1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "sandbox/linux/services/namespace_sandbox.h" | |
6 | |
7 #include <sched.h> | |
8 #include <stdlib.h> | |
9 #include <sys/types.h> | |
10 #include <unistd.h> | |
11 | |
12 #include <string> | |
13 #include <utility> | |
14 | |
15 #include "base/command_line.h" | |
16 #include "base/environment.h" | |
17 #include "base/files/scoped_file.h" | |
18 #include "base/logging.h" | |
19 #include "base/posix/eintr_wrapper.h" | |
20 #include "base/process/launch.h" | |
21 #include "base/process/process.h" | |
22 #include "sandbox/linux/services/namespace_utils.h" | |
23 | |
24 namespace sandbox { | |
25 | |
26 namespace { | |
27 | |
28 class WriteUidGidMapDelegate : public base::LaunchOptions::PreExecDelegate { | |
29 public: | |
30 explicit WriteUidGidMapDelegate() : uid_(getuid()), gid_(getgid()) {} | |
jln (very slow on Chromium)
2015/02/03 01:14:30
You can remove "explicit"
rickyz (no longer on Chrome)
2015/02/03 01:27:22
Done.
| |
31 | |
32 ~WriteUidGidMapDelegate() override {} | |
33 | |
34 void RunAsyncSafe() override { | |
35 RAW_CHECK(NamespaceUtils::WriteToIdMapFile("/proc/self/uid_map", uid_)); | |
36 RAW_CHECK(NamespaceUtils::WriteToIdMapFile("/proc/self/gid_map", gid_)); | |
37 } | |
38 | |
39 private: | |
40 uid_t uid_; | |
41 gid_t gid_; | |
42 DISALLOW_COPY_AND_ASSIGN(WriteUidGidMapDelegate); | |
43 }; | |
44 | |
45 void SetEnvironForNamespaceType(base::EnvironmentMap* environ, | |
46 base::NativeEnvironmentString env_var, | |
47 bool value) { | |
48 // An empty string causes the env var to be unset in the child process. | |
49 (*environ)[env_var] = value ? "1" : ""; | |
50 } | |
51 | |
52 const char kSandboxUSERNSEnvironmentVarName[] = "SBX_USER_NS"; | |
53 const char kSandboxPIDNSEnvironmentVarName[] = "SBX_PID_NS"; | |
54 const char kSandboxNETNSEnvironmentVarName[] = "SBX_NET_NS"; | |
55 | |
56 } // namespace | |
57 | |
58 NamespaceSandbox::NamespaceSandbox() : launch_called_(false) { | |
59 } | |
60 | |
61 NamespaceSandbox::~NamespaceSandbox() { | |
62 } | |
63 | |
64 base::Process NamespaceSandbox::Launch(const base::CommandLine& cmdline) { | |
65 CHECK(!launch_called_) << "NamespaceSandbox may only be used once."; | |
66 launch_called_ = true; | |
67 | |
68 int clone_flags = 0; | |
69 int ns_types[] = {CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET}; | |
70 for (const int ns_type : ns_types) { | |
71 if (NamespaceUtils::KernelSupportsUnprivilegedNamespace(ns_type)) { | |
72 clone_flags |= ns_type; | |
73 } | |
74 } | |
75 CHECK(clone_flags & CLONE_NEWUSER); | |
76 | |
77 // These fields may not be modified by the caller. | |
78 CHECK(launch_options_.pre_exec_delegate == nullptr); | |
79 CHECK_EQ(0, launch_options_.clone_flags); | |
80 | |
81 WriteUidGidMapDelegate write_uid_gid_map_delegate; | |
82 launch_options_.pre_exec_delegate = &write_uid_gid_map_delegate; | |
83 launch_options_.clone_flags = clone_flags; | |
84 | |
85 const std::pair<int, const char*> clone_flag_environ[] = { | |
86 std::make_pair(CLONE_NEWUSER, kSandboxUSERNSEnvironmentVarName), | |
87 std::make_pair(CLONE_NEWPID, kSandboxPIDNSEnvironmentVarName), | |
88 std::make_pair(CLONE_NEWNET, kSandboxNETNSEnvironmentVarName), | |
89 }; | |
90 | |
91 base::EnvironmentMap* environ = &launch_options_.environ; | |
92 for (const auto& entry : clone_flag_environ) { | |
93 const int flag = entry.first; | |
94 const char* environ_name = entry.second; | |
95 SetEnvironForNamespaceType(environ, environ_name, clone_flags & flag); | |
96 } | |
97 | |
98 return base::LaunchProcess(cmdline, launch_options_); | |
99 } | |
100 | |
101 bool NamespaceSandbox::InNewUserNamespace() { | |
102 return getenv(kSandboxUSERNSEnvironmentVarName) != nullptr; | |
103 } | |
104 | |
105 bool NamespaceSandbox::InNewPidNamespace() { | |
106 return getenv(kSandboxPIDNSEnvironmentVarName) != nullptr; | |
107 } | |
108 | |
109 bool NamespaceSandbox::InNewNetNamespace() { | |
110 return getenv(kSandboxNETNSEnvironmentVarName) != nullptr; | |
111 } | |
112 | |
113 } // namespace sandbox | |
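Review bot: The gid_map write on line 36 of the new file fails with EPERM on Linux 3.19 and later unless "deny" has first been written to /proc/self/setgroups, and because RunAsyncSafe wraps it in RAW_CHECK the sandboxed child would abort instead of launching; unless WriteToIdMapFile already does this internally (its body is not visible here), the delegate should deny setgroups before mapping the gid. The kernel added that restriction because an unprivileged process that can still call setgroups() inside its own user namespace could drop a supplementary group and reach files that use group membership to deny access, so denying it is the safe default regardless of what the sandbox does later. This code runs in the pre-exec delegate, so only raw open/write/close with the HANDLE_EINTR/IGNORE_EINTR wrappers already included are appropriate, and ENOENT should count as success since kernels before 3.19 have no such file (this needs `<errno.h>` and `<fcntl.h>` added to the includes). A sketch of the rewritten RunAsyncSafe follows.
```cpp
  void RunAsyncSafe() override {
    // Kernels >= 3.19 refuse an unprivileged gid_map write unless setgroups has
    // been denied first; older kernels have no setgroups file, so ENOENT is fine.
    const int fd = HANDLE_EINTR(open("/proc/self/setgroups", O_WRONLY));
    if (fd >= 0) {
      RAW_CHECK(HANDLE_EINTR(write(fd, "deny", 4)) == 4);
      RAW_CHECK(IGNORE_EINTR(close(fd)) == 0);
    } else {
      RAW_CHECK(errno == ENOENT);
    }
    RAW_CHECK(NamespaceUtils::WriteToIdMapFile("/proc/self/uid_map", uid_));
    RAW_CHECK(NamespaceUtils::WriteToIdMapFile("/proc/self/gid_map", gid_));
  }
```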