Chromium Code Reviews Chromium Code Reviews
Issue 54643010:
Linux: add basic unprivileged namespace support. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/services/credentials.h" | 5 #include "sandbox/linux/services/credentials.h" |
| 6 | 6 |
| 7 #include <stdio.h> | 7 #include <stdio.h> |
| 8 #include <sys/capability.h> | 8 #include <sys/capability.h> |
| 9 | 9 |
| 10 #include "base/basictypes.h" | 10 #include "base/basictypes.h" |
| 11 #include "base/bind.h" | |
| 11 #include "base/logging.h" | 12 #include "base/logging.h" |
| 13 #include "base/strings/string_number_conversions.h" | |
| 14 #include "base/template_util.h" | |
| 15 #include "base/threading/thread.h" | |
| 12 | 16 |
| 13 namespace { | 17 namespace { |
| 14 | 18 |
| 15 struct CapFreeDeleter { | 19 struct CapFreeDeleter { |
| 16 inline void operator()(cap_t cap) const { | 20 inline void operator()(cap_t cap) const { |
| 17 int ret = cap_free(cap); | 21 int ret = cap_free(cap); |
| 18 CHECK_EQ(0, ret); | 22 CHECK_EQ(0, ret); |
| 19 } | 23 } |
| 20 }; | 24 }; |
| 21 | 25 |
| 22 // Wrapper to manage libcap2's cap_t type. | 26 // Wrapper to manage libcap2's cap_t type. |
| 23 typedef scoped_ptr<typeof(*((cap_t)0)), CapFreeDeleter> ScopedCap; | 27 typedef scoped_ptr<typeof(*((cap_t)0)), CapFreeDeleter> ScopedCap; |
| 24 | 28 |
| 25 struct CapTextFreeDeleter { | 29 struct CapTextFreeDeleter { |
| 26 inline void operator()(char* cap_text) const { | 30 inline void operator()(char* cap_text) const { |
| 27 int ret = cap_free(cap_text); | 31 int ret = cap_free(cap_text); |
| 28 CHECK_EQ(0, ret); | 32 CHECK_EQ(0, ret); |
| 29 } | 33 } |
| 30 }; | 34 }; |
| 31 | 35 |
| 32 // Wrapper to manage the result from libcap2's cap_from_text(). | 36 // Wrapper to manage the result from libcap2's cap_from_text(). |
| 33 typedef scoped_ptr<char, CapTextFreeDeleter> ScopedCapText; | 37 typedef scoped_ptr<char, CapTextFreeDeleter> ScopedCapText; |
| 34 | 38 |
| 39 struct FILECloser { | |
| 40 inline void operator()(FILE* f) const { | |
| 41 DCHECK(f); | |
| 42 PCHECK(0 == fclose(f)); | |
| 43 } | |
| 44 }; | |
| 45 | |
| 46 // Don't use ScopedFILE in base/file_util.h since it doesn't check fclose(). | |
| 47 // TODO(jln): fix base/. | |
| 48 typedef scoped_ptr<FILE, FILECloser> ScopedFILE; | |
| 49 | |
| 50 COMPILE_ASSERT((base::is_same<uid_t, gid_t>::value), UidAndGidAreSameType); | |
| 51 // generic_id_t can be used for either uid_t or gid_t. | |
| 52 typedef uid_t generic_id_t; | |
| 53 | |
| 54 // Write a uid or gid mapping from |id| to |id| in |map_file|. | |
| 55 bool WriteToIdMapFile(const char* map_file, generic_id_t id) { | |
| 56 ScopedFILE f(fopen(map_file, "w")); | |
| 57 PCHECK(f); | |
| 58 const uid_t inside_id = id; | |
| 59 const uid_t outside_id = id; | |
| 60 int num = fprintf(f.get(), "%d %d 1\n", inside_id, outside_id); | |
| 61 if (num < 0) return false; | |
| 62 // Manually call fflush() to catch permission failures. | |
| 63 int ret = fflush(f.get()); | |
| 64 if (ret) { | |
| 65 VLOG(1) << "Could not write to id map file"; | |
| 66 return false; | |
| 67 } | |
| 68 return true; | |
| 69 } | |
| 70 | |
| 71 // Checks that the set of RES-uids and the set of RES-gids have | |
| 72 // one element each and return that element in |resuid| and |resgid| | |
| 73 // respecitively. It's ok to pass NULL as one or both of the ids. | |
|
Jorge Lucangeli Obes
2013/11/05 00:44:51
respectively
jln (very slow on Chromium)
2013/11/05 00:54:42
Done.
| |
| 74 bool GetRESIds(uid_t* resuid, gid_t* resgid) { | |
| 75 uid_t ruid, euid, suid; | |
| 76 gid_t rgid, egid, sgid; | |
| 77 PCHECK(getresuid(&ruid, &euid, &suid) == 0); | |
| 78 PCHECK(getresgid(&rgid, &egid, &sgid) == 0); | |
| 79 const bool uids_are_equal = (ruid == euid) && (ruid == suid); | |
| 80 const bool gids_are_equal = (rgid == egid) && (rgid == sgid); | |
| 81 if (!uids_are_equal || !gids_are_equal) return false; | |
| 82 if (resuid) *resuid = euid; | |
| 83 if (resgid) *resgid = egid; | |
| 84 return true; | |
| 85 } | |
| 86 | |
| 87 // chroot() and chdir() to /proc/<tid>/fdinfo. | |
| 88 void ChrootToThreadFdInfo(base::PlatformThreadId tid, bool* result) { | |
| 89 DCHECK(result); | |
| 90 *result = false; | |
| 91 | |
| 92 COMPILE_ASSERT((base::is_same<base::PlatformThreadId, int>::value), | |
| 93 TidIsAnInt); | |
| 94 const std::string current_thread_fdinfo = "/proc/" + | |
| 95 base::IntToString(tid) + "/fdinfo/"; | |
| 96 | |
| 97 // Make extra sure that /proc/<tid>/fdinfo is unique to the thread. | |
| 98 CHECK(0 == unshare(CLONE_FILES)); | |
| 99 int chroot_ret = chroot(current_thread_fdinfo.c_str()); | |
| 100 if (chroot_ret) { | |
| 101 PLOG(ERROR) << "Could not chroot"; | |
| 102 return; | |
| 103 } | |
| 104 | |
| 105 // CWD is essentially an implicit file descriptor, so be careful to not leave | |
| 106 // it behind. | |
| 107 PCHECK(0 == chdir("/")); | |
| 108 | |
| 109 *result = true; | |
| 110 return; | |
| 111 } | |
| 112 | |
| 113 // chroot() to an empty dir that is "safe". To be safe, it must not contain | |
| 114 // any subdirectory (chroot-ing there would allow a chroot escape) and it must | |
| 115 // be impossible to create an empty directory there. | |
| 116 // We achieve this by doing the following: | |
| 117 // 1. We create a new thread, which will create a new /proc/<tid>/ directory | |
| 118 // 2. We chroot to /proc/<tid>/fdinfo/ | |
| 119 // This is already "safe", since fdinfo/ does not contain another directory and | |
| 120 // one cannot create another directory there. | |
| 121 // 3. The thread dies | |
| 122 // After (3) happens, the directory is not available anymore in /proc. | |
| 123 bool ChrootToSafeEmptyDir() { | |
| 124 base::Thread chrooter("sandbox_chrooter"); | |
| 125 if (!chrooter.Start()) return false; | |
| 126 bool is_chrooted = false; | |
| 127 chrooter.message_loop()->PostTask(FROM_HERE, | |
| 128 base::Bind(&ChrootToThreadFdInfo, chrooter.thread_id(), &is_chrooted)); | |
| 129 // Make sure our task has run before committing the return value. | |
| 130 chrooter.Stop(); | |
| 131 return is_chrooted; | |
| 132 } | |
| 133 | |
| 35 } // namespace. | 134 } // namespace. |
| 36 | 135 |
| 37 namespace sandbox { | 136 namespace sandbox { |
| 38 | 137 |
| 39 Credentials::Credentials() { | 138 Credentials::Credentials() { |
| 40 } | 139 } |
| 41 | 140 |
| 42 Credentials::~Credentials() { | 141 Credentials::~Credentials() { |
| 43 } | 142 } |
| 44 | 143 |
| 45 void Credentials::DropAllCapabilities() { | 144 bool Credentials::DropAllCapabilities() { |
| 46 ScopedCap cap(cap_init()); | 145 ScopedCap cap(cap_init()); |
| 47 CHECK(cap); | 146 CHECK(cap); |
| 48 PCHECK(0 == cap_set_proc(cap.get())); | 147 PCHECK(0 == cap_set_proc(cap.get())); |
| 148 // We never let this function fail. | |
| 149 return true; | |
| 49 } | 150 } |
| 50 | 151 |
| 51 bool Credentials::HasAnyCapability() { | 152 bool Credentials::HasAnyCapability() const { |
| 52 ScopedCap current_cap(cap_get_proc()); | 153 ScopedCap current_cap(cap_get_proc()); |
| 53 CHECK(current_cap); | 154 CHECK(current_cap); |
| 54 ScopedCap empty_cap(cap_init()); | 155 ScopedCap empty_cap(cap_init()); |
| 55 CHECK(empty_cap); | 156 CHECK(empty_cap); |
| 56 return cap_compare(current_cap.get(), empty_cap.get()) != 0; | 157 return cap_compare(current_cap.get(), empty_cap.get()) != 0; |
| 57 } | 158 } |
| 58 | 159 |
| 59 scoped_ptr<std::string> Credentials::GetCurrentCapString() { | 160 scoped_ptr<std::string> Credentials::GetCurrentCapString() const { |
| 60 ScopedCap current_cap(cap_get_proc()); | 161 ScopedCap current_cap(cap_get_proc()); |
| 61 CHECK(current_cap); | 162 CHECK(current_cap); |
| 62 ScopedCapText cap_text(cap_to_text(current_cap.get(), NULL)); | 163 ScopedCapText cap_text(cap_to_text(current_cap.get(), NULL)); |
| 63 CHECK(cap_text); | 164 CHECK(cap_text); |
| 64 return scoped_ptr<std::string> (new std::string(cap_text.get())); | 165 return scoped_ptr<std::string> (new std::string(cap_text.get())); |
| 65 } | 166 } |
| 66 | 167 |
| 168 bool Credentials::MoveToNewUserNS() { | |
| 169 uid_t uid; | |
| 170 gid_t gid; | |
| 171 if (!GetRESIds(&uid, &gid)) { | |
| 172 // If all the uids (or gids) are not equal to each other, the security | |
| 173 // model will most likely confuse the caller, abort. | |
| 174 DVLOG(1) << "Uids or Gids differ!"; | |
|
Jorge Lucangeli Obes
2013/11/05 00:44:51
uids/gids (you were not using caps above).
jln (very slow on Chromium)
2013/11/05 00:54:42
Done.
| |
| 175 return false; | |
| 176 } | |
| 177 int ret = unshare(CLONE_NEWUSER); | |
| 178 // EPERM can happen if already in a chroot. EUSERS if too many nested | |
| 179 // namespaces are used. EINVAL for kernels that don't support the feature. | |
| 180 PCHECK(!ret || errno == EPERM || errno == EUSERS || errno == EINVAL); | |
| 181 if (ret) { | |
| 182 VLOG(1) << "Looks like unprivileged CLONE_NEWUSER may not be available " | |
| 183 << "on this kernel."; | |
| 184 return false; | |
| 185 } | |
| 186 // The current {r,e,s}{u,g}id is now an overflow id (c.f. | |
| 187 // /proc/sys/kernel/overflowuid). Setup the uid and gid maps. | |
| 188 DCHECK(GetRESIds(NULL, NULL)); | |
| 189 const char kGidMapFile[] = "/proc/self/gid_map"; | |
| 190 const char kUidMapFile[] = "/proc/self/uid_map"; | |
| 191 CHECK(WriteToIdMapFile(kGidMapFile, gid)); | |
| 192 CHECK(WriteToIdMapFile(kUidMapFile, uid)); | |
| 193 DCHECK(GetRESIds(NULL, NULL)); | |
| 194 return true; | |
| 195 } | |
| 196 | |
| 197 bool Credentials::DropFileSystemAccess() { | |
| 198 return ChrootToSafeEmptyDir(); | |
| 199 } | |
| 200 | |
| 67 } // namespace sandbox. | 201 } // namespace sandbox. |
| OLD | NEW |
