| blob | dc62f1b21392b05012a6dda3a24b50be97bacf91 |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 #include <errno.h>
8 #include <signal.h>
9 #include <stdint.h>
10 #include <stdio.h>
11 #include <sys/syscall.h>
12 #include <sys/types.h>
13 #include <sys/wait.h>
14 #include <unistd.h>
38 // Checks that the set of RES-uids and the set of RES-gids have
39 // one element each and return that element in |resuid| and |resgid|
40 // respectively. It's ok to pass NULL as one or both of the ids.
52 }
59 // CWD is essentially an implicit file descriptor, so be careful to not
60 // leave it behind.
63 }
65 // chroot() to an empty dir that is "safe". To be safe, it must not contain
66 // any subdirectory (chroot-ing there would allow a chroot escape) and it must
67 // be impossible to create an empty directory there.
68 // We achieve this by doing the following:
69 // 1. We create a new process sharing file system information.
70 // 2. In the child, we chroot to /proc/self/fdinfo/
71 // This is already "safe", since fdinfo/ does not contain another directory and
72 // one cannot create another directory there.
73 // 3. The process dies
74 // After (3) happens, the directory is not available anymore in /proc.
76 // We need to chroot to a fdinfo that is unique to a process and have that
77 // process die.
78 // 1. We don't want to simply fork() because duplicating the page tables is
79 // slow with a big address space.
80 // 2. We do not use a regular thread (that would unshare CLONE_FILES) because
81 // when we are in a PID namespace, we cannot easily get a handle to the
82 // /proc/tid directory for the thread (since /proc may not be aware of the
83 // PID namespace). With a process, we can just use /proc/self.
86 #if defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY) || \
87 defined(ARCH_CPU_MIPS64_FAMILY) || defined(ARCH_CPU_MIPS_FAMILY)
88 // The stack grows downward.
90 #else
92 #endif
103 }
105 // CHECK() that an attempt to move to a new user namespace raised an expected
106 // errno.
108 // EPERM can happen if already in a chroot. EUSERS if too many nested
109 // namespaces are used. EINVAL for kernels that don't support the feature.
110 // Valgrind will ENOSYS unshare().
113 }
115 // Converts a Capability to the corresponding Linux CAP_XXX value.
122 }
126 }
130 // static
134 }
138 }
140 // static
144 }
146 // static
149 }
151 // static
158 // Initially, cap has no capability flags set. Enable the effective and
159 // permitted flags only for the requested capabilities.
166 }
169 }
171 // static
176 #if !defined(THREAD_SANITIZER)
177 // With TSAN, accept to break the security model as it is a testing
178 // configuration.
180 #endif
183 }
195 }
196 }
199 }
214 mask;
215 }
217 // static
219 // Valgrind will let clone(2) pass-through, but doesn't support unshare(),
220 // so always consider UserNS unsupported there.
223 }
225 #if defined(THREAD_SANITIZER)
226 // With TSAN, processes will always have threads running and can never
227 // enter a new user namespace with MoveToNewUserNS().
229 #endif
231 // This is roughly a fork().
237 }
239 // The parent process could have had threads. In the child, these threads
240 // have disappeared. Make sure to not do anything in the child, as this is a
241 // fragile execution environment.
244 }
246 // Always reap the child.
252 // clone(2) succeeded, we can use CLONE_NEWUSER.
254 }
257 uid_t uid;
258 gid_t gid;
260 // If all the uids (or gids) are not equal to each other, the security
261 // model will most likely confuse the caller, abort.
264 }
272 }
276 }
278 // The current {r,e,s}{u,g}id is now an overflow id (c.f.
279 // /proc/sys/kernel/overflowuid). Setup the uid and gid maps.
287 }
295 // We never let this function fail.
297 }
303 }
305 // Since we just forked, we are single threaded.
308 }