authorjln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-06-05 01:03:32 +0000
committerjln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-06-05 01:03:32 +0000
commit0381ae21ec09e278a4a0f6c00ac2a4e2cb54a3de (patch)
tree1f01eec3a772ca20ea015e45558a64908e599138 /sandbox
parentd51d08e86464c89e8ab91deb39a448ba24ff2e48 (diff)
Setuid sandbox API versioning
We introduce API versioning to the setuid sandbox and issue warnings when the versions Chrome and the Sandbox expect are different. 1. The Zygote launcher in the browser will export the API version it expects to the environment. 2. The setuid sandbox will match its own version with the one in the environment. 3. Afterwards, it will export the API it provides to the environment for the sandboxed process. 4. The Zygote (the sandboxed process) will in turn check for the API number. The double check is needed because a version of the browser or of the setuid sandbox that does check for API could co-exist with a version that does not. The various utilities that are part of the setuid sandbox are not versioned because they have callers that are external to Chrome (in ChromeOS). When environment variables are not found, we assume version 0. Since the API is for now set to 0, this change will not produce any warning at the moment. BUG=None TEST=None Review URL: https://chromiumcodereview.appspot.com/10492006 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@140456 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox')
-rw-r--r--sandbox/linux/suid/linux_util.h3
-rw-r--r--sandbox/linux/suid/sandbox.c58
2 files changed, 59 insertions, 2 deletions
diff --git a/sandbox/linux/suid/linux_util.h b/sandbox/linux/suid/linux_util.h
index 72e3f00..d064252 100644
--- a/sandbox/linux/suid/linux_util.h
+++ b/sandbox/linux/suid/linux_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
@@ -12,6 +12,7 @@
#include <sys/types.h>
static const char kFindInodeSwitch[] = "--find-inode";
+static const char kSuidSandboxGetApiSwitch[] = "--get-api";
// Find the process which holds the given socket, named by inode number. If
// multiple processes hold the socket, this function returns false.
diff --git a/sandbox/linux/suid/sandbox.c b/sandbox/linux/suid/sandbox.c
index 2436092..b46e906 100644
--- a/sandbox/linux/suid/sandbox.c
+++ b/sandbox/linux/suid/sandbox.c
@@ -42,6 +42,12 @@
static const char kSandboxDescriptorEnvironmentVarName[] = "SBX_D";
static const char kSandboxHelperPidEnvironmentVarName[] = "SBX_HELPER_PID";
+
+// Should be kept in sync with base/linux_util.h
+static const long kSUIDSandboxApiNumber = 0;
+static const char kSandboxEnvironmentApiRequest[] = "SBX_CHROME_API_RQ";
+static const char kSandboxEnvironmentApiProvides[] = "SBX_CHROME_API_PRV";
+
// This number must be kept in sync with common/zygote_commands_linux.h
static const int kZygoteIdFd = 7;
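Review bot: The new constant `kSUIDSandboxApiNumber` spells the acronym differently from `kSuidSandboxGetApiSwitch`, which the same commit adds to linux_util.h. Picking one casing for the two new identifiers, e.g. `kSuidSandboxApiNumber`, would keep them consistent and easier to grep for together.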
@@ -361,9 +367,48 @@ static bool SetupChildEnvironment() {
return true;
}
+bool CheckAndExportApiVersion() {
+ // Check the environment to see if a specific API version was requested.
+ // assume version 0 if none.
+ long api_number = -1;
+ char *api_string = getenv(kSandboxEnvironmentApiRequest);
+ if (!api_string) {
+ api_number = 0;
+ } else {
+ errno = 0;
+ char* endptr = NULL;
+ api_number = strtol(api_string, &endptr, 10);
+ if (!endptr || *endptr || errno != 0)
+ return false;
+ }
+
+ // Warn only for now.
+ if (api_number != kSUIDSandboxApiNumber) {
+ fprintf(stderr, "The setuid sandbox provides API version %ld, "
+ "but you need %ld\n"
+ "Please read "
+ "https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment."
+ "\n\n",
+ kSUIDSandboxApiNumber,
+ api_number);
+ }
+
+ // Export our version so that the sandboxed process can verify it did not
+ // use an old sandbox.
+ char version_string[64];
+ snprintf(version_string, sizeof(version_string), "%ld",
+ kSUIDSandboxApiNumber);
+ if (setenv(kSandboxEnvironmentApiProvides, version_string, 1)) {
+ perror("setenv");
+ return false;
+ }
+
+ return true;
+}
+
int main(int argc, char **argv) {
if (argc <= 1) {
- if (argc == 0) {
+ if (argc <= 0) {
return 1;
}
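Review bot: The validation `if (!endptr || *endptr || errno != 0)` does not catch the no-conversion case: strtol always sets endptr, so `!endptr` is dead, and an empty SBX_CHROME_API_RQ leaves `endptr == api_string` with `*endptr == '\0'` and errno unchanged, so it is silently accepted as version 0 instead of being rejected like any other malformed value; `if (endptr == api_string || *endptr != '\0' || errno != 0)` closes that gap. Because main() exits 1 on a false return with no diagnostic, printing the variable name before returning, e.g. `fprintf(stderr, "Invalid %s value\n", kSandboxEnvironmentApiRequest);`, would make the failure debuggable the way the setenv path already is with perror. CheckAndExportApiVersion is also the only function here without `static`, unlike SetupChildEnvironment in the hunk header, and nothing in this change declares it in a header. A header comment stating that a version mismatch only warns while a malformed request or a failed export fails the launch would spell out the contract the call site relies on. main() continues past the hunk.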
@@ -371,6 +416,12 @@ int main(int argc, char **argv) {
return 1;
}
+ // Allow someone to query our API version
+ if (argc == 2 && 0 == strcmp(argv[1], kSuidSandboxGetApiSwitch)) {
+ printf("%ld\n", kSUIDSandboxApiNumber);
+ return 0;
+ }
+
// In the SUID sandbox, if we succeed in calling MoveToNewNamespaces()
// below, then the zygote and all the renderers are in an alternate PID
// namespace and do not know their real PIDs. As such, they report the wrong
@@ -426,6 +477,11 @@ int main(int argc, char **argv) {
}
#endif
+ // Protect the core setuid sandbox functionality with an API version
+ if (!CheckAndExportApiVersion()) {
+ return 1;
+ }
+
if (!MoveToNewNamespaces())
return 1;
if (!SpawnChrootHelper())
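Review bot: The comment `// Protect the core setuid sandbox functionality with an API version` overstates what this call enforces: CheckAndExportApiVersion, defined earlier in this file, only warns on a version mismatch ("Warn only for now") and returns false solely when SBX_CHROME_API_RQ cannot be parsed or the SBX_CHROME_API_PRV export fails. A reader of this call site would otherwise assume a Chrome with a different API version is refused here. Suggest `// Check the requested API version (a mismatch only warns for now) and export ours for the child; failure means the request could not be parsed or exported.` main() continues outside the hunk.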