OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/services/credentials.h" | 5 #include "sandbox/linux/services/credentials.h" |
6 | 6 |
| 7 #include <dirent.h> |
7 #include <errno.h> | 8 #include <errno.h> |
| 9 #include <fcntl.h> |
8 #include <stdio.h> | 10 #include <stdio.h> |
9 #include <sys/capability.h> | 11 #include <sys/capability.h> |
| 12 #include <sys/stat.h> |
| 13 #include <sys/types.h> |
10 #include <unistd.h> | 14 #include <unistd.h> |
11 | 15 |
12 #include "base/basictypes.h" | 16 #include "base/basictypes.h" |
13 #include "base/bind.h" | 17 #include "base/bind.h" |
14 #include "base/logging.h" | 18 #include "base/logging.h" |
15 #include "base/strings/string_number_conversions.h" | 19 #include "base/strings/string_number_conversions.h" |
16 #include "base/template_util.h" | 20 #include "base/template_util.h" |
17 #include "base/threading/thread.h" | 21 #include "base/threading/thread.h" |
18 | 22 |
19 namespace { | 23 namespace { |
(...skipping 22 matching lines...) Expand all Loading... |
42 inline void operator()(FILE* f) const { | 46 inline void operator()(FILE* f) const { |
43 DCHECK(f); | 47 DCHECK(f); |
44 PCHECK(0 == fclose(f)); | 48 PCHECK(0 == fclose(f)); |
45 } | 49 } |
46 }; | 50 }; |
47 | 51 |
48 // Don't use ScopedFILE in base/file_util.h since it doesn't check fclose(). | 52 // Don't use ScopedFILE in base/file_util.h since it doesn't check fclose(). |
49 // TODO(jln): fix base/. | 53 // TODO(jln): fix base/. |
50 typedef scoped_ptr<FILE, FILECloser> ScopedFILE; | 54 typedef scoped_ptr<FILE, FILECloser> ScopedFILE; |
51 | 55 |
| 56 struct DIRCloser { |
| 57 void operator()(DIR* d) const { |
| 58 DCHECK(d); |
| 59 PCHECK(0 == closedir(d)); |
| 60 } |
| 61 }; |
| 62 |
| 63 typedef scoped_ptr<DIR, DIRCloser> ScopedDIR; |
| 64 |
52 COMPILE_ASSERT((base::is_same<uid_t, gid_t>::value), UidAndGidAreSameType); | 65 COMPILE_ASSERT((base::is_same<uid_t, gid_t>::value), UidAndGidAreSameType); |
53 // generic_id_t can be used for either uid_t or gid_t. | 66 // generic_id_t can be used for either uid_t or gid_t. |
54 typedef uid_t generic_id_t; | 67 typedef uid_t generic_id_t; |
55 | 68 |
56 // Write a uid or gid mapping from |id| to |id| in |map_file|. | 69 // Write a uid or gid mapping from |id| to |id| in |map_file|. |
57 bool WriteToIdMapFile(const char* map_file, generic_id_t id) { | 70 bool WriteToIdMapFile(const char* map_file, generic_id_t id) { |
58 ScopedFILE f(fopen(map_file, "w")); | 71 ScopedFILE f(fopen(map_file, "w")); |
59 PCHECK(f); | 72 PCHECK(f); |
60 const uid_t inside_id = id; | 73 const uid_t inside_id = id; |
61 const uid_t outside_id = id; | 74 const uid_t outside_id = id; |
(...skipping 74 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
136 } // namespace. | 149 } // namespace. |
137 | 150 |
138 namespace sandbox { | 151 namespace sandbox { |
139 | 152 |
140 Credentials::Credentials() { | 153 Credentials::Credentials() { |
141 } | 154 } |
142 | 155 |
143 Credentials::~Credentials() { | 156 Credentials::~Credentials() { |
144 } | 157 } |
145 | 158 |
| 159 bool Credentials::HasOpenDirectory(int proc_fd) { |
| 160 int proc_self_fd = -1; |
| 161 if (proc_fd >= 0) { |
| 162 proc_self_fd = openat(proc_fd, "self/fd", O_DIRECTORY | O_RDONLY); |
| 163 } else { |
| 164 proc_self_fd = openat(AT_FDCWD, "/proc/self/fd", O_DIRECTORY | O_RDONLY); |
| 165 if (proc_self_fd < 0) { |
| 166 // If not available, guess false. |
| 167 // TODO(mostynb@opera.com): add a CHECK_EQ(ENOENT, errno); Figure out what |
| 168 // other situations are here. http://crbug.com/314985 |
| 169 return false; |
| 170 } |
| 171 } |
| 172 CHECK_GE(proc_self_fd, 0); |
| 173 |
| 174 // Ownership of proc_self_fd is transferred here, it must not be closed |
| 175 // or modified afterwards except via dir. |
| 176 ScopedDIR dir(fdopendir(proc_self_fd)); |
| 177 CHECK(dir); |
| 178 |
| 179 struct dirent e; |
| 180 struct dirent* de; |
| 181 while (!readdir_r(dir.get(), &e, &de) && de) { |
| 182 if (strcmp(e.d_name, ".") == 0 || strcmp(e.d_name, "..") == 0) { |
| 183 continue; |
| 184 } |
| 185 |
| 186 int fd_num; |
| 187 CHECK(base::StringToInt(e.d_name, &fd_num)); |
| 188 if (fd_num == proc_fd || fd_num == proc_self_fd) { |
| 189 continue; |
| 190 } |
| 191 |
| 192 struct stat s; |
| 193 // It's OK to use proc_self_fd here, fstatat won't modify it. |
| 194 CHECK(fstatat(proc_self_fd, e.d_name, &s, 0) == 0); |
| 195 if (S_ISDIR(s.st_mode)) { |
| 196 return true; |
| 197 } |
| 198 } |
| 199 |
| 200 // No open unmanaged directories found. |
| 201 return false; |
| 202 } |
| 203 |
146 bool Credentials::DropAllCapabilities() { | 204 bool Credentials::DropAllCapabilities() { |
147 ScopedCap cap(cap_init()); | 205 ScopedCap cap(cap_init()); |
148 CHECK(cap); | 206 CHECK(cap); |
149 PCHECK(0 == cap_set_proc(cap.get())); | 207 PCHECK(0 == cap_set_proc(cap.get())); |
150 // We never let this function fail. | 208 // We never let this function fail. |
151 return true; | 209 return true; |
152 } | 210 } |
153 | 211 |
154 bool Credentials::HasAnyCapability() const { | 212 bool Credentials::HasAnyCapability() const { |
155 ScopedCap current_cap(cap_get_proc()); | 213 ScopedCap current_cap(cap_get_proc()); |
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
192 DCHECK(GetRESIds(NULL, NULL)); | 250 DCHECK(GetRESIds(NULL, NULL)); |
193 const char kGidMapFile[] = "/proc/self/gid_map"; | 251 const char kGidMapFile[] = "/proc/self/gid_map"; |
194 const char kUidMapFile[] = "/proc/self/uid_map"; | 252 const char kUidMapFile[] = "/proc/self/uid_map"; |
195 CHECK(WriteToIdMapFile(kGidMapFile, gid)); | 253 CHECK(WriteToIdMapFile(kGidMapFile, gid)); |
196 CHECK(WriteToIdMapFile(kUidMapFile, uid)); | 254 CHECK(WriteToIdMapFile(kUidMapFile, uid)); |
197 DCHECK(GetRESIds(NULL, NULL)); | 255 DCHECK(GetRESIds(NULL, NULL)); |
198 return true; | 256 return true; |
199 } | 257 } |
200 | 258 |
201 bool Credentials::DropFileSystemAccess() { | 259 bool Credentials::DropFileSystemAccess() { |
| 260 // Chrooting to a safe empty dir will only be safe if no directory file |
| 261 // descriptor is available to the process. |
| 262 DCHECK(!HasOpenDirectory(-1)); |
202 return ChrootToSafeEmptyDir(); | 263 return ChrootToSafeEmptyDir(); |
203 } | 264 } |
204 | 265 |
205 } // namespace sandbox. | 266 } // namespace sandbox. |
OLD | NEW |