From 0e161112cc06b7d77d8c9b73b334b209d79e12d1 Mon Sep 17 00:00:00 2001 From: "agl@chromium.org" Date: Fri, 10 Jul 2009 18:17:32 +0000 Subject: Linux: use a temp directory for the chroot. Ubuntu systems (at least) wipe /var/run at boot time, which is deleting our sandbox directory. Instead, we have the SUID helper create a temp directory in /tmp, unlink it and use that for the chroot directory. A file descriptor is passed to the zygote process for it to fchdir into. (Thanks to fta for discussions on this.) BUG=16363 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20388 0039d316-1c4b-4281-b951-d872f2087c98 --- sandbox/linux/suid/sandbox.cc | 47 +++++++++++++++++++++++++++++++++++++------ 1 file changed, 41 insertions(+), 6 deletions(-) (limited to 'sandbox/linux') diff --git a/sandbox/linux/suid/sandbox.cc b/sandbox/linux/suid/sandbox.cc index 1ea2af3..abd066c 100644 --- a/sandbox/linux/suid/sandbox.cc +++ b/sandbox/linux/suid/sandbox.cc @@ -2,8 +2,11 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. +// http://code.google.com/p/chromium/wiki/LinuxSUIDSandbox + #include #include +#include #include #include #include @@ -22,7 +25,6 @@ #define CLONE_NEWPID 0x20000000 #endif -static const char kSandboxPath[] = "/var/run/chrome-sandbox"; static const char kChromeBinary[] = "/opt/google/chrome/chrome"; static const char kSandboxDescriptorEnvironmentVarName[] = "SBX_D"; @@ -62,6 +64,23 @@ static int CloneChrootHelperProcess() { } if (pid == 0) { + // We create a temp directory for our chroot. Nobody should ever write into + // it, so it's root:root 0555. + char kTempDirectoryTemplate[] = "/tmp/chrome-sandbox-chroot-XXXXXX"; + const char* temp_dir = mkdtemp(kTempDirectoryTemplate); + if (!temp_dir) + FatalError("Failed to create temp directory for chroot"); + + const int chroot_dir_fd = open(temp_dir, O_DIRECTORY | O_RDONLY); + if (chroot_dir_fd < 0) { + rmdir(temp_dir); + FatalError("Failed to open chroot temp directory"); + } + + rmdir(temp_dir); + fchown(chroot_dir_fd, 0, 0); + fchmod(chroot_dir_fd, 0555); + // We share our files structure with an untrusted process. As a security in // depth measure, we make sure that we can't open anything by mistake. // TODO: drop CAP_SYS_RESOURCE @@ -87,25 +106,41 @@ static int CloneChrootHelperProcess() { if (msg != kMsgChrootMe) FatalError("Unknown message from sandboxed process"); - if (chdir(kSandboxPath)) - FatalError("Cannot chdir into %s", kSandboxPath); + if (fchdir(chroot_dir_fd)) + FatalError("Cannot chdir into chroot temp directory"); struct stat st; if (stat(".", &st)) FatalError("stat"); if (st.st_uid || st.st_gid || st.st_mode & S_IWOTH) - FatalError("Bad permissions on chroot directory (%s)", kSandboxPath); + FatalError("Bad permissions on chroot temp directory"); if (chroot(".")) - FatalError("Cannot chroot into %s", kSandboxPath); + FatalError("Cannot chroot into temp directory"); if (chdir("/")) FatalError("Cannot chdir to / after chroot"); const char reply = kMsgChrootSuccessful; do { - bytes = write(sv[0], &reply, 1); + struct msghdr msg = {0}; + struct iovec iov = {(char *) &reply, 1}; + + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + + char control_buffer[CMSG_SPACE(sizeof(int))]; + msg.msg_control = control_buffer; + msg.msg_controllen = sizeof(control_buffer); + struct cmsghdr* cmsg = CMSG_FIRSTHDR(&msg); + cmsg->cmsg_level = SOL_SOCKET; + cmsg->cmsg_type = SCM_RIGHTS; + cmsg->cmsg_len = CMSG_LEN(sizeof(int)); + memcpy(CMSG_DATA(cmsg), &chroot_dir_fd, sizeof(int)); + msg.msg_controllen = cmsg->cmsg_len; + + bytes = sendmsg(sv[0], &msg, 0); } while (bytes == -1 && errno == EINTR); if (bytes != 1) -- cgit v1.1