Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (c) 2012 The Chromium OS Authors. All rights reserved. |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 3 | * Use of this source code is governed by a BSD-style license that can be |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 4 | * found in the LICENSE file. |
| 5 | */ |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 6 | |
| 7 | #define _BSD_SOURCE |
| 8 | #define _GNU_SOURCE |
Jorge Lucangeli Obes | c2c9bcc | 2012-05-01 09:30:24 -0700 | [diff] [blame] | 9 | |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 10 | #include <asm/unistd.h> |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 11 | #include <ctype.h> |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 12 | #include <errno.h> |
| 13 | #include <grp.h> |
| 14 | #include <inttypes.h> |
Will Drewry | fe4a372 | 2011-09-16 14:50:50 -0500 | [diff] [blame] | 15 | #include <limits.h> |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 16 | #include <linux/capability.h> |
| 17 | #include <linux/securebits.h> |
| 18 | #include <pwd.h> |
| 19 | #include <sched.h> |
| 20 | #include <signal.h> |
Will Drewry | 2f54b6a | 2011-09-16 13:45:31 -0500 | [diff] [blame] | 21 | #include <stdarg.h> |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 22 | #include <stddef.h> |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 23 | #include <stdio.h> |
| 24 | #include <stdlib.h> |
| 25 | #include <string.h> |
| 26 | #include <syscall.h> |
| 27 | #include <sys/capability.h> |
| 28 | #include <sys/mount.h> |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 29 | #include <sys/param.h> |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 30 | #include <sys/prctl.h> |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 31 | #include <sys/user.h> |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 32 | #include <sys/wait.h> |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 33 | #include <unistd.h> |
| 34 | |
| 35 | #include "libminijail.h" |
| 36 | #include "libminijail-private.h" |
| 37 | |
Jorge Lucangeli Obes | bda833c | 2012-07-31 16:25:56 -0700 | [diff] [blame] | 38 | #include "signal.h" |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 39 | #include "syscall_filter.h" |
Jorge Lucangeli Obes | a6b034d | 2012-08-07 15:29:20 -0700 | [diff] [blame] | 40 | #include "util.h" |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 41 | |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 42 | /* Until these are reliably available in linux/prctl.h */ |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 43 | #ifndef PR_SET_SECCOMP |
Jorge Lucangeli Obes | c2c9bcc | 2012-05-01 09:30:24 -0700 | [diff] [blame] | 44 | # define PR_SET_SECCOMP 22 |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 45 | #endif |
| 46 | |
| 47 | /* For seccomp_filter using BPF. */ |
| 48 | #ifndef PR_SET_NO_NEW_PRIVS |
| 49 | # define PR_SET_NO_NEW_PRIVS 38 |
| 50 | #endif |
| 51 | #ifndef SECCOMP_MODE_FILTER |
| 52 | # define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */ |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 53 | #endif |
| 54 | |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 55 | struct binding { |
| 56 | char *src; |
| 57 | char *dest; |
| 58 | int writeable; |
| 59 | struct binding *next; |
| 60 | }; |
| 61 | |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 62 | struct minijail { |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 63 | struct { |
| 64 | int uid:1; |
| 65 | int gid:1; |
| 66 | int caps:1; |
| 67 | int vfs:1; |
| 68 | int pids:1; |
| 69 | int seccomp:1; |
| 70 | int readonly:1; |
| 71 | int usergroups:1; |
| 72 | int ptrace:1; |
Jorge Lucangeli Obes | c2c9bcc | 2012-05-01 09:30:24 -0700 | [diff] [blame] | 73 | int no_new_privs:1; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 74 | int seccomp_filter:1; |
Jorge Lucangeli Obes | bda833c | 2012-07-31 16:25:56 -0700 | [diff] [blame] | 75 | int log_seccomp_filter:1; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 76 | int chroot:1; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 77 | } flags; |
| 78 | uid_t uid; |
| 79 | gid_t gid; |
| 80 | gid_t usergid; |
| 81 | char *user; |
| 82 | uint64_t caps; |
| 83 | pid_t initpid; |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 84 | int filter_len; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 85 | int binding_count; |
| 86 | char *chrootdir; |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 87 | struct sock_fprog *filter_prog; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 88 | struct binding *bindings_head; |
| 89 | struct binding *bindings_tail; |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 90 | }; |
| 91 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 92 | struct minijail API *minijail_new(void) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 93 | { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 94 | return calloc(1, sizeof(struct minijail)); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 95 | } |
| 96 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 97 | void API minijail_change_uid(struct minijail *j, uid_t uid) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 98 | { |
| 99 | if (uid == 0) |
| 100 | die("useless change to uid 0"); |
| 101 | j->uid = uid; |
| 102 | j->flags.uid = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 103 | } |
| 104 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 105 | void API minijail_change_gid(struct minijail *j, gid_t gid) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 106 | { |
| 107 | if (gid == 0) |
| 108 | die("useless change to gid 0"); |
| 109 | j->gid = gid; |
| 110 | j->flags.gid = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 111 | } |
| 112 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 113 | int API minijail_change_user(struct minijail *j, const char *user) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 114 | { |
| 115 | char *buf = NULL; |
| 116 | struct passwd pw; |
| 117 | struct passwd *ppw = NULL; |
| 118 | ssize_t sz = sysconf(_SC_GETPW_R_SIZE_MAX); |
| 119 | if (sz == -1) |
| 120 | sz = 65536; /* your guess is as good as mine... */ |
Elly Jones | eb300c5 | 2011-09-22 14:35:43 -0400 | [diff] [blame] | 121 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 122 | /* |
| 123 | * sysconf(_SC_GETPW_R_SIZE_MAX), under glibc, is documented to return |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 124 | * the maximum needed size of the buffer, so we don't have to search. |
| 125 | */ |
| 126 | buf = malloc(sz); |
| 127 | if (!buf) |
| 128 | return -ENOMEM; |
| 129 | getpwnam_r(user, &pw, buf, sz, &ppw); |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 130 | /* |
| 131 | * We're safe to free the buffer here. The strings inside pw point |
| 132 | * inside buf, but we don't use any of them; this leaves the pointers |
| 133 | * dangling but it's safe. ppw points at pw if getpwnam_r succeeded. |
| 134 | */ |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 135 | free(buf); |
| 136 | if (!ppw) |
| 137 | return -errno; |
| 138 | minijail_change_uid(j, ppw->pw_uid); |
| 139 | j->user = strdup(user); |
| 140 | if (!j->user) |
| 141 | return -ENOMEM; |
| 142 | j->usergid = ppw->pw_gid; |
| 143 | return 0; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 144 | } |
| 145 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 146 | int API minijail_change_group(struct minijail *j, const char *group) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 147 | { |
| 148 | char *buf = NULL; |
| 149 | struct group gr; |
| 150 | struct group *pgr = NULL; |
| 151 | ssize_t sz = sysconf(_SC_GETGR_R_SIZE_MAX); |
| 152 | if (sz == -1) |
| 153 | sz = 65536; /* and mine is as good as yours, really */ |
Elly Jones | eb300c5 | 2011-09-22 14:35:43 -0400 | [diff] [blame] | 154 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 155 | /* |
| 156 | * sysconf(_SC_GETGR_R_SIZE_MAX), under glibc, is documented to return |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 157 | * the maximum needed size of the buffer, so we don't have to search. |
| 158 | */ |
| 159 | buf = malloc(sz); |
| 160 | if (!buf) |
| 161 | return -ENOMEM; |
| 162 | getgrnam_r(group, &gr, buf, sz, &pgr); |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 163 | /* |
| 164 | * We're safe to free the buffer here. The strings inside gr point |
| 165 | * inside buf, but we don't use any of them; this leaves the pointers |
| 166 | * dangling but it's safe. pgr points at gr if getgrnam_r succeeded. |
| 167 | */ |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 168 | free(buf); |
| 169 | if (!pgr) |
| 170 | return -errno; |
| 171 | minijail_change_gid(j, pgr->gr_gid); |
| 172 | return 0; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 173 | } |
| 174 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 175 | void API minijail_use_seccomp(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 176 | { |
| 177 | j->flags.seccomp = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 178 | } |
| 179 | |
Jorge Lucangeli Obes | c2c9bcc | 2012-05-01 09:30:24 -0700 | [diff] [blame] | 180 | void API minijail_no_new_privs(struct minijail *j) |
| 181 | { |
| 182 | j->flags.no_new_privs = 1; |
| 183 | } |
| 184 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 185 | void API minijail_use_seccomp_filter(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 186 | { |
| 187 | j->flags.seccomp_filter = 1; |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 188 | } |
| 189 | |
Jorge Lucangeli Obes | bda833c | 2012-07-31 16:25:56 -0700 | [diff] [blame] | 190 | void API minijail_log_seccomp_filter_failures(struct minijail *j) |
| 191 | { |
| 192 | j->flags.log_seccomp_filter = 1; |
| 193 | } |
| 194 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 195 | void API minijail_use_caps(struct minijail *j, uint64_t capmask) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 196 | { |
| 197 | j->caps = capmask; |
| 198 | j->flags.caps = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 199 | } |
| 200 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 201 | void API minijail_namespace_vfs(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 202 | { |
| 203 | j->flags.vfs = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 204 | } |
| 205 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 206 | void API minijail_namespace_pids(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 207 | { |
Elly Jones | e58176c | 2012-01-23 11:46:17 -0500 | [diff] [blame] | 208 | j->flags.vfs = 1; |
| 209 | j->flags.readonly = 1; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 210 | j->flags.pids = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 211 | } |
| 212 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 213 | void API minijail_remount_readonly(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 214 | { |
| 215 | j->flags.vfs = 1; |
| 216 | j->flags.readonly = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 217 | } |
| 218 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 219 | void API minijail_inherit_usergroups(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 220 | { |
| 221 | j->flags.usergroups = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 222 | } |
| 223 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 224 | void API minijail_disable_ptrace(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 225 | { |
| 226 | j->flags.ptrace = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 227 | } |
| 228 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 229 | int API minijail_enter_chroot(struct minijail *j, const char *dir) { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 230 | if (j->chrootdir) |
| 231 | return -EINVAL; |
| 232 | j->chrootdir = strdup(dir); |
| 233 | if (!j->chrootdir) |
| 234 | return -ENOMEM; |
| 235 | j->flags.chroot = 1; |
| 236 | return 0; |
| 237 | } |
| 238 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 239 | int API minijail_bind(struct minijail *j, const char *src, const char *dest, |
| 240 | int writeable) { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 241 | struct binding *b; |
| 242 | |
| 243 | if (*dest != '/') |
| 244 | return -EINVAL; |
| 245 | b = calloc(1, sizeof(*b)); |
| 246 | if (!b) |
| 247 | return -ENOMEM; |
| 248 | b->dest = strdup(dest); |
| 249 | if (!b->dest) |
| 250 | goto error; |
| 251 | b->src = strdup(src); |
| 252 | if (!b->src) |
| 253 | goto error; |
| 254 | b->writeable = writeable; |
| 255 | |
Jorge Lucangeli Obes | 224e427 | 2012-08-02 14:31:39 -0700 | [diff] [blame] | 256 | info("bind %s -> %s", src, dest); |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 257 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 258 | /* |
| 259 | * Force vfs namespacing so the bind mounts don't leak out into the |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 260 | * containing vfs namespace. |
| 261 | */ |
| 262 | minijail_namespace_vfs(j); |
| 263 | |
| 264 | if (j->bindings_tail) |
| 265 | j->bindings_tail->next = b; |
| 266 | else |
| 267 | j->bindings_head = b; |
| 268 | j->bindings_tail = b; |
| 269 | j->binding_count++; |
| 270 | |
| 271 | return 0; |
| 272 | |
| 273 | error: |
| 274 | free(b->src); |
| 275 | free(b->dest); |
| 276 | free(b); |
| 277 | return -ENOMEM; |
| 278 | } |
| 279 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 280 | void API minijail_parse_seccomp_filters(struct minijail *j, const char *path) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 281 | { |
| 282 | FILE *file = fopen(path, "r"); |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 283 | if (!file) { |
Jorge Lucangeli Obes | 224e427 | 2012-08-02 14:31:39 -0700 | [diff] [blame] | 284 | pdie("failed to open seccomp filter file '%s'", path); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 285 | } |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 286 | |
| 287 | struct sock_fprog *fprog = malloc(sizeof(struct sock_fprog)); |
Jorge Lucangeli Obes | bda833c | 2012-07-31 16:25:56 -0700 | [diff] [blame] | 288 | if (compile_filter(file, fprog, j->flags.log_seccomp_filter)) { |
| 289 | die("failed to compile seccomp filter BPF program in '%s'", |
| 290 | path); |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 291 | } |
| 292 | |
| 293 | j->filter_len = fprog->len; |
| 294 | j->filter_prog = fprog; |
| 295 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 296 | fclose(file); |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 297 | } |
| 298 | |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 299 | struct marshal_state { |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 300 | size_t available; |
| 301 | size_t total; |
| 302 | char *buf; |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 303 | }; |
| 304 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 305 | void marshal_state_init(struct marshal_state *state, |
| 306 | char *buf, size_t available) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 307 | { |
| 308 | state->available = available; |
| 309 | state->buf = buf; |
| 310 | state->total = 0; |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 311 | } |
| 312 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 313 | void marshal_append(struct marshal_state *state, |
| 314 | char *src, size_t length) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 315 | { |
| 316 | size_t copy_len = MIN(state->available, length); |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 317 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 318 | /* Up to |available| will be written. */ |
| 319 | if (copy_len) { |
| 320 | memcpy(state->buf, src, copy_len); |
| 321 | state->buf += copy_len; |
| 322 | state->available -= copy_len; |
| 323 | } |
| 324 | /* |total| will contain the expected length. */ |
| 325 | state->total += length; |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 326 | } |
| 327 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 328 | void minijail_marshal_helper(struct marshal_state *state, |
| 329 | const struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 330 | { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 331 | struct binding *b = NULL; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 332 | marshal_append(state, (char *)j, sizeof(*j)); |
| 333 | if (j->user) |
| 334 | marshal_append(state, j->user, strlen(j->user) + 1); |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 335 | if (j->chrootdir) |
| 336 | marshal_append(state, j->chrootdir, strlen(j->chrootdir) + 1); |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 337 | if (j->flags.seccomp_filter && j->filter_prog) { |
| 338 | struct sock_fprog *fp = j->filter_prog; |
| 339 | marshal_append(state, (char *)fp->filter, |
| 340 | fp->len * sizeof(struct sock_filter)); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 341 | } |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 342 | for (b = j->bindings_head; b; b = b->next) { |
| 343 | marshal_append(state, b->src, strlen(b->src) + 1); |
| 344 | marshal_append(state, b->dest, strlen(b->dest) + 1); |
Jorge Lucangeli Obes | bda833c | 2012-07-31 16:25:56 -0700 | [diff] [blame] | 345 | marshal_append(state, (char *)&b->writeable, |
| 346 | sizeof(b->writeable)); |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 347 | } |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 348 | } |
| 349 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 350 | size_t API minijail_size(const struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 351 | { |
| 352 | struct marshal_state state; |
| 353 | marshal_state_init(&state, NULL, 0); |
| 354 | minijail_marshal_helper(&state, j); |
| 355 | return state.total; |
Will Drewry | 2ddaad0 | 2011-09-16 11:36:08 -0500 | [diff] [blame] | 356 | } |
| 357 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 358 | int minijail_marshal(const struct minijail *j, char *buf, size_t available) |
| 359 | { |
| 360 | struct marshal_state state; |
| 361 | marshal_state_init(&state, buf, available); |
| 362 | minijail_marshal_helper(&state, j); |
| 363 | return (state.total > available); |
Will Drewry | 2ddaad0 | 2011-09-16 11:36:08 -0500 | [diff] [blame] | 364 | } |
| 365 | |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 366 | /* consumebytes: consumes @length bytes from a buffer @buf of length @buflength |
| 367 | * @length Number of bytes to consume |
| 368 | * @buf Buffer to consume from |
| 369 | * @buflength Size of @buf |
| 370 | * |
| 371 | * Returns a pointer to the base of the bytes, or NULL for errors. |
| 372 | */ |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 373 | void *consumebytes(size_t length, char **buf, size_t *buflength) { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 374 | char *p = *buf; |
| 375 | if (length > *buflength) |
| 376 | return NULL; |
| 377 | *buf += length; |
| 378 | *buflength -= length; |
| 379 | return p; |
| 380 | } |
| 381 | |
| 382 | /* consumestr: consumes a C string from a buffer @buf of length @length |
| 383 | * @buf Buffer to consume |
| 384 | * @length Length of buffer |
| 385 | * |
| 386 | * Returns a pointer to the base of the string, or NULL for errors. |
| 387 | */ |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 388 | char *consumestr(char **buf, size_t *buflength) { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 389 | size_t len = strnlen(*buf, *buflength); |
| 390 | if (len == *buflength) |
| 391 | /* There's no null-terminator */ |
| 392 | return NULL; |
| 393 | return consumebytes(len + 1, buf, buflength); |
| 394 | } |
| 395 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 396 | int minijail_unmarshal(struct minijail *j, char *serialized, size_t length) |
| 397 | { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 398 | int i; |
| 399 | int count; |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 400 | int ret = -EINVAL; |
| 401 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 402 | if (length < sizeof(*j)) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 403 | goto out; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 404 | memcpy((void *)j, serialized, sizeof(*j)); |
| 405 | serialized += sizeof(*j); |
| 406 | length -= sizeof(*j); |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 407 | |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 408 | /* Potentially stale pointers not used as signals. */ |
| 409 | j->bindings_head = NULL; |
| 410 | j->bindings_tail = NULL; |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 411 | j->filter_prog = NULL; |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 412 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 413 | if (j->user) { /* stale pointer */ |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 414 | char *user = consumestr(&serialized, &length); |
| 415 | if (!user) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 416 | goto clear_pointers; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 417 | j->user = strdup(user); |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 418 | if (!j->user) |
| 419 | goto clear_pointers; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 420 | } |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 421 | |
Elly Jones | a8d1e1b | 2011-10-21 15:38:00 -0400 | [diff] [blame] | 422 | if (j->chrootdir) { /* stale pointer */ |
| 423 | char *chrootdir = consumestr(&serialized, &length); |
| 424 | if (!chrootdir) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 425 | goto bad_chrootdir; |
Elly Jones | a8d1e1b | 2011-10-21 15:38:00 -0400 | [diff] [blame] | 426 | j->chrootdir = strdup(chrootdir); |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 427 | if (!j->chrootdir) |
| 428 | goto bad_chrootdir; |
Elly Jones | a8d1e1b | 2011-10-21 15:38:00 -0400 | [diff] [blame] | 429 | } |
| 430 | |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 431 | if (j->flags.seccomp_filter && j->filter_len > 0) { |
| 432 | size_t ninstrs = j->filter_len; |
| 433 | if (ninstrs > (SIZE_MAX / sizeof(struct sock_filter)) || |
| 434 | ninstrs > USHRT_MAX) |
| 435 | goto bad_filters; |
| 436 | |
| 437 | size_t program_len = ninstrs * sizeof(struct sock_filter); |
| 438 | void *program = consumebytes(program_len, &serialized, &length); |
| 439 | if (!program) |
| 440 | goto bad_filters; |
| 441 | |
| 442 | j->filter_prog = malloc(sizeof(struct sock_fprog)); |
| 443 | j->filter_prog->len = ninstrs; |
| 444 | j->filter_prog->filter = malloc(program_len); |
| 445 | memcpy(j->filter_prog->filter, program, program_len); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 446 | } |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 447 | |
| 448 | count = j->binding_count; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 449 | j->binding_count = 0; |
| 450 | for (i = 0; i < count; ++i) { |
| 451 | int *writeable; |
| 452 | const char *dest; |
| 453 | const char *src = consumestr(&serialized, &length); |
| 454 | if (!src) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 455 | goto bad_bindings; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 456 | dest = consumestr(&serialized, &length); |
| 457 | if (!dest) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 458 | goto bad_bindings; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 459 | writeable = consumebytes(sizeof(*writeable), &serialized, &length); |
| 460 | if (!writeable) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 461 | goto bad_bindings; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 462 | if (minijail_bind(j, src, dest, *writeable)) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 463 | goto bad_bindings; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 464 | } |
| 465 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 466 | return 0; |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 467 | |
| 468 | bad_bindings: |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 469 | if (j->flags.seccomp_filter && j->filter_len > 0) { |
| 470 | free(j->filter_prog->filter); |
| 471 | free(j->filter_prog); |
| 472 | } |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 473 | bad_filters: |
| 474 | if (j->chrootdir) |
| 475 | free(j->chrootdir); |
| 476 | bad_chrootdir: |
| 477 | if (j->user) |
| 478 | free(j->user); |
| 479 | clear_pointers: |
| 480 | j->user = NULL; |
| 481 | j->chrootdir = NULL; |
| 482 | out: |
| 483 | return ret; |
Will Drewry | 2ddaad0 | 2011-09-16 11:36:08 -0500 | [diff] [blame] | 484 | } |
| 485 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 486 | void minijail_preenter(struct minijail *j) |
| 487 | { |
| 488 | /* Strip out options which are minijail_run() only. */ |
| 489 | j->flags.vfs = 0; |
| 490 | j->flags.readonly = 0; |
| 491 | j->flags.pids = 0; |
Will Drewry | fe4a372 | 2011-09-16 14:50:50 -0500 | [diff] [blame] | 492 | } |
| 493 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 494 | void minijail_preexec(struct minijail *j) |
| 495 | { |
| 496 | int vfs = j->flags.vfs; |
| 497 | int readonly = j->flags.readonly; |
| 498 | if (j->user) |
| 499 | free(j->user); |
| 500 | j->user = NULL; |
| 501 | memset(&j->flags, 0, sizeof(j->flags)); |
| 502 | /* Now restore anything we meant to keep. */ |
| 503 | j->flags.vfs = vfs; |
| 504 | j->flags.readonly = readonly; |
| 505 | /* Note, pidns will already have been used before this call. */ |
Will Drewry | 2ddaad0 | 2011-09-16 11:36:08 -0500 | [diff] [blame] | 506 | } |
| 507 | |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 508 | /* bind_one: Applies bindings from @b for @j, recursing as needed. |
| 509 | * @j Minijail these bindings are for |
| 510 | * @b Head of list of bindings |
| 511 | * |
| 512 | * Returns 0 for success. |
| 513 | */ |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 514 | int bind_one(const struct minijail *j, struct binding *b) { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 515 | int ret = 0; |
| 516 | char *dest = NULL; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 517 | if (ret) |
| 518 | return ret; |
| 519 | /* dest has a leading "/" */ |
| 520 | if (asprintf(&dest, "%s%s", j->chrootdir, b->dest) < 0) |
| 521 | return -ENOMEM; |
Elly Jones | a105963 | 2011-12-15 15:17:07 -0500 | [diff] [blame] | 522 | ret = mount(b->src, dest, NULL, MS_BIND, NULL); |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 523 | if (ret) |
| 524 | pdie("bind: %s -> %s", b->src, dest); |
Elly Jones | a105963 | 2011-12-15 15:17:07 -0500 | [diff] [blame] | 525 | if (!b->writeable) { |
| 526 | ret = mount(b->src, dest, NULL, |
| 527 | MS_BIND | MS_REMOUNT | MS_RDONLY, NULL); |
| 528 | if (ret) |
| 529 | pdie("bind ro: %s -> %s", b->src, dest); |
| 530 | } |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 531 | free(dest); |
| 532 | if (b->next) |
| 533 | return bind_one(j, b->next); |
| 534 | return ret; |
| 535 | } |
| 536 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 537 | int enter_chroot(const struct minijail *j) { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 538 | int ret; |
| 539 | if (j->bindings_head && (ret = bind_one(j, j->bindings_head))) |
| 540 | return ret; |
| 541 | |
| 542 | if (chroot(j->chrootdir)) |
| 543 | return -errno; |
| 544 | |
| 545 | if (chdir("/")) |
| 546 | return -errno; |
| 547 | |
| 548 | return 0; |
| 549 | } |
| 550 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 551 | int remount_readonly(void) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 552 | { |
| 553 | const char *kProcPath = "/proc"; |
| 554 | const unsigned int kSafeFlags = MS_NODEV | MS_NOEXEC | MS_NOSUID; |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 555 | /* |
| 556 | * Right now, we're holding a reference to our parent's old mount of |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 557 | * /proc in our namespace, which means using MS_REMOUNT here would |
| 558 | * mutate our parent's mount as well, even though we're in a VFS |
| 559 | * namespace (!). Instead, remove their mount from our namespace |
| 560 | * and make our own. |
| 561 | */ |
| 562 | if (umount(kProcPath)) |
| 563 | return -errno; |
| 564 | if (mount("", kProcPath, "proc", kSafeFlags | MS_RDONLY, "")) |
| 565 | return -errno; |
| 566 | return 0; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 567 | } |
| 568 | |
Jorge Lucangeli Obes | 6201cf5 | 2012-08-23 11:42:27 -0700 | [diff] [blame^] | 569 | void drop_ugid(const struct minijail *j) |
| 570 | { |
| 571 | if (j->flags.usergroups) { |
| 572 | if (initgroups(j->user, j->usergid)) |
| 573 | pdie("initgroups"); |
| 574 | } else { |
| 575 | /* Only attempt to clear supplemental groups if we are changing |
| 576 | * users. */ |
| 577 | if ((j->uid || j->gid) && setgroups(0, NULL)) |
| 578 | pdie("setgroups"); |
| 579 | } |
| 580 | |
| 581 | if (j->flags.gid && setresgid(j->gid, j->gid, j->gid)) |
| 582 | pdie("setresgid"); |
| 583 | |
| 584 | if (j->flags.uid && setresuid(j->uid, j->uid, j->uid)) |
| 585 | pdie("setresuid"); |
| 586 | } |
| 587 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 588 | void drop_caps(const struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 589 | { |
| 590 | cap_t caps = cap_get_proc(); |
| 591 | cap_value_t raise_flag[1]; |
| 592 | unsigned int i; |
| 593 | if (!caps) |
| 594 | die("can't get process caps"); |
| 595 | if (cap_clear_flag(caps, CAP_INHERITABLE)) |
| 596 | die("can't clear inheritable caps"); |
| 597 | if (cap_clear_flag(caps, CAP_EFFECTIVE)) |
| 598 | die("can't clear effective caps"); |
| 599 | if (cap_clear_flag(caps, CAP_PERMITTED)) |
| 600 | die("can't clear permitted caps"); |
| 601 | for (i = 0; i < sizeof(j->caps) * 8 && cap_valid((int)i); ++i) { |
| 602 | if (i != CAP_SETPCAP && !(j->caps & (1 << i))) |
| 603 | continue; |
| 604 | raise_flag[0] = i; |
| 605 | if (cap_set_flag(caps, CAP_EFFECTIVE, 1, raise_flag, CAP_SET)) |
| 606 | die("can't add effective cap"); |
| 607 | if (cap_set_flag(caps, CAP_PERMITTED, 1, raise_flag, CAP_SET)) |
| 608 | die("can't add permitted cap"); |
| 609 | if (cap_set_flag(caps, CAP_INHERITABLE, 1, raise_flag, CAP_SET)) |
| 610 | die("can't add inheritable cap"); |
| 611 | } |
| 612 | if (cap_set_proc(caps)) |
| 613 | die("can't apply cleaned capset"); |
| 614 | cap_free(caps); |
| 615 | for (i = 0; i < sizeof(j->caps) * 8 && cap_valid((int)i); ++i) { |
| 616 | if (j->caps & (1 << i)) |
| 617 | continue; |
| 618 | if (prctl(PR_CAPBSET_DROP, i)) |
| 619 | pdie("prctl(PR_CAPBSET_DROP)"); |
| 620 | } |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 621 | } |
| 622 | |
Jorge Lucangeli Obes | 6201cf5 | 2012-08-23 11:42:27 -0700 | [diff] [blame^] | 623 | void set_seccomp_filter(const struct minijail *j) |
| 624 | { |
| 625 | /* |
| 626 | * Set no_new_privs. See </kernel/seccomp.c> and </kernel/sys.c> |
| 627 | * in the kernel source tree for an explanation of the parameters. |
| 628 | */ |
| 629 | if (j->flags.no_new_privs) { |
| 630 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) |
| 631 | pdie("prctl(PR_SET_NO_NEW_PRIVS)"); |
| 632 | } |
| 633 | |
| 634 | /* |
| 635 | * If we're logging seccomp filter failures, |
| 636 | * install the SIGSYS handler first. |
| 637 | */ |
| 638 | if (j->flags.seccomp_filter && j->flags.log_seccomp_filter) { |
| 639 | if (install_sigsys_handler()) |
| 640 | pdie("install SIGSYS handler"); |
| 641 | warn("logging seccomp filter failures"); |
| 642 | } |
| 643 | |
| 644 | /* |
| 645 | * Install the syscall filter. |
| 646 | */ |
| 647 | if (j->flags.seccomp_filter) { |
| 648 | if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, j->filter_prog)) |
| 649 | pdie("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)"); |
| 650 | } |
| 651 | } |
| 652 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 653 | void API minijail_enter(const struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 654 | { |
| 655 | if (j->flags.pids) |
| 656 | die("tried to enter a pid-namespaced jail;" |
| 657 | "try minijail_run()?"); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 658 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 659 | if (j->flags.usergroups && !j->user) |
| 660 | die("usergroup inheritance without username"); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 661 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 662 | /* |
| 663 | * We can't recover from failures if we've dropped privileges partially, |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 664 | * so we don't even try. If any of our operations fail, we abort() the |
| 665 | * entire process. |
| 666 | */ |
| 667 | if (j->flags.vfs && unshare(CLONE_NEWNS)) |
| 668 | pdie("unshare"); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 669 | |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 670 | if (j->flags.chroot && enter_chroot(j)) |
| 671 | pdie("chroot"); |
| 672 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 673 | if (j->flags.readonly && remount_readonly()) |
| 674 | pdie("remount"); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 675 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 676 | if (j->flags.caps) { |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 677 | /* |
| 678 | * POSIX capabilities are a bit tricky. If we drop our |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 679 | * capability to change uids, our attempt to use setuid() |
| 680 | * below will fail. Hang on to root caps across setuid(), then |
| 681 | * lock securebits. |
| 682 | */ |
| 683 | if (prctl(PR_SET_KEEPCAPS, 1)) |
| 684 | pdie("prctl(PR_SET_KEEPCAPS)"); |
| 685 | if (prctl |
| 686 | (PR_SET_SECUREBITS, SECURE_ALL_BITS | SECURE_ALL_LOCKS)) |
| 687 | pdie("prctl(PR_SET_SECUREBITS)"); |
| 688 | } |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 689 | |
Jorge Lucangeli Obes | c2c9bcc | 2012-05-01 09:30:24 -0700 | [diff] [blame] | 690 | /* |
Jorge Lucangeli Obes | 6201cf5 | 2012-08-23 11:42:27 -0700 | [diff] [blame^] | 691 | * If we're setting no_new_privs, we can drop privileges |
| 692 | * before setting seccomp filter. This way filter policies |
| 693 | * don't need to allow privilege-dropping syscalls. |
Jorge Lucangeli Obes | c2c9bcc | 2012-05-01 09:30:24 -0700 | [diff] [blame] | 694 | */ |
| 695 | if (j->flags.no_new_privs) { |
Jorge Lucangeli Obes | 6201cf5 | 2012-08-23 11:42:27 -0700 | [diff] [blame^] | 696 | drop_ugid(j); |
| 697 | if (j->flags.caps) |
| 698 | drop_caps(j); |
Jorge Lucangeli Obes | c2c9bcc | 2012-05-01 09:30:24 -0700 | [diff] [blame] | 699 | |
Jorge Lucangeli Obes | 6201cf5 | 2012-08-23 11:42:27 -0700 | [diff] [blame^] | 700 | set_seccomp_filter(j); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 701 | } else { |
Jorge Lucangeli Obes | 6201cf5 | 2012-08-23 11:42:27 -0700 | [diff] [blame^] | 702 | /* |
| 703 | * If we're not setting no_new_privs, |
| 704 | * we need to set seccomp filter *before* dropping privileges. |
| 705 | * WARNING: this means that filter policies *must* allow |
| 706 | * setgroups()/setresgid()/setresuid() for dropping root and |
| 707 | * capget()/capset()/prctl() for dropping caps. |
| 708 | */ |
| 709 | set_seccomp_filter(j); |
| 710 | |
| 711 | drop_ugid(j); |
| 712 | if (j->flags.caps) |
| 713 | drop_caps(j); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 714 | } |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 715 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 716 | /* |
| 717 | * seccomp has to come last since it cuts off all the other |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 718 | * privilege-dropping syscalls :) |
| 719 | */ |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 720 | if (j->flags.seccomp && prctl(PR_SET_SECCOMP, 1)) |
| 721 | pdie("prctl(PR_SET_SECCOMP)"); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 722 | } |
| 723 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 724 | /* TODO(wad) will visibility affect this variable? */ |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 725 | static int init_exitstatus = 0; |
| 726 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 727 | void init_term(int __attribute__ ((unused)) sig) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 728 | { |
| 729 | _exit(init_exitstatus); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 730 | } |
| 731 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 732 | int init(pid_t rootpid) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 733 | { |
| 734 | pid_t pid; |
| 735 | int status; |
| 736 | /* so that we exit with the right status */ |
| 737 | signal(SIGTERM, init_term); |
| 738 | /* TODO(wad) self jail with seccomp_filters here. */ |
| 739 | while ((pid = wait(&status)) > 0) { |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 740 | /* |
| 741 | * This loop will only end when either there are no processes |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 742 | * left inside our pid namespace or we get a signal. |
| 743 | */ |
| 744 | if (pid == rootpid) |
| 745 | init_exitstatus = status; |
| 746 | } |
| 747 | if (!WIFEXITED(init_exitstatus)) |
| 748 | _exit(MINIJAIL_ERR_INIT); |
| 749 | _exit(WEXITSTATUS(init_exitstatus)); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 750 | } |
| 751 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 752 | int API minijail_from_fd(int fd, struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 753 | { |
| 754 | size_t sz = 0; |
| 755 | size_t bytes = read(fd, &sz, sizeof(sz)); |
| 756 | char *buf; |
| 757 | int r; |
| 758 | if (sizeof(sz) != bytes) |
| 759 | return -EINVAL; |
| 760 | if (sz > USHRT_MAX) /* Arbitrary sanity check */ |
| 761 | return -E2BIG; |
| 762 | buf = malloc(sz); |
| 763 | if (!buf) |
| 764 | return -ENOMEM; |
| 765 | bytes = read(fd, buf, sz); |
| 766 | if (bytes != sz) { |
| 767 | free(buf); |
| 768 | return -EINVAL; |
| 769 | } |
| 770 | r = minijail_unmarshal(j, buf, sz); |
| 771 | free(buf); |
| 772 | return r; |
Will Drewry | 2f54b6a | 2011-09-16 13:45:31 -0500 | [diff] [blame] | 773 | } |
| 774 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 775 | int API minijail_to_fd(struct minijail *j, int fd) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 776 | { |
| 777 | char *buf; |
| 778 | size_t sz = minijail_size(j); |
| 779 | ssize_t written; |
| 780 | int r; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 781 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 782 | if (!sz) |
| 783 | return -EINVAL; |
| 784 | buf = malloc(sz); |
| 785 | r = minijail_marshal(j, buf, sz); |
| 786 | if (r) { |
| 787 | free(buf); |
| 788 | return r; |
| 789 | } |
| 790 | /* Sends [size][minijail]. */ |
| 791 | written = write(fd, &sz, sizeof(sz)); |
| 792 | if (written != sizeof(sz)) { |
| 793 | free(buf); |
| 794 | return -EFAULT; |
| 795 | } |
| 796 | written = write(fd, buf, sz); |
| 797 | if (written < 0 || (size_t) written != sz) { |
| 798 | free(buf); |
| 799 | return -EFAULT; |
| 800 | } |
| 801 | free(buf); |
| 802 | return 0; |
Will Drewry | 2f54b6a | 2011-09-16 13:45:31 -0500 | [diff] [blame] | 803 | } |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 804 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 805 | int setup_preload(void) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 806 | { |
| 807 | char *oldenv = getenv(kLdPreloadEnvVar) ? : ""; |
| 808 | char *newenv = malloc(strlen(oldenv) + 2 + strlen(PRELOADPATH)); |
| 809 | if (!newenv) |
| 810 | return -ENOMEM; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 811 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 812 | /* Only insert a separating space if we have something to separate... */ |
| 813 | sprintf(newenv, "%s%s%s", oldenv, strlen(oldenv) ? " " : "", |
| 814 | PRELOADPATH); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 815 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 816 | /* setenv() makes a copy of the string we give it */ |
| 817 | setenv(kLdPreloadEnvVar, newenv, 1); |
| 818 | free(newenv); |
| 819 | return 0; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 820 | } |
| 821 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 822 | int setup_pipe(int fds[2]) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 823 | { |
| 824 | int r = pipe(fds); |
| 825 | char fd_buf[11]; |
| 826 | if (r) |
| 827 | return r; |
| 828 | r = snprintf(fd_buf, sizeof(fd_buf), "%d", fds[0]); |
| 829 | if (r <= 0) |
| 830 | return -EINVAL; |
| 831 | setenv(kFdEnvVar, fd_buf, 1); |
| 832 | return 0; |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 833 | } |
| 834 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 835 | int API minijail_run(struct minijail *j, const char *filename, |
| 836 | char *const argv[]) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 837 | { |
Jorge Lucangeli Obes | 9807d03 | 2012-04-17 13:36:00 -0700 | [diff] [blame] | 838 | return minijail_run_pid(j, filename, argv, NULL); |
| 839 | } |
| 840 | |
| 841 | int API minijail_run_pid(struct minijail *j, const char *filename, |
| 842 | char *const argv[], pid_t *pchild_pid) |
| 843 | { |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 844 | char *oldenv, *oldenv_copy = NULL; |
| 845 | pid_t child_pid; |
| 846 | int pipe_fds[2]; |
| 847 | int ret; |
Elly Jones | a05d7bb | 2012-06-14 14:09:27 -0400 | [diff] [blame] | 848 | /* We need to remember this across the minijail_preexec() call. */ |
| 849 | int pid_namespace = j->flags.pids; |
Ben Chan | 541c7e5 | 2011-08-26 14:55:53 -0700 | [diff] [blame] | 850 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 851 | oldenv = getenv(kLdPreloadEnvVar); |
| 852 | if (oldenv) { |
| 853 | oldenv_copy = strdup(oldenv); |
| 854 | if (!oldenv_copy) |
| 855 | return -ENOMEM; |
| 856 | } |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 857 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 858 | if (setup_preload()) |
| 859 | return -EFAULT; |
Will Drewry | 2f54b6a | 2011-09-16 13:45:31 -0500 | [diff] [blame] | 860 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 861 | /* |
| 862 | * Before we fork(2) and execve(2) the child process, we need to open |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 863 | * a pipe(2) to send the minijail configuration over. |
| 864 | */ |
| 865 | if (setup_pipe(pipe_fds)) |
| 866 | return -EFAULT; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 867 | |
Elly Jones | 761b741 | 2012-06-13 15:49:52 -0400 | [diff] [blame] | 868 | /* Use sys_clone() if and only if we're creating a pid namespace. |
| 869 | * |
| 870 | * tl;dr: WARNING: do not mix pid namespaces and multithreading. |
| 871 | * |
| 872 | * In multithreaded programs, there are a bunch of locks inside libc, |
| 873 | * some of which may be held by other threads at the time that we call |
| 874 | * minijail_run_pid(). If we call fork(), glibc does its level best to |
| 875 | * ensure that we hold all of these locks before it calls clone() |
| 876 | * internally and drop them after clone() returns, but when we call |
| 877 | * sys_clone(2) directly, all that gets bypassed and we end up with a |
| 878 | * child address space where some of libc's important locks are held by |
| 879 | * other threads (which did not get cloned, and hence will never release |
| 880 | * those locks). This is okay so long as we call exec() immediately |
| 881 | * after, but a bunch of seemingly-innocent libc functions like setenv() |
| 882 | * take locks. |
| 883 | * |
| 884 | * Hence, only call sys_clone() if we need to, in order to get at pid |
| 885 | * namespacing. If we follow this path, the child's address space might |
| 886 | * have broken locks; you may only call functions that do not acquire |
| 887 | * any locks. |
| 888 | * |
| 889 | * Unfortunately, fork() acquires every lock it can get its hands on, as |
| 890 | * previously detailed, so this function is highly likely to deadlock |
| 891 | * later on (see "deadlock here") if we're multithreaded. |
| 892 | * |
| 893 | * We might hack around this by having the clone()d child (init of the |
| 894 | * pid namespace) return directly, rather than leaving the clone()d |
| 895 | * process hanging around to be init for the new namespace (and having |
| 896 | * its fork()ed child return in turn), but that process would be crippled |
| 897 | * with its libc locks potentially broken. We might try fork()ing in the |
| 898 | * parent before we clone() to ensure that we own all the locks, but |
| 899 | * then we have to have the forked child hanging around consuming |
| 900 | * resources (and possibly having file descriptors / shared memory |
| 901 | * regions / etc attached). We'd need to keep the child around to avoid |
| 902 | * having its children get reparented to init. |
| 903 | * |
| 904 | * TODO(ellyjones): figure out if the "forked child hanging around" |
| 905 | * problem is fixable or not. It would be nice if we worked in this |
| 906 | * case. |
| 907 | */ |
Elly Jones | a05d7bb | 2012-06-14 14:09:27 -0400 | [diff] [blame] | 908 | if (pid_namespace) |
Elly Jones | 761b741 | 2012-06-13 15:49:52 -0400 | [diff] [blame] | 909 | child_pid = syscall(SYS_clone, CLONE_NEWPID | SIGCHLD, NULL); |
| 910 | else |
| 911 | child_pid = fork(); |
| 912 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 913 | if (child_pid < 0) { |
| 914 | free(oldenv_copy); |
| 915 | return child_pid; |
| 916 | } |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 917 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 918 | if (child_pid) { |
| 919 | /* Restore parent's LD_PRELOAD. */ |
| 920 | if (oldenv_copy) { |
| 921 | setenv(kLdPreloadEnvVar, oldenv_copy, 1); |
| 922 | free(oldenv_copy); |
| 923 | } else { |
| 924 | unsetenv(kLdPreloadEnvVar); |
| 925 | } |
| 926 | unsetenv(kFdEnvVar); |
| 927 | j->initpid = child_pid; |
| 928 | close(pipe_fds[0]); /* read endpoint */ |
| 929 | ret = minijail_to_fd(j, pipe_fds[1]); |
| 930 | close(pipe_fds[1]); /* write endpoint */ |
| 931 | if (ret) { |
| 932 | kill(j->initpid, SIGKILL); |
| 933 | die("failed to send marshalled minijail"); |
| 934 | } |
Jorge Lucangeli Obes | 9807d03 | 2012-04-17 13:36:00 -0700 | [diff] [blame] | 935 | if (pchild_pid) |
| 936 | *pchild_pid = child_pid; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 937 | return 0; |
| 938 | } |
| 939 | free(oldenv_copy); |
Ben Chan | 541c7e5 | 2011-08-26 14:55:53 -0700 | [diff] [blame] | 940 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 941 | /* Drop everything that cannot be inherited across execve. */ |
| 942 | minijail_preexec(j); |
| 943 | /* Jail this process and its descendants... */ |
| 944 | minijail_enter(j); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 945 | |
Elly Jones | a05d7bb | 2012-06-14 14:09:27 -0400 | [diff] [blame] | 946 | if (pid_namespace) { |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 947 | /* |
| 948 | * pid namespace: this process will become init inside the new |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 949 | * namespace, so fork off a child to actually run the program |
| 950 | * (we don't want all programs we might exec to have to know |
| 951 | * how to be init). |
Elly Jones | 761b741 | 2012-06-13 15:49:52 -0400 | [diff] [blame] | 952 | * |
| 953 | * If we're multithreaded, we'll probably deadlock here. See |
| 954 | * WARNING above. |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 955 | */ |
| 956 | child_pid = fork(); |
| 957 | if (child_pid < 0) |
| 958 | _exit(child_pid); |
| 959 | else if (child_pid > 0) |
| 960 | init(child_pid); /* never returns */ |
| 961 | } |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 962 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 963 | /* |
| 964 | * If we aren't pid-namespaced: |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 965 | * calling process |
| 966 | * -> execve()-ing process |
| 967 | * If we are: |
| 968 | * calling process |
| 969 | * -> init()-ing process |
| 970 | * -> execve()-ing process |
| 971 | */ |
| 972 | _exit(execve(filename, argv, environ)); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 973 | } |
| 974 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 975 | int API minijail_kill(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 976 | { |
| 977 | int st; |
| 978 | if (kill(j->initpid, SIGTERM)) |
| 979 | return -errno; |
| 980 | if (waitpid(j->initpid, &st, 0) < 0) |
| 981 | return -errno; |
| 982 | return st; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 983 | } |
| 984 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 985 | int API minijail_wait(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 986 | { |
| 987 | int st; |
| 988 | if (waitpid(j->initpid, &st, 0) < 0) |
| 989 | return -errno; |
Jorge Lucangeli Obes | c2c9bcc | 2012-05-01 09:30:24 -0700 | [diff] [blame] | 990 | if (!WIFEXITED(st)) { |
| 991 | if (WIFSIGNALED(st)) |
| 992 | warn("child process received signal %d", WTERMSIG(st)); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 993 | return MINIJAIL_ERR_JAIL; |
Jorge Lucangeli Obes | c2c9bcc | 2012-05-01 09:30:24 -0700 | [diff] [blame] | 994 | } |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 995 | return WEXITSTATUS(st); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 996 | } |
| 997 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 998 | void API minijail_destroy(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 999 | { |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 1000 | if (j->flags.seccomp_filter && j->filter_prog) { |
| 1001 | free(j->filter_prog->filter); |
| 1002 | free(j->filter_prog); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1003 | } |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 1004 | while (j->bindings_head) { |
| 1005 | struct binding *b = j->bindings_head; |
| 1006 | j->bindings_head = j->bindings_head->next; |
| 1007 | free(b->dest); |
| 1008 | free(b->src); |
| 1009 | free(b); |
| 1010 | } |
| 1011 | j->bindings_tail = NULL; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1012 | if (j->user) |
| 1013 | free(j->user); |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 1014 | if (j->chrootdir) |
| 1015 | free(j->chrootdir); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1016 | free(j); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1017 | } |