Calling clone(CLONE_NEWPID) results in the new pid namespace getting a new "init" process.

sandbox/linux/suid/sandbox.c

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // http://code.google.com/p/chromium/wiki/LinuxSUIDSandbox
 
 #define _GNU_SOURCE
 #include <asm/unistd.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
 #include <sched.h>
 #include <signal.h>
 #include <stdarg.h>
 #include <stdbool.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/prctl.h>
 #include <sys/resource.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/types.h>
 #include <sys/vfs.h>
 #include <unistd.h>
 
+#include "init_process.h"
 #include "linux_util.h"
 #include "process_util.h"
 #include "suid_unsafe_environment_variables.h"
 
 #if !defined(CLONE_NEWPID)
 #define CLONE_NEWPID 0x20000000
 #endif
 #if !defined(CLONE_NEWNET)
 #define CLONE_NEWNET 0x40000000
 #endif
@@ skipping 10 matching lines @@
 static void FatalError(const char *msg, ...)
     __attribute__((noreturn, format(printf, 1, 2)));
 
 static void FatalError(const char *msg, ...) {
   va_list ap;
   va_start(ap, msg);
 
   vfprintf(stderr, msg, ap);
   fprintf(stderr, ": %s\n", strerror(errno));
   fflush(stderr);
-  exit(1);
+  _exit(1);
 }
 
 // We will chroot() to the helper's /proc/self directory. Anything there will
 // not exist anymore if we make sure to wait() for the helper.
 //
 // /proc/self/fdinfo or /proc/self/fd are especially safe and will be empty
 // even if the helper survives as a zombie.
 //
 // There is very little reason to use fdinfo/ instead of fd/ but we are
 // paranoid. fdinfo/ only exists since 2.6.22 so we allow fallback to fd/
 #define SAFE_DIR "/proc/self/fdinfo"
 #define SAFE_DIR2 "/proc/self/fd"
 
-static bool SpawnChrootHelper() {
+static bool DropRoot() {
+  if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)) {
+    perror("prctl(PR_SET_DUMPABLE)");
+    return false;
+  }
+
+  if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) {
+    perror("Still dumpable after prctl(PR_SET_DUMPABLE)");
+    return false;
+  }
+
+  gid_t rgid, egid, sgid;
+  if (getresgid(&rgid, &egid, &sgid)) {
+    perror("getresgid");
+    return false;
+  }
+
+  if (setresgid(rgid, rgid, rgid)) {
+    perror("setresgid");
+    return false;
+  }
+
+  uid_t ruid, euid, suid;
+  if (getresuid(&ruid, &euid, &suid)) {
+    perror("getresuid");
+    return false;
+  }
+
+  if (setresuid(ruid, ruid, ruid)) {
+    perror("setresuid");
+    return false;
+  }
+
+  return true;
+}
+
+static int SpawnChrootHelper() {
   int sv[2];
   if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) {
     perror("socketpair");
-    return false;
+    return -1;
   }
 
   char *safedir = NULL;
   struct stat sdir_stat;
   if (!stat(SAFE_DIR, &sdir_stat) && S_ISDIR(sdir_stat.st_mode))
     safedir = SAFE_DIR;
   else
     if (!stat(SAFE_DIR2, &sdir_stat) && S_ISDIR(sdir_stat.st_mode))
       safedir = SAFE_DIR2;
     else {
       fprintf(stderr, "Could not find %s\n", SAFE_DIR2);
-      return false;
+      return -1;
     }
 
   const pid_t pid = syscall(
       __NR_clone, CLONE_FS | SIGCHLD, 0, 0, 0);
 
   if (pid == -1) {
     perror("clone");
     close(sv[0]);
     close(sv[1]);
-    return false;
+    return -1;
   }
 
   if (pid == 0) {
     // We share our files structure with an untrusted process. As a security in
     // depth measure, we make sure that we can't open anything by mistake.
     // TODO(agl): drop CAP_SYS_RESOURCE / use SECURE_NOROOT
 
     const struct rlimit nofile = {0, 0};
     if (setrlimit(RLIMIT_NOFILE, &nofile))
       FatalError("Setting RLIMIT_NOFILE");
 
     if (close(sv[1]))
       FatalError("close");
 
     // wait for message
     char msg;
     ssize_t bytes;
     do {
       bytes = read(sv[0], &msg, 1);
     } while (bytes == -1 && errno == EINTR);
 
     if (bytes == 0)
       _exit(0);
     if (bytes != 1)
       FatalError("read");
 
     // do chrooting
+    errno = 0;
     if (msg != kMsgChrootMe)
       FatalError("Unknown message from sandboxed process");
 
     // sanity check
     if (chdir(safedir))
       FatalError("Cannot chdir into /proc/ directory");
 
     if (chroot(safedir))
       FatalError("Cannot chroot into /proc/ directory");
 
@@ skipping 12 matching lines @@
     // We now become a zombie. /proc/self/fd(info) is now an empty dir and we
     // are chrooted there.
     // Our (unprivileged) parent should not even be able to open "." or "/"
     // since they would need to pass the ptrace() check. If our parent wait()
     // for us, our root directory will completely disappear.
   }
 
   if (close(sv[0])) {
     close(sv[1]);
     perror("close");
-    return false;
+    return -1;
   }
 
   // In the parent process, we install an environment variable containing the
   // number of the file descriptor.
   char desc_str[64];
   int printed = snprintf(desc_str, sizeof(desc_str), "%u", sv[1]);
   if (printed < 0 || printed >= (int)sizeof(desc_str)) {
     fprintf(stderr, "Failed to snprintf\n");

[agl, 2012/01/27 15:14:32]

I note that we fail to close sv[1] in this path.

[Markus (顧孟勤), 2012/01/27 17:44:09]

Done

-    return false;
+    return -1;
   }
 
   if (setenv(kSandboxDescriptorEnvironmentVarName, desc_str, 1)) {
     perror("setenv");
     close(sv[1]);
-    return false;
+    return -1;
   }
 
   // We also install an environment variable containing the pid of the child
   char helper_pid_str[64];
   printed = snprintf(helper_pid_str, sizeof(helper_pid_str), "%u", pid);
   if (printed < 0 || printed >= (int)sizeof(helper_pid_str)) {
     fprintf(stderr, "Failed to snprintf\n");

[agl, 2012/01/27 15:14:32]

... and this one.

[Markus (顧孟勤), 2012/01/27 17:44:09]

Done

-    return false;
+    return -1;
   }
 
   if (setenv(kSandboxHelperPidEnvironmentVarName, helper_pid_str, 1)) {
     perror("setenv");
     close(sv[1]);
+    return -1;
+  }
+
+  return sv[1];
+}
+
+static bool JailMe() {
+  int fd = SpawnChrootHelper();
+  if (fd < 0) {
     return false;
   }
-
+  if (!DropRoot()) {
+    close(fd);

[agl, 2012/01/27 15:14:32]

this close isn't reflecting in the other error paths. (Maybe we don't care.)

[Markus (顧孟勤), 2012/01/27 17:44:09]

I don't know what happened. Sorry about that. That was a genuine (albeit
probably benign) bug.

+    return false;
+  }
+  ssize_t bytes;
+  char ch = kMsgChrootMe;
+  do {
+    errno = 0;
+    bytes = write(fd, &ch, 1);
+  } while (bytes == -1 && errno == EINTR);
+  if (bytes != 1) {
+    perror("write");
+    return false;
+  }
+  do {
+    errno = 0;
+    bytes = read(fd, &ch, 1);
+  } while (bytes == -1 && errno == EINTR);
+  if (bytes != 1) {
+    perror("read");
+    return false;
+  }
+  if (ch != kMsgChrootSuccessful) {
+    return false;
+  }
   return true;
 }
 
 static bool MoveToNewNamespaces() {
   // These are the sets of flags which we'll try, in order.
   const int kCloneExtraFlags[] = {
     CLONE_NEWPID | CLONE_NEWNET,
     CLONE_NEWPID,
   };
 
   for (size_t i = 0;
        i < sizeof(kCloneExtraFlags) / sizeof(kCloneExtraFlags[0]);
        i++) {
     pid_t pid = syscall(__NR_clone, SIGCHLD | kCloneExtraFlags[i], 0, 0, 0);
 
     if (pid > 0)
       _exit(0);
 
     if (pid == 0) {
+      if (syscall(__NR_getpid) == 1) {
+        int fds[2];
+        char ch = 0;
+        if (pipe(fds)) {
+          perror("Failed to create pipe");
+          _exit(1);
+        }
+        pid = fork();
+        if (pid > 0) {
+          // The very first process in the new namespace takes on the
+          // role of the traditional "init" process. It must reap exit
+          // codes of daemon processes until the namespace is completely
+          // empty.
+          // We have to be careful that this "init" process doesn't
+          // provide a new attack surface. So, we also move it into
+          // a separate chroot and we drop all privileges. It does
+          // still need to access "/proc" and "/dev/null", though. So,
+          // we have to provide it with a file handles to these resources.
+          // These file handle are not accessible by any other processes in
+          // the sandbox and thus safe.
+          close(fds[0]);
+          int proc_fd = open("/proc", O_RDONLY | O_DIRECTORY);
+          int null_fd = open("/dev/null", O_RDWR);
+          if (!JailMe()) {
+            FatalError("Could not remove privileges from "
+                       "new \"init\" process");
+          }
+          SystemInitProcess(fds[1], pid, proc_fd, null_fd);
+        } else if (pid != 0) {
+          perror("Failed to fork");
+          _exit(1);
+        }
+        // Wait for the "init" process to complete initialization.
+        close(fds[1]);
+        errno = 0;
+        while (read(fds[0], &ch, 1) < 0 && errno == EINTR) {
+        }
+        close(fds[0]);
+        if (ch != ' ') {
+          // We'll likely never get here. If the "init" process fails, it's
+          // death typically takes everyone of its children with it.
+          FatalError("Failed to set up new \"init\" process inside sandbox");
+        }
+      }
+
       if (kCloneExtraFlags[i] & CLONE_NEWPID) {
         setenv("SBX_PID_NS", "", 1 /* overwrite */);
       } else {
         unsetenv("SBX_PID_NS");
       }
 
       if (kCloneExtraFlags[i] & CLONE_NEWNET) {
         setenv("SBX_NET_NS", "", 1 /* overwrite */);
       } else {
         unsetenv("SBX_NET_NS");
       }
 
       break;
     }
 
     if (errno != EINVAL) {
       perror("Failed to move to new PID namespace");
       return false;
     }
   }
 
   // If the system doesn't support NEWPID then we carry on anyway.
   return true;
 }
 
-static bool DropRoot() {
-  if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)) {
-    perror("prctl(PR_SET_DUMPABLE)");
-    return false;
-  }
-
-  if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) {
-    perror("Still dumpable after prctl(PR_SET_DUMPABLE)");
-    return false;
-  }
-
-  gid_t rgid, egid, sgid;
-  if (getresgid(&rgid, &egid, &sgid)) {
-    perror("getresgid");
-    return false;
-  }
-
-  if (setresgid(rgid, rgid, rgid)) {
-    perror("setresgid");
-    return false;
-  }
-
-  uid_t ruid, euid, suid;
-  if (getresuid(&ruid, &euid, &suid)) {
-    perror("getresuid");
-    return false;
-  }
-
-  if (setresuid(ruid, ruid, ruid)) {
-    perror("setresuid");
-    return false;
-  }
-
-  return true;
-}
-
 static bool SetupChildEnvironment() {
   unsigned i;
 
   // ld.so may have cleared several environment variables because we are SUID.
   // However, the child process might need them so zygote_host_linux.cc saves a
   // copy in SANDBOX_$x. This is safe because we have dropped root by this
   // point, so we can only exec a binary with the permissions of the user who
   // ran us in the first place.
 
   for (i = 0; kSUIDUnsafeEnvironmentVariables[i]; ++i) {
@@ skipping 55 matching lines @@
       return 1;
     pid_t pid = pid_ul;
     score = strtol(argv[3], &endptr, 10);
     if (score == LONG_MAX || score == LONG_MIN || *endptr)
       return 1;
     return AdjustOOMScore(pid, score);
   }
 
   if (!MoveToNewNamespaces())
     return 1;
-  if (!SpawnChrootHelper())
+  if (SpawnChrootHelper() < 0)
     return 1;
   if (!DropRoot())
     return 1;
   if (!SetupChildEnvironment())
     return 1;
 
   execv(argv[1], &argv[1]);
   FatalError("execv failed");
 
   return 1;
 }