Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / minijail / a6eb21a9b410cfd8c8f48177816b0f671d6cd4c5 / . / system.c
blob: 49f89157d1f18d111cc92ac32a6274dc6517e26b [file] [log] [blame]
Jorge Lucangeli Obes0b208772017-04-19 14:15:46 -0400[diff] [blame]1/* Copyright (C) 2017 The Android Open Source Project
2 *
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16#include "system.h"
17
18#include <errno.h>
19#include <fcntl.h>
20#include <net/if.h>
21#include <stdbool.h>
22#include <stdio.h>
23#include <string.h>
24#include <sys/ioctl.h>
25#include <sys/prctl.h>
26#include <sys/socket.h>
27#include <sys/stat.h>
28#include <unistd.h>
29
30#include "util.h"
31
32#ifdef HAVE_SECUREBITS_H
33#include <linux/securebits.h>
34#else
35#define SECURE_ALL_BITS 0x55
36#define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1)
37#endif
Jorge Lucangeli Obesa6eb21a2017-04-20 10:44:00 -0400[diff] [blame^]38
39#define SECURE_BITS_NO_AMBIENT 0x15
40#define SECURE_LOCKS_NO_AMBIENT (SECURE_BITS_NO_AMBIENT << 1)
Jorge Lucangeli Obes0b208772017-04-19 14:15:46 -0400[diff] [blame]41
42/*
43 * Assert the value of SECURE_ALL_BITS at compile-time.
Jorge Lucangeli Obesa6eb21a2017-04-20 10:44:00 -0400[diff] [blame^]44 * Android devices are currently compiled against 4.4 kernel headers. Kernel 4.3
Jorge Lucangeli Obes0b208772017-04-19 14:15:46 -0400[diff] [blame]45 * added a new securebit.
46 * When a new securebit is added, the new SECURE_ALL_BITS mask will return EPERM
47 * when used on older kernels. The compile-time assert will catch this situation
48 * at compile time.
49 */
Jorge Lucangeli Obesa6eb21a2017-04-20 10:44:00 -0400[diff] [blame^]50#if defined(__ANDROID__)
Jorge Lucangeli Obes0b208772017-04-19 14:15:46 -0400[diff] [blame]51_Static_assert(SECURE_ALL_BITS == 0x55, "SECURE_ALL_BITS == 0x55.");
52#endif
53
54int lock_securebits(void)
55{
56 /*
Jorge Lucangeli Obesa6eb21a2017-04-20 10:44:00 -0400[diff] [blame^]57 * Ambient capabilities can only be raised if they're already present
58 * in the permitted *and* inheritable set. Therefore, we don't really
59 * need to lock the NO_CAP_AMBIENT_RAISE securebit, since we are already
60 * configuring the permitted and inheritable set.
Jorge Lucangeli Obes0b208772017-04-19 14:15:46 -0400[diff] [blame]61 */
62 int securebits_ret =
Jorge Lucangeli Obesa6eb21a2017-04-20 10:44:00 -0400[diff] [blame^]63 prctl(PR_SET_SECUREBITS,
64 SECURE_BITS_NO_AMBIENT | SECURE_LOCKS_NO_AMBIENT);
Jorge Lucangeli Obes0b208772017-04-19 14:15:46 -0400[diff] [blame]65 if (securebits_ret < 0) {
66 pwarn("prctl(PR_SET_SECUREBITS) failed");
67 return -1;
68 }
69
70 return 0;
71}
72
73int write_proc_file(pid_t pid, const char *content, const char *basename)
74{
75 int fd, ret;
76 size_t sz, len;
77 ssize_t written;
78 char filename[32];
79
80 sz = sizeof(filename);
81 ret = snprintf(filename, sz, "/proc/%d/%s", pid, basename);
82 if (ret < 0 || (size_t)ret >= sz) {
83 warn("failed to generate %s filename", basename);
84 return -1;
85 }
86
87 fd = open(filename, O_WRONLY | O_CLOEXEC);
88 if (fd < 0) {
89 pwarn("failed to open '%s'", filename);
90 return -errno;
91 }
92
93 len = strlen(content);
94 written = write(fd, content, len);
95 if (written < 0) {
96 pwarn("failed to write '%s'", filename);
97 return -1;
98 }
99
100 if ((size_t)written < len) {
101 warn("failed to write %zu bytes to '%s'", len, filename);
102 return -1;
103 }
104 close(fd);
105 return 0;
106}
107
108/*
109 * We specifically do not use cap_valid() as that only tells us the last
110 * valid cap we were *compiled* against (i.e. what the version of kernel
111 * headers says). If we run on a different kernel version, then it's not
112 * uncommon for that to be less (if an older kernel) or more (if a newer
113 * kernel).
114 * Normally, we suck up the answer via /proc. On Android, not all processes are
115 * guaranteed to be able to access '/proc/sys/kernel/cap_last_cap' so we
116 * programmatically find the value by calling prctl(PR_CAPBSET_READ).
117 */
118unsigned int get_last_valid_cap(void)
119{
120 unsigned int last_valid_cap = 0;
121 if (is_android()) {
122 for (; prctl(PR_CAPBSET_READ, last_valid_cap, 0, 0, 0) >= 0;
123 ++last_valid_cap)
124 ;
125
126 /* |last_valid_cap| will be the first failing value. */
127 if (last_valid_cap > 0) {
128 last_valid_cap--;
129 }
130 } else {
131 const char cap_file[] = "/proc/sys/kernel/cap_last_cap";
132 FILE *fp = fopen(cap_file, "re");
133 if (fscanf(fp, "%u", &last_valid_cap) != 1)
134 pdie("fscanf(%s)", cap_file);
135 fclose(fp);
136 }
137 return last_valid_cap;
138}
139
Jorge Lucangeli Obesa6eb21a2017-04-20 10:44:00 -0400[diff] [blame^]140int cap_ambient_supported(void)
141{
142 return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) >=
143 0;
144}
145
Jorge Lucangeli Obes0b208772017-04-19 14:15:46 -0400[diff] [blame]146int config_net_loopback(void)
147{
148 const char ifname[] = "lo";
149 int sock;
150 struct ifreq ifr;
151
152 /* Make sure people don't try to add really long names. */
153 _Static_assert(sizeof(ifname) <= IFNAMSIZ, "interface name too long");
154
155 sock = socket(AF_LOCAL, SOCK_DGRAM | SOCK_CLOEXEC, 0);
156 if (sock < 0) {
157 pwarn("socket(AF_LOCAL) failed");
158 return -1;
159 }
160
161 /*
162 * Do the equiv of `ip link set up lo`. The kernel will assign
163 * IPv4 (127.0.0.1) & IPv6 (::1) addresses automatically!
164 */
165 strcpy(ifr.ifr_name, ifname);
166 if (ioctl(sock, SIOCGIFFLAGS, &ifr) < 0) {
167 pwarn("ioctl(SIOCGIFFLAGS) failed");
168 return -1;
169 }
170
171 /* The kernel preserves ifr.ifr_name for use. */
172 ifr.ifr_flags |= IFF_UP | IFF_RUNNING;
173 if (ioctl(sock, SIOCSIFFLAGS, &ifr) < 0) {
174 pwarn("ioctl(SIOCSIFFLAGS) failed");
175 return -1;
176 }
177
178 close(sock);
179 return 0;
180}
181
182int setup_pipe_end(int fds[2], size_t index)
183{
184 if (index > 1)
185 return -1;
186
187 close(fds[1 - index]);
188 return fds[index];
189}
190
191int setup_and_dupe_pipe_end(int fds[2], size_t index, int fd)
192{
193 if (index > 1)
194 return -1;
195
196 close(fds[1 - index]);
197 /* dup2(2) the corresponding end of the pipe into |fd|. */
198 return dup2(fds[index], fd);
199}
200
201int write_pid_to_path(pid_t pid, const char *path)
202{
203 FILE *fp = fopen(path, "w");
204
205 if (!fp) {
206 pwarn("failed to open '%s'", path);
207 return -errno;
208 }
209 if (fprintf(fp, "%d\n", (int)pid) < 0) {
210 /* fprintf(3) does not set errno on failure. */
211 warn("fprintf(%s) failed", path);
212 return -1;
213 }
214 if (fclose(fp)) {
215 pwarn("fclose(%s) failed", path);
216 return -errno;
217 }
218
219 return 0;
220}
221
222/*
223 * setup_mount_destination: Ensures the mount target exists.
224 * Creates it if needed and possible.
225 */
226int setup_mount_destination(const char *source, const char *dest, uid_t uid,
227 uid_t gid)
228{
229 int rc;
230 struct stat st_buf;
231
232 rc = stat(dest, &st_buf);
233 if (rc == 0) /* destination exists */
234 return 0;
235
236 /*
237 * Try to create the destination.
238 * Either make a directory or touch a file depending on the source type.
239 * If the source doesn't exist, assume it is a filesystem type such as
240 * "tmpfs" and create a directory to mount it on.
241 */
242 rc = stat(source, &st_buf);
243 if (rc || S_ISDIR(st_buf.st_mode) || S_ISBLK(st_buf.st_mode)) {
244 if (mkdir(dest, 0700))
245 return -errno;
246 } else {
247 int fd = open(dest, O_RDWR | O_CREAT, 0700);
248 if (fd < 0)
249 return -errno;
250 close(fd);
251 }
252 return chown(dest, uid, gid);
253}