Jorge Lucangeli Obes | d613ab2 | 2015-03-03 14:22:50 -0800 | [diff] [blame] | 1 | /* Copyright (c) 2012 The Chromium OS Authors. All rights reserved. |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 2 | * Use of this source code is governed by a BSD-style license that can be |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 3 | * found in the LICENSE file. |
| 4 | */ |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 5 | |
| 6 | #define _BSD_SOURCE |
| 7 | #define _GNU_SOURCE |
Jorge Lucangeli Obes | c2c9bcc | 2012-05-01 09:30:24 -0700 | [diff] [blame] | 8 | |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 9 | #include <asm/unistd.h> |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 10 | #include <ctype.h> |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 11 | #include <errno.h> |
Jorge Lucangeli Obes | 1563b5b | 2014-07-10 07:01:53 -0700 | [diff] [blame] | 12 | #include <fcntl.h> |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 13 | #include <grp.h> |
| 14 | #include <inttypes.h> |
Will Drewry | fe4a372 | 2011-09-16 14:50:50 -0500 | [diff] [blame] | 15 | #include <limits.h> |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 16 | #include <linux/capability.h> |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 17 | #include <pwd.h> |
| 18 | #include <sched.h> |
| 19 | #include <signal.h> |
Will Drewry | 2f54b6a | 2011-09-16 13:45:31 -0500 | [diff] [blame] | 20 | #include <stdarg.h> |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 21 | #include <stdbool.h> |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 22 | #include <stddef.h> |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 23 | #include <stdio.h> |
| 24 | #include <stdlib.h> |
| 25 | #include <string.h> |
| 26 | #include <syscall.h> |
| 27 | #include <sys/capability.h> |
| 28 | #include <sys/mount.h> |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 29 | #include <sys/param.h> |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 30 | #include <sys/prctl.h> |
Jorge Lucangeli Obes | 1563b5b | 2014-07-10 07:01:53 -0700 | [diff] [blame] | 31 | #include <sys/stat.h> |
| 32 | #include <sys/types.h> |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 33 | #include <sys/user.h> |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 34 | #include <sys/wait.h> |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 35 | #include <unistd.h> |
| 36 | |
| 37 | #include "libminijail.h" |
| 38 | #include "libminijail-private.h" |
| 39 | |
Jorge Lucangeli Obes | a21c8fc | 2015-07-15 16:22:34 -0700 | [diff] [blame] | 40 | #include "signal_handler.h" |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 41 | #include "syscall_filter.h" |
Jorge Lucangeli Obes | a6b034d | 2012-08-07 15:29:20 -0700 | [diff] [blame] | 42 | #include "util.h" |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 43 | |
Lei Zhang | eee3155 | 2012-10-17 21:27:10 -0700 | [diff] [blame] | 44 | #ifdef HAVE_SECUREBITS_H |
| 45 | #include <linux/securebits.h> |
| 46 | #else |
| 47 | #define SECURE_ALL_BITS 0x15 |
| 48 | #define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1) |
| 49 | #endif |
| 50 | |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 51 | /* Until these are reliably available in linux/prctl.h */ |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 52 | #ifndef PR_SET_SECCOMP |
Jorge Lucangeli Obes | c2c9bcc | 2012-05-01 09:30:24 -0700 | [diff] [blame] | 53 | # define PR_SET_SECCOMP 22 |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 54 | #endif |
| 55 | |
| 56 | /* For seccomp_filter using BPF. */ |
| 57 | #ifndef PR_SET_NO_NEW_PRIVS |
| 58 | # define PR_SET_NO_NEW_PRIVS 38 |
| 59 | #endif |
| 60 | #ifndef SECCOMP_MODE_FILTER |
| 61 | # define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */ |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 62 | #endif |
| 63 | |
Utkarsh Sanghi | 0ef8a66 | 2014-08-18 15:50:11 -0700 | [diff] [blame] | 64 | #ifdef USE_SECCOMP_SOFTFAIL |
| 65 | # define SECCOMP_SOFTFAIL 1 |
| 66 | #else |
| 67 | # define SECCOMP_SOFTFAIL 0 |
| 68 | #endif |
| 69 | |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 70 | struct binding { |
| 71 | char *src; |
| 72 | char *dest; |
| 73 | int writeable; |
| 74 | struct binding *next; |
| 75 | }; |
| 76 | |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 77 | struct minijail { |
Jorge Lucangeli Obes | 4ae30cc | 2014-04-10 15:35:33 -0700 | [diff] [blame] | 78 | /* |
Jorge Lucangeli Obes | c8b21e1 | 2014-06-13 14:26:16 -0700 | [diff] [blame] | 79 | * WARNING: if you add a flag here you need to make sure it's |
| 80 | * accounted for in minijail_pre{enter|exec}() below. |
Jorge Lucangeli Obes | 4ae30cc | 2014-04-10 15:35:33 -0700 | [diff] [blame] | 81 | */ |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 82 | struct { |
| 83 | int uid:1; |
| 84 | int gid:1; |
| 85 | int caps:1; |
| 86 | int vfs:1; |
Jorge Lucangeli Obes | 1563b5b | 2014-07-10 07:01:53 -0700 | [diff] [blame] | 87 | int enter_vfs:1; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 88 | int pids:1; |
Elly Fong-Jones | 6c08630 | 2013-03-20 17:15:28 -0400 | [diff] [blame] | 89 | int net:1; |
Dylan Reid | 1102f5a | 2015-09-15 11:52:20 -0700 | [diff] [blame] | 90 | int enter_net:1; |
Yu-Hsi Chiang | 10e9123 | 2015-08-05 14:40:45 +0800 | [diff] [blame] | 91 | int userns:1; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 92 | int seccomp:1; |
Dylan Reid | 791f577 | 2015-09-14 20:02:42 -0700 | [diff] [blame] | 93 | int remount_proc_ro:1; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 94 | int usergroups:1; |
| 95 | int ptrace:1; |
Jorge Lucangeli Obes | c2c9bcc | 2012-05-01 09:30:24 -0700 | [diff] [blame] | 96 | int no_new_privs:1; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 97 | int seccomp_filter:1; |
Jorge Lucangeli Obes | bda833c | 2012-07-31 16:25:56 -0700 | [diff] [blame] | 98 | int log_seccomp_filter:1; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 99 | int chroot:1; |
Yu-Hsi Chiang | 64d65a7 | 2015-08-13 17:43:27 +0800 | [diff] [blame] | 100 | int pivot_root:1; |
Lee Campbell | 11af062 | 2014-05-22 12:36:04 -0700 | [diff] [blame] | 101 | int mount_tmp:1; |
Yu-Hsi Chiang | 3e954ec | 2015-07-28 16:48:14 +0800 | [diff] [blame] | 102 | int do_init:1; |
Yu-Hsi Chiang | 3cc05ea | 2015-08-11 11:23:17 +0800 | [diff] [blame] | 103 | int pid_file:1; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 104 | } flags; |
| 105 | uid_t uid; |
| 106 | gid_t gid; |
| 107 | gid_t usergid; |
| 108 | char *user; |
| 109 | uint64_t caps; |
| 110 | pid_t initpid; |
Jorge Lucangeli Obes | 1563b5b | 2014-07-10 07:01:53 -0700 | [diff] [blame] | 111 | int mountns_fd; |
Dylan Reid | 1102f5a | 2015-09-15 11:52:20 -0700 | [diff] [blame] | 112 | int netns_fd; |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 113 | int filter_len; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 114 | int binding_count; |
| 115 | char *chrootdir; |
Yu-Hsi Chiang | 3cc05ea | 2015-08-11 11:23:17 +0800 | [diff] [blame] | 116 | char *pid_file_path; |
Yu-Hsi Chiang | 10e9123 | 2015-08-05 14:40:45 +0800 | [diff] [blame] | 117 | char *uidmap; |
| 118 | char *gidmap; |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 119 | struct sock_fprog *filter_prog; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 120 | struct binding *bindings_head; |
| 121 | struct binding *bindings_tail; |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 122 | }; |
| 123 | |
Jorge Lucangeli Obes | 4ae30cc | 2014-04-10 15:35:33 -0700 | [diff] [blame] | 124 | /* |
| 125 | * Strip out flags meant for the parent. |
| 126 | * We keep things that are not inherited across execve(2) (e.g. capabilities), |
| 127 | * or are easier to set after execve(2) (e.g. seccomp filters). |
| 128 | */ |
| 129 | void minijail_preenter(struct minijail *j) |
| 130 | { |
| 131 | j->flags.vfs = 0; |
Jorge Lucangeli Obes | 1563b5b | 2014-07-10 07:01:53 -0700 | [diff] [blame] | 132 | j->flags.enter_vfs = 0; |
Dylan Reid | 791f577 | 2015-09-14 20:02:42 -0700 | [diff] [blame] | 133 | j->flags.remount_proc_ro = 0; |
Jorge Lucangeli Obes | 4ae30cc | 2014-04-10 15:35:33 -0700 | [diff] [blame] | 134 | j->flags.pids = 0; |
Yu-Hsi Chiang | 3e954ec | 2015-07-28 16:48:14 +0800 | [diff] [blame] | 135 | j->flags.do_init = 0; |
Yu-Hsi Chiang | 3cc05ea | 2015-08-11 11:23:17 +0800 | [diff] [blame] | 136 | j->flags.pid_file = 0; |
Jorge Lucangeli Obes | 4ae30cc | 2014-04-10 15:35:33 -0700 | [diff] [blame] | 137 | } |
| 138 | |
| 139 | /* |
| 140 | * Strip out flags meant for the child. |
| 141 | * We keep things that are inherited across execve(2). |
| 142 | */ |
| 143 | void minijail_preexec(struct minijail *j) |
| 144 | { |
| 145 | int vfs = j->flags.vfs; |
Jorge Lucangeli Obes | 1563b5b | 2014-07-10 07:01:53 -0700 | [diff] [blame] | 146 | int enter_vfs = j->flags.enter_vfs; |
Dylan Reid | 791f577 | 2015-09-14 20:02:42 -0700 | [diff] [blame] | 147 | int remount_proc_ro = j->flags.remount_proc_ro; |
Yu-Hsi Chiang | 10e9123 | 2015-08-05 14:40:45 +0800 | [diff] [blame] | 148 | int userns = j->flags.userns; |
Jorge Lucangeli Obes | 4ae30cc | 2014-04-10 15:35:33 -0700 | [diff] [blame] | 149 | if (j->user) |
| 150 | free(j->user); |
| 151 | j->user = NULL; |
| 152 | memset(&j->flags, 0, sizeof(j->flags)); |
| 153 | /* Now restore anything we meant to keep. */ |
| 154 | j->flags.vfs = vfs; |
Jorge Lucangeli Obes | 1563b5b | 2014-07-10 07:01:53 -0700 | [diff] [blame] | 155 | j->flags.enter_vfs = enter_vfs; |
Dylan Reid | 791f577 | 2015-09-14 20:02:42 -0700 | [diff] [blame] | 156 | j->flags.remount_proc_ro = remount_proc_ro; |
Yu-Hsi Chiang | 10e9123 | 2015-08-05 14:40:45 +0800 | [diff] [blame] | 157 | j->flags.userns = userns; |
Jorge Lucangeli Obes | 4ae30cc | 2014-04-10 15:35:33 -0700 | [diff] [blame] | 158 | /* Note, |pids| will already have been used before this call. */ |
| 159 | } |
| 160 | |
| 161 | /* Minijail API. */ |
| 162 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 163 | struct minijail API *minijail_new(void) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 164 | { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 165 | return calloc(1, sizeof(struct minijail)); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 166 | } |
| 167 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 168 | void API minijail_change_uid(struct minijail *j, uid_t uid) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 169 | { |
| 170 | if (uid == 0) |
| 171 | die("useless change to uid 0"); |
| 172 | j->uid = uid; |
| 173 | j->flags.uid = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 174 | } |
| 175 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 176 | void API minijail_change_gid(struct minijail *j, gid_t gid) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 177 | { |
| 178 | if (gid == 0) |
| 179 | die("useless change to gid 0"); |
| 180 | j->gid = gid; |
| 181 | j->flags.gid = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 182 | } |
| 183 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 184 | int API minijail_change_user(struct minijail *j, const char *user) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 185 | { |
| 186 | char *buf = NULL; |
| 187 | struct passwd pw; |
| 188 | struct passwd *ppw = NULL; |
| 189 | ssize_t sz = sysconf(_SC_GETPW_R_SIZE_MAX); |
| 190 | if (sz == -1) |
| 191 | sz = 65536; /* your guess is as good as mine... */ |
Elly Jones | eb300c5 | 2011-09-22 14:35:43 -0400 | [diff] [blame] | 192 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 193 | /* |
| 194 | * sysconf(_SC_GETPW_R_SIZE_MAX), under glibc, is documented to return |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 195 | * the maximum needed size of the buffer, so we don't have to search. |
| 196 | */ |
| 197 | buf = malloc(sz); |
| 198 | if (!buf) |
| 199 | return -ENOMEM; |
| 200 | getpwnam_r(user, &pw, buf, sz, &ppw); |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 201 | /* |
| 202 | * We're safe to free the buffer here. The strings inside pw point |
| 203 | * inside buf, but we don't use any of them; this leaves the pointers |
| 204 | * dangling but it's safe. ppw points at pw if getpwnam_r succeeded. |
| 205 | */ |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 206 | free(buf); |
Jorge Lucangeli Obes | 4e48065 | 2014-03-26 10:56:42 -0700 | [diff] [blame] | 207 | /* getpwnam_r(3) does *not* set errno when |ppw| is NULL. */ |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 208 | if (!ppw) |
Jorge Lucangeli Obes | 4e48065 | 2014-03-26 10:56:42 -0700 | [diff] [blame] | 209 | return -1; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 210 | minijail_change_uid(j, ppw->pw_uid); |
| 211 | j->user = strdup(user); |
| 212 | if (!j->user) |
| 213 | return -ENOMEM; |
| 214 | j->usergid = ppw->pw_gid; |
| 215 | return 0; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 216 | } |
| 217 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 218 | int API minijail_change_group(struct minijail *j, const char *group) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 219 | { |
Jorge Lucangeli Obes | a21c8fc | 2015-07-15 16:22:34 -0700 | [diff] [blame] | 220 | char *buf = NULL; |
Yabin Cui | 1b21c8f | 2015-07-22 10:34:45 -0700 | [diff] [blame] | 221 | struct group gr; |
| 222 | struct group *pgr = NULL; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 223 | ssize_t sz = sysconf(_SC_GETGR_R_SIZE_MAX); |
| 224 | if (sz == -1) |
| 225 | sz = 65536; /* and mine is as good as yours, really */ |
Elly Jones | eb300c5 | 2011-09-22 14:35:43 -0400 | [diff] [blame] | 226 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 227 | /* |
| 228 | * sysconf(_SC_GETGR_R_SIZE_MAX), under glibc, is documented to return |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 229 | * the maximum needed size of the buffer, so we don't have to search. |
| 230 | */ |
| 231 | buf = malloc(sz); |
| 232 | if (!buf) |
| 233 | return -ENOMEM; |
| 234 | getgrnam_r(group, &gr, buf, sz, &pgr); |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 235 | /* |
| 236 | * We're safe to free the buffer here. The strings inside gr point |
| 237 | * inside buf, but we don't use any of them; this leaves the pointers |
| 238 | * dangling but it's safe. pgr points at gr if getgrnam_r succeeded. |
| 239 | */ |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 240 | free(buf); |
Jorge Lucangeli Obes | 4e48065 | 2014-03-26 10:56:42 -0700 | [diff] [blame] | 241 | /* getgrnam_r(3) does *not* set errno when |pgr| is NULL. */ |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 242 | if (!pgr) |
Jorge Lucangeli Obes | 4e48065 | 2014-03-26 10:56:42 -0700 | [diff] [blame] | 243 | return -1; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 244 | minijail_change_gid(j, pgr->gr_gid); |
| 245 | return 0; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 246 | } |
| 247 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 248 | void API minijail_use_seccomp(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 249 | { |
| 250 | j->flags.seccomp = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 251 | } |
| 252 | |
Jorge Lucangeli Obes | c2c9bcc | 2012-05-01 09:30:24 -0700 | [diff] [blame] | 253 | void API minijail_no_new_privs(struct minijail *j) |
| 254 | { |
| 255 | j->flags.no_new_privs = 1; |
| 256 | } |
| 257 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 258 | void API minijail_use_seccomp_filter(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 259 | { |
| 260 | j->flags.seccomp_filter = 1; |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 261 | } |
| 262 | |
Jorge Lucangeli Obes | bda833c | 2012-07-31 16:25:56 -0700 | [diff] [blame] | 263 | void API minijail_log_seccomp_filter_failures(struct minijail *j) |
| 264 | { |
| 265 | j->flags.log_seccomp_filter = 1; |
| 266 | } |
| 267 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 268 | void API minijail_use_caps(struct minijail *j, uint64_t capmask) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 269 | { |
| 270 | j->caps = capmask; |
| 271 | j->flags.caps = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 272 | } |
| 273 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 274 | void API minijail_namespace_vfs(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 275 | { |
| 276 | j->flags.vfs = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 277 | } |
| 278 | |
Jorge Lucangeli Obes | 1563b5b | 2014-07-10 07:01:53 -0700 | [diff] [blame] | 279 | void API minijail_namespace_enter_vfs(struct minijail *j, const char *ns_path) |
| 280 | { |
| 281 | int ns_fd = open(ns_path, O_RDONLY); |
| 282 | if (ns_fd < 0) { |
| 283 | pdie("failed to open namespace '%s'", ns_path); |
| 284 | } |
| 285 | j->mountns_fd = ns_fd; |
| 286 | j->flags.enter_vfs = 1; |
| 287 | } |
| 288 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 289 | void API minijail_namespace_pids(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 290 | { |
Elly Jones | e58176c | 2012-01-23 11:46:17 -0500 | [diff] [blame] | 291 | j->flags.vfs = 1; |
Dylan Reid | 791f577 | 2015-09-14 20:02:42 -0700 | [diff] [blame] | 292 | j->flags.remount_proc_ro = 1; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 293 | j->flags.pids = 1; |
Yu-Hsi Chiang | 3e954ec | 2015-07-28 16:48:14 +0800 | [diff] [blame] | 294 | j->flags.do_init = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 295 | } |
| 296 | |
Elly Fong-Jones | 6c08630 | 2013-03-20 17:15:28 -0400 | [diff] [blame] | 297 | void API minijail_namespace_net(struct minijail *j) |
| 298 | { |
| 299 | j->flags.net = 1; |
| 300 | } |
| 301 | |
Dylan Reid | 1102f5a | 2015-09-15 11:52:20 -0700 | [diff] [blame] | 302 | void API minijail_namespace_enter_net(struct minijail *j, const char *ns_path) |
| 303 | { |
| 304 | int ns_fd = open(ns_path, O_RDONLY); |
| 305 | if (ns_fd < 0) { |
| 306 | pdie("failed to open namespace '%s'", ns_path); |
| 307 | } |
| 308 | j->netns_fd = ns_fd; |
| 309 | j->flags.enter_net = 1; |
| 310 | } |
| 311 | |
Dylan Reid | 791f577 | 2015-09-14 20:02:42 -0700 | [diff] [blame] | 312 | void API minijail_remount_proc_readonly(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 313 | { |
| 314 | j->flags.vfs = 1; |
Dylan Reid | 791f577 | 2015-09-14 20:02:42 -0700 | [diff] [blame] | 315 | j->flags.remount_proc_ro = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 316 | } |
| 317 | |
Yu-Hsi Chiang | 10e9123 | 2015-08-05 14:40:45 +0800 | [diff] [blame] | 318 | void API minijail_namespace_user(struct minijail *j) |
| 319 | { |
| 320 | j->flags.userns = 1; |
| 321 | } |
| 322 | |
| 323 | int API minijail_uidmap(struct minijail *j, const char *uidmap) |
| 324 | { |
| 325 | j->uidmap = strdup(uidmap); |
| 326 | if (!j->uidmap) |
| 327 | return -ENOMEM; |
Yu-Hsi Chiang | 1912c5b | 2015-08-31 18:59:49 +0800 | [diff] [blame] | 328 | char *ch; |
| 329 | for (ch = j->uidmap; *ch; ch++) { |
| 330 | if (*ch == ',') |
| 331 | *ch = '\n'; |
| 332 | } |
Yu-Hsi Chiang | 10e9123 | 2015-08-05 14:40:45 +0800 | [diff] [blame] | 333 | return 0; |
| 334 | } |
| 335 | |
| 336 | int API minijail_gidmap(struct minijail *j, const char *gidmap) |
| 337 | { |
| 338 | j->gidmap = strdup(gidmap); |
| 339 | if (!j->gidmap) |
| 340 | return -ENOMEM; |
Yu-Hsi Chiang | 1912c5b | 2015-08-31 18:59:49 +0800 | [diff] [blame] | 341 | char *ch; |
| 342 | for (ch = j->gidmap; *ch; ch++) { |
| 343 | if (*ch == ',') |
| 344 | *ch = '\n'; |
| 345 | } |
Yu-Hsi Chiang | 10e9123 | 2015-08-05 14:40:45 +0800 | [diff] [blame] | 346 | return 0; |
| 347 | } |
| 348 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 349 | void API minijail_inherit_usergroups(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 350 | { |
| 351 | j->flags.usergroups = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 352 | } |
| 353 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 354 | void API minijail_disable_ptrace(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 355 | { |
| 356 | j->flags.ptrace = 1; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 357 | } |
| 358 | |
Yu-Hsi Chiang | 3e954ec | 2015-07-28 16:48:14 +0800 | [diff] [blame] | 359 | void API minijail_run_as_init(struct minijail *j) |
| 360 | { |
| 361 | /* |
| 362 | * Since the jailed program will become 'init' in the new PID namespace, |
| 363 | * Minijail does not need to fork an 'init' process. |
| 364 | */ |
| 365 | j->flags.do_init = 0; |
| 366 | } |
| 367 | |
Jorge Lucangeli Obes | c8b21e1 | 2014-06-13 14:26:16 -0700 | [diff] [blame] | 368 | int API minijail_enter_chroot(struct minijail *j, const char *dir) |
| 369 | { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 370 | if (j->chrootdir) |
| 371 | return -EINVAL; |
| 372 | j->chrootdir = strdup(dir); |
| 373 | if (!j->chrootdir) |
| 374 | return -ENOMEM; |
| 375 | j->flags.chroot = 1; |
| 376 | return 0; |
| 377 | } |
| 378 | |
Yu-Hsi Chiang | 64d65a7 | 2015-08-13 17:43:27 +0800 | [diff] [blame] | 379 | int API minijail_enter_pivot_root(struct minijail *j, const char *dir) |
| 380 | { |
| 381 | if (j->chrootdir) |
| 382 | return -EINVAL; |
| 383 | j->chrootdir = strdup(dir); |
| 384 | if (!j->chrootdir) |
| 385 | return -ENOMEM; |
| 386 | j->flags.pivot_root = 1; |
| 387 | return 0; |
| 388 | } |
| 389 | |
Dylan Reid | a14e08d | 2015-10-22 21:05:29 -0700 | [diff] [blame] | 390 | static char *append_external_path(const char *external_path, |
| 391 | const char *path_inside_chroot) |
Dylan Reid | 08946cc | 2015-09-16 19:10:57 -0700 | [diff] [blame] | 392 | { |
Dylan Reid | a14e08d | 2015-10-22 21:05:29 -0700 | [diff] [blame] | 393 | char *path; |
Dylan Reid | 08946cc | 2015-09-16 19:10:57 -0700 | [diff] [blame] | 394 | size_t pathlen; |
| 395 | |
Dylan Reid | 08946cc | 2015-09-16 19:10:57 -0700 | [diff] [blame] | 396 | /* One extra char for '/' and one for '\0', hence + 2. */ |
Dylan Reid | a14e08d | 2015-10-22 21:05:29 -0700 | [diff] [blame] | 397 | pathlen = strlen(path_inside_chroot) + strlen(external_path) + 2; |
| 398 | path = malloc(pathlen); |
| 399 | snprintf(path, pathlen, "%s/%s", external_path, path_inside_chroot); |
Dylan Reid | 08946cc | 2015-09-16 19:10:57 -0700 | [diff] [blame] | 400 | |
Dylan Reid | a14e08d | 2015-10-22 21:05:29 -0700 | [diff] [blame] | 401 | return path; |
| 402 | } |
| 403 | |
| 404 | char API *minijail_get_original_path(struct minijail *j, |
| 405 | const char *path_inside_chroot) |
| 406 | { |
| 407 | struct binding *b; |
| 408 | |
| 409 | b = j->bindings_head; |
| 410 | while (b) { |
| 411 | /* |
| 412 | * If |path_inside_chroot| is the exact destination of a |
| 413 | * bind mount, then the original path is exactly the source of |
| 414 | * the bind mount. |
| 415 | * for example: "-b /some/path/exe,/chroot/path/exe" |
| 416 | * bind source = /some/path/exe, bind dest = /chroot/path/exe |
| 417 | * Then when getting the original path of "/chroot/path/exe", |
| 418 | * the source of that bind mount, "/some/path/exe" is what |
| 419 | * should be returned. |
| 420 | */ |
| 421 | if (!strcmp(b->dest, path_inside_chroot)) |
| 422 | return strdup(b->src); |
| 423 | |
| 424 | /* |
| 425 | * If |path_inside_chroot| is within the destination path of a |
| 426 | * bind mount, take the suffix of the chroot path relative to |
| 427 | * the bind mount destination path, and append it to the bind |
| 428 | * mount source path. |
| 429 | */ |
| 430 | if (!strncmp(b->dest, path_inside_chroot, strlen(b->dest))) { |
| 431 | const char *relative_path = |
| 432 | path_inside_chroot + strlen(b->dest); |
| 433 | return append_external_path(b->src, relative_path); |
| 434 | } |
| 435 | b = b->next; |
| 436 | } |
| 437 | |
| 438 | /* If there is a chroot path, append |path_inside_chroot| to that. */ |
| 439 | if (j->chrootdir) |
| 440 | return append_external_path(j->chrootdir, path_inside_chroot); |
| 441 | |
| 442 | /* No chroot, so the path outside is the same as it is inside. */ |
| 443 | return strdup(path_inside_chroot); |
Dylan Reid | 08946cc | 2015-09-16 19:10:57 -0700 | [diff] [blame] | 444 | } |
| 445 | |
Lee Campbell | 11af062 | 2014-05-22 12:36:04 -0700 | [diff] [blame] | 446 | void API minijail_mount_tmp(struct minijail *j) |
| 447 | { |
| 448 | j->flags.mount_tmp = 1; |
| 449 | } |
| 450 | |
Yu-Hsi Chiang | 3cc05ea | 2015-08-11 11:23:17 +0800 | [diff] [blame] | 451 | int API minijail_write_pid_file(struct minijail *j, const char *path) |
| 452 | { |
| 453 | j->pid_file_path = strdup(path); |
| 454 | if (!j->pid_file_path) |
| 455 | return -ENOMEM; |
| 456 | j->flags.pid_file = 1; |
| 457 | return 0; |
| 458 | } |
| 459 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 460 | int API minijail_bind(struct minijail *j, const char *src, const char *dest, |
Jorge Lucangeli Obes | c8b21e1 | 2014-06-13 14:26:16 -0700 | [diff] [blame] | 461 | int writeable) |
| 462 | { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 463 | struct binding *b; |
| 464 | |
| 465 | if (*dest != '/') |
| 466 | return -EINVAL; |
| 467 | b = calloc(1, sizeof(*b)); |
| 468 | if (!b) |
| 469 | return -ENOMEM; |
| 470 | b->dest = strdup(dest); |
| 471 | if (!b->dest) |
| 472 | goto error; |
| 473 | b->src = strdup(src); |
| 474 | if (!b->src) |
| 475 | goto error; |
| 476 | b->writeable = writeable; |
| 477 | |
Jorge Lucangeli Obes | 224e427 | 2012-08-02 14:31:39 -0700 | [diff] [blame] | 478 | info("bind %s -> %s", src, dest); |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 479 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 480 | /* |
| 481 | * Force vfs namespacing so the bind mounts don't leak out into the |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 482 | * containing vfs namespace. |
| 483 | */ |
| 484 | minijail_namespace_vfs(j); |
| 485 | |
| 486 | if (j->bindings_tail) |
| 487 | j->bindings_tail->next = b; |
| 488 | else |
| 489 | j->bindings_head = b; |
| 490 | j->bindings_tail = b; |
| 491 | j->binding_count++; |
| 492 | |
| 493 | return 0; |
| 494 | |
| 495 | error: |
| 496 | free(b->src); |
| 497 | free(b->dest); |
| 498 | free(b); |
| 499 | return -ENOMEM; |
| 500 | } |
| 501 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 502 | void API minijail_parse_seccomp_filters(struct minijail *j, const char *path) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 503 | { |
Utkarsh Sanghi | 0ef8a66 | 2014-08-18 15:50:11 -0700 | [diff] [blame] | 504 | if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL)) { |
| 505 | if ((errno == ENOSYS) && SECCOMP_SOFTFAIL) { |
| 506 | warn("not loading seccomp filter, seccomp not supported"); |
| 507 | return; |
| 508 | } |
| 509 | } |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 510 | FILE *file = fopen(path, "r"); |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 511 | if (!file) { |
Jorge Lucangeli Obes | 224e427 | 2012-08-02 14:31:39 -0700 | [diff] [blame] | 512 | pdie("failed to open seccomp filter file '%s'", path); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 513 | } |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 514 | |
| 515 | struct sock_fprog *fprog = malloc(sizeof(struct sock_fprog)); |
Jorge Lucangeli Obes | bda833c | 2012-07-31 16:25:56 -0700 | [diff] [blame] | 516 | if (compile_filter(file, fprog, j->flags.log_seccomp_filter)) { |
| 517 | die("failed to compile seccomp filter BPF program in '%s'", |
| 518 | path); |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 519 | } |
| 520 | |
| 521 | j->filter_len = fprog->len; |
| 522 | j->filter_prog = fprog; |
| 523 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 524 | fclose(file); |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 525 | } |
| 526 | |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 527 | struct marshal_state { |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 528 | size_t available; |
| 529 | size_t total; |
| 530 | char *buf; |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 531 | }; |
| 532 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 533 | void marshal_state_init(struct marshal_state *state, |
| 534 | char *buf, size_t available) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 535 | { |
| 536 | state->available = available; |
| 537 | state->buf = buf; |
| 538 | state->total = 0; |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 539 | } |
| 540 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 541 | void marshal_append(struct marshal_state *state, |
| 542 | char *src, size_t length) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 543 | { |
| 544 | size_t copy_len = MIN(state->available, length); |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 545 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 546 | /* Up to |available| will be written. */ |
| 547 | if (copy_len) { |
| 548 | memcpy(state->buf, src, copy_len); |
| 549 | state->buf += copy_len; |
| 550 | state->available -= copy_len; |
| 551 | } |
| 552 | /* |total| will contain the expected length. */ |
| 553 | state->total += length; |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 554 | } |
| 555 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 556 | void minijail_marshal_helper(struct marshal_state *state, |
| 557 | const struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 558 | { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 559 | struct binding *b = NULL; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 560 | marshal_append(state, (char *)j, sizeof(*j)); |
| 561 | if (j->user) |
| 562 | marshal_append(state, j->user, strlen(j->user) + 1); |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 563 | if (j->chrootdir) |
| 564 | marshal_append(state, j->chrootdir, strlen(j->chrootdir) + 1); |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 565 | if (j->flags.seccomp_filter && j->filter_prog) { |
| 566 | struct sock_fprog *fp = j->filter_prog; |
| 567 | marshal_append(state, (char *)fp->filter, |
| 568 | fp->len * sizeof(struct sock_filter)); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 569 | } |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 570 | for (b = j->bindings_head; b; b = b->next) { |
| 571 | marshal_append(state, b->src, strlen(b->src) + 1); |
| 572 | marshal_append(state, b->dest, strlen(b->dest) + 1); |
Jorge Lucangeli Obes | bda833c | 2012-07-31 16:25:56 -0700 | [diff] [blame] | 573 | marshal_append(state, (char *)&b->writeable, |
| 574 | sizeof(b->writeable)); |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 575 | } |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 576 | } |
| 577 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 578 | size_t API minijail_size(const struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 579 | { |
| 580 | struct marshal_state state; |
| 581 | marshal_state_init(&state, NULL, 0); |
| 582 | minijail_marshal_helper(&state, j); |
| 583 | return state.total; |
Will Drewry | 2ddaad0 | 2011-09-16 11:36:08 -0500 | [diff] [blame] | 584 | } |
| 585 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 586 | int minijail_marshal(const struct minijail *j, char *buf, size_t available) |
| 587 | { |
| 588 | struct marshal_state state; |
| 589 | marshal_state_init(&state, buf, available); |
| 590 | minijail_marshal_helper(&state, j); |
| 591 | return (state.total > available); |
Will Drewry | 2ddaad0 | 2011-09-16 11:36:08 -0500 | [diff] [blame] | 592 | } |
| 593 | |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 594 | /* consumebytes: consumes @length bytes from a buffer @buf of length @buflength |
| 595 | * @length Number of bytes to consume |
| 596 | * @buf Buffer to consume from |
| 597 | * @buflength Size of @buf |
| 598 | * |
| 599 | * Returns a pointer to the base of the bytes, or NULL for errors. |
| 600 | */ |
Jorge Lucangeli Obes | c8b21e1 | 2014-06-13 14:26:16 -0700 | [diff] [blame] | 601 | void *consumebytes(size_t length, char **buf, size_t *buflength) |
| 602 | { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 603 | char *p = *buf; |
| 604 | if (length > *buflength) |
| 605 | return NULL; |
| 606 | *buf += length; |
| 607 | *buflength -= length; |
| 608 | return p; |
| 609 | } |
| 610 | |
| 611 | /* consumestr: consumes a C string from a buffer @buf of length @length |
| 612 | * @buf Buffer to consume |
| 613 | * @length Length of buffer |
| 614 | * |
| 615 | * Returns a pointer to the base of the string, or NULL for errors. |
| 616 | */ |
Jorge Lucangeli Obes | c8b21e1 | 2014-06-13 14:26:16 -0700 | [diff] [blame] | 617 | char *consumestr(char **buf, size_t *buflength) |
| 618 | { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 619 | size_t len = strnlen(*buf, *buflength); |
| 620 | if (len == *buflength) |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 621 | /* There's no null-terminator. */ |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 622 | return NULL; |
| 623 | return consumebytes(len + 1, buf, buflength); |
| 624 | } |
| 625 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 626 | int minijail_unmarshal(struct minijail *j, char *serialized, size_t length) |
| 627 | { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 628 | int i; |
| 629 | int count; |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 630 | int ret = -EINVAL; |
| 631 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 632 | if (length < sizeof(*j)) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 633 | goto out; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 634 | memcpy((void *)j, serialized, sizeof(*j)); |
| 635 | serialized += sizeof(*j); |
| 636 | length -= sizeof(*j); |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 637 | |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 638 | /* Potentially stale pointers not used as signals. */ |
| 639 | j->bindings_head = NULL; |
| 640 | j->bindings_tail = NULL; |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 641 | j->filter_prog = NULL; |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 642 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 643 | if (j->user) { /* stale pointer */ |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 644 | char *user = consumestr(&serialized, &length); |
| 645 | if (!user) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 646 | goto clear_pointers; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 647 | j->user = strdup(user); |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 648 | if (!j->user) |
| 649 | goto clear_pointers; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 650 | } |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 651 | |
Elly Jones | a8d1e1b | 2011-10-21 15:38:00 -0400 | [diff] [blame] | 652 | if (j->chrootdir) { /* stale pointer */ |
| 653 | char *chrootdir = consumestr(&serialized, &length); |
| 654 | if (!chrootdir) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 655 | goto bad_chrootdir; |
Elly Jones | a8d1e1b | 2011-10-21 15:38:00 -0400 | [diff] [blame] | 656 | j->chrootdir = strdup(chrootdir); |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 657 | if (!j->chrootdir) |
| 658 | goto bad_chrootdir; |
Elly Jones | a8d1e1b | 2011-10-21 15:38:00 -0400 | [diff] [blame] | 659 | } |
| 660 | |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 661 | if (j->flags.seccomp_filter && j->filter_len > 0) { |
| 662 | size_t ninstrs = j->filter_len; |
| 663 | if (ninstrs > (SIZE_MAX / sizeof(struct sock_filter)) || |
| 664 | ninstrs > USHRT_MAX) |
| 665 | goto bad_filters; |
| 666 | |
| 667 | size_t program_len = ninstrs * sizeof(struct sock_filter); |
| 668 | void *program = consumebytes(program_len, &serialized, &length); |
| 669 | if (!program) |
| 670 | goto bad_filters; |
| 671 | |
| 672 | j->filter_prog = malloc(sizeof(struct sock_fprog)); |
| 673 | j->filter_prog->len = ninstrs; |
| 674 | j->filter_prog->filter = malloc(program_len); |
| 675 | memcpy(j->filter_prog->filter, program, program_len); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 676 | } |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 677 | |
| 678 | count = j->binding_count; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 679 | j->binding_count = 0; |
| 680 | for (i = 0; i < count; ++i) { |
| 681 | int *writeable; |
| 682 | const char *dest; |
| 683 | const char *src = consumestr(&serialized, &length); |
| 684 | if (!src) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 685 | goto bad_bindings; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 686 | dest = consumestr(&serialized, &length); |
| 687 | if (!dest) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 688 | goto bad_bindings; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 689 | writeable = consumebytes(sizeof(*writeable), &serialized, &length); |
| 690 | if (!writeable) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 691 | goto bad_bindings; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 692 | if (minijail_bind(j, src, dest, *writeable)) |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 693 | goto bad_bindings; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 694 | } |
| 695 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 696 | return 0; |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 697 | |
| 698 | bad_bindings: |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 699 | if (j->flags.seccomp_filter && j->filter_len > 0) { |
| 700 | free(j->filter_prog->filter); |
| 701 | free(j->filter_prog); |
| 702 | } |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 703 | bad_filters: |
| 704 | if (j->chrootdir) |
| 705 | free(j->chrootdir); |
| 706 | bad_chrootdir: |
| 707 | if (j->user) |
| 708 | free(j->user); |
| 709 | clear_pointers: |
| 710 | j->user = NULL; |
| 711 | j->chrootdir = NULL; |
| 712 | out: |
| 713 | return ret; |
Will Drewry | 2ddaad0 | 2011-09-16 11:36:08 -0500 | [diff] [blame] | 714 | } |
| 715 | |
Yu-Hsi Chiang | 10e9123 | 2015-08-05 14:40:45 +0800 | [diff] [blame] | 716 | static void write_ugid_mappings(const struct minijail *j, int *pipe_fds) |
| 717 | { |
| 718 | int fd, ret, len; |
| 719 | size_t sz; |
| 720 | char fname[32]; |
| 721 | close(pipe_fds[0]); |
| 722 | |
| 723 | sz = sizeof(fname); |
| 724 | if (j->uidmap) { |
| 725 | ret = snprintf(fname, sz, "/proc/%d/uid_map", j->initpid); |
Jorge Lucangeli Obes | 2034274 | 2015-10-27 11:39:59 -0700 | [diff] [blame] | 726 | if (ret < 0 || (size_t)ret >= sz) |
Yu-Hsi Chiang | 10e9123 | 2015-08-05 14:40:45 +0800 | [diff] [blame] | 727 | die("failed to write file name of uid_map"); |
| 728 | fd = open(fname, O_WRONLY); |
| 729 | if (fd < 0) |
| 730 | pdie("failed to open '%s'", fname); |
| 731 | len = strlen(j->uidmap); |
| 732 | if (write(fd, j->uidmap, len) < len) |
| 733 | die("failed to set uid_map"); |
| 734 | close(fd); |
| 735 | } |
| 736 | if (j->gidmap) { |
| 737 | ret = snprintf(fname, sz, "/proc/%d/gid_map", j->initpid); |
Jorge Lucangeli Obes | 2034274 | 2015-10-27 11:39:59 -0700 | [diff] [blame] | 738 | if (ret < 0 || (size_t)ret >= sz) |
Yu-Hsi Chiang | 10e9123 | 2015-08-05 14:40:45 +0800 | [diff] [blame] | 739 | die("failed to write file name of gid_map"); |
| 740 | fd = open(fname, O_WRONLY); |
| 741 | if (fd < 0) |
| 742 | pdie("failed to open '%s'", fname); |
| 743 | len = strlen(j->gidmap); |
| 744 | if (write(fd, j->gidmap, len) < len) |
| 745 | die("failed to set gid_map"); |
| 746 | close(fd); |
| 747 | } |
| 748 | |
| 749 | close(pipe_fds[1]); |
| 750 | } |
| 751 | |
| 752 | static void enter_user_namespace(const struct minijail *j, int *pipe_fds) |
| 753 | { |
| 754 | char buf; |
| 755 | |
| 756 | close(pipe_fds[1]); |
| 757 | |
| 758 | /* Wait for parent to set up uid/gid mappings. */ |
| 759 | if (read(pipe_fds[0], &buf, 1) != 0) |
| 760 | die("failed to sync with parent"); |
| 761 | close(pipe_fds[0]); |
| 762 | |
| 763 | if (j->uidmap && setresuid(0, 0, 0)) |
| 764 | pdie("setresuid"); |
| 765 | if (j->gidmap && setresgid(0, 0, 0)) |
| 766 | pdie("setresgid"); |
| 767 | } |
| 768 | |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 769 | /* bind_one: Applies bindings from @b for @j, recursing as needed. |
| 770 | * @j Minijail these bindings are for |
| 771 | * @b Head of list of bindings |
| 772 | * |
| 773 | * Returns 0 for success. |
| 774 | */ |
Jorge Lucangeli Obes | c8b21e1 | 2014-06-13 14:26:16 -0700 | [diff] [blame] | 775 | int bind_one(const struct minijail *j, struct binding *b) |
| 776 | { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 777 | int ret = 0; |
| 778 | char *dest = NULL; |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 779 | if (ret) |
| 780 | return ret; |
| 781 | /* dest has a leading "/" */ |
| 782 | if (asprintf(&dest, "%s%s", j->chrootdir, b->dest) < 0) |
| 783 | return -ENOMEM; |
Elly Jones | a105963 | 2011-12-15 15:17:07 -0500 | [diff] [blame] | 784 | ret = mount(b->src, dest, NULL, MS_BIND, NULL); |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 785 | if (ret) |
| 786 | pdie("bind: %s -> %s", b->src, dest); |
Elly Jones | a105963 | 2011-12-15 15:17:07 -0500 | [diff] [blame] | 787 | if (!b->writeable) { |
| 788 | ret = mount(b->src, dest, NULL, |
Jorge Lucangeli Obes | 2f61ee4 | 2014-06-16 11:08:18 -0700 | [diff] [blame] | 789 | MS_BIND | MS_REMOUNT | MS_RDONLY, NULL); |
Elly Jones | a105963 | 2011-12-15 15:17:07 -0500 | [diff] [blame] | 790 | if (ret) |
| 791 | pdie("bind ro: %s -> %s", b->src, dest); |
| 792 | } |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 793 | free(dest); |
| 794 | if (b->next) |
| 795 | return bind_one(j, b->next); |
| 796 | return ret; |
| 797 | } |
| 798 | |
Jorge Lucangeli Obes | c8b21e1 | 2014-06-13 14:26:16 -0700 | [diff] [blame] | 799 | int enter_chroot(const struct minijail *j) |
| 800 | { |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 801 | int ret; |
| 802 | if (j->bindings_head && (ret = bind_one(j, j->bindings_head))) |
| 803 | return ret; |
| 804 | |
| 805 | if (chroot(j->chrootdir)) |
| 806 | return -errno; |
| 807 | |
| 808 | if (chdir("/")) |
| 809 | return -errno; |
| 810 | |
| 811 | return 0; |
| 812 | } |
| 813 | |
Yu-Hsi Chiang | 64d65a7 | 2015-08-13 17:43:27 +0800 | [diff] [blame] | 814 | int enter_pivot_root(const struct minijail *j) |
| 815 | { |
Yu-Hsi Chiang | e0a530e | 2015-09-08 18:49:49 +0800 | [diff] [blame] | 816 | int ret, oldroot, newroot; |
Yu-Hsi Chiang | 64d65a7 | 2015-08-13 17:43:27 +0800 | [diff] [blame] | 817 | if (j->bindings_head && (ret = bind_one(j, j->bindings_head))) |
| 818 | return ret; |
| 819 | |
Yu-Hsi Chiang | e0a530e | 2015-09-08 18:49:49 +0800 | [diff] [blame] | 820 | /* Keep the fd for both old and new root. It will be used in fchdir later. */ |
| 821 | oldroot = open("/", O_DIRECTORY | O_RDONLY); |
| 822 | if (oldroot < 0) |
| 823 | pdie("failed to open / for fchdir"); |
| 824 | newroot = open(j->chrootdir, O_DIRECTORY | O_RDONLY); |
| 825 | if (newroot < 0) |
| 826 | pdie("failed to open %s for fchdir", j->chrootdir); |
| 827 | |
Yu-Hsi Chiang | 64d65a7 | 2015-08-13 17:43:27 +0800 | [diff] [blame] | 828 | /* To ensure chrootdir is the root of a file system, do a self bind mount. */ |
| 829 | if (mount(j->chrootdir, j->chrootdir, "bind", MS_BIND | MS_REC, "")) |
| 830 | pdie("failed to bind mount '%s'", j->chrootdir); |
| 831 | if (chdir(j->chrootdir)) |
| 832 | return -errno; |
Yu-Hsi Chiang | e0a530e | 2015-09-08 18:49:49 +0800 | [diff] [blame] | 833 | if (syscall(SYS_pivot_root, ".", ".")) |
Yu-Hsi Chiang | 64d65a7 | 2015-08-13 17:43:27 +0800 | [diff] [blame] | 834 | pdie("pivot_root"); |
Yu-Hsi Chiang | e0a530e | 2015-09-08 18:49:49 +0800 | [diff] [blame] | 835 | |
| 836 | /* |
| 837 | * Now the old root is mounted on top of the new root. Use fchdir to |
| 838 | * change to the old root and unmount it. |
| 839 | */ |
| 840 | if (fchdir(oldroot)) |
| 841 | pdie("failed to fchdir to old /"); |
Yu-Hsi Chiang | 64d65a7 | 2015-08-13 17:43:27 +0800 | [diff] [blame] | 842 | /* The old root might be busy, so use lazy unmount. */ |
Yu-Hsi Chiang | e0a530e | 2015-09-08 18:49:49 +0800 | [diff] [blame] | 843 | if (umount2(".", MNT_DETACH)) |
| 844 | pdie("umount(/)"); |
| 845 | /* Change back to the new root. */ |
| 846 | if (fchdir(newroot)) |
Yu-Hsi Chiang | 64d65a7 | 2015-08-13 17:43:27 +0800 | [diff] [blame] | 847 | return -errno; |
| 848 | if (chroot("/")) |
| 849 | return -errno; |
Jorge Lucangeli Obes | 46a5509 | 2015-10-12 15:31:59 -0700 | [diff] [blame] | 850 | /* Set correct CWD for getcwd(3). */ |
| 851 | if (chdir("/")) |
| 852 | return -errno; |
Yu-Hsi Chiang | 64d65a7 | 2015-08-13 17:43:27 +0800 | [diff] [blame] | 853 | |
| 854 | return 0; |
| 855 | } |
| 856 | |
Lee Campbell | 11af062 | 2014-05-22 12:36:04 -0700 | [diff] [blame] | 857 | int mount_tmp(void) |
| 858 | { |
Jorge Lucangeli Obes | 3901da6 | 2015-03-03 13:55:11 -0800 | [diff] [blame] | 859 | return mount("none", "/tmp", "tmpfs", 0, "size=64M,mode=777"); |
Lee Campbell | 11af062 | 2014-05-22 12:36:04 -0700 | [diff] [blame] | 860 | } |
| 861 | |
Dylan Reid | 791f577 | 2015-09-14 20:02:42 -0700 | [diff] [blame] | 862 | int remount_proc_readonly(const struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 863 | { |
| 864 | const char *kProcPath = "/proc"; |
| 865 | const unsigned int kSafeFlags = MS_NODEV | MS_NOEXEC | MS_NOSUID; |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 866 | /* |
| 867 | * Right now, we're holding a reference to our parent's old mount of |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 868 | * /proc in our namespace, which means using MS_REMOUNT here would |
| 869 | * mutate our parent's mount as well, even though we're in a VFS |
| 870 | * namespace (!). Instead, remove their mount from our namespace |
Yu-Hsi Chiang | 10e9123 | 2015-08-05 14:40:45 +0800 | [diff] [blame] | 871 | * and make our own. However, if we are in a new user namespace, /proc |
| 872 | * is not seen as mounted, so don't return error if umount() fails. |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 873 | */ |
Jorge Lucangeli Obes | 805be39 | 2015-10-12 15:55:59 -0700 | [diff] [blame] | 874 | if (umount2(kProcPath, MNT_DETACH) && !j->flags.userns) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 875 | return -errno; |
| 876 | if (mount("", kProcPath, "proc", kSafeFlags | MS_RDONLY, "")) |
| 877 | return -errno; |
| 878 | return 0; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 879 | } |
| 880 | |
Yu-Hsi Chiang | 3cc05ea | 2015-08-11 11:23:17 +0800 | [diff] [blame] | 881 | static void write_pid_file(const struct minijail *j) |
| 882 | { |
| 883 | FILE *fp = fopen(j->pid_file_path, "w"); |
| 884 | |
| 885 | if (!fp) |
| 886 | pdie("failed to open '%s'", j->pid_file_path); |
| 887 | if (fprintf(fp, "%d\n", (int)j->initpid) < 0) |
| 888 | pdie("fprintf(%s)", j->pid_file_path); |
| 889 | if (fclose(fp)) |
| 890 | pdie("fclose(%s)", j->pid_file_path); |
| 891 | } |
| 892 | |
Jorge Lucangeli Obes | 6201cf5 | 2012-08-23 11:42:27 -0700 | [diff] [blame] | 893 | void drop_ugid(const struct minijail *j) |
| 894 | { |
| 895 | if (j->flags.usergroups) { |
| 896 | if (initgroups(j->user, j->usergid)) |
| 897 | pdie("initgroups"); |
| 898 | } else { |
| 899 | /* Only attempt to clear supplemental groups if we are changing |
| 900 | * users. */ |
| 901 | if ((j->uid || j->gid) && setgroups(0, NULL)) |
| 902 | pdie("setgroups"); |
| 903 | } |
| 904 | |
| 905 | if (j->flags.gid && setresgid(j->gid, j->gid, j->gid)) |
| 906 | pdie("setresgid"); |
| 907 | |
| 908 | if (j->flags.uid && setresuid(j->uid, j->uid, j->uid)) |
| 909 | pdie("setresuid"); |
| 910 | } |
| 911 | |
Mike Frysinger | 3adfef7 | 2013-05-09 17:19:08 -0400 | [diff] [blame] | 912 | /* |
| 913 | * We specifically do not use cap_valid() as that only tells us the last |
| 914 | * valid cap we were *compiled* against (i.e. what the version of kernel |
| 915 | * headers says). If we run on a different kernel version, then it's not |
| 916 | * uncommon for that to be less (if an older kernel) or more (if a newer |
| 917 | * kernel). So suck up the answer via /proc. |
| 918 | */ |
Jorge Lucangeli Obes | 2034274 | 2015-10-27 11:39:59 -0700 | [diff] [blame] | 919 | static unsigned int get_last_valid_cap() |
Mike Frysinger | 3adfef7 | 2013-05-09 17:19:08 -0400 | [diff] [blame] | 920 | { |
Dylan Reid | f682d47 | 2015-09-17 21:39:07 -0700 | [diff] [blame] | 921 | const char cap_file[] = "/proc/sys/kernel/cap_last_cap"; |
| 922 | FILE *fp = fopen(cap_file, "re"); |
Jorge Lucangeli Obes | 2034274 | 2015-10-27 11:39:59 -0700 | [diff] [blame] | 923 | unsigned int last_valid_cap; |
Mike Frysinger | 3adfef7 | 2013-05-09 17:19:08 -0400 | [diff] [blame] | 924 | |
Dylan Reid | f682d47 | 2015-09-17 21:39:07 -0700 | [diff] [blame] | 925 | if (fscanf(fp, "%u", &last_valid_cap) != 1) |
| 926 | pdie("fscanf(%s)", cap_file); |
| 927 | fclose(fp); |
Mike Frysinger | 3adfef7 | 2013-05-09 17:19:08 -0400 | [diff] [blame] | 928 | |
Dylan Reid | f682d47 | 2015-09-17 21:39:07 -0700 | [diff] [blame] | 929 | return last_valid_cap; |
Mike Frysinger | 3adfef7 | 2013-05-09 17:19:08 -0400 | [diff] [blame] | 930 | } |
| 931 | |
Jorge Lucangeli Obes | 2034274 | 2015-10-27 11:39:59 -0700 | [diff] [blame] | 932 | void drop_caps(const struct minijail *j, unsigned int last_valid_cap) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 933 | { |
| 934 | cap_t caps = cap_get_proc(); |
Kees Cook | 323878a | 2013-02-05 15:35:24 -0800 | [diff] [blame] | 935 | cap_value_t flag[1]; |
Kees Cook | e5609ac | 2013-02-06 14:12:41 -0800 | [diff] [blame] | 936 | const uint64_t one = 1; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 937 | unsigned int i; |
| 938 | if (!caps) |
| 939 | die("can't get process caps"); |
| 940 | if (cap_clear_flag(caps, CAP_INHERITABLE)) |
| 941 | die("can't clear inheritable caps"); |
| 942 | if (cap_clear_flag(caps, CAP_EFFECTIVE)) |
| 943 | die("can't clear effective caps"); |
| 944 | if (cap_clear_flag(caps, CAP_PERMITTED)) |
| 945 | die("can't clear permitted caps"); |
Dylan Reid | f682d47 | 2015-09-17 21:39:07 -0700 | [diff] [blame] | 946 | for (i = 0; i < sizeof(j->caps) * 8 && i <= last_valid_cap; ++i) { |
Kees Cook | 323878a | 2013-02-05 15:35:24 -0800 | [diff] [blame] | 947 | /* Keep CAP_SETPCAP for dropping bounding set bits. */ |
Kees Cook | e5609ac | 2013-02-06 14:12:41 -0800 | [diff] [blame] | 948 | if (i != CAP_SETPCAP && !(j->caps & (one << i))) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 949 | continue; |
Kees Cook | 323878a | 2013-02-05 15:35:24 -0800 | [diff] [blame] | 950 | flag[0] = i; |
| 951 | if (cap_set_flag(caps, CAP_EFFECTIVE, 1, flag, CAP_SET)) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 952 | die("can't add effective cap"); |
Kees Cook | 323878a | 2013-02-05 15:35:24 -0800 | [diff] [blame] | 953 | if (cap_set_flag(caps, CAP_PERMITTED, 1, flag, CAP_SET)) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 954 | die("can't add permitted cap"); |
Kees Cook | 323878a | 2013-02-05 15:35:24 -0800 | [diff] [blame] | 955 | if (cap_set_flag(caps, CAP_INHERITABLE, 1, flag, CAP_SET)) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 956 | die("can't add inheritable cap"); |
| 957 | } |
| 958 | if (cap_set_proc(caps)) |
Kees Cook | 323878a | 2013-02-05 15:35:24 -0800 | [diff] [blame] | 959 | die("can't apply initial cleaned capset"); |
| 960 | |
| 961 | /* |
| 962 | * Instead of dropping bounding set first, do it here in case |
| 963 | * the caller had a more permissive bounding set which could |
| 964 | * have been used above to raise a capability that wasn't already |
| 965 | * present. This requires CAP_SETPCAP, so we raised/kept it above. |
| 966 | */ |
Dylan Reid | f682d47 | 2015-09-17 21:39:07 -0700 | [diff] [blame] | 967 | for (i = 0; i < sizeof(j->caps) * 8 && i <= last_valid_cap; ++i) { |
Kees Cook | e5609ac | 2013-02-06 14:12:41 -0800 | [diff] [blame] | 968 | if (j->caps & (one << i)) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 969 | continue; |
| 970 | if (prctl(PR_CAPBSET_DROP, i)) |
| 971 | pdie("prctl(PR_CAPBSET_DROP)"); |
| 972 | } |
Kees Cook | 323878a | 2013-02-05 15:35:24 -0800 | [diff] [blame] | 973 | |
| 974 | /* If CAP_SETPCAP wasn't specifically requested, now we remove it. */ |
Kees Cook | e5609ac | 2013-02-06 14:12:41 -0800 | [diff] [blame] | 975 | if ((j->caps & (one << CAP_SETPCAP)) == 0) { |
Kees Cook | 323878a | 2013-02-05 15:35:24 -0800 | [diff] [blame] | 976 | flag[0] = CAP_SETPCAP; |
| 977 | if (cap_set_flag(caps, CAP_EFFECTIVE, 1, flag, CAP_CLEAR)) |
| 978 | die("can't clear effective cap"); |
| 979 | if (cap_set_flag(caps, CAP_PERMITTED, 1, flag, CAP_CLEAR)) |
| 980 | die("can't clear permitted cap"); |
| 981 | if (cap_set_flag(caps, CAP_INHERITABLE, 1, flag, CAP_CLEAR)) |
| 982 | die("can't clear inheritable cap"); |
| 983 | } |
| 984 | |
| 985 | if (cap_set_proc(caps)) |
| 986 | die("can't apply final cleaned capset"); |
| 987 | |
| 988 | cap_free(caps); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 989 | } |
| 990 | |
Jorge Lucangeli Obes | 6201cf5 | 2012-08-23 11:42:27 -0700 | [diff] [blame] | 991 | void set_seccomp_filter(const struct minijail *j) |
| 992 | { |
| 993 | /* |
| 994 | * Set no_new_privs. See </kernel/seccomp.c> and </kernel/sys.c> |
| 995 | * in the kernel source tree for an explanation of the parameters. |
| 996 | */ |
| 997 | if (j->flags.no_new_privs) { |
| 998 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) |
| 999 | pdie("prctl(PR_SET_NO_NEW_PRIVS)"); |
| 1000 | } |
| 1001 | |
| 1002 | /* |
| 1003 | * If we're logging seccomp filter failures, |
| 1004 | * install the SIGSYS handler first. |
| 1005 | */ |
| 1006 | if (j->flags.seccomp_filter && j->flags.log_seccomp_filter) { |
| 1007 | if (install_sigsys_handler()) |
| 1008 | pdie("install SIGSYS handler"); |
| 1009 | warn("logging seccomp filter failures"); |
| 1010 | } |
| 1011 | |
| 1012 | /* |
| 1013 | * Install the syscall filter. |
| 1014 | */ |
| 1015 | if (j->flags.seccomp_filter) { |
Utkarsh Sanghi | 0ef8a66 | 2014-08-18 15:50:11 -0700 | [diff] [blame] | 1016 | if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, j->filter_prog)) { |
| 1017 | if ((errno == ENOSYS) && SECCOMP_SOFTFAIL) { |
| 1018 | warn("seccomp not supported"); |
| 1019 | return; |
| 1020 | } |
Jorge Lucangeli Obes | 6201cf5 | 2012-08-23 11:42:27 -0700 | [diff] [blame] | 1021 | pdie("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)"); |
Utkarsh Sanghi | 0ef8a66 | 2014-08-18 15:50:11 -0700 | [diff] [blame] | 1022 | } |
Jorge Lucangeli Obes | 6201cf5 | 2012-08-23 11:42:27 -0700 | [diff] [blame] | 1023 | } |
| 1024 | } |
| 1025 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 1026 | void API minijail_enter(const struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1027 | { |
Dylan Reid | f682d47 | 2015-09-17 21:39:07 -0700 | [diff] [blame] | 1028 | /* |
| 1029 | * Get the last valid cap from /proc, since /proc can be unmounted |
| 1030 | * before drop_caps(). |
| 1031 | */ |
Jorge Lucangeli Obes | 2034274 | 2015-10-27 11:39:59 -0700 | [diff] [blame] | 1032 | unsigned int last_valid_cap = get_last_valid_cap(); |
Dylan Reid | f682d47 | 2015-09-17 21:39:07 -0700 | [diff] [blame] | 1033 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1034 | if (j->flags.pids) |
| 1035 | die("tried to enter a pid-namespaced jail;" |
Jorge Lucangeli Obes | 1563b5b | 2014-07-10 07:01:53 -0700 | [diff] [blame] | 1036 | " try minijail_run()?"); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1037 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1038 | if (j->flags.usergroups && !j->user) |
| 1039 | die("usergroup inheritance without username"); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1040 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 1041 | /* |
| 1042 | * We can't recover from failures if we've dropped privileges partially, |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1043 | * so we don't even try. If any of our operations fail, we abort() the |
| 1044 | * entire process. |
| 1045 | */ |
Jorge Lucangeli Obes | 1563b5b | 2014-07-10 07:01:53 -0700 | [diff] [blame] | 1046 | if (j->flags.enter_vfs && setns(j->mountns_fd, CLONE_NEWNS)) |
| 1047 | pdie("setns(CLONE_NEWNS)"); |
| 1048 | |
Jorge Lucangeli Obes | 805be39 | 2015-10-12 15:55:59 -0700 | [diff] [blame] | 1049 | if (j->flags.vfs) { |
| 1050 | if (unshare(CLONE_NEWNS)) |
| 1051 | pdie("unshare(vfs)"); |
| 1052 | /* |
| 1053 | * Remount all filesystems as private. If they are shared |
| 1054 | * new bind mounts will creep out of our namespace. |
| 1055 | * https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt |
| 1056 | */ |
| 1057 | if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) |
| 1058 | pdie("mount(/, private)"); |
| 1059 | } |
Elly Fong-Jones | 6c08630 | 2013-03-20 17:15:28 -0400 | [diff] [blame] | 1060 | |
Dylan Reid | 1102f5a | 2015-09-15 11:52:20 -0700 | [diff] [blame] | 1061 | if (j->flags.enter_net) { |
| 1062 | if (setns(j->netns_fd, CLONE_NEWNET)) |
| 1063 | pdie("setns(CLONE_NEWNET)"); |
| 1064 | } else if (j->flags.net && unshare(CLONE_NEWNET)) { |
Elly Fong-Jones | 6c08630 | 2013-03-20 17:15:28 -0400 | [diff] [blame] | 1065 | pdie("unshare(net)"); |
Dylan Reid | 1102f5a | 2015-09-15 11:52:20 -0700 | [diff] [blame] | 1066 | } |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1067 | |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 1068 | if (j->flags.chroot && enter_chroot(j)) |
| 1069 | pdie("chroot"); |
| 1070 | |
Yu-Hsi Chiang | 64d65a7 | 2015-08-13 17:43:27 +0800 | [diff] [blame] | 1071 | if (j->flags.pivot_root && enter_pivot_root(j)) |
| 1072 | pdie("pivot_root"); |
| 1073 | |
Jorge Lucangeli Obes | 3901da6 | 2015-03-03 13:55:11 -0800 | [diff] [blame] | 1074 | if (j->flags.mount_tmp && mount_tmp()) |
Lee Campbell | 11af062 | 2014-05-22 12:36:04 -0700 | [diff] [blame] | 1075 | pdie("mount_tmp"); |
| 1076 | |
Dylan Reid | 791f577 | 2015-09-14 20:02:42 -0700 | [diff] [blame] | 1077 | if (j->flags.remount_proc_ro && remount_proc_readonly(j)) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1078 | pdie("remount"); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1079 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1080 | if (j->flags.caps) { |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 1081 | /* |
| 1082 | * POSIX capabilities are a bit tricky. If we drop our |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1083 | * capability to change uids, our attempt to use setuid() |
| 1084 | * below will fail. Hang on to root caps across setuid(), then |
| 1085 | * lock securebits. |
| 1086 | */ |
| 1087 | if (prctl(PR_SET_KEEPCAPS, 1)) |
| 1088 | pdie("prctl(PR_SET_KEEPCAPS)"); |
| 1089 | if (prctl |
| 1090 | (PR_SET_SECUREBITS, SECURE_ALL_BITS | SECURE_ALL_LOCKS)) |
| 1091 | pdie("prctl(PR_SET_SECUREBITS)"); |
| 1092 | } |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1093 | |
Jorge Lucangeli Obes | c2c9bcc | 2012-05-01 09:30:24 -0700 | [diff] [blame] | 1094 | /* |
Jorge Lucangeli Obes | 6201cf5 | 2012-08-23 11:42:27 -0700 | [diff] [blame] | 1095 | * If we're setting no_new_privs, we can drop privileges |
| 1096 | * before setting seccomp filter. This way filter policies |
| 1097 | * don't need to allow privilege-dropping syscalls. |
Jorge Lucangeli Obes | c2c9bcc | 2012-05-01 09:30:24 -0700 | [diff] [blame] | 1098 | */ |
| 1099 | if (j->flags.no_new_privs) { |
Jorge Lucangeli Obes | 6201cf5 | 2012-08-23 11:42:27 -0700 | [diff] [blame] | 1100 | drop_ugid(j); |
| 1101 | if (j->flags.caps) |
Dylan Reid | f682d47 | 2015-09-17 21:39:07 -0700 | [diff] [blame] | 1102 | drop_caps(j, last_valid_cap); |
Jorge Lucangeli Obes | c2c9bcc | 2012-05-01 09:30:24 -0700 | [diff] [blame] | 1103 | |
Jorge Lucangeli Obes | 6201cf5 | 2012-08-23 11:42:27 -0700 | [diff] [blame] | 1104 | set_seccomp_filter(j); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1105 | } else { |
Jorge Lucangeli Obes | 6201cf5 | 2012-08-23 11:42:27 -0700 | [diff] [blame] | 1106 | /* |
| 1107 | * If we're not setting no_new_privs, |
| 1108 | * we need to set seccomp filter *before* dropping privileges. |
| 1109 | * WARNING: this means that filter policies *must* allow |
| 1110 | * setgroups()/setresgid()/setresuid() for dropping root and |
| 1111 | * capget()/capset()/prctl() for dropping caps. |
| 1112 | */ |
| 1113 | set_seccomp_filter(j); |
| 1114 | |
| 1115 | drop_ugid(j); |
| 1116 | if (j->flags.caps) |
Dylan Reid | f682d47 | 2015-09-17 21:39:07 -0700 | [diff] [blame] | 1117 | drop_caps(j, last_valid_cap); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1118 | } |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1119 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 1120 | /* |
| 1121 | * seccomp has to come last since it cuts off all the other |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1122 | * privilege-dropping syscalls :) |
| 1123 | */ |
Utkarsh Sanghi | 0ef8a66 | 2014-08-18 15:50:11 -0700 | [diff] [blame] | 1124 | if (j->flags.seccomp && prctl(PR_SET_SECCOMP, 1)) { |
| 1125 | if ((errno == ENOSYS) && SECCOMP_SOFTFAIL) { |
| 1126 | warn("seccomp not supported"); |
| 1127 | return; |
| 1128 | } |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1129 | pdie("prctl(PR_SET_SECCOMP)"); |
Utkarsh Sanghi | 0ef8a66 | 2014-08-18 15:50:11 -0700 | [diff] [blame] | 1130 | } |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1131 | } |
| 1132 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 1133 | /* TODO(wad) will visibility affect this variable? */ |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1134 | static int init_exitstatus = 0; |
| 1135 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 1136 | void init_term(int __attribute__ ((unused)) sig) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1137 | { |
| 1138 | _exit(init_exitstatus); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1139 | } |
| 1140 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 1141 | int init(pid_t rootpid) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1142 | { |
| 1143 | pid_t pid; |
| 1144 | int status; |
| 1145 | /* so that we exit with the right status */ |
| 1146 | signal(SIGTERM, init_term); |
| 1147 | /* TODO(wad) self jail with seccomp_filters here. */ |
| 1148 | while ((pid = wait(&status)) > 0) { |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 1149 | /* |
| 1150 | * This loop will only end when either there are no processes |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1151 | * left inside our pid namespace or we get a signal. |
| 1152 | */ |
| 1153 | if (pid == rootpid) |
| 1154 | init_exitstatus = status; |
| 1155 | } |
| 1156 | if (!WIFEXITED(init_exitstatus)) |
| 1157 | _exit(MINIJAIL_ERR_INIT); |
| 1158 | _exit(WEXITSTATUS(init_exitstatus)); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1159 | } |
| 1160 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 1161 | int API minijail_from_fd(int fd, struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1162 | { |
| 1163 | size_t sz = 0; |
| 1164 | size_t bytes = read(fd, &sz, sizeof(sz)); |
| 1165 | char *buf; |
| 1166 | int r; |
| 1167 | if (sizeof(sz) != bytes) |
| 1168 | return -EINVAL; |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1169 | if (sz > USHRT_MAX) /* arbitrary sanity check */ |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1170 | return -E2BIG; |
| 1171 | buf = malloc(sz); |
| 1172 | if (!buf) |
| 1173 | return -ENOMEM; |
| 1174 | bytes = read(fd, buf, sz); |
| 1175 | if (bytes != sz) { |
| 1176 | free(buf); |
| 1177 | return -EINVAL; |
| 1178 | } |
| 1179 | r = minijail_unmarshal(j, buf, sz); |
| 1180 | free(buf); |
| 1181 | return r; |
Will Drewry | 2f54b6a | 2011-09-16 13:45:31 -0500 | [diff] [blame] | 1182 | } |
| 1183 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 1184 | int API minijail_to_fd(struct minijail *j, int fd) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1185 | { |
| 1186 | char *buf; |
| 1187 | size_t sz = minijail_size(j); |
| 1188 | ssize_t written; |
| 1189 | int r; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1190 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1191 | if (!sz) |
| 1192 | return -EINVAL; |
| 1193 | buf = malloc(sz); |
| 1194 | r = minijail_marshal(j, buf, sz); |
| 1195 | if (r) { |
| 1196 | free(buf); |
| 1197 | return r; |
| 1198 | } |
| 1199 | /* Sends [size][minijail]. */ |
| 1200 | written = write(fd, &sz, sizeof(sz)); |
| 1201 | if (written != sizeof(sz)) { |
| 1202 | free(buf); |
| 1203 | return -EFAULT; |
| 1204 | } |
| 1205 | written = write(fd, buf, sz); |
| 1206 | if (written < 0 || (size_t) written != sz) { |
| 1207 | free(buf); |
| 1208 | return -EFAULT; |
| 1209 | } |
| 1210 | free(buf); |
| 1211 | return 0; |
Will Drewry | 2f54b6a | 2011-09-16 13:45:31 -0500 | [diff] [blame] | 1212 | } |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1213 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 1214 | int setup_preload(void) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1215 | { |
Daniel Erat | 5b7a318 | 2015-08-19 16:06:22 -0600 | [diff] [blame] | 1216 | #if defined(__ANDROID__) |
Jorge Lucangeli Obes | a21c8fc | 2015-07-15 16:22:34 -0700 | [diff] [blame] | 1217 | /* Don't use LDPRELOAD on Brillo. */ |
| 1218 | return 0; |
| 1219 | #else |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1220 | char *oldenv = getenv(kLdPreloadEnvVar) ? : ""; |
| 1221 | char *newenv = malloc(strlen(oldenv) + 2 + strlen(PRELOADPATH)); |
| 1222 | if (!newenv) |
| 1223 | return -ENOMEM; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1224 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1225 | /* Only insert a separating space if we have something to separate... */ |
| 1226 | sprintf(newenv, "%s%s%s", oldenv, strlen(oldenv) ? " " : "", |
| 1227 | PRELOADPATH); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1228 | |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1229 | /* setenv() makes a copy of the string we give it. */ |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1230 | setenv(kLdPreloadEnvVar, newenv, 1); |
| 1231 | free(newenv); |
| 1232 | return 0; |
Jorge Lucangeli Obes | a21c8fc | 2015-07-15 16:22:34 -0700 | [diff] [blame] | 1233 | #endif |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1234 | } |
| 1235 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 1236 | int setup_pipe(int fds[2]) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1237 | { |
| 1238 | int r = pipe(fds); |
| 1239 | char fd_buf[11]; |
| 1240 | if (r) |
| 1241 | return r; |
| 1242 | r = snprintf(fd_buf, sizeof(fd_buf), "%d", fds[0]); |
| 1243 | if (r <= 0) |
| 1244 | return -EINVAL; |
| 1245 | setenv(kFdEnvVar, fd_buf, 1); |
| 1246 | return 0; |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 1247 | } |
| 1248 | |
Jorge Lucangeli Obes | 339a113 | 2013-02-15 16:53:47 -0800 | [diff] [blame] | 1249 | int setup_pipe_end(int fds[2], size_t index) |
| 1250 | { |
| 1251 | if (index > 1) |
| 1252 | return -1; |
| 1253 | |
| 1254 | close(fds[1 - index]); |
| 1255 | return fds[index]; |
| 1256 | } |
| 1257 | |
| 1258 | int setup_and_dupe_pipe_end(int fds[2], size_t index, int fd) |
| 1259 | { |
| 1260 | if (index > 1) |
| 1261 | return -1; |
| 1262 | |
| 1263 | close(fds[1 - index]); |
| 1264 | /* dup2(2) the corresponding end of the pipe into |fd|. */ |
| 1265 | return dup2(fds[index], fd); |
| 1266 | } |
| 1267 | |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1268 | int minijail_run_internal(struct minijail *j, const char *filename, |
| 1269 | char *const argv[], pid_t *pchild_pid, |
| 1270 | int *pstdin_fd, int *pstdout_fd, int *pstderr_fd, |
| 1271 | int use_preload); |
| 1272 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 1273 | int API minijail_run(struct minijail *j, const char *filename, |
| 1274 | char *const argv[]) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1275 | { |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1276 | return minijail_run_internal(j, filename, argv, NULL, NULL, NULL, NULL, |
| 1277 | true); |
Jorge Lucangeli Obes | 9807d03 | 2012-04-17 13:36:00 -0700 | [diff] [blame] | 1278 | } |
| 1279 | |
| 1280 | int API minijail_run_pid(struct minijail *j, const char *filename, |
| 1281 | char *const argv[], pid_t *pchild_pid) |
| 1282 | { |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1283 | return minijail_run_internal(j, filename, argv, pchild_pid, |
| 1284 | NULL, NULL, NULL, true); |
Jorge Lucangeli Obes | df4bd35 | 2012-08-29 19:12:28 -0700 | [diff] [blame] | 1285 | } |
| 1286 | |
| 1287 | int API minijail_run_pipe(struct minijail *j, const char *filename, |
Jorge Lucangeli Obes | 6537a56 | 2012-09-05 10:39:40 -0700 | [diff] [blame] | 1288 | char *const argv[], int *pstdin_fd) |
Jorge Lucangeli Obes | df4bd35 | 2012-08-29 19:12:28 -0700 | [diff] [blame] | 1289 | { |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1290 | return minijail_run_internal(j, filename, argv, NULL, pstdin_fd, |
| 1291 | NULL, NULL, true); |
Jorge Lucangeli Obes | df4bd35 | 2012-08-29 19:12:28 -0700 | [diff] [blame] | 1292 | } |
| 1293 | |
Jorge Lucangeli Obes | 339a113 | 2013-02-15 16:53:47 -0800 | [diff] [blame] | 1294 | int API minijail_run_pid_pipes(struct minijail *j, const char *filename, |
Jorge Lucangeli Obes | 4ae30cc | 2014-04-10 15:35:33 -0700 | [diff] [blame] | 1295 | char *const argv[], pid_t *pchild_pid, |
| 1296 | int *pstdin_fd, int *pstdout_fd, int *pstderr_fd) |
Jorge Lucangeli Obes | 339a113 | 2013-02-15 16:53:47 -0800 | [diff] [blame] | 1297 | { |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1298 | return minijail_run_internal(j, filename, argv, pchild_pid, |
| 1299 | pstdin_fd, pstdout_fd, pstderr_fd, true); |
| 1300 | } |
| 1301 | |
| 1302 | int API minijail_run_no_preload(struct minijail *j, const char *filename, |
| 1303 | char *const argv[]) |
| 1304 | { |
| 1305 | return minijail_run_internal(j, filename, argv, NULL, NULL, NULL, NULL, |
| 1306 | false); |
| 1307 | } |
| 1308 | |
Samuel Tan | 63187f4 | 2015-10-16 13:01:53 -0700 | [diff] [blame] | 1309 | int API minijail_run_pid_pipes_no_preload(struct minijail *j, |
| 1310 | const char *filename, char *const argv[], |
| 1311 | pid_t *pchild_pid, |
| 1312 | int *pstdin_fd, int *pstdout_fd, int *pstderr_fd) { |
| 1313 | return minijail_run_internal(j, filename, argv, pchild_pid, |
| 1314 | pstdin_fd, pstdout_fd, pstderr_fd, false); |
| 1315 | } |
| 1316 | |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1317 | int minijail_run_internal(struct minijail *j, const char *filename, |
| 1318 | char *const argv[], pid_t *pchild_pid, |
| 1319 | int *pstdin_fd, int *pstdout_fd, int *pstderr_fd, |
| 1320 | int use_preload) |
| 1321 | { |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1322 | char *oldenv, *oldenv_copy = NULL; |
| 1323 | pid_t child_pid; |
| 1324 | int pipe_fds[2]; |
Jorge Lucangeli Obes | df4bd35 | 2012-08-29 19:12:28 -0700 | [diff] [blame] | 1325 | int stdin_fds[2]; |
Jorge Lucangeli Obes | 339a113 | 2013-02-15 16:53:47 -0800 | [diff] [blame] | 1326 | int stdout_fds[2]; |
| 1327 | int stderr_fds[2]; |
Yu-Hsi Chiang | 10e9123 | 2015-08-05 14:40:45 +0800 | [diff] [blame] | 1328 | int userns_pipe_fds[2]; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1329 | int ret; |
Elly Jones | a05d7bb | 2012-06-14 14:09:27 -0400 | [diff] [blame] | 1330 | /* We need to remember this across the minijail_preexec() call. */ |
| 1331 | int pid_namespace = j->flags.pids; |
Yu-Hsi Chiang | 3e954ec | 2015-07-28 16:48:14 +0800 | [diff] [blame] | 1332 | int do_init = j->flags.do_init; |
Ben Chan | 541c7e5 | 2011-08-26 14:55:53 -0700 | [diff] [blame] | 1333 | |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1334 | if (use_preload) { |
| 1335 | oldenv = getenv(kLdPreloadEnvVar); |
| 1336 | if (oldenv) { |
| 1337 | oldenv_copy = strdup(oldenv); |
| 1338 | if (!oldenv_copy) |
| 1339 | return -ENOMEM; |
| 1340 | } |
| 1341 | |
| 1342 | if (setup_preload()) |
| 1343 | return -EFAULT; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1344 | } |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 1345 | |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1346 | if (!use_preload) { |
| 1347 | if (j->flags.caps) |
| 1348 | die("Capabilities are not supported without " |
| 1349 | "LD_PRELOAD"); |
| 1350 | } |
Will Drewry | 2f54b6a | 2011-09-16 13:45:31 -0500 | [diff] [blame] | 1351 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 1352 | /* |
Jorge Lucangeli Obes | 3c84df1 | 2015-05-14 17:37:58 -0700 | [diff] [blame] | 1353 | * Make the process group ID of this process equal to its PID, so that |
| 1354 | * both the Minijail process and the jailed process can be killed |
| 1355 | * together. |
| 1356 | * Don't fail on EPERM, since setpgid(0, 0) can only EPERM when |
| 1357 | * the process is already a process group leader. |
| 1358 | */ |
| 1359 | if (setpgid(0 /* use calling PID */, 0 /* make PGID = PID */)) { |
| 1360 | if (errno != EPERM) { |
| 1361 | pdie("setpgid(0, 0)"); |
| 1362 | } |
| 1363 | } |
| 1364 | |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1365 | if (use_preload) { |
| 1366 | /* |
| 1367 | * Before we fork(2) and execve(2) the child process, we need |
| 1368 | * to open a pipe(2) to send the minijail configuration over. |
| 1369 | */ |
| 1370 | if (setup_pipe(pipe_fds)) |
| 1371 | return -EFAULT; |
| 1372 | } |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1373 | |
Jorge Lucangeli Obes | df4bd35 | 2012-08-29 19:12:28 -0700 | [diff] [blame] | 1374 | /* |
| 1375 | * If we want to write to the child process' standard input, |
| 1376 | * create the pipe(2) now. |
| 1377 | */ |
| 1378 | if (pstdin_fd) { |
| 1379 | if (pipe(stdin_fds)) |
| 1380 | return -EFAULT; |
| 1381 | } |
| 1382 | |
Jorge Lucangeli Obes | 339a113 | 2013-02-15 16:53:47 -0800 | [diff] [blame] | 1383 | /* |
| 1384 | * If we want to read from the child process' standard output, |
| 1385 | * create the pipe(2) now. |
| 1386 | */ |
| 1387 | if (pstdout_fd) { |
| 1388 | if (pipe(stdout_fds)) |
| 1389 | return -EFAULT; |
| 1390 | } |
| 1391 | |
| 1392 | /* |
| 1393 | * If we want to read from the child process' standard error, |
| 1394 | * create the pipe(2) now. |
| 1395 | */ |
| 1396 | if (pstderr_fd) { |
| 1397 | if (pipe(stderr_fds)) |
| 1398 | return -EFAULT; |
| 1399 | } |
| 1400 | |
Yu-Hsi Chiang | 10e9123 | 2015-08-05 14:40:45 +0800 | [diff] [blame] | 1401 | /* |
| 1402 | * If we want to set up a new uid/gid mapping in the user namespace, |
| 1403 | * create the pipe(2) to sync between parent and child. |
| 1404 | */ |
| 1405 | if (j->flags.userns) { |
| 1406 | if (pipe(userns_pipe_fds)) |
| 1407 | return -EFAULT; |
| 1408 | } |
| 1409 | |
Elly Jones | 761b741 | 2012-06-13 15:49:52 -0400 | [diff] [blame] | 1410 | /* Use sys_clone() if and only if we're creating a pid namespace. |
| 1411 | * |
| 1412 | * tl;dr: WARNING: do not mix pid namespaces and multithreading. |
| 1413 | * |
| 1414 | * In multithreaded programs, there are a bunch of locks inside libc, |
| 1415 | * some of which may be held by other threads at the time that we call |
| 1416 | * minijail_run_pid(). If we call fork(), glibc does its level best to |
| 1417 | * ensure that we hold all of these locks before it calls clone() |
| 1418 | * internally and drop them after clone() returns, but when we call |
| 1419 | * sys_clone(2) directly, all that gets bypassed and we end up with a |
| 1420 | * child address space where some of libc's important locks are held by |
| 1421 | * other threads (which did not get cloned, and hence will never release |
| 1422 | * those locks). This is okay so long as we call exec() immediately |
| 1423 | * after, but a bunch of seemingly-innocent libc functions like setenv() |
| 1424 | * take locks. |
| 1425 | * |
| 1426 | * Hence, only call sys_clone() if we need to, in order to get at pid |
| 1427 | * namespacing. If we follow this path, the child's address space might |
| 1428 | * have broken locks; you may only call functions that do not acquire |
| 1429 | * any locks. |
| 1430 | * |
| 1431 | * Unfortunately, fork() acquires every lock it can get its hands on, as |
| 1432 | * previously detailed, so this function is highly likely to deadlock |
| 1433 | * later on (see "deadlock here") if we're multithreaded. |
| 1434 | * |
| 1435 | * We might hack around this by having the clone()d child (init of the |
| 1436 | * pid namespace) return directly, rather than leaving the clone()d |
| 1437 | * process hanging around to be init for the new namespace (and having |
| 1438 | * its fork()ed child return in turn), but that process would be crippled |
| 1439 | * with its libc locks potentially broken. We might try fork()ing in the |
| 1440 | * parent before we clone() to ensure that we own all the locks, but |
| 1441 | * then we have to have the forked child hanging around consuming |
| 1442 | * resources (and possibly having file descriptors / shared memory |
| 1443 | * regions / etc attached). We'd need to keep the child around to avoid |
| 1444 | * having its children get reparented to init. |
| 1445 | * |
| 1446 | * TODO(ellyjones): figure out if the "forked child hanging around" |
| 1447 | * problem is fixable or not. It would be nice if we worked in this |
| 1448 | * case. |
| 1449 | */ |
Yu-Hsi Chiang | 10e9123 | 2015-08-05 14:40:45 +0800 | [diff] [blame] | 1450 | if (pid_namespace) { |
| 1451 | int clone_flags = CLONE_NEWPID | SIGCHLD; |
| 1452 | if (j->flags.userns) |
| 1453 | clone_flags |= CLONE_NEWUSER; |
| 1454 | child_pid = syscall(SYS_clone, clone_flags, NULL); |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1455 | } else { |
Elly Jones | 761b741 | 2012-06-13 15:49:52 -0400 | [diff] [blame] | 1456 | child_pid = fork(); |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1457 | } |
Elly Jones | 761b741 | 2012-06-13 15:49:52 -0400 | [diff] [blame] | 1458 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1459 | if (child_pid < 0) { |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1460 | if (use_preload) { |
| 1461 | free(oldenv_copy); |
| 1462 | } |
Lee Campbell | 1e4fc6a | 2014-06-06 17:40:02 -0700 | [diff] [blame] | 1463 | die("failed to fork child"); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1464 | } |
Will Drewry | f89aef5 | 2011-09-16 16:48:57 -0500 | [diff] [blame] | 1465 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1466 | if (child_pid) { |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1467 | if (use_preload) { |
| 1468 | /* Restore parent's LD_PRELOAD. */ |
| 1469 | if (oldenv_copy) { |
| 1470 | setenv(kLdPreloadEnvVar, oldenv_copy, 1); |
| 1471 | free(oldenv_copy); |
| 1472 | } else { |
| 1473 | unsetenv(kLdPreloadEnvVar); |
| 1474 | } |
| 1475 | unsetenv(kFdEnvVar); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1476 | } |
Jorge Lucangeli Obes | df4bd35 | 2012-08-29 19:12:28 -0700 | [diff] [blame] | 1477 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1478 | j->initpid = child_pid; |
Jorge Lucangeli Obes | df4bd35 | 2012-08-29 19:12:28 -0700 | [diff] [blame] | 1479 | |
Yu-Hsi Chiang | 3cc05ea | 2015-08-11 11:23:17 +0800 | [diff] [blame] | 1480 | if (j->flags.pid_file) |
| 1481 | write_pid_file(j); |
| 1482 | |
Yu-Hsi Chiang | 10e9123 | 2015-08-05 14:40:45 +0800 | [diff] [blame] | 1483 | if (j->flags.userns) |
| 1484 | write_ugid_mappings(j, userns_pipe_fds); |
| 1485 | |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1486 | if (use_preload) { |
| 1487 | /* Send marshalled minijail. */ |
| 1488 | close(pipe_fds[0]); /* read endpoint */ |
| 1489 | ret = minijail_to_fd(j, pipe_fds[1]); |
| 1490 | close(pipe_fds[1]); /* write endpoint */ |
| 1491 | if (ret) { |
| 1492 | kill(j->initpid, SIGKILL); |
| 1493 | die("failed to send marshalled minijail"); |
| 1494 | } |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1495 | } |
Jorge Lucangeli Obes | df4bd35 | 2012-08-29 19:12:28 -0700 | [diff] [blame] | 1496 | |
Jorge Lucangeli Obes | 9807d03 | 2012-04-17 13:36:00 -0700 | [diff] [blame] | 1497 | if (pchild_pid) |
| 1498 | *pchild_pid = child_pid; |
Jorge Lucangeli Obes | df4bd35 | 2012-08-29 19:12:28 -0700 | [diff] [blame] | 1499 | |
| 1500 | /* |
| 1501 | * If we want to write to the child process' standard input, |
| 1502 | * set up the write end of the pipe. |
| 1503 | */ |
Jorge Lucangeli Obes | 339a113 | 2013-02-15 16:53:47 -0800 | [diff] [blame] | 1504 | if (pstdin_fd) |
| 1505 | *pstdin_fd = setup_pipe_end(stdin_fds, |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1506 | 1 /* write end */); |
Jorge Lucangeli Obes | 339a113 | 2013-02-15 16:53:47 -0800 | [diff] [blame] | 1507 | |
| 1508 | /* |
| 1509 | * If we want to read from the child process' standard output, |
| 1510 | * set up the read end of the pipe. |
| 1511 | */ |
| 1512 | if (pstdout_fd) |
| 1513 | *pstdout_fd = setup_pipe_end(stdout_fds, |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1514 | 0 /* read end */); |
Jorge Lucangeli Obes | 339a113 | 2013-02-15 16:53:47 -0800 | [diff] [blame] | 1515 | |
| 1516 | /* |
| 1517 | * If we want to read from the child process' standard error, |
| 1518 | * set up the read end of the pipe. |
| 1519 | */ |
| 1520 | if (pstderr_fd) |
| 1521 | *pstderr_fd = setup_pipe_end(stderr_fds, |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1522 | 0 /* read end */); |
Jorge Lucangeli Obes | df4bd35 | 2012-08-29 19:12:28 -0700 | [diff] [blame] | 1523 | |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1524 | return 0; |
| 1525 | } |
| 1526 | free(oldenv_copy); |
Ben Chan | 541c7e5 | 2011-08-26 14:55:53 -0700 | [diff] [blame] | 1527 | |
Yu-Hsi Chiang | 10e9123 | 2015-08-05 14:40:45 +0800 | [diff] [blame] | 1528 | if (j->flags.userns) |
| 1529 | enter_user_namespace(j, userns_pipe_fds); |
| 1530 | |
Jorge Lucangeli Obes | df4bd35 | 2012-08-29 19:12:28 -0700 | [diff] [blame] | 1531 | /* |
| 1532 | * If we want to write to the jailed process' standard input, |
| 1533 | * set up the read end of the pipe. |
| 1534 | */ |
| 1535 | if (pstdin_fd) { |
Jorge Lucangeli Obes | 339a113 | 2013-02-15 16:53:47 -0800 | [diff] [blame] | 1536 | if (setup_and_dupe_pipe_end(stdin_fds, 0 /* read end */, |
| 1537 | STDIN_FILENO) < 0) |
Jorge Lucangeli Obes | df4bd35 | 2012-08-29 19:12:28 -0700 | [diff] [blame] | 1538 | die("failed to set up stdin pipe"); |
| 1539 | } |
| 1540 | |
Jorge Lucangeli Obes | 339a113 | 2013-02-15 16:53:47 -0800 | [diff] [blame] | 1541 | /* |
| 1542 | * If we want to read from the jailed process' standard output, |
| 1543 | * set up the write end of the pipe. |
| 1544 | */ |
| 1545 | if (pstdout_fd) { |
| 1546 | if (setup_and_dupe_pipe_end(stdout_fds, 1 /* write end */, |
| 1547 | STDOUT_FILENO) < 0) |
| 1548 | die("failed to set up stdout pipe"); |
| 1549 | } |
| 1550 | |
| 1551 | /* |
| 1552 | * If we want to read from the jailed process' standard error, |
| 1553 | * set up the write end of the pipe. |
| 1554 | */ |
| 1555 | if (pstderr_fd) { |
| 1556 | if (setup_and_dupe_pipe_end(stderr_fds, 1 /* write end */, |
| 1557 | STDERR_FILENO) < 0) |
| 1558 | die("failed to set up stderr pipe"); |
| 1559 | } |
| 1560 | |
Dylan Reid | 791f577 | 2015-09-14 20:02:42 -0700 | [diff] [blame] | 1561 | /* If running an init program, let it decide when/how to mount /proc. */ |
| 1562 | if (pid_namespace && !do_init) |
| 1563 | j->flags.remount_proc_ro = 0; |
| 1564 | |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1565 | if (use_preload) { |
| 1566 | /* Strip out flags that cannot be inherited across execve(2). */ |
| 1567 | minijail_preexec(j); |
| 1568 | } else { |
| 1569 | j->flags.pids = 0; |
| 1570 | } |
| 1571 | /* Jail this process, then execve() the target. */ |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1572 | minijail_enter(j); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1573 | |
Yu-Hsi Chiang | 3e954ec | 2015-07-28 16:48:14 +0800 | [diff] [blame] | 1574 | if (pid_namespace && do_init) { |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 1575 | /* |
| 1576 | * pid namespace: this process will become init inside the new |
Yu-Hsi Chiang | 3e954ec | 2015-07-28 16:48:14 +0800 | [diff] [blame] | 1577 | * namespace. We don't want all programs we might exec to have |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1578 | * to know how to be init. Normally (do_init == 1) we fork off |
Yu-Hsi Chiang | 3e954ec | 2015-07-28 16:48:14 +0800 | [diff] [blame] | 1579 | * a child to actually run the program. If |do_init == 0|, we |
| 1580 | * let the program keep pid 1 and be init. |
Elly Jones | 761b741 | 2012-06-13 15:49:52 -0400 | [diff] [blame] | 1581 | * |
| 1582 | * If we're multithreaded, we'll probably deadlock here. See |
| 1583 | * WARNING above. |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1584 | */ |
| 1585 | child_pid = fork(); |
| 1586 | if (child_pid < 0) |
| 1587 | _exit(child_pid); |
| 1588 | else if (child_pid > 0) |
| 1589 | init(child_pid); /* never returns */ |
| 1590 | } |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1591 | |
Elly Jones | dd3e851 | 2012-01-23 15:13:38 -0500 | [diff] [blame] | 1592 | /* |
Jorge Lucangeli Obes | 5471450 | 2015-09-30 10:08:45 -0700 | [diff] [blame] | 1593 | * If we aren't pid-namespaced, or the jailed program asked to be init: |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1594 | * calling process |
| 1595 | * -> execve()-ing process |
| 1596 | * If we are: |
| 1597 | * calling process |
| 1598 | * -> init()-ing process |
| 1599 | * -> execve()-ing process |
| 1600 | */ |
| 1601 | _exit(execve(filename, argv, environ)); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1602 | } |
| 1603 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 1604 | int API minijail_kill(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1605 | { |
| 1606 | int st; |
| 1607 | if (kill(j->initpid, SIGTERM)) |
| 1608 | return -errno; |
| 1609 | if (waitpid(j->initpid, &st, 0) < 0) |
| 1610 | return -errno; |
| 1611 | return st; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1612 | } |
| 1613 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 1614 | int API minijail_wait(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1615 | { |
| 1616 | int st; |
| 1617 | if (waitpid(j->initpid, &st, 0) < 0) |
| 1618 | return -errno; |
Jorge Lucangeli Obes | 1530b74 | 2012-12-11 14:08:09 -0800 | [diff] [blame] | 1619 | |
Jorge Lucangeli Obes | c2c9bcc | 2012-05-01 09:30:24 -0700 | [diff] [blame] | 1620 | if (!WIFEXITED(st)) { |
Jorge Lucangeli Obes | 18d1eba | 2014-04-18 13:58:20 -0700 | [diff] [blame] | 1621 | int error_status = st; |
| 1622 | if (WIFSIGNALED(st)) { |
| 1623 | int signum = WTERMSIG(st); |
mukesh agrawal | c420a26 | 2013-06-11 17:22:42 -0700 | [diff] [blame] | 1624 | warn("child process %d received signal %d", |
Jorge Lucangeli Obes | 18d1eba | 2014-04-18 13:58:20 -0700 | [diff] [blame] | 1625 | j->initpid, signum); |
| 1626 | /* |
| 1627 | * We return MINIJAIL_ERR_JAIL if the process received |
| 1628 | * SIGSYS, which happens when a syscall is blocked by |
| 1629 | * seccomp filters. |
| 1630 | * If not, we do what bash(1) does: |
| 1631 | * $? = 128 + signum |
| 1632 | */ |
| 1633 | if (signum == SIGSYS) { |
| 1634 | error_status = MINIJAIL_ERR_JAIL; |
| 1635 | } else { |
| 1636 | error_status = 128 + signum; |
| 1637 | } |
| 1638 | } |
| 1639 | return error_status; |
Jorge Lucangeli Obes | c2c9bcc | 2012-05-01 09:30:24 -0700 | [diff] [blame] | 1640 | } |
Jorge Lucangeli Obes | 1530b74 | 2012-12-11 14:08:09 -0800 | [diff] [blame] | 1641 | |
| 1642 | int exit_status = WEXITSTATUS(st); |
| 1643 | if (exit_status != 0) |
mukesh agrawal | c420a26 | 2013-06-11 17:22:42 -0700 | [diff] [blame] | 1644 | info("child process %d exited with status %d", |
| 1645 | j->initpid, exit_status); |
Jorge Lucangeli Obes | 1530b74 | 2012-12-11 14:08:09 -0800 | [diff] [blame] | 1646 | |
| 1647 | return exit_status; |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1648 | } |
| 1649 | |
Will Drewry | 6ac9112 | 2011-10-21 16:38:58 -0500 | [diff] [blame] | 1650 | void API minijail_destroy(struct minijail *j) |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1651 | { |
Jorge Lucangeli Obes | 524c040 | 2012-01-17 11:30:23 -0800 | [diff] [blame] | 1652 | if (j->flags.seccomp_filter && j->filter_prog) { |
| 1653 | free(j->filter_prog->filter); |
| 1654 | free(j->filter_prog); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1655 | } |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 1656 | while (j->bindings_head) { |
| 1657 | struct binding *b = j->bindings_head; |
| 1658 | j->bindings_head = j->bindings_head->next; |
| 1659 | free(b->dest); |
| 1660 | free(b->src); |
| 1661 | free(b); |
| 1662 | } |
| 1663 | j->bindings_tail = NULL; |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1664 | if (j->user) |
| 1665 | free(j->user); |
Will Drewry | bee7ba7 | 2011-10-21 20:47:01 -0500 | [diff] [blame] | 1666 | if (j->chrootdir) |
| 1667 | free(j->chrootdir); |
Elly Jones | e1749eb | 2011-10-07 13:54:59 -0400 | [diff] [blame] | 1668 | free(j); |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 1669 | } |