OLD | NEW |
---|---|
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/services/credentials.h" | 5 #include "sandbox/linux/services/credentials.h" |
6 | 6 |
7 #include <stdio.h> | 7 #include <stdio.h> |
8 #include <sys/capability.h> | 8 #include <sys/capability.h> |
9 | 9 |
10 #include "base/basictypes.h" | 10 #include "base/basictypes.h" |
11 #include "base/bind.h" | |
11 #include "base/logging.h" | 12 #include "base/logging.h" |
13 #include "base/strings/string_number_conversions.h" | |
14 #include "base/template_util.h" | |
15 #include "base/threading/thread.h" | |
12 | 16 |
13 namespace { | 17 namespace { |
14 | 18 |
15 struct CapFreeDeleter { | 19 struct CapFreeDeleter { |
16 inline void operator()(cap_t cap) const { | 20 inline void operator()(cap_t cap) const { |
17 int ret = cap_free(cap); | 21 int ret = cap_free(cap); |
18 CHECK_EQ(0, ret); | 22 CHECK_EQ(0, ret); |
19 } | 23 } |
20 }; | 24 }; |
21 | 25 |
22 // Wrapper to manage libcap2's cap_t type. | 26 // Wrapper to manage libcap2's cap_t type. |
23 typedef scoped_ptr<typeof(*((cap_t)0)), CapFreeDeleter> ScopedCap; | 27 typedef scoped_ptr<typeof(*((cap_t)0)), CapFreeDeleter> ScopedCap; |
24 | 28 |
25 struct CapTextFreeDeleter { | 29 struct CapTextFreeDeleter { |
26 inline void operator()(char* cap_text) const { | 30 inline void operator()(char* cap_text) const { |
27 int ret = cap_free(cap_text); | 31 int ret = cap_free(cap_text); |
28 CHECK_EQ(0, ret); | 32 CHECK_EQ(0, ret); |
29 } | 33 } |
30 }; | 34 }; |
31 | 35 |
32 // Wrapper to manage the result from libcap2's cap_from_text(). | 36 // Wrapper to manage the result from libcap2's cap_from_text(). |
33 typedef scoped_ptr<char, CapTextFreeDeleter> ScopedCapText; | 37 typedef scoped_ptr<char, CapTextFreeDeleter> ScopedCapText; |
34 | 38 |
39 struct FILECloser { | |
40 inline void operator()(FILE* f) const { | |
41 DCHECK(f); | |
42 PCHECK(0 == fclose(f)); | |
43 } | |
44 }; | |
45 | |
46 // Don't use ScopedFILE in base/file_util.h since it doesn't check fclose(). | |
47 // TODO(jln): fix base/. | |
48 typedef scoped_ptr<FILE, FILECloser> ScopedFILE; | |
49 | |
50 COMPILE_ASSERT((base::is_same<uid_t, gid_t>::value), UidAndGidAreSameType); | |
51 // generic_id_t can be used for either uid_t or gid_t. | |
52 typedef uid_t generic_id_t; | |
53 | |
54 // Write a uid or gid mapping from |id| to |id| in |map_file|. | |
55 bool WriteToIdMapFile(const char* map_file, generic_id_t id) { | |
56 ScopedFILE f(fopen(map_file, "w")); | |
57 PCHECK(f); | |
58 const uid_t inside_id = id; | |
59 const uid_t outside_id = id; | |
60 int num = fprintf(f.get(), "%d %d 1\n", inside_id, outside_id); | |
61 if (num < 0) return false; | |
62 // Manually call fflush() to catch permission failures. | |
63 int ret = fflush(f.get()); | |
64 if (ret) { | |
65 VLOG(1) << "Could not write to id map file"; | |
66 return false; | |
67 } | |
68 return true; | |
69 } | |
70 | |
71 // Checks that the set of RES-uids and the set of RES-gids have | |
72 // one element each and return that element in |resuid| and |resgid| | |
73 // respecitively. It's ok to pass NULL as one or both of the ids. | |
Jorge Lucangeli Obes
2013/11/05 00:44:51
respectively
jln (very slow on Chromium)
2013/11/05 00:54:42
Done.
| |
74 bool GetRESIds(uid_t* resuid, gid_t* resgid) { | |
75 uid_t ruid, euid, suid; | |
76 gid_t rgid, egid, sgid; | |
77 PCHECK(getresuid(&ruid, &euid, &suid) == 0); | |
78 PCHECK(getresgid(&rgid, &egid, &sgid) == 0); | |
79 const bool uids_are_equal = (ruid == euid) && (ruid == suid); | |
80 const bool gids_are_equal = (rgid == egid) && (rgid == sgid); | |
81 if (!uids_are_equal || !gids_are_equal) return false; | |
82 if (resuid) *resuid = euid; | |
83 if (resgid) *resgid = egid; | |
84 return true; | |
85 } | |
86 | |
87 // chroot() and chdir() to /proc/<tid>/fdinfo. | |
88 void ChrootToThreadFdInfo(base::PlatformThreadId tid, bool* result) { | |
89 DCHECK(result); | |
90 *result = false; | |
91 | |
92 COMPILE_ASSERT((base::is_same<base::PlatformThreadId, int>::value), | |
93 TidIsAnInt); | |
94 const std::string current_thread_fdinfo = "/proc/" + | |
95 base::IntToString(tid) + "/fdinfo/"; | |
96 | |
97 // Make extra sure that /proc/<tid>/fdinfo is unique to the thread. | |
98 CHECK(0 == unshare(CLONE_FILES)); | |
99 int chroot_ret = chroot(current_thread_fdinfo.c_str()); | |
100 if (chroot_ret) { | |
101 PLOG(ERROR) << "Could not chroot"; | |
102 return; | |
103 } | |
104 | |
105 // CWD is essentially an implicit file descriptor, so be careful to not leave | |
106 // it behind. | |
107 PCHECK(0 == chdir("/")); | |
108 | |
109 *result = true; | |
110 return; | |
111 } | |
112 | |
113 // chroot() to an empty dir that is "safe". To be safe, it must not contain | |
114 // any subdirectory (chroot-ing there would allow a chroot escape) and it must | |
115 // be impossible to create an empty directory there. | |
116 // We achieve this by doing the following: | |
117 // 1. We create a new thread, which will create a new /proc/<tid>/ directory | |
118 // 2. We chroot to /proc/<tid>/fdinfo/ | |
119 // This is already "safe", since fdinfo/ does not contain another directory and | |
120 // one cannot create another directory there. | |
121 // 3. The thread dies | |
122 // After (3) happens, the directory is not available anymore in /proc. | |
123 bool ChrootToSafeEmptyDir() { | |
124 base::Thread chrooter("sandbox_chrooter"); | |
125 if (!chrooter.Start()) return false; | |
126 bool is_chrooted = false; | |
127 chrooter.message_loop()->PostTask(FROM_HERE, | |
128 base::Bind(&ChrootToThreadFdInfo, chrooter.thread_id(), &is_chrooted)); | |
129 // Make sure our task has run before committing the return value. | |
130 chrooter.Stop(); | |
131 return is_chrooted; | |
132 } | |
133 | |
35 } // namespace. | 134 } // namespace. |
36 | 135 |
37 namespace sandbox { | 136 namespace sandbox { |
38 | 137 |
39 Credentials::Credentials() { | 138 Credentials::Credentials() { |
40 } | 139 } |
41 | 140 |
42 Credentials::~Credentials() { | 141 Credentials::~Credentials() { |
43 } | 142 } |
44 | 143 |
45 void Credentials::DropAllCapabilities() { | 144 bool Credentials::DropAllCapabilities() { |
46 ScopedCap cap(cap_init()); | 145 ScopedCap cap(cap_init()); |
47 CHECK(cap); | 146 CHECK(cap); |
48 PCHECK(0 == cap_set_proc(cap.get())); | 147 PCHECK(0 == cap_set_proc(cap.get())); |
148 // We never let this function fail. | |
149 return true; | |
49 } | 150 } |
50 | 151 |
51 bool Credentials::HasAnyCapability() { | 152 bool Credentials::HasAnyCapability() const { |
52 ScopedCap current_cap(cap_get_proc()); | 153 ScopedCap current_cap(cap_get_proc()); |
53 CHECK(current_cap); | 154 CHECK(current_cap); |
54 ScopedCap empty_cap(cap_init()); | 155 ScopedCap empty_cap(cap_init()); |
55 CHECK(empty_cap); | 156 CHECK(empty_cap); |
56 return cap_compare(current_cap.get(), empty_cap.get()) != 0; | 157 return cap_compare(current_cap.get(), empty_cap.get()) != 0; |
57 } | 158 } |
58 | 159 |
59 scoped_ptr<std::string> Credentials::GetCurrentCapString() { | 160 scoped_ptr<std::string> Credentials::GetCurrentCapString() const { |
60 ScopedCap current_cap(cap_get_proc()); | 161 ScopedCap current_cap(cap_get_proc()); |
61 CHECK(current_cap); | 162 CHECK(current_cap); |
62 ScopedCapText cap_text(cap_to_text(current_cap.get(), NULL)); | 163 ScopedCapText cap_text(cap_to_text(current_cap.get(), NULL)); |
63 CHECK(cap_text); | 164 CHECK(cap_text); |
64 return scoped_ptr<std::string> (new std::string(cap_text.get())); | 165 return scoped_ptr<std::string> (new std::string(cap_text.get())); |
65 } | 166 } |
66 | 167 |
168 bool Credentials::MoveToNewUserNS() { | |
169 uid_t uid; | |
170 gid_t gid; | |
171 if (!GetRESIds(&uid, &gid)) { | |
172 // If all the uids (or gids) are not equal to each other, the security | |
173 // model will most likely confuse the caller, abort. | |
174 DVLOG(1) << "Uids or Gids differ!"; | |
Jorge Lucangeli Obes
2013/11/05 00:44:51
uids/gids (you were not using caps above).
jln (very slow on Chromium)
2013/11/05 00:54:42
Done.
| |
175 return false; | |
176 } | |
177 int ret = unshare(CLONE_NEWUSER); | |
178 // EPERM can happen if already in a chroot. EUSERS if too many nested | |
179 // namespaces are used. EINVAL for kernels that don't support the feature. | |
180 PCHECK(!ret || errno == EPERM || errno == EUSERS || errno == EINVAL); | |
181 if (ret) { | |
182 VLOG(1) << "Looks like unprivileged CLONE_NEWUSER may not be available " | |
183 << "on this kernel."; | |
184 return false; | |
185 } | |
186 // The current {r,e,s}{u,g}id is now an overflow id (c.f. | |
187 // /proc/sys/kernel/overflowuid). Setup the uid and gid maps. | |
188 DCHECK(GetRESIds(NULL, NULL)); | |
189 const char kGidMapFile[] = "/proc/self/gid_map"; | |
190 const char kUidMapFile[] = "/proc/self/uid_map"; | |
191 CHECK(WriteToIdMapFile(kGidMapFile, gid)); | |
192 CHECK(WriteToIdMapFile(kUidMapFile, uid)); | |
193 DCHECK(GetRESIds(NULL, NULL)); | |
194 return true; | |
195 } | |
196 | |
197 bool Credentials::DropFileSystemAccess() { | |
198 return ChrootToSafeEmptyDir(); | |
199 } | |
200 | |
67 } // namespace sandbox. | 201 } // namespace sandbox. |
OLD | NEW |