| // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "sandbox/linux/services/credentials.h" |
| |
| #include <errno.h> |
| #include <signal.h> |
| #include <stdio.h> |
| #include <sys/syscall.h> |
| #include <sys/types.h> |
| #include <sys/wait.h> |
| #include <unistd.h> |
| |
| #include "base/basictypes.h" |
| #include "base/bind.h" |
| #include "base/files/file_path.h" |
| #include "base/files/file_util.h" |
| #include "base/logging.h" |
| #include "base/posix/eintr_wrapper.h" |
| #include "base/process/launch.h" |
| #include "base/template_util.h" |
| #include "base/third_party/valgrind/valgrind.h" |
| #include "build/build_config.h" |
| #include "sandbox/linux/services/namespace_utils.h" |
| #include "sandbox/linux/services/proc_util.h" |
| #include "sandbox/linux/services/syscall_wrappers.h" |
| #include "sandbox/linux/services/thread_helpers.h" |
| #include "sandbox/linux/system_headers/capability.h" |
| |
| namespace sandbox { |
| |
| namespace { |
| |
| bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; } |
| |
| // Checks that the set of RES-uids and the set of RES-gids have |
| // one element each and return that element in |resuid| and |resgid| |
| // respectively. It's ok to pass NULL as one or both of the ids. |
| bool GetRESIds(uid_t* resuid, gid_t* resgid) { |
| uid_t ruid, euid, suid; |
| gid_t rgid, egid, sgid; |
| PCHECK(getresuid(&ruid, &euid, &suid) == 0); |
| PCHECK(getresgid(&rgid, &egid, &sgid) == 0); |
| const bool uids_are_equal = (ruid == euid) && (ruid == suid); |
| const bool gids_are_equal = (rgid == egid) && (rgid == sgid); |
| if (!uids_are_equal || !gids_are_equal) return false; |
| if (resuid) *resuid = euid; |
| if (resgid) *resgid = egid; |
| return true; |
| } |
| |
| const int kExitSuccess = 0; |
| |
| int ChrootToSelfFdinfo(void*) { |
| RAW_CHECK(chroot("/proc/self/fdinfo/") == 0); |
| |
| // CWD is essentially an implicit file descriptor, so be careful to not |
| // leave it behind. |
| RAW_CHECK(chdir("/") == 0); |
| _exit(kExitSuccess); |
| } |
| |
| // chroot() to an empty dir that is "safe". To be safe, it must not contain |
| // any subdirectory (chroot-ing there would allow a chroot escape) and it must |
| // be impossible to create an empty directory there. |
| // We achieve this by doing the following: |
| // 1. We create a new process sharing file system information. |
| // 2. In the child, we chroot to /proc/self/fdinfo/ |
| // This is already "safe", since fdinfo/ does not contain another directory and |
| // one cannot create another directory there. |
| // 3. The process dies |
| // After (3) happens, the directory is not available anymore in /proc. |
| bool ChrootToSafeEmptyDir() { |
| // We need to chroot to a fdinfo that is unique to a process and have that |
| // process die. |
| // 1. We don't want to simply fork() because duplicating the page tables is |
| // slow with a big address space. |
| // 2. We do not use a regular thread (that would unshare CLONE_FILES) because |
| // when we are in a PID namespace, we cannot easily get a handle to the |
| // /proc/tid directory for the thread (since /proc may not be aware of the |
| // PID namespace). With a process, we can just use /proc/self. |
| pid_t pid = -1; |
| char stack_buf[PTHREAD_STACK_MIN]; |
| #if defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY) || \ |
| defined(ARCH_CPU_MIPS64_FAMILY) || defined(ARCH_CPU_MIPS_FAMILY) |
| // The stack grows downward. |
| void* stack = stack_buf + sizeof(stack_buf); |
| #else |
| #error "Unsupported architecture" |
| #endif |
| pid = clone(ChrootToSelfFdinfo, stack, |
| CLONE_VM | CLONE_VFORK | CLONE_FS | SIGCHLD, nullptr, nullptr, |
| nullptr, nullptr); |
| PCHECK(pid != -1); |
| |
| int status = -1; |
| PCHECK(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid); |
| |
| return WIFEXITED(status) && WEXITSTATUS(status) == kExitSuccess; |
| } |
| |
| // CHECK() that an attempt to move to a new user namespace raised an expected |
| // errno. |
| void CheckCloneNewUserErrno(int error) { |
| // EPERM can happen if already in a chroot. EUSERS if too many nested |
| // namespaces are used. EINVAL for kernels that don't support the feature. |
| // Valgrind will ENOSYS unshare(). |
| PCHECK(error == EPERM || error == EUSERS || error == EINVAL || |
| error == ENOSYS); |
| } |
| |
| // Converts a LinuxCapability to the corresponding Linux CAP_XXX value. |
| int LinuxCapabilityToKernelValue(LinuxCapability cap) { |
| switch (cap) { |
| case LinuxCapability::kCapSysChroot: |
| return CAP_SYS_CHROOT; |
| case LinuxCapability::kCapSysAdmin: |
| return CAP_SYS_ADMIN; |
| } |
| |
| LOG(FATAL) << "Invalid LinuxCapability: " << static_cast<int>(cap); |
| } |
| |
| } // namespace. |
| |
| bool Credentials::DropAllCapabilities(int proc_fd) { |
| if (!SetCapabilities(proc_fd, std::vector<LinuxCapability>())) { |
| return false; |
| } |
| |
| CHECK(!HasAnyCapability()); |
| return true; |
| } |
| |
| bool Credentials::DropAllCapabilities() { |
| base::ScopedFD proc_fd(ProcUtil::OpenProc()); |
| return Credentials::DropAllCapabilities(proc_fd.get()); |
| } |
| |
| // static |
| bool Credentials::SetCapabilities(int proc_fd, |
| const std::vector<LinuxCapability>& caps) { |
| DCHECK_LE(0, proc_fd); |
| |
| #if !defined(THREAD_SANITIZER) |
| // With TSAN, accept to break the security model as it is a testing |
| // configuration. |
| CHECK(ThreadHelpers::IsSingleThreaded(proc_fd)); |
| #endif |
| |
| struct cap_hdr hdr = {}; |
| hdr.version = _LINUX_CAPABILITY_VERSION_3; |
| struct cap_data data[_LINUX_CAPABILITY_U32S_3] = {{}}; |
| |
| // Initially, cap has no capability flags set. Enable the effective and |
| // permitted flags only for the requested capabilities. |
| for (const LinuxCapability cap : caps) { |
| const int cap_num = LinuxCapabilityToKernelValue(cap); |
| const size_t index = CAP_TO_INDEX(cap_num); |
| const uint32_t mask = CAP_TO_MASK(cap_num); |
| data[index].effective |= mask; |
| data[index].permitted |= mask; |
| } |
| |
| return sys_capset(&hdr, data) == 0; |
| } |
| |
| bool Credentials::HasAnyCapability() { |
| struct cap_hdr hdr = {}; |
| hdr.version = _LINUX_CAPABILITY_VERSION_3; |
| struct cap_data data[_LINUX_CAPABILITY_U32S_3] = {{}}; |
| |
| PCHECK(sys_capget(&hdr, data) == 0); |
| |
| for (size_t i = 0; i < arraysize(data); ++i) { |
| if (data[i].effective || data[i].permitted || data[i].inheritable) { |
| return true; |
| } |
| } |
| |
| return false; |
| } |
| |
| bool Credentials::HasCapability(LinuxCapability cap) { |
| struct cap_hdr hdr = {}; |
| hdr.version = _LINUX_CAPABILITY_VERSION_3; |
| struct cap_data data[_LINUX_CAPABILITY_U32S_3] = {{}}; |
| |
| PCHECK(sys_capget(&hdr, data) == 0); |
| |
| const int cap_num = LinuxCapabilityToKernelValue(cap); |
| const size_t index = CAP_TO_INDEX(cap_num); |
| const uint32_t mask = CAP_TO_MASK(cap_num); |
| |
| return (data[index].effective | data[index].permitted | |
| data[index].inheritable) & |
| mask; |
| } |
| |
| // static |
| bool Credentials::CanCreateProcessInNewUserNS() { |
| // Valgrind will let clone(2) pass-through, but doesn't support unshare(), |
| // so always consider UserNS unsupported there. |
| if (IsRunningOnValgrind()) { |
| return false; |
| } |
| |
| #if defined(THREAD_SANITIZER) |
| // With TSAN, processes will always have threads running and can never |
| // enter a new user namespace with MoveToNewUserNS(). |
| return false; |
| #endif |
| |
| // This is roughly a fork(). |
| const pid_t pid = sys_clone(CLONE_NEWUSER | SIGCHLD, 0, 0, 0, 0); |
| |
| if (pid == -1) { |
| CheckCloneNewUserErrno(errno); |
| return false; |
| } |
| |
| // The parent process could have had threads. In the child, these threads |
| // have disappeared. Make sure to not do anything in the child, as this is a |
| // fragile execution environment. |
| if (pid == 0) { |
| _exit(kExitSuccess); |
| } |
| |
| // Always reap the child. |
| int status = -1; |
| PCHECK(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid); |
| CHECK(WIFEXITED(status)); |
| CHECK_EQ(kExitSuccess, WEXITSTATUS(status)); |
| |
| // clone(2) succeeded, we can use CLONE_NEWUSER. |
| return true; |
| } |
| |
| bool Credentials::MoveToNewUserNS() { |
| uid_t uid; |
| gid_t gid; |
| if (!GetRESIds(&uid, &gid)) { |
| // If all the uids (or gids) are not equal to each other, the security |
| // model will most likely confuse the caller, abort. |
| DVLOG(1) << "uids or gids differ!"; |
| return false; |
| } |
| int ret = unshare(CLONE_NEWUSER); |
| if (ret) { |
| const int unshare_errno = errno; |
| VLOG(1) << "Looks like unprivileged CLONE_NEWUSER may not be available " |
| << "on this kernel."; |
| CheckCloneNewUserErrno(unshare_errno); |
| return false; |
| } |
| |
| if (NamespaceUtils::KernelSupportsDenySetgroups()) { |
| PCHECK(NamespaceUtils::DenySetgroups()); |
| } |
| |
| // The current {r,e,s}{u,g}id is now an overflow id (c.f. |
| // /proc/sys/kernel/overflowuid). Setup the uid and gid maps. |
| DCHECK(GetRESIds(NULL, NULL)); |
| const char kGidMapFile[] = "/proc/self/gid_map"; |
| const char kUidMapFile[] = "/proc/self/uid_map"; |
| PCHECK(NamespaceUtils::WriteToIdMapFile(kGidMapFile, gid)); |
| PCHECK(NamespaceUtils::WriteToIdMapFile(kUidMapFile, uid)); |
| DCHECK(GetRESIds(NULL, NULL)); |
| return true; |
| } |
| |
| bool Credentials::DropFileSystemAccess(int proc_fd) { |
| CHECK_LE(0, proc_fd); |
| |
| CHECK(ChrootToSafeEmptyDir()); |
| CHECK(!base::DirectoryExists(base::FilePath("/proc"))); |
| CHECK(!ProcUtil::HasOpenDirectory(proc_fd)); |
| // We never let this function fail. |
| return true; |
| } |
| |
| } // namespace sandbox. |