| Index: sandbox/linux/suid/sandbox.c
|
| ===================================================================
|
| --- sandbox/linux/suid/sandbox.c (revision 119157)
|
| +++ sandbox/linux/suid/sandbox.c (working copy)
|
| @@ -26,6 +26,7 @@
|
| #include <sys/vfs.h>
|
| #include <unistd.h>
|
|
|
| +#include "init_process.h"
|
| #include "linux_util.h"
|
| #include "process_util.h"
|
| #include "suid_unsafe_environment_variables.h"
|
| @@ -56,7 +57,7 @@
|
| vfprintf(stderr, msg, ap);
|
| fprintf(stderr, ": %s\n", strerror(errno));
|
| fflush(stderr);
|
| - exit(1);
|
| + _exit(1);
|
| }
|
|
|
| // We will chroot() to the helper's /proc/self directory. Anything there will
|
| @@ -70,11 +71,47 @@
|
| #define SAFE_DIR "/proc/self/fdinfo"
|
| #define SAFE_DIR2 "/proc/self/fd"
|
|
|
| -static bool SpawnChrootHelper() {
|
| +static bool DropRoot() {
|
| + if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)) {
|
| + perror("prctl(PR_SET_DUMPABLE)");
|
| + return false;
|
| + }
|
| +
|
| + if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) {
|
| + perror("Still dumpable after prctl(PR_SET_DUMPABLE)");
|
| + return false;
|
| + }
|
| +
|
| + gid_t rgid, egid, sgid;
|
| + if (getresgid(&rgid, &egid, &sgid)) {
|
| + perror("getresgid");
|
| + return false;
|
| + }
|
| +
|
| + if (setresgid(rgid, rgid, rgid)) {
|
| + perror("setresgid");
|
| + return false;
|
| + }
|
| +
|
| + uid_t ruid, euid, suid;
|
| + if (getresuid(&ruid, &euid, &suid)) {
|
| + perror("getresuid");
|
| + return false;
|
| + }
|
| +
|
| + if (setresuid(ruid, ruid, ruid)) {
|
| + perror("setresuid");
|
| + return false;
|
| + }
|
| +
|
| + return true;
|
| +}
|
| +
|
| +static int SpawnChrootHelper() {
|
| int sv[2];
|
| if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) {
|
| perror("socketpair");
|
| - return false;
|
| + return -1;
|
| }
|
|
|
| char *safedir = NULL;
|
| @@ -86,7 +123,7 @@
|
| safedir = SAFE_DIR2;
|
| else {
|
| fprintf(stderr, "Could not find %s\n", SAFE_DIR2);
|
| - return false;
|
| + return -1;
|
| }
|
|
|
| const pid_t pid = syscall(
|
| @@ -96,7 +133,7 @@
|
| perror("clone");
|
| close(sv[0]);
|
| close(sv[1]);
|
| - return false;
|
| + return -1;
|
| }
|
|
|
| if (pid == 0) {
|
| @@ -124,6 +161,7 @@
|
| FatalError("read");
|
|
|
| // do chrooting
|
| + errno = 0;
|
| if (msg != kMsgChrootMe)
|
| FatalError("Unknown message from sandboxed process");
|
|
|
| @@ -156,7 +194,7 @@
|
| if (close(sv[0])) {
|
| close(sv[1]);
|
| perror("close");
|
| - return false;
|
| + return -1;
|
| }
|
|
|
| // In the parent process, we install an environment variable containing the
|
| @@ -165,13 +203,14 @@
|
| int printed = snprintf(desc_str, sizeof(desc_str), "%u", sv[1]);
|
| if (printed < 0 || printed >= (int)sizeof(desc_str)) {
|
| fprintf(stderr, "Failed to snprintf\n");
|
| - return false;
|
| + close(sv[1]);
|
| + return -1;
|
| }
|
|
|
| if (setenv(kSandboxDescriptorEnvironmentVarName, desc_str, 1)) {
|
| perror("setenv");
|
| close(sv[1]);
|
| - return false;
|
| + return -1;
|
| }
|
|
|
| // We also install an environment variable containing the pid of the child
|
| @@ -179,15 +218,51 @@
|
| printed = snprintf(helper_pid_str, sizeof(helper_pid_str), "%u", pid);
|
| if (printed < 0 || printed >= (int)sizeof(helper_pid_str)) {
|
| fprintf(stderr, "Failed to snprintf\n");
|
| - return false;
|
| + close(sv[1]);
|
| + return -1;
|
| }
|
|
|
| if (setenv(kSandboxHelperPidEnvironmentVarName, helper_pid_str, 1)) {
|
| perror("setenv");
|
| close(sv[1]);
|
| + return -1;
|
| + }
|
| +
|
| + return sv[1];
|
| +}
|
| +
|
| +static bool JailMe() {
|
| + int fd = SpawnChrootHelper();
|
| + if (fd < 0) {
|
| return false;
|
| }
|
| -
|
| + if (!DropRoot()) {
|
| + close(fd);
|
| + return false;
|
| + }
|
| + ssize_t bytes;
|
| + char ch = kMsgChrootMe;
|
| + do {
|
| + errno = 0;
|
| + bytes = write(fd, &ch, 1);
|
| + } while (bytes == -1 && errno == EINTR);
|
| + if (bytes != 1) {
|
| + perror("write");
|
| + close(fd);
|
| + return false;
|
| + }
|
| + do {
|
| + errno = 0;
|
| + bytes = read(fd, &ch, 1);
|
| + } while (bytes == -1 && errno == EINTR);
|
| + close(fd);
|
| + if (bytes != 1) {
|
| + perror("read");
|
| + return false;
|
| + }
|
| + if (ch != kMsgChrootSuccessful) {
|
| + return false;
|
| + }
|
| return true;
|
| }
|
|
|
| @@ -207,6 +282,51 @@
|
| _exit(0);
|
|
|
| if (pid == 0) {
|
| + if (syscall(__NR_getpid) == 1) {
|
| + int fds[2];
|
| + char ch = 0;
|
| + if (pipe(fds)) {
|
| + perror("Failed to create pipe");
|
| + _exit(1);
|
| + }
|
| + pid = fork();
|
| + if (pid > 0) {
|
| + // The very first process in the new namespace takes on the
|
| + // role of the traditional "init" process. It must reap exit
|
| + // codes of daemon processes until the namespace is completely
|
| + // empty.
|
| + // We have to be careful that this "init" process doesn't
|
| + // provide a new attack surface. So, we also move it into
|
| + // a separate chroot and we drop all privileges. It does
|
| + // still need to access "/proc" and "/dev/null", though. So,
|
| + // we have to provide it with a file handles to these resources.
|
| + // These file handle are not accessible by any other processes in
|
| + // the sandbox and thus safe.
|
| + close(fds[0]);
|
| + int proc_fd = open("/proc", O_RDONLY | O_DIRECTORY);
|
| + int null_fd = open("/dev/null", O_RDWR);
|
| + if (!JailMe()) {
|
| + FatalError("Could not remove privileges from "
|
| + "new \"init\" process");
|
| + }
|
| + SystemInitProcess(fds[1], pid, proc_fd, null_fd);
|
| + } else if (pid != 0) {
|
| + perror("Failed to fork");
|
| + _exit(1);
|
| + }
|
| + // Wait for the "init" process to complete initialization.
|
| + close(fds[1]);
|
| + errno = 0;
|
| + while (read(fds[0], &ch, 1) < 0 && errno == EINTR) {
|
| + }
|
| + close(fds[0]);
|
| + if (ch != ' ') {
|
| + // We'll likely never get here. If the "init" process fails, it's
|
| + // death typically takes everyone of its children with it.
|
| + FatalError("Failed to set up new \"init\" process inside sandbox");
|
| + }
|
| + }
|
| +
|
| if (kCloneExtraFlags[i] & CLONE_NEWPID) {
|
| setenv("SBX_PID_NS", "", 1 /* overwrite */);
|
| } else {
|
| @@ -232,42 +352,6 @@
|
| return true;
|
| }
|
|
|
| -static bool DropRoot() {
|
| - if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)) {
|
| - perror("prctl(PR_SET_DUMPABLE)");
|
| - return false;
|
| - }
|
| -
|
| - if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) {
|
| - perror("Still dumpable after prctl(PR_SET_DUMPABLE)");
|
| - return false;
|
| - }
|
| -
|
| - gid_t rgid, egid, sgid;
|
| - if (getresgid(&rgid, &egid, &sgid)) {
|
| - perror("getresgid");
|
| - return false;
|
| - }
|
| -
|
| - if (setresgid(rgid, rgid, rgid)) {
|
| - perror("setresgid");
|
| - return false;
|
| - }
|
| -
|
| - uid_t ruid, euid, suid;
|
| - if (getresuid(&ruid, &euid, &suid)) {
|
| - perror("getresuid");
|
| - return false;
|
| - }
|
| -
|
| - if (setresuid(ruid, ruid, ruid)) {
|
| - perror("setresuid");
|
| - return false;
|
| - }
|
| -
|
| - return true;
|
| -}
|
| -
|
| static bool SetupChildEnvironment() {
|
| unsigned i;
|
|
|
| @@ -343,7 +427,7 @@
|
|
|
| if (!MoveToNewNamespaces())
|
| return 1;
|
| - if (!SpawnChrootHelper())
|
| + if (SpawnChrootHelper() < 0)
|
| return 1;
|
| if (!DropRoot())
|
| return 1;
|
|
|
Chromium Code Reviews
Issue 9295005:
Calling clone(CLONE_NEWPID) results in the new pid namespace getting a new "init" process. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/