// Copyright 2013 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifdef UNSAFE_BUFFERS_BUILD // TODO(crbug.com/351564777): Remove this and convert code to safer constructs. #pragma allow_unsafe_buffers #endif #include "sandbox/linux/services/credentials.h" #include <errno.h> #include <limits.h> #include <sched.h> #include <signal.h> #include <stddef.h> #include <stdint.h> #include <stdio.h> #include <sys/syscall.h> #include <sys/types.h> #include <sys/wait.h> #include <unistd.h> #include "base/compiler_specific.h" #include "base/files/file_path.h" #include "base/files/file_util.h" #include "base/functional/bind.h" #include "base/logging.h" #include "base/posix/eintr_wrapper.h" #include "base/process/launch.h" #include "build/build_config.h" #include "sandbox/linux/services/namespace_utils.h" #include "sandbox/linux/services/proc_util.h" #include "sandbox/linux/services/syscall_wrappers.h" #include "sandbox/linux/services/thread_helpers.h" #include "sandbox/linux/system_headers/capability.h" #include "sandbox/linux/system_headers/linux_signal.h" namespace sandbox { namespace { const int kExitSuccess = …; #if !defined(THREAD_SANITIZER) const int kExitFailure = …; #endif #if defined(__clang__) // Disable sanitizers that rely on TLS and may write to non-stack memory. __attribute__((no_sanitize_address)) __attribute__((no_sanitize_thread)) __attribute__((no_sanitize_memory)) #endif int ChrootToSelfFdinfo(void*) { … } // chroot() to an empty dir that is "safe". To be safe, it must not contain // any subdirectory (chroot-ing there would allow a chroot escape) and it must // be impossible to create an empty directory there. // We achieve this by doing the following: // 1. We create a new process sharing file system information. // 2. In the child, we chroot to /proc/self/fdinfo/ // This is already "safe", since fdinfo/ does not contain another directory and // one cannot create another directory there. // 3. The process dies // After (3) happens, the directory is not available anymore in /proc. bool ChrootToSafeEmptyDir() { … } // CHECK() that an attempt to move to a new user namespace raised an expected // errno. void CheckCloneNewUserErrno(int error) { … } // Converts a Capability to the corresponding Linux CAP_XXX value. int CapabilityToKernelValue(Credentials::Capability cap) { … } } // namespace. // static bool Credentials::GetRESIds(uid_t* resuid, gid_t* resgid) { … } // static bool Credentials::SetGidAndUidMaps(gid_t gid, uid_t uid) { … } // static bool Credentials::DropAllCapabilities(int proc_fd) { … } // static bool Credentials::DropAllCapabilities() { … } // static bool Credentials::DropAllCapabilitiesOnCurrentThread() { … } // static bool Credentials::SetCapabilitiesOnCurrentThread( const std::vector<Capability>& caps) { … } // static bool Credentials::SetCapabilities(int proc_fd, const std::vector<Capability>& caps) { … } bool Credentials::HasAnyCapability() { … } bool Credentials::HasCapability(Capability cap) { … } // static bool Credentials::CanCreateProcessInNewUserNS() { … } bool Credentials::MoveToNewUserNS() { … } bool Credentials::DropFileSystemAccess(int proc_fd) { … } bool Credentials::HasFileSystemAccess() { … } pid_t Credentials::ForkAndDropCapabilitiesInChild() { … } } // namespace sandbox.
Codebase Browser
chromium