Roll Chrome into Mojo.

sandbox/linux/services/credentials.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/services/credentials.h"
 
 #include <errno.h>
 #include <signal.h>
 #include <stdio.h>
 #include <sys/capability.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 
 #include "base/basictypes.h"
 #include "base/bind.h"
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/logging.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/process/launch.h"
 #include "base/template_util.h"
 #include "base/third_party/valgrind/valgrind.h"
+#include "sandbox/linux/services/namespace_utils.h"
 #include "sandbox/linux/services/syscall_wrappers.h"
 
+namespace sandbox {
+
 namespace {
 
 bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; }
 
 struct CapFreeDeleter {
   inline void operator()(cap_t cap) const {
     int ret = cap_free(cap);
     CHECK_EQ(0, ret);
   }
 };
 
 // Wrapper to manage libcap2's cap_t type.
 typedef scoped_ptr<typeof(*((cap_t)0)), CapFreeDeleter> ScopedCap;
 
 struct CapTextFreeDeleter {
   inline void operator()(char* cap_text) const {
     int ret = cap_free(cap_text);
     CHECK_EQ(0, ret);
   }
 };
 
 // Wrapper to manage the result from libcap2's cap_from_text().
 typedef scoped_ptr<char, CapTextFreeDeleter> ScopedCapText;
 
-struct FILECloser {
-  inline void operator()(FILE* f) const {
-    DCHECK(f);
-    PCHECK(0 == fclose(f));
-  }
-};
-
-// Don't use ScopedFILE in base since it doesn't check fclose().
-// TODO(jln): fix base/.
-typedef scoped_ptr<FILE, FILECloser> ScopedFILE;
-
-static_assert((base::is_same<uid_t, gid_t>::value),
-              "uid_t and gid_t should be the same type");
-// generic_id_t can be used for either uid_t or gid_t.
-typedef uid_t generic_id_t;
-
-// Write a uid or gid mapping from |id| to |id| in |map_file|.
-bool WriteToIdMapFile(const char* map_file, generic_id_t id) {
-  ScopedFILE f(fopen(map_file, "w"));
-  PCHECK(f);
-  const uid_t inside_id = id;
-  const uid_t outside_id = id;
-  int num = fprintf(f.get(), "%d %d 1\n", inside_id, outside_id);
-  if (num < 0) return false;
-  // Manually call fflush() to catch permission failures.
-  int ret = fflush(f.get());
-  if (ret) {
-    VLOG(1) << "Could not write to id map file";
-    return false;
-  }
-  return true;
-}
-
 // Checks that the set of RES-uids and the set of RES-gids have
 // one element each and return that element in |resuid| and |resgid|
 // respectively. It's ok to pass NULL as one or both of the ids.
 bool GetRESIds(uid_t* resuid, gid_t* resgid) {
   uid_t ruid, euid, suid;
   gid_t rgid, egid, sgid;
   PCHECK(getresuid(&ruid, &euid, &suid) == 0);
   PCHECK(getresgid(&rgid, &egid, &sgid) == 0);
   const bool uids_are_equal = (ruid == euid) && (ruid == suid);
   const bool gids_are_equal = (rgid == egid) && (rgid == sgid);
   if (!uids_are_equal || !gids_are_equal) return false;
   if (resuid) *resuid = euid;
   if (resgid) *resgid = egid;
   return true;
 }
 
+const int kExitSuccess = 0;
+
+int ChrootToSelfFdinfo(void*) {
+  RAW_CHECK(chroot("/proc/self/fdinfo/") == 0);
+
+  // CWD is essentially an implicit file descriptor, so be careful to not
+  // leave it behind.
+  RAW_CHECK(chdir("/") == 0);
+  _exit(kExitSuccess);
+}
+
 // chroot() to an empty dir that is "safe". To be safe, it must not contain
 // any subdirectory (chroot-ing there would allow a chroot escape) and it must
 // be impossible to create an empty directory there.
 // We achieve this by doing the following:
 // 1. We create a new process sharing file system information.
 // 2. In the child, we chroot to /proc/self/fdinfo/
 // This is already "safe", since fdinfo/ does not contain another directory and
 // one cannot create another directory there.
 // 3. The process dies
 // After (3) happens, the directory is not available anymore in /proc.
 bool ChrootToSafeEmptyDir() {
-  // We do not use a thread because when we are in a PID namespace, we cannot
-  // easily get a handle to the /proc/tid directory for the thread (since /proc
-  // may not be aware of the PID namespace). With a process, we can just use
-  // /proc/self.
-  pid_t pid = base::ForkWithFlags(SIGCHLD | CLONE_FS, nullptr, nullptr);
+  // We need to chroot to a fdinfo that is unique to a process and have that
+  // process die.
+  // 1. We don't want to simply fork() because duplicating the page tables is
+  // slow with a big address space.
+  // 2. We do not use a regular thread (that would unshare CLONE_FILES) because
+  // when we are in a PID namespace, we cannot easily get a handle to the
+  // /proc/tid directory for the thread (since /proc may not be aware of the
+  // PID namespace). With a process, we can just use /proc/self.
+  pid_t pid = -1;
+  char stack_buf[PTHREAD_STACK_MIN];
+#if defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY) || \
+    defined(ARCH_CPU_MIPS64_FAMILY) || defined(ARCH_CPU_MIPS_FAMILY)
+  // The stack grows downward.
+  void* stack = stack_buf + sizeof(stack_buf);
+#else
+#error "Unsupported architecture"
+#endif
+  pid = clone(ChrootToSelfFdinfo, stack,
+              CLONE_VM | CLONE_VFORK | CLONE_FS | SIGCHLD, nullptr, nullptr,
+              nullptr, nullptr);
   PCHECK(pid != -1);
-  if (pid == 0) {
-    RAW_CHECK(chroot("/proc/self/fdinfo/") == 0);
-
-    // CWD is essentially an implicit file descriptor, so be careful to not
-    // leave it behind.
-    RAW_CHECK(chdir("/") == 0);
-    _exit(0);
-  }
 
   int status = -1;
   PCHECK(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid);
 
-  return status == 0;
+  return kExitSuccess == status;
 }
 
 // CHECK() that an attempt to move to a new user namespace raised an expected
 // errno.
 void CheckCloneNewUserErrno(int error) {
   // EPERM can happen if already in a chroot. EUSERS if too many nested
   // namespaces are used. EINVAL for kernels that don't support the feature.
   // Valgrind will ENOSYS unshare().
   PCHECK(error == EPERM || error == EUSERS || error == EINVAL ||
          error == ENOSYS);
 }
 
 }  // namespace.
 
-namespace sandbox {
-
 bool Credentials::DropAllCapabilities() {
   ScopedCap cap(cap_init());
   CHECK(cap);
   PCHECK(0 == cap_set_proc(cap.get()));
   CHECK(!HasAnyCapability());
   // We never let this function fail.
   return true;
 }
 
 bool Credentials::HasAnyCapability() {
   ScopedCap current_cap(cap_get_proc());
   CHECK(current_cap);
   ScopedCap empty_cap(cap_init());
   CHECK(empty_cap);
   return cap_compare(current_cap.get(), empty_cap.get()) != 0;
 }
 
 scoped_ptr<std::string> Credentials::GetCurrentCapString() {
   ScopedCap current_cap(cap_get_proc());
   CHECK(current_cap);
   ScopedCapText cap_text(cap_to_text(current_cap.get(), NULL));
   CHECK(cap_text);
   return scoped_ptr<std::string> (new std::string(cap_text.get()));
 }
 
 // static
-bool Credentials::SupportsNewUserNS() {
+bool Credentials::CanCreateProcessInNewUserNS() {
   // Valgrind will let clone(2) pass-through, but doesn't support unshare(),
   // so always consider UserNS unsupported there.
   if (IsRunningOnValgrind()) {
     return false;
   }
 
   // This is roughly a fork().
   const pid_t pid = sys_clone(CLONE_NEWUSER | SIGCHLD, 0, 0, 0, 0);
 
   if (pid == -1) {
@@ skipping 32 matching lines @@
             << "on this kernel.";
     CheckCloneNewUserErrno(unshare_errno);
     return false;
   }
 
   // The current {r,e,s}{u,g}id is now an overflow id (c.f.
   // /proc/sys/kernel/overflowuid). Setup the uid and gid maps.
   DCHECK(GetRESIds(NULL, NULL));
   const char kGidMapFile[] = "/proc/self/gid_map";
   const char kUidMapFile[] = "/proc/self/uid_map";
-  CHECK(WriteToIdMapFile(kGidMapFile, gid));
-  CHECK(WriteToIdMapFile(kUidMapFile, uid));
+  CHECK(NamespaceUtils::WriteToIdMapFile(kGidMapFile, gid));
+  CHECK(NamespaceUtils::WriteToIdMapFile(kUidMapFile, uid));
   DCHECK(GetRESIds(NULL, NULL));
   return true;
 }
 
 bool Credentials::DropFileSystemAccess() {
   CHECK(ChrootToSafeEmptyDir());
   CHECK(!base::DirectoryExists(base::FilePath("/proc")));
   // We never let this function fail.
   return true;
 }
 
 }  // namespace sandbox.