libminijail.c revision e5609acdef8b6634be1fa81756a4ad188b0c69f0
1/* 2 * Copyright (c) 2012 The Chromium OS Authors. All rights reserved. 3 * Use of this source code is governed by a BSD-style license that can be 4 * found in the LICENSE file. 5 */ 6 7#define _BSD_SOURCE 8#define _GNU_SOURCE 9 10#include <asm/unistd.h> 11#include <ctype.h> 12#include <errno.h> 13#include <grp.h> 14#include <inttypes.h> 15#include <limits.h> 16#include <linux/capability.h> 17#include <pwd.h> 18#include <sched.h> 19#include <signal.h> 20#include <stdarg.h> 21#include <stddef.h> 22#include <stdio.h> 23#include <stdlib.h> 24#include <string.h> 25#include <syscall.h> 26#include <sys/capability.h> 27#include <sys/mount.h> 28#include <sys/param.h> 29#include <sys/prctl.h> 30#include <sys/user.h> 31#include <sys/wait.h> 32#include <unistd.h> 33 34#include "libminijail.h" 35#include "libminijail-private.h" 36 37#include "signal.h" 38#include "syscall_filter.h" 39#include "util.h" 40 41#ifdef HAVE_SECUREBITS_H 42#include <linux/securebits.h> 43#else 44#define SECURE_ALL_BITS 0x15 45#define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1) 46#endif 47 48/* Until these are reliably available in linux/prctl.h */ 49#ifndef PR_SET_SECCOMP 50# define PR_SET_SECCOMP 22 51#endif 52 53/* For seccomp_filter using BPF. */ 54#ifndef PR_SET_NO_NEW_PRIVS 55# define PR_SET_NO_NEW_PRIVS 38 56#endif 57#ifndef SECCOMP_MODE_FILTER 58# define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */ 59#endif 60 61struct binding { 62 char *src; 63 char *dest; 64 int writeable; 65 struct binding *next; 66}; 67 68struct minijail { 69 struct { 70 int uid:1; 71 int gid:1; 72 int caps:1; 73 int vfs:1; 74 int pids:1; 75 int seccomp:1; 76 int readonly:1; 77 int usergroups:1; 78 int ptrace:1; 79 int no_new_privs:1; 80 int seccomp_filter:1; 81 int log_seccomp_filter:1; 82 int chroot:1; 83 } flags; 84 uid_t uid; 85 gid_t gid; 86 gid_t usergid; 87 char *user; 88 uint64_t caps; 89 pid_t initpid; 90 int filter_len; 91 int binding_count; 92 char *chrootdir; 93 struct sock_fprog *filter_prog; 94 struct binding *bindings_head; 95 struct binding *bindings_tail; 96}; 97 98struct minijail API *minijail_new(void) 99{ 100 return calloc(1, sizeof(struct minijail)); 101} 102 103void API minijail_change_uid(struct minijail *j, uid_t uid) 104{ 105 if (uid == 0) 106 die("useless change to uid 0"); 107 j->uid = uid; 108 j->flags.uid = 1; 109} 110 111void API minijail_change_gid(struct minijail *j, gid_t gid) 112{ 113 if (gid == 0) 114 die("useless change to gid 0"); 115 j->gid = gid; 116 j->flags.gid = 1; 117} 118 119int API minijail_change_user(struct minijail *j, const char *user) 120{ 121 char *buf = NULL; 122 struct passwd pw; 123 struct passwd *ppw = NULL; 124 ssize_t sz = sysconf(_SC_GETPW_R_SIZE_MAX); 125 if (sz == -1) 126 sz = 65536; /* your guess is as good as mine... */ 127 128 /* 129 * sysconf(_SC_GETPW_R_SIZE_MAX), under glibc, is documented to return 130 * the maximum needed size of the buffer, so we don't have to search. 131 */ 132 buf = malloc(sz); 133 if (!buf) 134 return -ENOMEM; 135 getpwnam_r(user, &pw, buf, sz, &ppw); 136 /* 137 * We're safe to free the buffer here. The strings inside pw point 138 * inside buf, but we don't use any of them; this leaves the pointers 139 * dangling but it's safe. ppw points at pw if getpwnam_r succeeded. 140 */ 141 free(buf); 142 if (!ppw) 143 return -errno; 144 minijail_change_uid(j, ppw->pw_uid); 145 j->user = strdup(user); 146 if (!j->user) 147 return -ENOMEM; 148 j->usergid = ppw->pw_gid; 149 return 0; 150} 151 152int API minijail_change_group(struct minijail *j, const char *group) 153{ 154 char *buf = NULL; 155 struct group gr; 156 struct group *pgr = NULL; 157 ssize_t sz = sysconf(_SC_GETGR_R_SIZE_MAX); 158 if (sz == -1) 159 sz = 65536; /* and mine is as good as yours, really */ 160 161 /* 162 * sysconf(_SC_GETGR_R_SIZE_MAX), under glibc, is documented to return 163 * the maximum needed size of the buffer, so we don't have to search. 164 */ 165 buf = malloc(sz); 166 if (!buf) 167 return -ENOMEM; 168 getgrnam_r(group, &gr, buf, sz, &pgr); 169 /* 170 * We're safe to free the buffer here. The strings inside gr point 171 * inside buf, but we don't use any of them; this leaves the pointers 172 * dangling but it's safe. pgr points at gr if getgrnam_r succeeded. 173 */ 174 free(buf); 175 if (!pgr) 176 return -errno; 177 minijail_change_gid(j, pgr->gr_gid); 178 return 0; 179} 180 181void API minijail_use_seccomp(struct minijail *j) 182{ 183 j->flags.seccomp = 1; 184} 185 186void API minijail_no_new_privs(struct minijail *j) 187{ 188 j->flags.no_new_privs = 1; 189} 190 191void API minijail_use_seccomp_filter(struct minijail *j) 192{ 193 j->flags.seccomp_filter = 1; 194} 195 196void API minijail_log_seccomp_filter_failures(struct minijail *j) 197{ 198 j->flags.log_seccomp_filter = 1; 199} 200 201void API minijail_use_caps(struct minijail *j, uint64_t capmask) 202{ 203 j->caps = capmask; 204 j->flags.caps = 1; 205} 206 207void API minijail_namespace_vfs(struct minijail *j) 208{ 209 j->flags.vfs = 1; 210} 211 212void API minijail_namespace_pids(struct minijail *j) 213{ 214 j->flags.vfs = 1; 215 j->flags.readonly = 1; 216 j->flags.pids = 1; 217} 218 219void API minijail_remount_readonly(struct minijail *j) 220{ 221 j->flags.vfs = 1; 222 j->flags.readonly = 1; 223} 224 225void API minijail_inherit_usergroups(struct minijail *j) 226{ 227 j->flags.usergroups = 1; 228} 229 230void API minijail_disable_ptrace(struct minijail *j) 231{ 232 j->flags.ptrace = 1; 233} 234 235int API minijail_enter_chroot(struct minijail *j, const char *dir) { 236 if (j->chrootdir) 237 return -EINVAL; 238 j->chrootdir = strdup(dir); 239 if (!j->chrootdir) 240 return -ENOMEM; 241 j->flags.chroot = 1; 242 return 0; 243} 244 245int API minijail_bind(struct minijail *j, const char *src, const char *dest, 246 int writeable) { 247 struct binding *b; 248 249 if (*dest != '/') 250 return -EINVAL; 251 b = calloc(1, sizeof(*b)); 252 if (!b) 253 return -ENOMEM; 254 b->dest = strdup(dest); 255 if (!b->dest) 256 goto error; 257 b->src = strdup(src); 258 if (!b->src) 259 goto error; 260 b->writeable = writeable; 261 262 info("bind %s -> %s", src, dest); 263 264 /* 265 * Force vfs namespacing so the bind mounts don't leak out into the 266 * containing vfs namespace. 267 */ 268 minijail_namespace_vfs(j); 269 270 if (j->bindings_tail) 271 j->bindings_tail->next = b; 272 else 273 j->bindings_head = b; 274 j->bindings_tail = b; 275 j->binding_count++; 276 277 return 0; 278 279error: 280 free(b->src); 281 free(b->dest); 282 free(b); 283 return -ENOMEM; 284} 285 286void API minijail_parse_seccomp_filters(struct minijail *j, const char *path) 287{ 288 FILE *file = fopen(path, "r"); 289 if (!file) { 290 pdie("failed to open seccomp filter file '%s'", path); 291 } 292 293 struct sock_fprog *fprog = malloc(sizeof(struct sock_fprog)); 294 if (compile_filter(file, fprog, j->flags.log_seccomp_filter)) { 295 die("failed to compile seccomp filter BPF program in '%s'", 296 path); 297 } 298 299 j->filter_len = fprog->len; 300 j->filter_prog = fprog; 301 302 fclose(file); 303} 304 305struct marshal_state { 306 size_t available; 307 size_t total; 308 char *buf; 309}; 310 311void marshal_state_init(struct marshal_state *state, 312 char *buf, size_t available) 313{ 314 state->available = available; 315 state->buf = buf; 316 state->total = 0; 317} 318 319void marshal_append(struct marshal_state *state, 320 char *src, size_t length) 321{ 322 size_t copy_len = MIN(state->available, length); 323 324 /* Up to |available| will be written. */ 325 if (copy_len) { 326 memcpy(state->buf, src, copy_len); 327 state->buf += copy_len; 328 state->available -= copy_len; 329 } 330 /* |total| will contain the expected length. */ 331 state->total += length; 332} 333 334void minijail_marshal_helper(struct marshal_state *state, 335 const struct minijail *j) 336{ 337 struct binding *b = NULL; 338 marshal_append(state, (char *)j, sizeof(*j)); 339 if (j->user) 340 marshal_append(state, j->user, strlen(j->user) + 1); 341 if (j->chrootdir) 342 marshal_append(state, j->chrootdir, strlen(j->chrootdir) + 1); 343 if (j->flags.seccomp_filter && j->filter_prog) { 344 struct sock_fprog *fp = j->filter_prog; 345 marshal_append(state, (char *)fp->filter, 346 fp->len * sizeof(struct sock_filter)); 347 } 348 for (b = j->bindings_head; b; b = b->next) { 349 marshal_append(state, b->src, strlen(b->src) + 1); 350 marshal_append(state, b->dest, strlen(b->dest) + 1); 351 marshal_append(state, (char *)&b->writeable, 352 sizeof(b->writeable)); 353 } 354} 355 356size_t API minijail_size(const struct minijail *j) 357{ 358 struct marshal_state state; 359 marshal_state_init(&state, NULL, 0); 360 minijail_marshal_helper(&state, j); 361 return state.total; 362} 363 364int minijail_marshal(const struct minijail *j, char *buf, size_t available) 365{ 366 struct marshal_state state; 367 marshal_state_init(&state, buf, available); 368 minijail_marshal_helper(&state, j); 369 return (state.total > available); 370} 371 372/* consumebytes: consumes @length bytes from a buffer @buf of length @buflength 373 * @length Number of bytes to consume 374 * @buf Buffer to consume from 375 * @buflength Size of @buf 376 * 377 * Returns a pointer to the base of the bytes, or NULL for errors. 378 */ 379void *consumebytes(size_t length, char **buf, size_t *buflength) { 380 char *p = *buf; 381 if (length > *buflength) 382 return NULL; 383 *buf += length; 384 *buflength -= length; 385 return p; 386} 387 388/* consumestr: consumes a C string from a buffer @buf of length @length 389 * @buf Buffer to consume 390 * @length Length of buffer 391 * 392 * Returns a pointer to the base of the string, or NULL for errors. 393 */ 394char *consumestr(char **buf, size_t *buflength) { 395 size_t len = strnlen(*buf, *buflength); 396 if (len == *buflength) 397 /* There's no null-terminator */ 398 return NULL; 399 return consumebytes(len + 1, buf, buflength); 400} 401 402int minijail_unmarshal(struct minijail *j, char *serialized, size_t length) 403{ 404 int i; 405 int count; 406 int ret = -EINVAL; 407 408 if (length < sizeof(*j)) 409 goto out; 410 memcpy((void *)j, serialized, sizeof(*j)); 411 serialized += sizeof(*j); 412 length -= sizeof(*j); 413 414 /* Potentially stale pointers not used as signals. */ 415 j->bindings_head = NULL; 416 j->bindings_tail = NULL; 417 j->filter_prog = NULL; 418 419 if (j->user) { /* stale pointer */ 420 char *user = consumestr(&serialized, &length); 421 if (!user) 422 goto clear_pointers; 423 j->user = strdup(user); 424 if (!j->user) 425 goto clear_pointers; 426 } 427 428 if (j->chrootdir) { /* stale pointer */ 429 char *chrootdir = consumestr(&serialized, &length); 430 if (!chrootdir) 431 goto bad_chrootdir; 432 j->chrootdir = strdup(chrootdir); 433 if (!j->chrootdir) 434 goto bad_chrootdir; 435 } 436 437 if (j->flags.seccomp_filter && j->filter_len > 0) { 438 size_t ninstrs = j->filter_len; 439 if (ninstrs > (SIZE_MAX / sizeof(struct sock_filter)) || 440 ninstrs > USHRT_MAX) 441 goto bad_filters; 442 443 size_t program_len = ninstrs * sizeof(struct sock_filter); 444 void *program = consumebytes(program_len, &serialized, &length); 445 if (!program) 446 goto bad_filters; 447 448 j->filter_prog = malloc(sizeof(struct sock_fprog)); 449 j->filter_prog->len = ninstrs; 450 j->filter_prog->filter = malloc(program_len); 451 memcpy(j->filter_prog->filter, program, program_len); 452 } 453 454 count = j->binding_count; 455 j->binding_count = 0; 456 for (i = 0; i < count; ++i) { 457 int *writeable; 458 const char *dest; 459 const char *src = consumestr(&serialized, &length); 460 if (!src) 461 goto bad_bindings; 462 dest = consumestr(&serialized, &length); 463 if (!dest) 464 goto bad_bindings; 465 writeable = consumebytes(sizeof(*writeable), &serialized, &length); 466 if (!writeable) 467 goto bad_bindings; 468 if (minijail_bind(j, src, dest, *writeable)) 469 goto bad_bindings; 470 } 471 472 return 0; 473 474bad_bindings: 475 if (j->flags.seccomp_filter && j->filter_len > 0) { 476 free(j->filter_prog->filter); 477 free(j->filter_prog); 478 } 479bad_filters: 480 if (j->chrootdir) 481 free(j->chrootdir); 482bad_chrootdir: 483 if (j->user) 484 free(j->user); 485clear_pointers: 486 j->user = NULL; 487 j->chrootdir = NULL; 488out: 489 return ret; 490} 491 492void minijail_preenter(struct minijail *j) 493{ 494 /* Strip out options which are minijail_run() only. */ 495 j->flags.vfs = 0; 496 j->flags.readonly = 0; 497 j->flags.pids = 0; 498} 499 500void minijail_preexec(struct minijail *j) 501{ 502 int vfs = j->flags.vfs; 503 int readonly = j->flags.readonly; 504 if (j->user) 505 free(j->user); 506 j->user = NULL; 507 memset(&j->flags, 0, sizeof(j->flags)); 508 /* Now restore anything we meant to keep. */ 509 j->flags.vfs = vfs; 510 j->flags.readonly = readonly; 511 /* Note, pidns will already have been used before this call. */ 512} 513 514/* bind_one: Applies bindings from @b for @j, recursing as needed. 515 * @j Minijail these bindings are for 516 * @b Head of list of bindings 517 * 518 * Returns 0 for success. 519 */ 520int bind_one(const struct minijail *j, struct binding *b) { 521 int ret = 0; 522 char *dest = NULL; 523 if (ret) 524 return ret; 525 /* dest has a leading "/" */ 526 if (asprintf(&dest, "%s%s", j->chrootdir, b->dest) < 0) 527 return -ENOMEM; 528 ret = mount(b->src, dest, NULL, MS_BIND, NULL); 529 if (ret) 530 pdie("bind: %s -> %s", b->src, dest); 531 if (!b->writeable) { 532 ret = mount(b->src, dest, NULL, 533 MS_BIND | MS_REMOUNT | MS_RDONLY, NULL); 534 if (ret) 535 pdie("bind ro: %s -> %s", b->src, dest); 536 } 537 free(dest); 538 if (b->next) 539 return bind_one(j, b->next); 540 return ret; 541} 542 543int enter_chroot(const struct minijail *j) { 544 int ret; 545 if (j->bindings_head && (ret = bind_one(j, j->bindings_head))) 546 return ret; 547 548 if (chroot(j->chrootdir)) 549 return -errno; 550 551 if (chdir("/")) 552 return -errno; 553 554 return 0; 555} 556 557int remount_readonly(void) 558{ 559 const char *kProcPath = "/proc"; 560 const unsigned int kSafeFlags = MS_NODEV | MS_NOEXEC | MS_NOSUID; 561 /* 562 * Right now, we're holding a reference to our parent's old mount of 563 * /proc in our namespace, which means using MS_REMOUNT here would 564 * mutate our parent's mount as well, even though we're in a VFS 565 * namespace (!). Instead, remove their mount from our namespace 566 * and make our own. 567 */ 568 if (umount(kProcPath)) 569 return -errno; 570 if (mount("", kProcPath, "proc", kSafeFlags | MS_RDONLY, "")) 571 return -errno; 572 return 0; 573} 574 575void drop_ugid(const struct minijail *j) 576{ 577 if (j->flags.usergroups) { 578 if (initgroups(j->user, j->usergid)) 579 pdie("initgroups"); 580 } else { 581 /* Only attempt to clear supplemental groups if we are changing 582 * users. */ 583 if ((j->uid || j->gid) && setgroups(0, NULL)) 584 pdie("setgroups"); 585 } 586 587 if (j->flags.gid && setresgid(j->gid, j->gid, j->gid)) 588 pdie("setresgid"); 589 590 if (j->flags.uid && setresuid(j->uid, j->uid, j->uid)) 591 pdie("setresuid"); 592} 593 594void drop_caps(const struct minijail *j) 595{ 596 cap_t caps = cap_get_proc(); 597 cap_value_t flag[1]; 598 const uint64_t one = 1; 599 unsigned int i; 600 if (!caps) 601 die("can't get process caps"); 602 if (cap_clear_flag(caps, CAP_INHERITABLE)) 603 die("can't clear inheritable caps"); 604 if (cap_clear_flag(caps, CAP_EFFECTIVE)) 605 die("can't clear effective caps"); 606 if (cap_clear_flag(caps, CAP_PERMITTED)) 607 die("can't clear permitted caps"); 608 for (i = 0; i < sizeof(j->caps) * 8 && cap_valid((int)i); ++i) { 609 /* Keep CAP_SETPCAP for dropping bounding set bits. */ 610 if (i != CAP_SETPCAP && !(j->caps & (one << i))) 611 continue; 612 flag[0] = i; 613 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, flag, CAP_SET)) 614 die("can't add effective cap"); 615 if (cap_set_flag(caps, CAP_PERMITTED, 1, flag, CAP_SET)) 616 die("can't add permitted cap"); 617 if (cap_set_flag(caps, CAP_INHERITABLE, 1, flag, CAP_SET)) 618 die("can't add inheritable cap"); 619 } 620 if (cap_set_proc(caps)) 621 die("can't apply initial cleaned capset"); 622 623 /* 624 * Instead of dropping bounding set first, do it here in case 625 * the caller had a more permissive bounding set which could 626 * have been used above to raise a capability that wasn't already 627 * present. This requires CAP_SETPCAP, so we raised/kept it above. 628 */ 629 for (i = 0; i < sizeof(j->caps) * 8 && cap_valid((int)i); ++i) { 630 if (j->caps & (one << i)) 631 continue; 632 if (prctl(PR_CAPBSET_DROP, i)) 633 pdie("prctl(PR_CAPBSET_DROP)"); 634 } 635 636 /* If CAP_SETPCAP wasn't specifically requested, now we remove it. */ 637 if ((j->caps & (one << CAP_SETPCAP)) == 0) { 638 flag[0] = CAP_SETPCAP; 639 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, flag, CAP_CLEAR)) 640 die("can't clear effective cap"); 641 if (cap_set_flag(caps, CAP_PERMITTED, 1, flag, CAP_CLEAR)) 642 die("can't clear permitted cap"); 643 if (cap_set_flag(caps, CAP_INHERITABLE, 1, flag, CAP_CLEAR)) 644 die("can't clear inheritable cap"); 645 } 646 647 if (cap_set_proc(caps)) 648 die("can't apply final cleaned capset"); 649 650 cap_free(caps); 651} 652 653void set_seccomp_filter(const struct minijail *j) 654{ 655 /* 656 * Set no_new_privs. See </kernel/seccomp.c> and </kernel/sys.c> 657 * in the kernel source tree for an explanation of the parameters. 658 */ 659 if (j->flags.no_new_privs) { 660 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) 661 pdie("prctl(PR_SET_NO_NEW_PRIVS)"); 662 } 663 664 /* 665 * If we're logging seccomp filter failures, 666 * install the SIGSYS handler first. 667 */ 668 if (j->flags.seccomp_filter && j->flags.log_seccomp_filter) { 669 if (install_sigsys_handler()) 670 pdie("install SIGSYS handler"); 671 warn("logging seccomp filter failures"); 672 } 673 674 /* 675 * Install the syscall filter. 676 */ 677 if (j->flags.seccomp_filter) { 678 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, j->filter_prog)) 679 pdie("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)"); 680 } 681} 682 683void API minijail_enter(const struct minijail *j) 684{ 685 if (j->flags.pids) 686 die("tried to enter a pid-namespaced jail;" 687 "try minijail_run()?"); 688 689 if (j->flags.usergroups && !j->user) 690 die("usergroup inheritance without username"); 691 692 /* 693 * We can't recover from failures if we've dropped privileges partially, 694 * so we don't even try. If any of our operations fail, we abort() the 695 * entire process. 696 */ 697 if (j->flags.vfs && unshare(CLONE_NEWNS)) 698 pdie("unshare"); 699 700 if (j->flags.chroot && enter_chroot(j)) 701 pdie("chroot"); 702 703 if (j->flags.readonly && remount_readonly()) 704 pdie("remount"); 705 706 if (j->flags.caps) { 707 /* 708 * POSIX capabilities are a bit tricky. If we drop our 709 * capability to change uids, our attempt to use setuid() 710 * below will fail. Hang on to root caps across setuid(), then 711 * lock securebits. 712 */ 713 if (prctl(PR_SET_KEEPCAPS, 1)) 714 pdie("prctl(PR_SET_KEEPCAPS)"); 715 if (prctl 716 (PR_SET_SECUREBITS, SECURE_ALL_BITS | SECURE_ALL_LOCKS)) 717 pdie("prctl(PR_SET_SECUREBITS)"); 718 } 719 720 /* 721 * If we're setting no_new_privs, we can drop privileges 722 * before setting seccomp filter. This way filter policies 723 * don't need to allow privilege-dropping syscalls. 724 */ 725 if (j->flags.no_new_privs) { 726 drop_ugid(j); 727 if (j->flags.caps) 728 drop_caps(j); 729 730 set_seccomp_filter(j); 731 } else { 732 /* 733 * If we're not setting no_new_privs, 734 * we need to set seccomp filter *before* dropping privileges. 735 * WARNING: this means that filter policies *must* allow 736 * setgroups()/setresgid()/setresuid() for dropping root and 737 * capget()/capset()/prctl() for dropping caps. 738 */ 739 set_seccomp_filter(j); 740 741 drop_ugid(j); 742 if (j->flags.caps) 743 drop_caps(j); 744 } 745 746 /* 747 * seccomp has to come last since it cuts off all the other 748 * privilege-dropping syscalls :) 749 */ 750 if (j->flags.seccomp && prctl(PR_SET_SECCOMP, 1)) 751 pdie("prctl(PR_SET_SECCOMP)"); 752} 753 754/* TODO(wad) will visibility affect this variable? */ 755static int init_exitstatus = 0; 756 757void init_term(int __attribute__ ((unused)) sig) 758{ 759 _exit(init_exitstatus); 760} 761 762int init(pid_t rootpid) 763{ 764 pid_t pid; 765 int status; 766 /* so that we exit with the right status */ 767 signal(SIGTERM, init_term); 768 /* TODO(wad) self jail with seccomp_filters here. */ 769 while ((pid = wait(&status)) > 0) { 770 /* 771 * This loop will only end when either there are no processes 772 * left inside our pid namespace or we get a signal. 773 */ 774 if (pid == rootpid) 775 init_exitstatus = status; 776 } 777 if (!WIFEXITED(init_exitstatus)) 778 _exit(MINIJAIL_ERR_INIT); 779 _exit(WEXITSTATUS(init_exitstatus)); 780} 781 782int API minijail_from_fd(int fd, struct minijail *j) 783{ 784 size_t sz = 0; 785 size_t bytes = read(fd, &sz, sizeof(sz)); 786 char *buf; 787 int r; 788 if (sizeof(sz) != bytes) 789 return -EINVAL; 790 if (sz > USHRT_MAX) /* Arbitrary sanity check */ 791 return -E2BIG; 792 buf = malloc(sz); 793 if (!buf) 794 return -ENOMEM; 795 bytes = read(fd, buf, sz); 796 if (bytes != sz) { 797 free(buf); 798 return -EINVAL; 799 } 800 r = minijail_unmarshal(j, buf, sz); 801 free(buf); 802 return r; 803} 804 805int API minijail_to_fd(struct minijail *j, int fd) 806{ 807 char *buf; 808 size_t sz = minijail_size(j); 809 ssize_t written; 810 int r; 811 812 if (!sz) 813 return -EINVAL; 814 buf = malloc(sz); 815 r = minijail_marshal(j, buf, sz); 816 if (r) { 817 free(buf); 818 return r; 819 } 820 /* Sends [size][minijail]. */ 821 written = write(fd, &sz, sizeof(sz)); 822 if (written != sizeof(sz)) { 823 free(buf); 824 return -EFAULT; 825 } 826 written = write(fd, buf, sz); 827 if (written < 0 || (size_t) written != sz) { 828 free(buf); 829 return -EFAULT; 830 } 831 free(buf); 832 return 0; 833} 834 835int setup_preload(void) 836{ 837 char *oldenv = getenv(kLdPreloadEnvVar) ? : ""; 838 char *newenv = malloc(strlen(oldenv) + 2 + strlen(PRELOADPATH)); 839 if (!newenv) 840 return -ENOMEM; 841 842 /* Only insert a separating space if we have something to separate... */ 843 sprintf(newenv, "%s%s%s", oldenv, strlen(oldenv) ? " " : "", 844 PRELOADPATH); 845 846 /* setenv() makes a copy of the string we give it */ 847 setenv(kLdPreloadEnvVar, newenv, 1); 848 free(newenv); 849 return 0; 850} 851 852int setup_pipe(int fds[2]) 853{ 854 int r = pipe(fds); 855 char fd_buf[11]; 856 if (r) 857 return r; 858 r = snprintf(fd_buf, sizeof(fd_buf), "%d", fds[0]); 859 if (r <= 0) 860 return -EINVAL; 861 setenv(kFdEnvVar, fd_buf, 1); 862 return 0; 863} 864 865int API minijail_run(struct minijail *j, const char *filename, 866 char *const argv[]) 867{ 868 return minijail_run_pid_pipe(j, filename, argv, NULL, NULL); 869} 870 871int API minijail_run_pid(struct minijail *j, const char *filename, 872 char *const argv[], pid_t *pchild_pid) 873{ 874 return minijail_run_pid_pipe(j, filename, argv, pchild_pid, NULL); 875} 876 877int API minijail_run_pipe(struct minijail *j, const char *filename, 878 char *const argv[], int *pstdin_fd) 879{ 880 return minijail_run_pid_pipe(j, filename, argv, NULL, pstdin_fd); 881} 882 883int API minijail_run_pid_pipe(struct minijail *j, const char *filename, 884 char *const argv[], pid_t *pchild_pid, 885 int *pstdin_fd) 886{ 887 char *oldenv, *oldenv_copy = NULL; 888 pid_t child_pid; 889 int pipe_fds[2]; 890 int stdin_fds[2]; 891 int ret; 892 /* We need to remember this across the minijail_preexec() call. */ 893 int pid_namespace = j->flags.pids; 894 895 oldenv = getenv(kLdPreloadEnvVar); 896 if (oldenv) { 897 oldenv_copy = strdup(oldenv); 898 if (!oldenv_copy) 899 return -ENOMEM; 900 } 901 902 if (setup_preload()) 903 return -EFAULT; 904 905 /* 906 * Before we fork(2) and execve(2) the child process, we need to open 907 * a pipe(2) to send the minijail configuration over. 908 */ 909 if (setup_pipe(pipe_fds)) 910 return -EFAULT; 911 912 /* 913 * If we want to write to the child process' standard input, 914 * create the pipe(2) now. 915 */ 916 if (pstdin_fd) { 917 if (pipe(stdin_fds)) 918 return -EFAULT; 919 } 920 921 /* Use sys_clone() if and only if we're creating a pid namespace. 922 * 923 * tl;dr: WARNING: do not mix pid namespaces and multithreading. 924 * 925 * In multithreaded programs, there are a bunch of locks inside libc, 926 * some of which may be held by other threads at the time that we call 927 * minijail_run_pid(). If we call fork(), glibc does its level best to 928 * ensure that we hold all of these locks before it calls clone() 929 * internally and drop them after clone() returns, but when we call 930 * sys_clone(2) directly, all that gets bypassed and we end up with a 931 * child address space where some of libc's important locks are held by 932 * other threads (which did not get cloned, and hence will never release 933 * those locks). This is okay so long as we call exec() immediately 934 * after, but a bunch of seemingly-innocent libc functions like setenv() 935 * take locks. 936 * 937 * Hence, only call sys_clone() if we need to, in order to get at pid 938 * namespacing. If we follow this path, the child's address space might 939 * have broken locks; you may only call functions that do not acquire 940 * any locks. 941 * 942 * Unfortunately, fork() acquires every lock it can get its hands on, as 943 * previously detailed, so this function is highly likely to deadlock 944 * later on (see "deadlock here") if we're multithreaded. 945 * 946 * We might hack around this by having the clone()d child (init of the 947 * pid namespace) return directly, rather than leaving the clone()d 948 * process hanging around to be init for the new namespace (and having 949 * its fork()ed child return in turn), but that process would be crippled 950 * with its libc locks potentially broken. We might try fork()ing in the 951 * parent before we clone() to ensure that we own all the locks, but 952 * then we have to have the forked child hanging around consuming 953 * resources (and possibly having file descriptors / shared memory 954 * regions / etc attached). We'd need to keep the child around to avoid 955 * having its children get reparented to init. 956 * 957 * TODO(ellyjones): figure out if the "forked child hanging around" 958 * problem is fixable or not. It would be nice if we worked in this 959 * case. 960 */ 961 if (pid_namespace) 962 child_pid = syscall(SYS_clone, CLONE_NEWPID | SIGCHLD, NULL); 963 else 964 child_pid = fork(); 965 966 if (child_pid < 0) { 967 free(oldenv_copy); 968 return child_pid; 969 } 970 971 if (child_pid) { 972 /* Restore parent's LD_PRELOAD. */ 973 if (oldenv_copy) { 974 setenv(kLdPreloadEnvVar, oldenv_copy, 1); 975 free(oldenv_copy); 976 } else { 977 unsetenv(kLdPreloadEnvVar); 978 } 979 unsetenv(kFdEnvVar); 980 981 j->initpid = child_pid; 982 983 /* Send marshalled minijail. */ 984 close(pipe_fds[0]); /* read endpoint */ 985 ret = minijail_to_fd(j, pipe_fds[1]); 986 close(pipe_fds[1]); /* write endpoint */ 987 if (ret) { 988 kill(j->initpid, SIGKILL); 989 die("failed to send marshalled minijail"); 990 } 991 992 if (pchild_pid) 993 *pchild_pid = child_pid; 994 995 /* 996 * If we want to write to the child process' standard input, 997 * set up the write end of the pipe. 998 */ 999 if (pstdin_fd) { 1000 close(stdin_fds[0]); /* read endpoint */ 1001 *pstdin_fd = stdin_fds[1]; 1002 } 1003 1004 return 0; 1005 } 1006 free(oldenv_copy); 1007 1008 /* 1009 * If we want to write to the jailed process' standard input, 1010 * set up the read end of the pipe. 1011 */ 1012 if (pstdin_fd) { 1013 close(stdin_fds[1]); /* write endpoint */ 1014 /* dup2(2) the read end of the pipe into stdin. */ 1015 if (dup2(stdin_fds[0], 0)) 1016 die("failed to set up stdin pipe"); 1017 } 1018 1019 /* Drop everything that cannot be inherited across execve. */ 1020 minijail_preexec(j); 1021 /* Jail this process and its descendants... */ 1022 minijail_enter(j); 1023 1024 if (pid_namespace) { 1025 /* 1026 * pid namespace: this process will become init inside the new 1027 * namespace, so fork off a child to actually run the program 1028 * (we don't want all programs we might exec to have to know 1029 * how to be init). 1030 * 1031 * If we're multithreaded, we'll probably deadlock here. See 1032 * WARNING above. 1033 */ 1034 child_pid = fork(); 1035 if (child_pid < 0) 1036 _exit(child_pid); 1037 else if (child_pid > 0) 1038 init(child_pid); /* never returns */ 1039 } 1040 1041 /* 1042 * If we aren't pid-namespaced: 1043 * calling process 1044 * -> execve()-ing process 1045 * If we are: 1046 * calling process 1047 * -> init()-ing process 1048 * -> execve()-ing process 1049 */ 1050 _exit(execve(filename, argv, environ)); 1051} 1052 1053int API minijail_kill(struct minijail *j) 1054{ 1055 int st; 1056 if (kill(j->initpid, SIGTERM)) 1057 return -errno; 1058 if (waitpid(j->initpid, &st, 0) < 0) 1059 return -errno; 1060 return st; 1061} 1062 1063int API minijail_wait(struct minijail *j) 1064{ 1065 int st; 1066 if (waitpid(j->initpid, &st, 0) < 0) 1067 return -errno; 1068 1069 if (!WIFEXITED(st)) { 1070 if (WIFSIGNALED(st)) 1071 warn("child process received signal %d", WTERMSIG(st)); 1072 return MINIJAIL_ERR_JAIL; 1073 } 1074 1075 int exit_status = WEXITSTATUS(st); 1076 if (exit_status != 0) 1077 info("child process exited with status %d", exit_status); 1078 1079 return exit_status; 1080} 1081 1082void API minijail_destroy(struct minijail *j) 1083{ 1084 if (j->flags.seccomp_filter && j->filter_prog) { 1085 free(j->filter_prog->filter); 1086 free(j->filter_prog); 1087 } 1088 while (j->bindings_head) { 1089 struct binding *b = j->bindings_head; 1090 j->bindings_head = j->bindings_head->next; 1091 free(b->dest); 1092 free(b->src); 1093 free(b); 1094 } 1095 j->bindings_tail = NULL; 1096 if (j->user) 1097 free(j->user); 1098 if (j->chrootdir) 1099 free(j->chrootdir); 1100 free(j); 1101} 1102