Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromiumos / platform / minijail / 871d781e5508c2ea52e1513aeaf1ab072a7666fa / . / env.cc
blob: 5ee0667515663f988bf5e51f8f54ce419e57e200 [file] [log] [blame]
drewry@google.combd940e92009-12-07 19:13:27 +0000[diff] [blame]1// Copyright (c) 2009 The Chromium OS Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4// Some portions Copyright (c) 2009 The Chromium Authors.
5//
6// Default implementation of the Env interface.
7
8#include "minijail/env.h"
9
10#include <asm/unistd.h>
11#include <errno.h>
12#include <fcntl.h>
13#include <grp.h>
Chris Masone871d7812010-02-04 09:34:23 -0800[diff] [blame^]14#include <pwd.h>
drewry@google.combd940e92009-12-07 19:13:27 +0000[diff] [blame]15#include <sched.h>
16#include <signal.h>
17#include <stdarg.h>
18#include <stdbool.h>
19#include <stdio.h>
20#include <stdlib.h>
21#include <string.h>
22#include <sys/capability.h>
23#include <sys/mount.h>
24#include <sys/prctl.h>
25#include <sys/resource.h>
26#include <sys/socket.h>
27#include <sys/stat.h>
28#include <sys/time.h>
29#include <sys/types.h>
30#include <unistd.h>
31
32#include <base/logging.h>
33
34// prctl constants that are still missing in the headers.
35#define PR_GET_KEEPCAPS 7
36#define PR_SET_KEEPCAPS 8
37#define PR_CAPBSET_READ 23
38#define PR_CAPBSET_DROP 24
39#define PR_GET_SECUREBITS 27
40#define PR_SET_SECUREBITS 28
41
42namespace chromeos {
43
44namespace minijail {
45
46bool Env::DisableTracing() const {
47 DLOG(INFO) << "Disabling DUMPABLE...";
48 if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)) {
49 PLOG(FATAL) << "Failed to set PR_SET_KEEPCAPS";
50 }
51 if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) {
52 LOG(FATAL) << "PR_SET_DUMPABLE could not be set";
53 }
54 DLOG(INFO) << "Success";
55 return true;
56}
57
58bool Env::KeepRootCapabilities() const {
59 DLOG(INFO) << "Enabling KEEPCAPS...";
60 if (prctl(PR_SET_KEEPCAPS, 1) < 0) {
61 PLOG(FATAL) << "Failed to set PR_SET_KEEPCAPS";
62 }
63 if (prctl(PR_GET_KEEPCAPS, 0) != 1) {
64 LOG(FATAL) << "PR_GET_KEEPCAPS could not be set";
65 }
66
67 DLOG(INFO) << "Success.";
68 return true;
69}
70
71bool Env::DisableDefaultRootPrivileges() const {
72 DLOG(INFO) << "Enabling SECURE_ALL...";
73 // From: kernel/include/linux/securebits.h:
74 // http://git.chromium.org/cgi-bin/gitweb.cgi?p=kernel.git;a=blob;f=include/linux/securebits.h
75 const int kSecureBitsAllLocked = 0x3f;
76 if (prctl(PR_SET_SECUREBITS, kSecureBitsAllLocked)) {
77 PLOG(FATAL) << "Failed to set PR_SET_SECUREBITS";
78 }
79 DLOG(INFO) << "Success.";
80 return true;
81}
82
83bool Env::ChangeUser(uid_t uid, gid_t gid) const {
84 // TODO(wad) support supplemental groups
85 DLOG(INFO) << "Dropping root...";
Chris Masone871d7812010-02-04 09:34:23 -0800[diff] [blame^]86 struct passwd* entry = getpwuid(uid);
87 endpwent();
88 if (!entry) {
89 LOG(INFO) << "UID is unknown. Clearing all supplemental groups";
90 PLOG_IF(FATAL, setgroups(0, NULL))
91 << "Failed to clear supplementary groups";
92 } else {
93 PLOG_IF(FATAL, initgroups(entry->pw_name, entry->pw_gid))
94 << "Failed to set supplementary groups";
drewry@google.combd940e92009-12-07 19:13:27 +0000[diff] [blame]95 }
96 if (setresgid(gid, gid, gid)) {
97 PLOG(FATAL) << "Failed to change to gid " << gid;
98 }
99 if (setresuid(uid, uid, uid)) {
100 PLOG(FATAL) << "Failed to change to uid " << uid;
101 }
102 DLOG(INFO) << "Success.";
103 return true;
104}
105
106// At present, the total number of capabilities is less than 32. We
107// will just pack them into a bitmask to save on effort.
108bool Env::SanitizeBoundingSet(uint64 cap_mask) const {
109 unsigned int cap;
110 DLOG(INFO) << "Cleaning the bounding set...";
111 // XXX: we read until prctl complains but that may not
112 // match CAP_LAST_CAP. We'll just drop the excess if it turns up.
113 // We mustnĀ“t drop CAP_SETPCAP on the way though.
114 static const uint32 kBitsInAByte = 8;
115 static const uint32 kMaxCaps = sizeof(cap_mask) * kBitsInAByte;
116 for (cap = 0; cap < kMaxCaps && prctl(PR_CAPBSET_READ, cap) >= 0; ++cap) {
117 if (cap == CAP_SETPCAP) {
118 continue;
119 }
120 if (cap_mask & (1ULL << (cap))) {
121 DLOG(INFO) << "Leaving cap " << cap << " in bounding set";
122 continue;
123 }
124 if (prctl(PR_CAPBSET_DROP, cap)) {
125 PLOG(FATAL) << "Failed to clean the bounding set of cap " << cap;
126 }
127 }
128 DLOG(INFO) << "Success.";
129 return true;
130}
131
132bool Env::SanitizeCapabilities(uint64 effective_capmask) const {
133 DLOG(INFO) << "Dropping capabilities...";
134 unsigned int cap;
135 cap_t caps = cap_get_proc();
136 cap_value_t raise_flag[1];
137 if (!caps) {
138 PLOG(FATAL) << "cap_get_proc failed";
139 }
140 if (cap_clear_flag(caps, CAP_INHERITABLE)) {
141 PLOG(FATAL) << "Failed to clear all inheritable caps";
142 }
143 if (cap_clear_flag(caps, CAP_EFFECTIVE)) {
144 PLOG(FATAL) << "Failed to clear all effective caps";
145 }
146 if (cap_clear_flag(caps, CAP_PERMITTED)) {
147 PLOG(FATAL) << "Failed to clear all permitted caps";
148 }
149 for (cap = 0; cap < sizeof(effective_capmask)*8; ++cap) {
150 // In a secure_noroot jail, cap_setpcap is safe.
151 if (cap == CAP_SETPCAP ||
152 effective_capmask & (1 << cap)) {
153 raise_flag[0] = cap;
154 DLOG(INFO) << "Adding cap " << cap << "=eip";
155 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, raise_flag, CAP_SET)) {
156 PLOG(FATAL) << "Failed to add cap " << cap << " to the effective set";
157 }
158 if (cap_set_flag(caps, CAP_PERMITTED, 1, raise_flag, CAP_SET)) {
159 PLOG(FATAL) << "Failed to add cap " << cap << " to the permitted set";
160 }
161 if (cap_set_flag(caps, CAP_INHERITABLE, 1, raise_flag, CAP_SET)) {
162 PLOG(FATAL) << "Failed to add cap " << cap << " to the inherite set";
163 }
164 }
165 }
166 if (cap_set_proc(caps)) {
167 PLOG(FATAL) << "Failed to apply cleaned capset";
168 }
169 cap_free(caps);
170 DLOG(INFO) << "Success.";
171 return true;
172}
173
174bool Env::FilterSyscallsBySource() const {
175 DLOG(INFO) << "Calling seccomp(2)";
176 if (prctl(PR_SET_SECCOMP, 2)) {
177 PLOG(FATAL) << "Failed to enabled seccomp(2)";
178 }
179 DLOG(INFO) << "System calls now filtered by source";
180 return true;
181}
182
183bool Env::FilterSyscallsBenchmarkOnly() const {
184 DLOG(INFO) << "Calling seccomp(3)";
185 if (prctl(PR_SET_SECCOMP, 3)) {
186 PLOG(FATAL) << "Failed to enabled seccomp(3)";
187 }
188 DLOG(INFO) << "System calls now nop filtered";
189 return true;
190}
191
192bool Env::EnterNamespace(int namespaces) const {
193 if (namespaces == 0) {
194 DLOG(INFO) << "No namespacing to be done.";
195 return true;
196 }
197 DLOG(INFO) << "Entering namespaces " << namespaces;
198 // TODO(wad) support namespace args
199 const pid_t pid = syscall(
200 __NR_clone, namespaces | CLONE_VFORK | SIGCHLD, 0, 0, 0);
201 if (pid == -1) {
202 PLOG(FATAL) << "Could not use PID namespacing";
203 return false;
204 }
205 if (pid) {
206 // Kill the original process without atexit handlers.
207 DLOG(INFO) << "original process death:" << pid;
208 _exit(0);
209 }
210 DLOG(INFO) << "Success: " << getpid();
211 return true;
212}
213
214bool Env::Mount() const {
215 DLOG(INFO) << "Attempting to mount /proc RO.";
216 if (mount("proc",
217 "/proc",
218 "proc",
219 MS_NODEV|MS_NOEXEC|MS_NOSUID|MS_RDONLY,
220 "")) {
221 PLOG(FATAL) << "Failed to mount a local /proc";
222 }
223 DLOG(INFO) << "Success.";
224 return true;
225}
226
227bool Env::Run(const char *path, char * const *argv, char * const *envp) const {
228 // TODO(wad) log-pid option
229 DLOG(INFO) << "Executing: " << path << " with args: ";
230 for (char * const* arg = argv; *arg; ++arg) {
231 DLOG(INFO) << "-> " << *arg;
232 }
233 execve(path, argv, envp);
234 PLOG(FATAL) << "failed to execute " << path;
235 return false;
236}
237
238} // namespace minijail
239} // namespace chromeos