// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "sandbox/linux/suid/client/setuid_sandbox_client.h"
#include <fcntl.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include "base/command_line.h"
#include "base/environment.h"
#include "base/files/file_path.h"
#include "base/files/file_util.h"
#include "base/files/scoped_file.h"
#include "base/logging.h"
#include "base/macros.h"
#include "base/memory/scoped_ptr.h"
#include "base/path_service.h"
#include "base/posix/eintr_wrapper.h"
#include "base/process/launch.h"
#include "base/process/process_metrics.h"
#include "base/strings/string_number_conversions.h"
#include "sandbox/linux/services/init_process_reaper.h"
#include "sandbox/linux/suid/common/sandbox.h"
#include "sandbox/linux/suid/common/suid_unsafe_environment_variables.h"
namespace {
// Probe whether the file system is unreachable from this process, using the
// path in base::kProcSelfExe as the canary: if even our own executable cannot
// be opened for reading, we take that as proof of a successful chroot.
// ChrootMe() relies on this as an independent confirmation rather than
// trusting the helper's reply alone. The descriptor, if one was obtained,
// is closed by ScopedFD when it goes out of scope.
bool IsFileSystemAccessDenied() {
  base::ScopedFD self_exe(HANDLE_EINTR(open(base::kProcSelfExe, O_RDONLY)));
  return !self_exe.is_valid();
}
// Set an environment variable that reflects the API version we expect from the
// setuid sandbox. Old versions of the sandbox will ignore this.
// |env| is the environment the child will be launched with; the value written
// is the integer kSUIDSandboxApiNumber rendered as a decimal string, under the
// name kSandboxEnvironmentApiRequest.
void SetSandboxAPIEnvironmentVariable(base::Environment* env) {
  env->SetVar(sandbox::kSandboxEnvironmentApiRequest,
              base::IntToString(sandbox::kSUIDSandboxApiNumber));
}
// Mark, in |env_map|, every variable that a setuid sandbox helper exports to
// its child for removal. This makes nesting one SUID sandbox instance inside
// another possible: without it the inner child would inherit the outer
// helper's IPC descriptor, helper pid, advertised API number and namespace
// markers and could mistake them for its own.
// |env_map| must be non-NULL.
void UnsetExpectedEnvironmentVariables(base::EnvironmentMap* env_map) {
  DCHECK(env_map);
  const base::NativeEnvironmentString inherited_vars[] = {
      sandbox::kSandboxDescriptorEnvironmentVarName,
      sandbox::kSandboxHelperPidEnvironmentVarName,
      sandbox::kSandboxEnvironmentApiProvides,
      sandbox::kSandboxPIDNSEnvironmentVarName,
      sandbox::kSandboxNETNSEnvironmentVarName,
  };
  const base::NativeEnvironmentString* const end =
      inherited_vars + arraysize(inherited_vars);
  for (const base::NativeEnvironmentString* var = inherited_vars; var != end;
       ++var) {
    // An empty string is AlterEnvironment()'s "remove this variable" marker,
    // so these entries end up unset in the child's environment.
    (*env_map)[*var] = base::NativeEnvironmentString();
  }
}
// Wrapper around a shared C function.
// Returns the "saved" environment variable name corresponding to |env_var|
// as a heap-allocated std::string that the caller owns, or NULL when the C
// helper produces none.
std::string* CreateSavedVariableName(const char* env_var) {
  // SandboxSavedEnvironmentVariable is the C function that we wrap; its
  // result is malloc()ed, so it must be released with free(), never delete.
  char* const c_name = SandboxSavedEnvironmentVariable(env_var);
  if (c_name == NULL)
    return NULL;
  std::string* const owned_name = new std::string(c_name);
  free(c_name);
  return owned_name;
}
// The ELF loader will clear many environment variables so we save them to
// different names here so that the SUID sandbox can resolve them for the
// renderer.
// For each name in the NULL-terminated kSUIDUnsafeEnvironmentVariables list,
// the corresponding "saved" variable in |env| is set to the current value,
// or unset when the original is absent (so a stale saved copy cannot survive).
// Names for which no saved counterpart can be derived are skipped.
void SaveSUIDUnsafeEnvironmentVariables(base::Environment* env) {
  for (const char* const* unsafe_var = kSUIDUnsafeEnvironmentVariables;
       *unsafe_var != NULL; ++unsafe_var) {
    // Derive the name under which this variable is preserved.
    scoped_ptr<std::string> saved_name(CreateSavedVariableName(*unsafe_var));
    if (saved_name.get() == NULL)
      continue;
    std::string current_value;
    const bool is_set = env->GetVar(*unsafe_var, &current_value);
    if (is_set) {
      env->SetVar(saved_name->c_str(), current_value);
    } else {
      env->UnSetVar(saved_name->c_str());
    }
  }
}
// Report the API number the setuid helper advertised to us through |env|.
// Returns 0 when the variable is absent (old helpers advertise nothing),
// -1 when it is present but not an integer, and the advertised number
// otherwise.
int GetHelperApi(base::Environment* env) {
  std::string advertised;
  if (!env->GetVar(sandbox::kSandboxEnvironmentApiProvides, &advertised)) {
    // Assume API version 0 if no environment was found.
    return 0;
  }
  int api_number = 0;
  if (!base::StringToInt(advertised, &api_number)) {
    // It's an error if we could not convert the API number.
    return -1;
  }
  return api_number;
}
// Convert |var_name| from the environment |env| to an int.
// Return -1 if the variable does not exist or the value cannot be converted.
// Callers treat the result as a descriptor number or a pid; a value that is
// present but malformed is deliberately indistinguishable from an absent one.
int EnvToInt(base::Environment* env, const char* var_name) {
  std::string raw_value;
  if (!env->GetVar(var_name, &raw_value))
    return -1;
  int parsed = -1;
  // StringToInt may leave a partial result in |parsed| on failure, hence the
  // explicit -1 rather than returning whatever it wrote.
  if (!base::StringToInt(raw_value, &parsed))
    return -1;
  return parsed;
}
// Pid of the setuid helper as recorded in |env| by the helper itself, or -1
// when the variable is absent or malformed. Note the -1 case is significant
// to callers that pass the result to waitpid() (see ChrootMe()).
pid_t GetHelperPID(base::Environment* env) {
  return EnvToInt(env, sandbox::kSandboxHelperPidEnvironmentVarName);
}
// Get the IPC file descriptor used to communicate with the setuid helper.
// The number comes straight from |env|; -1 means absent or malformed. Only
// the environment is consulted here, the descriptor itself is not probed.
int GetIPCDescriptor(base::Environment* env) {
  return EnvToInt(env, sandbox::kSandboxDescriptorEnvironmentVarName);
}
// Raw value of CHROME_DEVEL_SANDBOX from the process environment, or NULL
// when it is unset. Callers decide whether the value may be trusted (see
// GetSandboxBinaryPath() and IsDisabledViaEnvironment()).
const char* GetDevelSandboxPath() {
  static const char kDevelSandboxVar[] = "CHROME_DEVEL_SANDBOX";
  return getenv(kDevelSandboxVar);
}
} // namespace
namespace sandbox {
// Factory: builds a client bound to a freshly created base::Environment.
// Returns a heap-allocated client the caller owns; the environment is owned
// by the client and released in its destructor. Aborts (CHECK) if no
// environment object could be created.
SetuidSandboxClient* SetuidSandboxClient::Create() {
  scoped_ptr<base::Environment> environment(base::Environment::Create());
  CHECK(environment.get());
  SetuidSandboxClient* const client = new SetuidSandboxClient;
  client->env_ = environment.release();
  return client;
}
// Starts with no environment and in the unsandboxed state; Create() is the
// supported way to obtain a usable instance, as it fills in env_.
SetuidSandboxClient::SetuidSandboxClient()
    : env_(NULL),
      sandboxed_(false) {
}
// Releases the owned environment. env_ may still be NULL for an instance not
// produced by Create(); deleting a null pointer is a no-op.
SetuidSandboxClient::~SetuidSandboxClient() {
  delete env_;
}
// Close the placeholder descriptor at kZygoteIdFd that SetupLaunchOptions()
// installed in this (child) process. Only valid inside a setuid-sandbox
// child; every failure here is a CHECK/PCHECK because an unexpected
// descriptor at that slot means the launch did not go through the helper
// the way this code assumes, and continuing would hide that.
void SetuidSandboxClient::CloseDummyFile() {
  // When we're launched through the setuid sandbox, SetupLaunchOptions
  // arranges for kZygoteIdFd to be a dummy file descriptor to satisfy an
  // ancient setuid sandbox ABI requirement. However, the descriptor is no
  // longer needed, so we can simply close it right away now.
  CHECK(IsSuidSandboxChild());
  // Sanity check that kZygoteIdFd refers to a pipe. This guards against
  // closing an unrelated descriptor that happens to occupy that number.
  struct stat st;
  PCHECK(0 == fstat(kZygoteIdFd, &st));
  CHECK(S_ISFIFO(st.st_mode));
  // IGNORE_EINTR: a close() interrupted by a signal must not be retried.
  PCHECK(0 == IGNORE_EINTR(close(kZygoteIdFd)));
}
// Ask the setuid helper to chroot this process, then verify that it did.
// Protocol: write kMsgChrootMe on the IPC descriptor the helper left in our
// environment, reap the helper, read a one-byte reply and require it to be
// kMsgChrootSuccessful.
// Returns true only once the file system has been independently confirmed
// unreachable (the process aborts if the helper claimed success but the
// check fails). A false return means this process is NOT sandboxed; the
// caller must not proceed as if it were. On success sets sandboxed_ so that
// IsSandboxed() reports it.
bool SetuidSandboxClient::ChrootMe() {
  // The descriptor number comes from the environment; without it there is
  // no helper to talk to.
  int ipc_fd = GetIPCDescriptor(env_);
  if (ipc_fd < 0) {
    LOG(ERROR) << "Failed to obtain the sandbox IPC descriptor";
    return false;
  }
  if (HANDLE_EINTR(write(ipc_fd, &kMsgChrootMe, 1)) != 1) {
    PLOG(ERROR) << "Failed to write to chroot pipe";
    return false;
  }
  // We need to reap the chroot helper process in any event.
  pid_t helper_pid = GetHelperPID(env_);
  // If helper_pid is -1 we wait for any child. NOTE(review): that case only
  // arises when the helper-pid variable is missing or malformed, and it
  // reaps whichever child exits first, which need not be the helper.
  if (HANDLE_EINTR(waitpid(helper_pid, NULL, 0)) < 0) {
    PLOG(ERROR) << "Failed to wait for setuid helper to die";
    return false;
  }
  // The reply is read only after the helper is gone, so a short read here
  // cannot be a not-yet-written byte.
  char reply;
  if (HANDLE_EINTR(read(ipc_fd, &reply, 1)) != 1) {
    PLOG(ERROR) << "Failed to read from chroot pipe";
    return false;
  }
  if (reply != kMsgChrootSuccessful) {
    LOG(ERROR) << "Error code reply from chroot helper";
    return false;
  }
  // We now consider ourselves "fully sandboxed" as far as the
  // setuid sandbox is concerned. The helper's word is not taken for it:
  // IsFileSystemAccessDenied() must confirm that the file system really is
  // gone, otherwise we abort rather than run believing we are confined.
  CHECK(IsFileSystemAccessDenied());
  sandboxed_ = true;
  return true;
}
// Thin forwarder to the free function sandbox::CreateInitProcessReaper().
// The explicit namespace qualification is required: an unqualified call
// inside the class would resolve to this very method and recurse.
// |post_fork_parent_callback| is passed through untouched; see the free
// function for its contract and the meaning of the return value.
bool SetuidSandboxClient::CreateInitProcessReaper(
    base::Closure* post_fork_parent_callback) {
  return sandbox::CreateInitProcessReaper(post_fork_parent_callback);
}
// True when the helper that launched us advertises exactly the API number
// this client was built against. An absent advertisement is reported as 0
// and a malformed one as -1 by GetHelperApi(), and both are compared with
// the same strict equality.
bool SetuidSandboxClient::IsSuidSandboxUpToDate() const {
  return GetHelperApi(env_) == kSUIDSandboxApiNumber;
}
// True when the environment carries a non-negative IPC descriptor number,
// i.e. the setuid helper appears to have launched this process. This is an
// environment check only; it does not validate that the descriptor is open.
bool SetuidSandboxClient::IsSuidSandboxChild() const {
  return GetIPCDescriptor(env_) >= 0;
}
// True when the helper marked the environment as running in a new PID
// namespace. Presence of the variable is what counts; its value is ignored.
bool SetuidSandboxClient::IsInNewPIDNamespace() const {
  return env_->HasVar(kSandboxPIDNSEnvironmentVarName);
}
// True when the helper marked the environment as running in a new network
// namespace. Presence of the variable is what counts; its value is ignored.
bool SetuidSandboxClient::IsInNewNETNamespace() const {
  return env_->HasVar(kSandboxNETNSEnvironmentVarName);
}
// Whether ChrootMe() has completed successfully in this process. Only that
// path sets sandboxed_, so this reflects a verified chroot, not merely having
// been launched through the helper.
bool SetuidSandboxClient::IsSandboxed() const {
  return sandboxed_;
}
// Check if CHROME_DEVEL_SANDBOX is set but empty. This currently disables
// the setuid sandbox. TODO(jln): fix this (crbug.com/245376).
// Only the exact "set to the empty string" state disables; an unset variable
// or a non-empty value does not.
bool SetuidSandboxClient::IsDisabledViaEnvironment() {
  const char* const devel_path = GetDevelSandboxPath();
  return devel_path != NULL && *devel_path == '\0';
}
// Locate the SUID sandbox helper binary. Returns an empty path when none is
// found; existence and permissions are checked by the caller
// (PrependWrapper()), not here.
// Lookup order:
//  1. "chrome-sandbox" next to the running executable (base::DIR_EXE).
//  2. CHROME_DEVEL_SANDBOX, consulted only when the running executable is
//     owned by the current user (a user-managed or development build). For
//     an executable owned by someone else the environment variable is not
//     consulted at all; presumably so that an environment-supplied path is
//     only honoured for binaries the user already controls.
base::FilePath SetuidSandboxClient::GetSandboxBinaryPath() {
  base::FilePath exe_dir;
  if (PathService::Get(base::DIR_EXE, &exe_dir)) {
    const base::FilePath bundled = exe_dir.AppendASCII("chrome-sandbox");
    if (base::PathExists(bundled))
      return bundled;
  }
  // In user-managed builds, including development builds, an environment
  // variable is required to enable the sandbox. See
  // http://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment
  struct stat self_stat;
  const bool self_owned_by_user =
      stat(base::kProcSelfExe, &self_stat) == 0 &&
      self_stat.st_uid == getuid();
  if (!self_owned_by_user)
    return base::FilePath();
  const char* const devel_path = GetDevelSandboxPath();
  if (devel_path == NULL)
    return base::FilePath();
  return base::FilePath(devel_path);
}
// Make |cmd_line| run through the SUID sandbox helper. Rather than ever
// launching unsandboxed, this aborts the process (LOG(FATAL)) when the
// helper is missing or is not an executable, setuid, root-owned binary.
// The ownership/mode inspection is a pre-flight check on the path only; the
// helper is exec'd later during launch, so a file that changes in between
// is outside what this function can guarantee.
void SetuidSandboxClient::PrependWrapper(base::CommandLine* cmd_line) {
  const std::string helper_path(GetSandboxBinaryPath().value());
  struct stat helper_stat;
  const bool helper_present =
      !helper_path.empty() && stat(helper_path.c_str(), &helper_stat) == 0;
  if (!helper_present) {
    LOG(FATAL) << "The SUID sandbox helper binary is missing: "
               << helper_path << " Aborting now. See "
                  "https://code.google.com/p/chromium/wiki/"
                  "LinuxSUIDSandboxDevelopment.";
  }
  // All four properties are required; any one missing is fatal.
  const bool executable = access(helper_path.c_str(), X_OK) == 0;
  const bool owned_by_root = helper_stat.st_uid == 0;
  const bool setuid_bit_set = (helper_stat.st_mode & S_ISUID) != 0;
  const bool world_executable = (helper_stat.st_mode & S_IXOTH) != 0;
  if (!(executable && owned_by_root && setuid_bit_set && world_executable)) {
    LOG(FATAL) << "The SUID sandbox helper binary was found, but is not "
                  "configured correctly. Rather than run without sandboxing "
                  "I'm aborting now. You need to make sure that "
               << helper_path << " is owned by root and has mode 4755.";
  }
  cmd_line->PrependWrapper(helper_path);
}
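// Prepare |options| and |fds_to_remap| so that a child can be launched
// through the setuid helper.
// |options|: allow_new_privs is forced on (a setuid binary cannot acquire
//   its privileges under PR_SET_NO_NEW_PRIVS), and any sandbox variables
//   already present in options->environ are marked for removal so a nested
//   instance does not inherit the outer helper's descriptor and pid.
// |fds_to_remap|: gains a mapping of |dummy_fd| onto kZygoteIdFd, which the
//   helper's ABI still expects to be an open descriptor.
// |dummy_fd|: receives the read end of a pipe whose write end is already
//   closed. The caller owns it and must keep it open until the launch has
//   consumed the mapping.
// All three pointers must be non-NULL; the third was previously dereferenced
// without being checked alongside the other two.
void SetuidSandboxClient::SetupLaunchOptions(
    base::LaunchOptions* options,
    base::FileHandleMappingVector* fds_to_remap,
    base::ScopedFD* dummy_fd) {
  DCHECK(options);
  DCHECK(fds_to_remap);
  DCHECK(dummy_fd);
  // Launching a setuid binary requires PR_SET_NO_NEW_PRIVS to not be used.
  options->allow_new_privs = true;
  UnsetExpectedEnvironmentVariables(&options->environ);
  // Set dummy_fd to the reading end of a closed pipe. With the write end
  // gone, any read on it returns EOF immediately, so nothing can block on it.
  int pipe_fds[2];
  PCHECK(0 == pipe(pipe_fds));
  PCHECK(0 == IGNORE_EINTR(close(pipe_fds[1])));
  dummy_fd->reset(pipe_fds[0]);
  // We no longer need a dummy socket for discovering the child's PID,
  // but the sandbox is still hard-coded to expect a file descriptor at
  // kZygoteIdFd. Fixing this requires a sandbox API change. :(
  fds_to_remap->push_back(std::make_pair(dummy_fd->get(), kZygoteIdFd));
}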
// Adjust this process's own environment (env_) ahead of launching through the
// helper: preserve the variables the ELF loader would strip from a setuid
// execution under their "saved" names, and advertise the sandbox API number
// we expect so the helper can detect a mismatch.
void SetuidSandboxClient::SetupLaunchEnvironment() {
  SaveSUIDUnsafeEnvironmentVariables(env_);
  SetSandboxAPIEnvironmentVariable(env_);
}
} // namespace sandbox