OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "sandbox/linux/services/namespace_sandbox.h" | |
6 | |
7 #include <sched.h> | |
8 #include <stdlib.h> | |
9 #include <sys/types.h> | |
10 #include <unistd.h> | |
11 | |
12 #include <string> | |
13 #include <utility> | |
14 | |
15 #include "base/bind.h" | |
16 #include "base/command_line.h" | |
17 #include "base/environment.h" | |
18 #include "base/files/scoped_file.h" | |
19 #include "base/logging.h" | |
20 #include "base/posix/eintr_wrapper.h" | |
21 #include "base/process/launch.h" | |
22 #include "base/process/process.h" | |
23 #include "base/strings/stringprintf.h" | |
24 #include "sandbox/linux/services/namespace_utils.h" | |
25 | |
26 namespace sandbox { | |
27 | |
28 namespace { | |
29 const char kPipeValue = '\xcc'; | |
30 | |
31 class BlockOnPipeDelegate : public base::LaunchOptions::PreExecDelegate { | |
32 public: | |
33 explicit BlockOnPipeDelegate(int fd) : fd_(fd) {} | |
34 | |
35 ~BlockOnPipeDelegate() override {} | |
36 | |
37 void RunAsyncSafe() override { | |
38 char c; | |
39 RAW_CHECK(HANDLE_EINTR(read(fd_, &c, 1)) == 1); | |
40 RAW_CHECK(IGNORE_EINTR(close(fd_)) == 0); | |
41 RAW_CHECK(c == kPipeValue); | |
42 } | |
43 | |
44 private: | |
45 int fd_; | |
46 DISALLOW_COPY_AND_ASSIGN(BlockOnPipeDelegate); | |
47 }; | |
48 | |
49 void SetEnvironForNamespaceType(base::EnvironmentMap* environ, | |
50 base::NativeEnvironmentString env_var, | |
51 bool value) { | |
52 // An empty string causes the env var to be unset in the child process. | |
53 (*environ)[env_var] = value ? "1" : ""; | |
54 } | |
55 | |
56 const char kSandboxUSERNSEnvironmentVarName[] = "SBX_USER_NS"; | |
57 const char kSandboxPIDNSEnvironmentVarName[] = "SBX_PID_NS"; | |
58 const char kSandboxNETNSEnvironmentVarName[] = "SBX_NET_NS"; | |
59 | |
60 } // namespace | |
61 | |
62 NamespaceSandbox::NamespaceSandbox() : launch_called_(false) { | |
63 } | |
64 | |
65 NamespaceSandbox::~NamespaceSandbox() { | |
66 } | |
67 | |
68 void NamespaceSandbox::AddFdMapping(int from_fd, int to_fd) { | |
69 fds_to_remap_.push_back(std::make_pair(from_fd, to_fd)); | |
70 } | |
71 | |
72 base::Process NamespaceSandbox::Launch(const base::CommandLine& cmdline) { | |
73 CHECK(!launch_called_) << "NamespaceSandbox may only be used once."; | |
74 launch_called_ = true; | |
75 | |
76 int clone_flags = 0; | |
77 int ns_types[] = {CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET}; | |
78 for (const int ns_type : ns_types) { | |
79 if (NamespaceUtils::KernelSupportsUnprivilegedNamespace(ns_type)) { | |
80 clone_flags |= ns_type; | |
81 } | |
82 } | |
83 CHECK(clone_flags & CLONE_NEWUSER); | |
84 | |
85 int fds[2]; | |
86 PCHECK(pipe(fds) == 0); | |
87 read_fd_.reset(fds[0]); | |
88 write_fd_.reset(fds[1]); | |
89 fds_to_remap_.push_back(std::make_pair(read_fd_.get(), read_fd_.get())); | |
90 | |
91 BlockOnPipeDelegate block_on_pipe_delegate(read_fd_.get()); | |
92 launch_options_.pre_exec_delegate = &block_on_pipe_delegate; | |
93 launch_options_.fds_to_remap = &fds_to_remap_; | |
94 launch_options_.clone_flags = clone_flags; | |
95 | |
96 const std::pair<int, const char*> clone_flag_environ[] = { | |
97 std::make_pair(CLONE_NEWUSER, kSandboxUSERNSEnvironmentVarName), | |
98 std::make_pair(CLONE_NEWPID, kSandboxPIDNSEnvironmentVarName), | |
99 std::make_pair(CLONE_NEWNET, kSandboxNETNSEnvironmentVarName), | |
100 }; | |
101 | |
102 base::EnvironmentMap* environ = &launch_options_.environ; | |
103 for (const auto& entry : clone_flag_environ) { | |
104 const int flag = entry.first; | |
105 const char* environ_name = entry.second; | |
106 SetEnvironForNamespaceType(environ, environ_name, clone_flags & flag); | |
107 } | |
108 | |
109 base::Process process = base::LaunchProcess(cmdline, launch_options_); | |
110 read_fd_.reset(); | |
111 | |
112 if (!process.IsValid()) { | |
113 write_fd_.reset(); | |
jln (very slow on Chromium)
2015/01/30 20:12:28
Having to "remember" to do that is problematic.
r
rickyz (no longer on Chrome)
2015/01/31 02:33:53
Ah, that's much nicer, done
| |
114 return process.Pass(); | |
115 } | |
116 | |
117 WriteUidGidMapAndUnblockProcess(process.Pid()); | |
118 return process.Pass(); | |
119 } | |
120 | |
121 void NamespaceSandbox::WriteUidGidMapAndUnblockProcess(pid_t pid) { | |
122 const std::string uid_map_path = base::StringPrintf("/proc/%d/uid_map", pid); | |
123 const std::string gid_map_path = base::StringPrintf("/proc/%d/gid_map", pid); | |
124 NamespaceUtils::WriteToIdMapFile(uid_map_path.c_str(), getuid()); | |
125 NamespaceUtils::WriteToIdMapFile(gid_map_path.c_str(), getgid()); | |
126 | |
127 PCHECK(HANDLE_EINTR(write(write_fd_.get(), &kPipeValue, 1)) == 1); | |
jln (very slow on Chromium)
2015/01/30 20:12:28
If the child process gets killed or disappears for
rickyz (no longer on Chrome)
2015/01/31 02:33:53
Done.
| |
128 write_fd_.reset(); | |
129 } | |
130 | |
131 bool NamespaceSandbox::InNewUserNamespace() { | |
132 return getenv(kSandboxUSERNSEnvironmentVarName) != nullptr; | |
133 } | |
134 | |
135 bool NamespaceSandbox::InNewPidNamespace() { | |
136 return getenv(kSandboxPIDNSEnvironmentVarName) != nullptr; | |
137 } | |
138 | |
139 bool NamespaceSandbox::InNewNetNamespace() { | |
140 return getenv(kSandboxNETNSEnvironmentVarName) != nullptr; | |
141 } | |
142 | |
143 } // namespace sandbox | |
OLD | NEW |