1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef SANDBOX_LINUX_SUID_SETUID_SANDBOX_CLIENT_H_ 6#define SANDBOX_LINUX_SUID_SETUID_SANDBOX_CLIENT_H_ 7 8#include "base/basictypes.h" 9#include "base/callback_forward.h" 10#include "base/files/file_path.h" 11#include "base/files/scoped_file.h" 12#include "base/process/launch.h" 13#include "sandbox/sandbox_export.h" 14 15namespace sandbox { 16 17// Helper class to use the setuid sandbox. This class is to be used both 18// before launching the setuid helper and after being executed through the 19// setuid helper. 20// This class is difficult to use. It has been created by refactoring very old 21// code scathered through the Chromium code base. 22// 23// A typical use for "A" launching a sandboxed process "B" would be: 24// 1. A calls SetupLaunchEnvironment() 25// 2. A sets up a CommandLine and then amends it with 26// PrependWrapper() (or manually, by relying on GetSandboxBinaryPath()). 27// 3. A uses SetupLaunchOptions() to arrange for a dummy descriptor for the 28// setuid sandbox ABI. 29// 4. A launches B with base::LaunchProcess, using the amended CommandLine. 30// 5. B uses CloseDummyFile() to close the dummy file descriptor. 31// 6. B performs various initializations that require access to the file 32// system. 33// 6.b (optional) B uses sandbox::Credentials::HasOpenDirectory() to verify 34// that no directory is kept open (which would allow bypassing the setuid 35// sandbox). 36// 7. B should be prepared to assume the role of init(1). In particular, B 37// cannot receive any signal from any other process, excluding SIGKILL. 38// If B dies, all the processes in the namespace will die. 39// B can fork() and the parent can assume the role of init(1), by using 40// CreateInitProcessReaper(). 41// 8. B requests being chroot-ed through ChrootMe() and 42// requests other sandboxing status via the status functions. 43class SANDBOX_EXPORT SetuidSandboxClient { 44 public: 45 // All instantation should go through this factory method. 46 static class SetuidSandboxClient* Create(); 47 ~SetuidSandboxClient(); 48 49 // Close the dummy file descriptor leftover from the sandbox ABI. 50 void CloseDummyFile(); 51 // Ask the setuid helper over the setuid sandbox IPC channel to chroot() us 52 // to an empty directory. 53 // Will only work if we have been launched through the setuid helper. 54 bool ChrootMe(); 55 // When a new PID namespace is created, the process with pid == 1 should 56 // assume the role of init. 57 // See sandbox/linux/services/init_process_reaper.h for more information 58 // on this API. 59 bool CreateInitProcessReaper(base::Closure* post_fork_parent_callback); 60 61 // Did we get launched through an up to date setuid binary ? 62 bool IsSuidSandboxUpToDate() const; 63 // Did we get launched through the setuid helper ? 64 bool IsSuidSandboxChild() const; 65 // Did the setuid helper create a new PID namespace ? 66 bool IsInNewPIDNamespace() const; 67 // Did the setuid helper create a new network namespace ? 68 bool IsInNewNETNamespace() const; 69 // Are we done and fully sandboxed ? 70 bool IsSandboxed() const; 71 72 // The setuid sandbox may still be disabled via the environment. 73 // This is tracked in crbug.com/245376. 74 bool IsDisabledViaEnvironment(); 75 // Get the sandbox binary path. This method knows about the 76 // CHROME_DEVEL_SANDBOX environment variable used for user-managed builds. If 77 // the sandbox binary cannot be found, it will return an empty FilePath. 78 base::FilePath GetSandboxBinaryPath(); 79 // Modify |cmd_line| to launch via the setuid sandbox. Crash if the setuid 80 // sandbox binary cannot be found. |cmd_line| must not be NULL. 81 void PrependWrapper(base::CommandLine* cmd_line); 82 // Set-up the launch options for launching via the setuid sandbox. Caller is 83 // responsible for keeping |dummy_fd| alive until LaunchProcess() completes. 84 // |options| and |fds_to_remap| must not be NULL. 85 // (Keeping |dummy_fd| alive is an unfortunate historical artifact of the 86 // chrome-sandbox ABI.) 87 void SetupLaunchOptions(base::LaunchOptions* options, 88 base::FileHandleMappingVector* fds_to_remap, 89 base::ScopedFD* dummy_fd); 90 // Set-up the environment. This should be done prior to launching the setuid 91 // helper. 92 void SetupLaunchEnvironment(); 93 94 private: 95 SetuidSandboxClient(); 96 97 // Holds the environment. Will never be NULL. 98 base::Environment* env_; 99 bool sandboxed_; 100 101 DISALLOW_COPY_AND_ASSIGN(SetuidSandboxClient); 102}; 103 104} // namespace sandbox 105 106#endif // SANDBOX_LINUX_SUID_SETUID_SANDBOX_CLIENT_H_ 107