sandbox/linux/services/credentials.cc

   1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "sandbox/linux/services/credentials.h"
   6
   7 #include <errno.h>
   8 #include <signal.h>
   9 #include <stdint.h>
  10 #include <stdio.h>
  11 #include <sys/syscall.h>
  12 #include <sys/types.h>
  13 #include <sys/wait.h>
  14 #include <unistd.h>
  15
  16 #include "base/bind.h"
  17 #include "base/files/file_path.h"
  18 #include "base/files/file_util.h"
  19 #include "base/logging.h"
  20 #include "base/posix/eintr_wrapper.h"
  21 #include "base/process/launch.h"
  22 #include "base/template_util.h"
  23 #include "base/third_party/valgrind/valgrind.h"
  24 #include "build/build_config.h"
  25 #include "sandbox/linux/services/namespace_utils.h"
  26 #include "sandbox/linux/services/proc_util.h"
  27 #include "sandbox/linux/services/syscall_wrappers.h"
  28 #include "sandbox/linux/services/thread_helpers.h"
  29 #include "sandbox/linux/system_headers/capability.h"
  30 #include "sandbox/linux/system_headers/linux_signal.h"
  31
  32 namespace sandbox {
  33
  34 namespace {
  35
  36 bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; }
  37
  38 // Checks that the set of RES-uids and the set of RES-gids have
  39 // one element each and return that element in |resuid| and |resgid|
  40 // respectively. It's ok to pass NULL as one or both of the ids.
  41 bool GetRESIds(uid_t* resuid, gid_t* resgid) {
  42   uid_t ruid, euid, suid;
  43   gid_t rgid, egid, sgid;
  44   PCHECK(sys_getresuid(&ruid, &euid, &suid) == 0);
  45   PCHECK(sys_getresgid(&rgid, &egid, &sgid) == 0);
  46   const bool uids_are_equal = (ruid == euid) && (ruid == suid);
  47   const bool gids_are_equal = (rgid == egid) && (rgid == sgid);
  48   if (!uids_are_equal || !gids_are_equal) return false;
  49   if (resuid) *resuid = euid;
  50   if (resgid) *resgid = egid;
  51   return true;
  52 }
  53
  54 const int kExitSuccess = 0;
  55
  56 #if defined(__clang__)
  57 // Disable sanitizers that rely on TLS and may write to non-stack memory.
  58 __attribute__((no_sanitize_address))
  59 __attribute__((no_sanitize_thread))
  60 __attribute__((no_sanitize_memory))
  61 #endif
  62 int ChrootToSelfFdinfo(void*) {
  63   // This function can be run from a vforked child, so it should not write to
  64   // any memory other than the stack or errno. Reads from TLS may be different
  65   // from in the parent process.
  66   RAW_CHECK(sys_chroot("/proc/self/fdinfo/") == 0);
  67
  68   // CWD is essentially an implicit file descriptor, so be careful to not
  69   // leave it behind.
  70   RAW_CHECK(chdir("/") == 0);
  71   _exit(kExitSuccess);
  72 }
  73
  74 // chroot() to an empty dir that is "safe". To be safe, it must not contain
  75 // any subdirectory (chroot-ing there would allow a chroot escape) and it must
  76 // be impossible to create an empty directory there.
  77 // We achieve this by doing the following:
  78 // 1. We create a new process sharing file system information.
  79 // 2. In the child, we chroot to /proc/self/fdinfo/
  80 // This is already "safe", since fdinfo/ does not contain another directory and
  81 // one cannot create another directory there.
  82 // 3. The process dies
  83 // After (3) happens, the directory is not available anymore in /proc.
  84 bool ChrootToSafeEmptyDir() {
  85   // We need to chroot to a fdinfo that is unique to a process and have that
  86   // process die.
  87   // 1. We don't want to simply fork() because duplicating the page tables is
  88   // slow with a big address space.
  89   // 2. We do not use a regular thread (that would unshare CLONE_FILES) because
  90   // when we are in a PID namespace, we cannot easily get a handle to the
  91   // /proc/tid directory for the thread (since /proc may not be aware of the
  92   // PID namespace). With a process, we can just use /proc/self.
  93   pid_t pid = -1;
  94   char stack_buf[PTHREAD_STACK_MIN];
  95 #if defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY) || \
  96     defined(ARCH_CPU_MIPS64_FAMILY) || defined(ARCH_CPU_MIPS_FAMILY)
  97   // The stack grows downward.
  98   void* stack = stack_buf + sizeof(stack_buf);
  99 #else
 100 #error "Unsupported architecture"
 101 #endif
 102
 103   int clone_flags = CLONE_FS | LINUX_SIGCHLD;
 104   void* tls = nullptr;
 105 #if defined(ARCH_CPU_X86_64) || defined(ARCH_CPU_ARM_FAMILY)
 106   // Use CLONE_VM | CLONE_VFORK as an optimization to avoid copying page tables.
 107   // Since clone writes to the new child's TLS before returning, we must set a
 108   // new TLS to avoid corrupting the current process's TLS. On ARCH_CPU_X86,
 109   // glibc performs syscalls by calling a function pointer in TLS, so we do not
 110   // attempt this optimization.
 111   clone_flags |= CLONE_VM | CLONE_VFORK | CLONE_SETTLS;
 112
 113   char tls_buf[PTHREAD_STACK_MIN] = {0};
 114   tls = tls_buf;
 115 #endif
 116
 117   pid = clone(ChrootToSelfFdinfo, stack, clone_flags, nullptr, nullptr, tls,
 118               nullptr);
 119   PCHECK(pid != -1);
 120
 121   int status = -1;
 122   PCHECK(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid);
 123
 124   return WIFEXITED(status) && WEXITSTATUS(status) == kExitSuccess;
 125 }
 126
 127 // CHECK() that an attempt to move to a new user namespace raised an expected
 128 // errno.
 129 void CheckCloneNewUserErrno(int error) {
 130   // EPERM can happen if already in a chroot. EUSERS if too many nested
 131   // namespaces are used. EINVAL for kernels that don't support the feature.
 132   // Valgrind will ENOSYS unshare().
 133   PCHECK(error == EPERM || error == EUSERS || error == EINVAL ||
 134          error == ENOSYS);
 135 }
 136
 137 // Converts a Capability to the corresponding Linux CAP_XXX value.
 138 int CapabilityToKernelValue(Credentials::Capability cap) {
 139   switch (cap) {
 140     case Credentials::Capability::SYS_CHROOT:
 141       return CAP_SYS_CHROOT;
 142     case Credentials::Capability::SYS_ADMIN:
 143       return CAP_SYS_ADMIN;
 144   }
 145
 146   LOG(FATAL) << "Invalid Capability: " << static_cast<int>(cap);
 147   return 0;
 148 }
 149
 150 }  // namespace.
 151
 152 // static
 153 bool Credentials::DropAllCapabilities(int proc_fd) {
 154   if (!SetCapabilities(proc_fd, std::vector<Capability>())) {
 155     return false;
 156   }
 157
 158   CHECK(!HasAnyCapability());
 159   return true;
 160 }
 161
 162 // static
 163 bool Credentials::DropAllCapabilities() {
 164   base::ScopedFD proc_fd(ProcUtil::OpenProc());
 165   return Credentials::DropAllCapabilities(proc_fd.get());
 166 }
 167
 168 // static
 169 bool Credentials::DropAllCapabilitiesOnCurrentThread() {
 170   return SetCapabilitiesOnCurrentThread(std::vector<Capability>());
 171 }
 172
 173 // static
 174 bool Credentials::SetCapabilitiesOnCurrentThread(
 175     const std::vector<Capability>& caps) {
 176   struct cap_hdr hdr = {};
 177   hdr.version = _LINUX_CAPABILITY_VERSION_3;
 178   struct cap_data data[_LINUX_CAPABILITY_U32S_3] = {{}};
 179
 180   // Initially, cap has no capability flags set. Enable the effective and
 181   // permitted flags only for the requested capabilities.
 182   for (const Capability cap : caps) {
 183     const int cap_num = CapabilityToKernelValue(cap);
 184     const size_t index = CAP_TO_INDEX(cap_num);
 185     const uint32_t mask = CAP_TO_MASK(cap_num);
 186     data[index].effective |= mask;
 187     data[index].permitted |= mask;
 188   }
 189
 190   return sys_capset(&hdr, data) == 0;
 191 }
 192
 193 // static
 194 bool Credentials::SetCapabilities(int proc_fd,
 195                                   const std::vector<Capability>& caps) {
 196   DCHECK_LE(0, proc_fd);
 197
 198 #if !defined(THREAD_SANITIZER)
 199   // With TSAN, accept to break the security model as it is a testing
 200   // configuration.
 201   CHECK(ThreadHelpers::IsSingleThreaded(proc_fd));
 202 #endif
 203
 204   return SetCapabilitiesOnCurrentThread(caps);
 205 }
 206
 207 bool Credentials::HasAnyCapability() {
 208   struct cap_hdr hdr = {};
 209   hdr.version = _LINUX_CAPABILITY_VERSION_3;
 210   struct cap_data data[_LINUX_CAPABILITY_U32S_3] = {{}};
 211
 212   PCHECK(sys_capget(&hdr, data) == 0);
 213
 214   for (size_t i = 0; i < arraysize(data); ++i) {
 215     if (data[i].effective || data[i].permitted || data[i].inheritable) {
 216       return true;
 217     }
 218   }
 219
 220   return false;
 221 }
 222
 223 bool Credentials::HasCapability(Capability cap) {
 224   struct cap_hdr hdr = {};
 225   hdr.version = _LINUX_CAPABILITY_VERSION_3;
 226   struct cap_data data[_LINUX_CAPABILITY_U32S_3] = {{}};
 227
 228   PCHECK(sys_capget(&hdr, data) == 0);
 229
 230   const int cap_num = CapabilityToKernelValue(cap);
 231   const size_t index = CAP_TO_INDEX(cap_num);
 232   const uint32_t mask = CAP_TO_MASK(cap_num);
 233
 234   return (data[index].effective | data[index].permitted |
 235           data[index].inheritable) &
 236          mask;
 237 }
 238
 239 // static
 240 bool Credentials::CanCreateProcessInNewUserNS() {
 241   // Valgrind will let clone(2) pass-through, but doesn't support unshare(),
 242   // so always consider UserNS unsupported there.
 243   if (IsRunningOnValgrind()) {
 244     return false;
 245   }
 246
 247 #if defined(THREAD_SANITIZER)
 248   // With TSAN, processes will always have threads running and can never
 249   // enter a new user namespace with MoveToNewUserNS().
 250   return false;
 251 #endif
 252
 253   // This is roughly a fork().
 254   const pid_t pid = sys_clone(CLONE_NEWUSER | SIGCHLD, 0, 0, 0, 0);
 255
 256   if (pid == -1) {
 257     CheckCloneNewUserErrno(errno);
 258     return false;
 259   }
 260
 261   // The parent process could have had threads. In the child, these threads
 262   // have disappeared. Make sure to not do anything in the child, as this is a
 263   // fragile execution environment.
 264   if (pid == 0) {
 265     _exit(kExitSuccess);
 266   }
 267
 268   // Always reap the child.
 269   int status = -1;
 270   PCHECK(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid);
 271   CHECK(WIFEXITED(status));
 272   CHECK_EQ(kExitSuccess, WEXITSTATUS(status));
 273
 274   // clone(2) succeeded, we can use CLONE_NEWUSER.
 275   return true;
 276 }
 277
 278 bool Credentials::MoveToNewUserNS() {
 279   uid_t uid;
 280   gid_t gid;
 281   if (!GetRESIds(&uid, &gid)) {
 282     // If all the uids (or gids) are not equal to each other, the security
 283     // model will most likely confuse the caller, abort.
 284     DVLOG(1) << "uids or gids differ!";
 285     return false;
 286   }
 287   int ret = sys_unshare(CLONE_NEWUSER);
 288   if (ret) {
 289     const int unshare_errno = errno;
 290     VLOG(1) << "Looks like unprivileged CLONE_NEWUSER may not be available "
 291             << "on this kernel.";
 292     CheckCloneNewUserErrno(unshare_errno);
 293     return false;
 294   }
 295
 296   if (NamespaceUtils::KernelSupportsDenySetgroups()) {
 297     PCHECK(NamespaceUtils::DenySetgroups());
 298   }
 299
 300   // The current {r,e,s}{u,g}id is now an overflow id (c.f.
 301   // /proc/sys/kernel/overflowuid). Setup the uid and gid maps.
 302   DCHECK(GetRESIds(NULL, NULL));
 303   const char kGidMapFile[] = "/proc/self/gid_map";
 304   const char kUidMapFile[] = "/proc/self/uid_map";
 305   PCHECK(NamespaceUtils::WriteToIdMapFile(kGidMapFile, gid));
 306   PCHECK(NamespaceUtils::WriteToIdMapFile(kUidMapFile, uid));
 307   DCHECK(GetRESIds(NULL, NULL));
 308   return true;
 309 }
 310
 311 bool Credentials::DropFileSystemAccess(int proc_fd) {
 312   CHECK_LE(0, proc_fd);
 313
 314   CHECK(ChrootToSafeEmptyDir());
 315   CHECK(!base::DirectoryExists(base::FilePath("/proc")));
 316   CHECK(!ProcUtil::HasOpenDirectory(proc_fd));
 317   // We never let this function fail.
 318   return true;
 319 }
 320
 321 pid_t Credentials::ForkAndDropCapabilitiesInChild() {
 322   pid_t pid = fork();
 323   if (pid != 0) {
 324     return pid;
 325   }
 326
 327   // Since we just forked, we are single threaded.
 328   PCHECK(DropAllCapabilitiesOnCurrentThread());
 329   return 0;
 330 }
 331
 332 }  // namespace sandbox.