Namespace sandbox: add important security checks

content/common/sandbox_linux/sandbox_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <dirent.h>
 #include <fcntl.h>
 #include <sys/resource.h>
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/types.h>
@@ skipping 10 matching lines @@
 #include "base/files/scoped_file.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/singleton.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/sys_info.h"
 #include "base/time/time.h"
 #include "build/build_config.h"
+#include "content/common/sandbox_linux/sandbox_debug_handling_linux.h"
 #include "content/common/sandbox_linux/sandbox_linux.h"
 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/sandbox_linux.h"
+#include "sandbox/linux/services/credentials.h"
+#include "sandbox/linux/services/namespace_sandbox.h"
 #include "sandbox/linux/services/proc_util.h"
 #include "sandbox/linux/services/thread_helpers.h"
 #include "sandbox/linux/services/yama.h"
 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
 
 #if defined(ANY_OF_AMTLU_SANITIZER)
 #include <sanitizer/common_interface_defs.h>
 #endif
 
 using sandbox::Yama;
@@ skipping 130 matching lines @@
   }
 
   // Yama is a "global", system-level status. We assume it will not regress
   // after startup.
   const int yama_status = Yama::GetStatus();
   yama_is_enforcing_ = (yama_status & Yama::STATUS_PRESENT) &&
                        (yama_status & Yama::STATUS_ENFORCING);
   pre_initialized_ = true;
 }
 
+void LinuxSandbox::EngageNamespaceSandbox() {
+  CHECK(pre_initialized_);
+  // Check being in a new PID namespace created by the namespace sandbox and
+  // being the init process.
+  CHECK(sandbox::NamespaceSandbox::InNewPidNamespace());
+  const pid_t pid = getpid();
+  CHECK_EQ(1, pid);
+
+  CHECK(sandbox::Credentials::MoveToNewUserNS());
+  // Note: this requires SealSandbox() to be called later in this process to be
+  // safe, as this class is purposedly keeping a file descriptor to /proc.

[rickyz (no longer on Chrome), 2015/02/11 22:59:56]

nit: purposely (or just remove if you prefer)

[jln (very slow on Chromium), 2015/02/11 23:13:06]

Done.

+  CHECK(!HasOpenDirectories());
+  CHECK(sandbox::Credentials::DropFileSystemAccess());
+  CHECK(IsSingleThreaded());
+  CHECK(sandbox::Credentials::DropAllCapabilities());
+
+  // This needs to happen after moving to a new user NS, since doing so involves
+  // writing the UID/GID map.
+  CHECK(SandboxDebugHandling::SetDumpableStatusAndHandlers());
+}
+
 std::vector<int> LinuxSandbox::GetFileDescriptorsToClose() {
   std::vector<int> fds;
   if (proc_fd_ >= 0) {
     fds.push_back(proc_fd_);
   }
   return fds;
 }
 
 bool LinuxSandbox::InitializeSandbox() {
   LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
@@ skipping 240 matching lines @@
 
 void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread* thread) const {
   DCHECK(thread);
   base::ScopedFD proc_self_task(OpenProcTaskFd(proc_fd_));
   PCHECK(proc_self_task.is_valid());
   CHECK(sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_self_task.get(),
                                                          thread));
 }
 
 }  // namespace content