sandbox/linux/suid/sandbox.c - Issue 197213015: [Linux] Use PR_SET_NO_NEW_PRIVS by default in base/process/launch.h.

Side by Side Diff: sandbox/linux/suid/sandbox.c

Issue 197213015: [Linux] Use PR_SET_NO_NEW_PRIVS by default in base/process/launch.h. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Address jln's comments Created 6 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 // http://code.google.com/p/chromium/wiki/LinuxSUIDSandbox	5 // http://code.google.com/p/chromium/wiki/LinuxSUIDSandbox

6	6

7 #include "common/sandbox.h"	7 #include "common/sandbox.h"

8	8

9 #define _GNU_SOURCE	9 #define _GNU_SOURCE

10 #include <asm/unistd.h>	10 #include <asm/unistd.h>

(...skipping 285 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
296	296

297 break;	297 break;

298 }	298 }

299	299

300 // If EINVAL then the system doesn't support the requested flags, so	300 // If EINVAL then the system doesn't support the requested flags, so

301 // continue to try a different set.	301 // continue to try a different set.

302 // On any other errno value the system does support these flags but	302 // On any other errno value the system does support these flags but

303 // something went wrong, hence we bail with an error message rather then	303 // something went wrong, hence we bail with an error message rather then

304 // provide less security.	304 // provide less security.

305 if (errno != EINVAL) {	305 if (errno != EINVAL) {

	306 fprintf(stderr, "Failed to move to new namespace:");

306 if (kCloneExtraFlags[i] & CLONE_NEWPID) {	307 if (kCloneExtraFlags[i] & CLONE_NEWPID) {

307 fprintf(stderr, " PID namespaces supported");	308 fprintf(stderr, " PID namespaces supported,");

308 }	309 }

309 if (kCloneExtraFlags[i] & CLONE_NEWNET) {	310 if (kCloneExtraFlags[i] & CLONE_NEWNET) {

310 fprintf(stderr, " Network namespace supported");	311 fprintf(stderr, " Network namespace supported,");

311 }	312 }

312 fprintf(stderr, "but failed: errno = %s\n", strerror(clone_errno));	313 fprintf(stderr, " but failed: errno = %s\n", strerror(clone_errno));

313 return false;	314 return false;

314 }	315 }

315 }	316 }

316	317

317 // If the system doesn't support NEWPID then we carry on anyway.	318 // If the system doesn't support NEWPID then we carry on anyway.

318 return true;	319 return true;

319 }	320 }

320	321

321 static bool DropRoot() {	322 static bool DropRoot() {

322 if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)) {	323 if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)) {

(...skipping 156 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
479 !endptr \|\| *endptr \|\| errno != 0)	480 !endptr \|\| *endptr \|\| errno != 0)

480 return 1;	481 return 1;

481 return AdjustOOMScore(pid, score);	482 return AdjustOOMScore(pid, score);

482 }	483 }

483	484

484 // Protect the core setuid sandbox functionality with an API version	485 // Protect the core setuid sandbox functionality with an API version

485 if (!CheckAndExportApiVersion()) {	486 if (!CheckAndExportApiVersion()) {

486 return 1;	487 return 1;

487 }	488 }

488	489

	490 if (geteuid() != 0) {

	491 fprintf(stderr, "The setuid sandbox is not running as root. Did the parent "
	jln (very slow on Chromium) 2014/04/02 19:06:55 Nit: s/the parent/a parent/ ? Nit: s/the parent/a parent/ ? Robert Sesek 2014/04/02 19:57:05 Done. Show quoted text On 2014/04/02 19:06:55, jln wrote: > Nit: s/the parent/a parent/ ? Done.
	492 "process prctl(PR_SET_NO_NEW_PRIVS, ...)?\n");
	jln (very slow on Chromium) 2014/04/02 19:06:55 Could you add something such as: "Are you using a Could you add something such as: "Are you using a debugger?" (which is the most common case for this problem). Robert Sesek 2014/04/02 19:57:05 Done. Show quoted text On 2014/04/02 19:06:55, jln wrote: > Could you add something such as: "Are you using a debugger?" (which is the most > common case for this problem). Done.
	493 }

	494

489 if (!MoveToNewNamespaces())	495 if (!MoveToNewNamespaces())

490 return 1;	496 return 1;

491 if (!SpawnChrootHelper())	497 if (!SpawnChrootHelper())

492 return 1;	498 return 1;

493 if (!DropRoot())	499 if (!DropRoot())

494 return 1;	500 return 1;

495 if (!SetupChildEnvironment())	501 if (!SetupChildEnvironment())

496 return 1;	502 return 1;

497	503

498 execv(argv[1], &argv[1]);	504 execv(argv[1], &argv[1]);

499 FatalError("execv failed");	505 FatalError("execv failed");

500	506

501 return 1;	507 return 1;

502 }	508 }

OLD	NEW

« no previous file with comments | « content/browser/zygote_host/zygote_host_impl_linux.cc ('k') | no next file » | no next file with comments »