setuid_sandbox_client.h revision 010d83a9304c5a91596085d917d248abff47903a 
1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef SANDBOX_LINUX_SUID_SETUID_SANDBOX_CLIENT_H_
6#define SANDBOX_LINUX_SUID_SETUID_SANDBOX_CLIENT_H_
7
8#include "base/basictypes.h"
9#include "base/callback_forward.h"
10#include "base/files/file_path.h"
11#include "base/files/scoped_file.h"
12#include "base/process/launch.h"
13#include "sandbox/linux/sandbox_export.h"
14
15namespace sandbox {
16
17// Helper class to use the setuid sandbox. This class is to be used both
18// before launching the setuid helper and after being executed through the
19// setuid helper.
20// This class is difficult to use. It has been created by refactoring very old
21// code scathered through the Chromium code base.
22//
23// A typical use for "A" launching a sandboxed process "B" would be:
24// 1. A calls SetupLaunchEnvironment()
25// 2. A sets up a CommandLine and then amends it with
26//    PrependWrapper() (or manually, by relying on GetSandboxBinaryPath()).
27// 3. A uses SetupLaunchOptions() to arrange for a dummy descriptor for the
28//    setuid sandbox ABI.
29// 4. A launches B with base::LaunchProcess, using the amended CommandLine.
30// 5. B uses CloseDummyFile() to close the dummy file descriptor.
31// 6. B performs various initializations that require access to the file
32//    system.
33// 6.b (optional) B uses sandbox::Credentials::HasOpenDirectory() to verify
34//    that no directory is kept open (which would allow bypassing the setuid
35//    sandbox).
36// 7. B should be prepared to assume the role of init(1). In particular, B
37//    cannot receive any signal from any other process, excluding SIGKILL.
38//    If B dies, all the processes in the namespace will die.
39//    B can fork() and the parent can assume the role of init(1), by using
40//    CreateInitProcessReaper().
41// 8. B requests being chroot-ed through ChrootMe() and
42//    requests other sandboxing status via the status functions.
43class SANDBOX_EXPORT SetuidSandboxClient {
44 public:
45  // All instantation should go through this factory method.
46  static class SetuidSandboxClient* Create();
47  ~SetuidSandboxClient();
48
49  // Close the dummy file descriptor leftover from the sandbox ABI.
50  void CloseDummyFile();
51  // Ask the setuid helper over the setuid sandbox IPC channel to chroot() us
52  // to an empty directory.
53  // Will only work if we have been launched through the setuid helper.
54  bool ChrootMe();
55  // When a new PID namespace is created, the process with pid == 1 should
56  // assume the role of init.
57  // See sandbox/linux/services/init_process_reaper.h for more information
58  // on this API.
59  bool CreateInitProcessReaper(base::Closure* post_fork_parent_callback);
60
61  // Did we get launched through an up to date setuid binary ?
62  bool IsSuidSandboxUpToDate() const;
63  // Did we get launched through the setuid helper ?
64  bool IsSuidSandboxChild() const;
65  // Did the setuid helper create a new PID namespace ?
66  bool IsInNewPIDNamespace() const;
67  // Did the setuid helper create a new network namespace ?
68  bool IsInNewNETNamespace() const;
69  // Are we done and fully sandboxed ?
70  bool IsSandboxed() const;
71
72  // The setuid sandbox may still be disabled via the environment.
73  // This is tracked in crbug.com/245376.
74  bool IsDisabledViaEnvironment();
75  // Get the sandbox binary path. This method knows about the
76  // CHROME_DEVEL_SANDBOX environment variable used for user-managed builds. If
77  // the sandbox binary cannot be found, it will return an empty FilePath.
78  base::FilePath GetSandboxBinaryPath();
79  // Modify |cmd_line| to launch via the setuid sandbox. Crash if the setuid
80  // sandbox binary cannot be found.  |cmd_line| must not be NULL.
81  void PrependWrapper(base::CommandLine* cmd_line);
82  // Set-up the launch options for launching via the setuid sandbox.  Caller is
83  // responsible for keeping |dummy_fd| alive until LaunchProcess() completes.
84  // |options| and |fds_to_remap| must not be NULL.
85  // (Keeping |dummy_fd| alive is an unfortunate historical artifact of the
86  // chrome-sandbox ABI.)
87  void SetupLaunchOptions(base::LaunchOptions* options,
88                          base::FileHandleMappingVector* fds_to_remap,
89                          base::ScopedFD* dummy_fd);
90  // Set-up the environment. This should be done prior to launching the setuid
91  // helper.
92  void SetupLaunchEnvironment();
93
94 private:
95  // Holds the environment. Will never be NULL.
96  base::Environment* env_;
97  bool sandboxed_;
98  DISALLOW_IMPLICIT_CONSTRUCTORS(SetuidSandboxClient);
99};
100
101}  // namespace sandbox
102
103#endif  // SANDBOX_LINUX_SUID_SETUID_SANDBOX_CLIENT_H_
104