess(pid_t pid,
|
| + base::ScopedFD fd) {
|
| + const std::string uid_map_path = base::StringPrintf("/proc/%d/uid_map", pid);
|
| + const std::string gid_map_path = base::StringPrintf("/proc/%d/gid_map", pid);
|
| + CHECK(NamespaceUtils::WriteToIdMapFile(uid_map_path.c_str(), getuid()));
|
| + CHECK(NamespaceUtils::WriteToIdMapFile(gid_map_path.c_str(), getgid()));
|
| + PCHECK(HANDLE_EINTR(send(fd.get(), &kPipeValue, 1, MSG_NOSIGNAL)) == 1);
|
| +}
|
| +
|
| +bool NamespaceSandbox::InNewUserNamespace() {
|
| + return getenv(kSandboxUSERNSEnvironmentVarName) != nullptr;
|
| +}
|
| +
|
| +bool NamespaceSandbox::InNewPidNamespace() {
|
| + return getenv(kSandboxPIDNSEnvironmentVarName) != nullptr;
|
| +}
|
| +
|
| +bool NamespaceSandbox::InNewNetNamespace() {
|
| + return getenv(kSandboxNETNSEnvironmentVarName) != nullptr;
|
| +}
|
| +
|
| +} // namespace sandbox
|
|
|
Chromium Code Reviews
Issue 881733002:
Add namespace sandbox class. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master