1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
|
/*
* Copyright (C) 2013 University of Szeged
* Copyright (C) 2013 Renata Hodovan <reni@inf.u-szeged.hu>
* All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
* License as published by the Free Software Foundation; either
* version 2 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Library General Public License for more details.
*
* You should have received a copy of the GNU Library General Public License
* along with this library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
* Boston, MA 02110-1301, USA.
*/
#include "SandboxEnvironmentLinux.h"
#include <dirent.h>
#include <dlfcn.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <limits.h>
#include <link.h>
#include <pwd.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/capability.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <utime.h>
#include <vector>
static const unsigned maximumPathLength = 512;
static char sandboxDirectory[maximumPathLength];
static uid_t sandboxUserUID;
static uid_t sandboxUserGID;
static inline void strlcpy(char *destination, const char* source, int maxLength)
{
destination[0] = '\0';
strncat(destination, source, maxLength - 1);
}
static inline void strlcat(char* destination, const char* source, int maxLength)
{
strncat(destination, source, maxLength - 1 - strnlen(destination, maxLength - 1));
}
static inline void appendDirectoryComponent(char* fullPath, const char* directoryPath, const char* fileName)
{
strlcpy(fullPath, directoryPath, maximumPathLength);
strlcat(fullPath, fileName, maximumPathLength);
}
// This function runs in a cloned process and it is waiting for a request message
// from WebProcess to perform the chroot(). If the operation was successful the function
// never returns. So this function has no return value.
static void launchChangeRootHelper(int helperSocket, int webProcessSocket)
{
// We need to restrict the resources available to our process to avoid opening
// a file by mistake. However, CAP_SYS_RESOURCE capability should be dropped
// otherwise it won't work.
struct rlimit restrictedResource = { 0, 0 };
if (setrlimit(RLIMIT_NOFILE, &restrictedResource) == -1) {
fprintf(stderr, "Helper couldn't set the resource limit: %s.\n", strerror(errno));
return;
}
if (close(webProcessSocket) == -1) {
fprintf(stderr, "Failed to close socket %d: %s.\n", webProcessSocket, strerror(errno));
return;
}
char message;
// We expect a 'C' (ChrootMe) message from the WebProcess.
if (read(helperSocket, &message, 1) != 1) {
fprintf(stderr, "Failed to read message from the web process: %s %d.\n", strerror(errno), errno);
return;
}
if (message != MSG_CHROOTME) {
fprintf(stderr, "Wrong message recieved: %x.\n", message);
return;
}
struct stat sandboxDirectoryInfo;
if (lstat(sandboxDirectory, &sandboxDirectoryInfo) == -1) {
fprintf(stderr, "Sandbox directory (%s) is not available: %s.\n", sandboxDirectory, strerror(errno));
return;
}
if (!S_ISDIR(sandboxDirectoryInfo.st_mode)) {
fprintf(stderr, "%s is not a directory!\n", sandboxDirectory);
return;
}
if (chroot(sandboxDirectory) == -1) {
fprintf(stderr, "Chrooting failed: %s.\n", strerror(errno));
return;
}
// Chroot only changes the root directory of the calling process but doesn't change
// the current working directory. Therefore, if we don't do it manually a malicious user
// could break out the jail with relative paths.
if (chdir("/") == -1) {
fprintf(stderr, "Couldn't change the working directory to /.: %s\n", strerror(errno));
return;
}
// Sending acknowledgement to the WebProcess that the sandboxing was successfull.
message = MSG_CHROOTED;
if (write(helperSocket, &message, 1) != 1) {
fprintf(stderr, "Couldn't send acknowledgement to WebProcess: %s.\n", strerror(errno));
return;
}
exit(EXIT_SUCCESS);
}
static bool setEnvironmentVariablesForChangeRootHelper(pid_t pid, int helperSocket, int webProcessSocket)
{
const int descriptorSize = 32;
char socketDescriptor[descriptorSize];
char sandboxHelperPID[descriptorSize];
int length = snprintf(sandboxHelperPID, sizeof(sandboxHelperPID), "%u", pid);
if (length < 0 || length >= sizeof(sandboxHelperPID)) {
fprintf(stderr, "Failed to convert the sandbox helper PID to a string.\n");
return false;
}
if (setenv(SANDBOX_HELPER_PID, sandboxHelperPID, 1) == -1) {
fprintf(stderr, "Couldn't set the SBX_HELPER_PID environment variable: %s\n", strerror(errno));
return false;
}
length = snprintf(socketDescriptor, sizeof(socketDescriptor), "%u", webProcessSocket);
if (length < 0 || length >= sizeof(socketDescriptor)) {
fprintf(stderr, "Failed to convert the sandbox helper file descriptor to a string.\n");
return false;
}
if (setenv(SANDBOX_DESCRIPTOR, socketDescriptor, 1) == -1) {
fprintf(stderr, "Failed to store the helper's file descriptor into an environment variable: %s.\n", strerror(errno));
return false;
}
if (close(helperSocket) == -1) {
fprintf(stderr, "Closing of %d failed: %s.\n", helperSocket, strerror(errno));
return false;
}
return true;
}
static bool prepareAndStartChangeRootHelper()
{
int socketPair[2];
if (socketpair(AF_UNIX, SOCK_STREAM, 0, socketPair) == -1) {
fprintf(stderr, "Couldn't create socketpair: %s\n", strerror(errno));
return false;
}
pid_t pid = syscall(SYS_clone, CLONE_FS | SIGCHLD, 0, 0, 0);
if (pid == -1) {
fprintf(stderr, "Clone failed: %s\n", strerror(errno));
return false;
}
if (!pid) {
// Child process: we start the chroot helper which waits for the "ChrootMe"
// message from the WebProcess. If we are successed, then we won't return.
launchChangeRootHelper(socketPair[0], socketPair[1]);
// We reach this part only if launchChrootHelper() failed, instead it should have exited.
exit(EXIT_FAILURE);
return false;
}
// Parent process: exports the pid of the helper and the socket id so the
// helper and the WebProcess can communicate.
return setEnvironmentVariablesForChangeRootHelper(pid, socketPair[0], socketPair[1]);
}
// Setting linux capabilities (permitted, effective and inheritable) for the current process.
// Permitted set indicates the capabilities what could be set for the process.
// Effective set is a subset of permitted set, they are actually effective.
// Inheritable set indicates the capabilities what the children will inherit from the current process.
static bool setCapabilities(cap_value_t* capabilityList, int length)
{
// Capabilities should be initialized without flags.
cap_t capabilities = cap_init();
if (!capabilities) {
fprintf(stderr, "Failed to initialize process capabilities: %s.\n", strerror(errno));
return false;
}
if (cap_clear(capabilities) == -1) {
fprintf(stderr, "Failed to clear process capabilities: %s.\n", strerror(errno));
return false;
}
if (capabilityList && length) {
if (cap_set_flag(capabilities, CAP_EFFECTIVE, length, capabilityList, CAP_SET) == -1
|| cap_set_flag(capabilities, CAP_INHERITABLE, length, capabilityList, CAP_SET) == -1
|| cap_set_flag(capabilities, CAP_PERMITTED, length, capabilityList, CAP_SET) == -1) {
fprintf(stderr, "Failed to set process capability flags: %s.\n", strerror(errno));
cap_free(capabilities);
return false;
}
}
if (cap_set_proc(capabilities) == -1) {
fprintf(stderr, "Failed to set process capabilities: %s.\n", strerror(errno));
cap_free(capabilities);
return false;
}
cap_free(capabilities);
return true;
}
static bool dropPrivileges()
{
// We become explicitely non dumpable.
if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) {
fprintf(stderr, "Setting dumpable is failed: %s\n", strerror(errno));
return false;
}
if (setresgid(sandboxUserGID, sandboxUserGID, sandboxUserGID) == -1) {
fprintf(stderr, "Failed to fallback to group: %d.\n", sandboxUserGID);
return false;
}
if (setresuid(sandboxUserUID, sandboxUserUID, sandboxUserUID) == -1) {
fprintf(stderr, "Failed to fallback to user: %d.\n", sandboxUserUID);
return false;
}
// Drop all capabilities. Again, setuid() normally takes care of this if we had euid 0.
return setCapabilities(0, 0);
}
static bool fileExists(const char* path)
{
struct stat fileStat;
if (lstat(path, &fileStat) == -1) {
if (errno == ENOENT)
return false;
}
return true;
}
static mode_t directoryPermissions(const char* directory)
{
struct stat fileStat;
if (lstat(directory, &fileStat) == -1) {
fprintf(stderr, "Failed to obtain information about directory (%s): %s\n", directory, strerror(errno));
return false;
}
return fileStat.st_mode;
}
static bool createDirectory(char* pathToCreate, const char* nextDirectoryToCreate)
{
strlcat(pathToCreate, nextDirectoryToCreate, maximumPathLength);
char pathToCreateInSandbox[maximumPathLength];
appendDirectoryComponent(pathToCreateInSandbox, sandboxDirectory, pathToCreate);
mode_t mode = directoryPermissions(pathToCreate);
if (mkdir(pathToCreateInSandbox, mode) == -1) {
if (errno != EEXIST) {
fprintf(stderr, "Creation of %s failed: %s\n", pathToCreateInSandbox, strerror(errno));
return false;
}
}
struct stat fileInfo;
if (lstat(pathToCreate, &fileInfo) == -1) {
fprintf(stderr, "Couldn't obtain information about directory (%s): %s\n", pathToCreate, strerror(errno));
return false;
}
if (fileInfo.st_uid == getuid()) {
if (chown(pathToCreateInSandbox, sandboxUserUID, sandboxUserGID) == -1) {
fprintf(stderr, "Failed to assign the ownership of %s to the sandbox user: %s.\n", pathToCreateInSandbox, strerror(errno));
return false;
}
}
if (chmod(pathToCreateInSandbox, fileInfo.st_mode) == -1) {
fprintf(stderr, "Failed to set the permissions of %s: %s.\n", pathToCreateInSandbox, strerror(errno));
return false;
}
return true;
}
// This function creates a directory chain with the given path.
// First, it splits up the path by '/'-s and walks through the chunks from the base directory.
// It checks the existance of the actual path and creates it if it doesn't exist yet.
static bool createDirectoryChain(const char* path)
{
char fullPathInSandbox[maximumPathLength];
appendDirectoryComponent(fullPathInSandbox, sandboxDirectory, path);
if (fileExists(fullPathInSandbox))
return true;
char alreadyCreatedPath[maximumPathLength];
alreadyCreatedPath[0] = '\0';
// startPos is (path + 1) because we skip the first '/'.
const char* startPos = path + 1;
const char* endPos;
while ((endPos = strchr(startPos, '/'))) {
char nextDirectoryToCreate[maximumPathLength];
strlcpy(nextDirectoryToCreate, startPos - 1, strnlen(startPos - 1, endPos - startPos + 1) + 1);
if (!createDirectory(alreadyCreatedPath, nextDirectoryToCreate))
return false;
startPos = endPos + 1;
}
// Create the last directory of the directory path.
alreadyCreatedPath[0] = '\0';
return createDirectory(alreadyCreatedPath, path);
}
static bool createDeviceFiles()
{
const char* devDirectory = "/dev";
if (!createDirectoryChain(devDirectory))
return false;
const char* devices[2] = { "/dev/random", "/dev/urandom" };
for (int i = 0; i < sizeof(devices) / sizeof(devices[0]); ++i) {
struct stat status;
if (lstat(devices[i], &status)) {
fprintf(stderr, "Failed to stat device file (%s): %s\n", devices[i], strerror(errno));
return false;
}
dev_t dev = status.st_rdev;
// Both needed device files (/dev/random and /dev/urandom) are character m_devices and their permissions should be: rw-rw-rw-.
char device[maximumPathLength];
appendDirectoryComponent(device, sandboxDirectory, devices[i]);
if (mknod(device, S_IFCHR | S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH, makedev(major(dev), minor(dev))) == -1) {
if (errno != EEXIST) {
fprintf(stderr, "Couldn't create device file %s: %s\n", device, strerror(errno));
return false;
}
}
}
return true;
}
static bool mountFileSystems()
{
const char* procPath = "/proc";
if (!createDirectoryChain(procPath))
return false;
char procPathInSandbox[maximumPathLength];
appendDirectoryComponent(procPathInSandbox, sandboxDirectory, procPath);
if (mount(procPath, procPathInSandbox, "proc", 0, 0) == -1) {
if (errno != EBUSY) {
fprintf(stderr, "Failed to mount '%s': %s\n", procPath, strerror(errno));
return false;
}
}
const char* sharedMemoryPath = "/run/shm";
if (!createDirectoryChain(sharedMemoryPath)) {
fprintf(stderr, "Failed to create directory for /run/shm in the sandbox: %s.\n", strerror(errno));
return false;
}
char sharedMemoryPathInSandbox[maximumPathLength];
appendDirectoryComponent(sharedMemoryPathInSandbox, sandboxDirectory, sharedMemoryPath);
if (mount(sharedMemoryPath, sharedMemoryPathInSandbox, "tmpfs", 0, 0) == -1) {
if (errno != EBUSY) {
fprintf(stderr, "Failed to mount '%s': %s.\n", sharedMemoryPath, strerror(errno));
return false;
}
}
return true;
}
static bool linkFile(const char* sourceFile, const char* targetFile)
{
char oldPath[maximumPathLength];
char targetPath[maximumPathLength];
strlcpy(oldPath, sourceFile, maximumPathLength);
strlcpy(targetPath, targetFile, maximumPathLength);
while (true) {
struct stat fileInfo;
if (lstat(oldPath, &fileInfo) == -1) {
if (errno != ENOENT) {
fprintf(stderr, "Couldn't obtain information about %s: %s\n", oldPath, strerror(errno));
return false;
}
// If the original file doesn't exist (e.g. dangling links) then we can ignore it
// in the sandbox too.
return true;
}
const char* endOfBaseDirectoryInSource = strrchr(oldPath, '/');
if (!endOfBaseDirectoryInSource) {
fprintf(stderr, "Invalid source: %s.\n", oldPath);
return false;
}
char baseDirectoryOfSource[maximumPathLength];
// To determine the length of the base directory we have to consider the tailing
// slash (+1) and adding plus one because strlcpy() copies (maxLength - 1) characters
// from the source.
strlcpy(baseDirectoryOfSource, oldPath, endOfBaseDirectoryInSource - oldPath + 2);
if (!createDirectoryChain(baseDirectoryOfSource)) {
fprintf(stderr, "Creating %s failed: %s.\n", baseDirectoryOfSource, strerror(errno));
return false;
}
if (link(oldPath, targetPath) == -1) {
if (errno != EEXIST && errno != ENOENT) {
fprintf(stderr, "Linking %s failed: %s.\n", oldPath, strerror(errno));
return false;
}
}
// Handle symlinks. We don't want to have dangling links in the sandbox. So we have to
// follow them and put the whole link chain into the sandbox.
if ((fileInfo.st_mode & S_IFMT) != S_IFLNK)
break;
char symlinkTarget[maximumPathLength];
int lengthOfTheLink = readlink(oldPath, symlinkTarget, sizeof(symlinkTarget) - 1);
if (lengthOfTheLink > 0)
symlinkTarget[lengthOfTheLink] = '\0';
char symlinkTargetInRealWorld[maximumPathLength];
char symlinkTargetInSandbox[maximumPathLength];
// Making difference between relative and absolute paths.
// If the symlinks target starts with '/' then we have nothing to do with it.
// Otherwise it's a relative path and we have to concatenate it to the current
// path to obtain the target.
if (symlinkTarget[0] == '/') {
strlcpy(symlinkTargetInRealWorld, symlinkTarget, maximumPathLength);
appendDirectoryComponent(symlinkTargetInSandbox, sandboxDirectory, symlinkTarget);
} else {
appendDirectoryComponent(symlinkTargetInRealWorld, baseDirectoryOfSource, symlinkTarget);
appendDirectoryComponent(symlinkTargetInSandbox, sandboxDirectory, symlinkTargetInRealWorld);
}
// Initialize oldPath and targetPath variables for the next loop of while.
oldPath[0] = '\0';
targetPath[0] = '\0';
strlcat(oldPath, symlinkTargetInRealWorld, maximumPathLength);
strlcat(targetPath, symlinkTargetInSandbox, maximumPathLength);
}
return true;
}
// This function extends the standard link function by linking directories and all their contents
// and subdirectories recursively.
static bool linkDirectory(const char* sourceDirectoryPath, const char* targetDirectoryPath)
{
if (!createDirectoryChain(sourceDirectoryPath))
return false;
DIR* directory = opendir(sourceDirectoryPath);
if (!directory) {
fprintf(stderr, "Couldn't open directory %s: %s\n", sourceDirectoryPath, strerror(errno));
return false;
}
while (struct dirent *directoryInfo = readdir(directory)) {
char* fileName = directoryInfo->d_name;
// We must not link '.' and ".." into the sandbox.
if (!strcmp(fileName, ".") || !strcmp(fileName, ".."))
continue;
char sourceFile[maximumPathLength];
char targetFile[maximumPathLength];
appendDirectoryComponent(sourceFile, sourceDirectoryPath, fileName);
appendDirectoryComponent(targetFile, targetDirectoryPath, fileName);
bool returnValue;
if (directoryInfo->d_type == DT_DIR) {
strncat(sourceFile, "/", 1);
strncat(targetFile, "/", 1);
returnValue = linkDirectory(sourceFile, targetFile);
} else
returnValue = linkFile(sourceFile, targetFile);
if (!returnValue)
return false;
}
// Restore the original modification time of the directories because
// it could have meaning e.g. in the hash generation of cache files.
struct stat fileStat;
if (lstat(sourceDirectoryPath, &fileStat) == -1) {
fprintf(stderr, "Failed to obtain information about the directory '%s': %s\n", sourceDirectoryPath, strerror(errno));
return false;
}
struct utimbuf times;
times.actime = fileStat.st_atime;
times.modtime = fileStat.st_mtime;
if (utime(targetDirectoryPath, ×) == -1) {
fprintf(stderr, "Couldn't set back the last modification time of '%s': %s\n", targetDirectoryPath, strerror(errno));
return false;
}
return true;
}
static bool collectRunTimeDependencies()
{
// The list of empirically gathered library dependencies.
const char* runtimeDependencies[] = {
"libnss_dns.so",
"libresolv.so",
"libssl.so",
"libcrypto.so"
};
for (int i = 0; i < sizeof(runtimeDependencies) / sizeof(runtimeDependencies[0]); ++i) {
// To obtain the path of the runtime dependencies we open them with dlopen.
// With the handle supplied by dlopen we can obtain information about the dynamically
// linked libraries, so the path where are they installed.
void* handle = dlopen(runtimeDependencies[i], RTLD_LAZY);
if (!handle) {
fprintf(stderr, "Couldn't get the handler of %s: %s\n", runtimeDependencies[i], dlerror());
return false;
}
struct link_map* linkMap;
if (dlinfo(handle, RTLD_DI_LINKMAP, &linkMap) == -1) {
fprintf(stderr, "Couldn't get information about %s: %s\n", runtimeDependencies[i], dlerror());
return false;
}
if (!linkMap) {
fprintf(stderr, "Couldn't get the linkmap of %s: %s.\n", runtimeDependencies[i], strerror(errno));
return false;
}
char pathOfTheLibraryInSandbox[maximumPathLength];
appendDirectoryComponent(pathOfTheLibraryInSandbox, sandboxDirectory, linkMap->l_name);
if (!linkFile(linkMap->l_name, pathOfTheLibraryInSandbox)) {
fprintf(stderr, "Linking runtime dependency: %s failed: %s\n", linkMap->l_name, strerror(errno));
dlclose(handle);
return false;
}
dlclose(handle);
}
return true;
}
static bool setupXauthorityForNobodyUser()
{
// To be able use X inside the sandbox an .Xauthority file must be exist inside it,
// owned by the sandboxuser. Furthermore, XAUTHORITY environment variable must point to it.
char buffer[BUFSIZ];
size_t size;
struct passwd* realUser = getpwuid(getuid());
if (!realUser) {
fprintf(stderr, "Couldn't obtain the current user: %s\n", strerror(errno));
return false;
}
char xauthorityOfRealUser[maximumPathLength];
char xauthorityInSandbox[maximumPathLength];
appendDirectoryComponent(xauthorityOfRealUser, realUser->pw_dir, "/.Xauthority");
appendDirectoryComponent(xauthorityInSandbox, sandboxDirectory, xauthorityOfRealUser);
FILE* source = fopen(xauthorityOfRealUser, "rb");
if (!source) {
fprintf(stderr, "Couldn't open %s: %s\n", xauthorityOfRealUser, strerror(errno));
return false;
}
FILE* dest = fopen(xauthorityInSandbox, "wb");
if (!dest) {
fprintf(stderr, "Couldn't open %s: %s\n", xauthorityInSandbox, strerror(errno));
return false;
}
// We copy the .Xauthority file of the real user (instead of linking) because 'nobody' user
// should own it but we don't want to change the permissions of the original file.
while ((size = fread(buffer, 1, BUFSIZ, source))) {
if (fwrite(buffer, 1, size, dest) != size) {
fprintf(stderr, "Failed to copy .Xauthority to the sandbox: %s.\n", strerror(errno));
return false;
}
}
if (fclose(source)) {
fprintf(stderr, "Closing the .Xauthority file of the real user failed: %s\n", strerror(errno));
return false;
}
if (fclose(dest)) {
fprintf(stderr, "Closing the .Xauthority file of the sandbox user failed: %s\n", strerror(errno));
return false;
}
if (chown(xauthorityInSandbox, sandboxUserUID, sandboxUserGID) == -1) {
fprintf(stderr, "Chowning .Xauthority (%s) failed: %s.\n", xauthorityInSandbox, strerror(errno));
return false;
}
if (setenv("XAUTHORITY", xauthorityInSandbox, 1) == -1) {
fprintf(stderr, "Couldn't set the XAUTHORITY envrionment variable: %s\n", strerror(errno));
return false;
}
return true;
}
static bool initializeSandbox()
{
// Create the sandbox directory. We only need to enter it, so
// the executable permission is needed only.
if (mkdir(sandboxDirectory, S_IFDIR | S_IXUSR | S_IXOTH) == -1) {
if (errno != EEXIST) {
fprintf(stderr, "Couldn't create the sandbox directory: %s\n", strerror(errno));
return false;
}
}
if (!createDeviceFiles())
return false;
if (!mountFileSystems())
return false;
// Hard link cache and font directories into the sandbox environment.
struct passwd* userInfo = getpwuid(getuid());
const char* home = userInfo->pw_dir;
char localDirectory[maximumPathLength];
char cacheDirectory[maximumPathLength];
char fontDirectory[maximumPathLength];
appendDirectoryComponent(localDirectory, home, "/.local/share/");
appendDirectoryComponent(cacheDirectory, home, "/.cache/");
appendDirectoryComponent(fontDirectory, home, "/.fontconfig/");
const char* linkedDirectories[] = {
cacheDirectory,
fontDirectory,
localDirectory,
"/etc/fonts/",
"/etc/ssl/certs/",
"/var/cache/fontconfig/",
"/usr/share/fonts/"
};
for (int i = 0; i < sizeof(linkedDirectories) / sizeof(linkedDirectories[0]); ++i) {
char linkedDirectoryInSandbox[maximumPathLength];
appendDirectoryComponent(linkedDirectoryInSandbox, sandboxDirectory, linkedDirectories[i]);
if (!linkDirectory(linkedDirectories[i], linkedDirectoryInSandbox))
return false;
}
if (!setupXauthorityForNobodyUser())
return false;
return collectRunTimeDependencies();
}
static bool restrictCapabilities()
{
// Capabilities we need.
// CAP_SYS_ADMIN capabilty is added because cloning with CLONE_NEWPID flag later will need it.
cap_value_t capabilityList[] = { CAP_SETUID, CAP_SETGID, CAP_SYS_ADMIN, CAP_SYS_CHROOT};
// Reduce capabilities to what we need.
// Although we still have root euid and we keep root equivalent capabilities,
// we removed (= didn't add) CAP_SYS_RESSOURCE capabilites and this resulted that
// the setrlimit function with RLIMIT_NOFILE will be effective later.
if (!setCapabilities(capabilityList, sizeof(capabilityList) / sizeof(capabilityList[0]))) {
fprintf(stderr, "Could not adjust process capabilities: %s.\n", strerror(errno));
return false;
}
return true;
}
static bool moveToNewPIDNamespace()
{
// CLONE_NEWPID and CLONE_FS should be in that order.
// We can't share filesystems accross namespaces.
int status;
pid_t expectedPID;
pid_t pid = syscall(SYS_clone, CLONE_NEWPID | SIGCHLD, 0, 0, 0);
if (pid == -1) {
fprintf(stderr, "Cloning is failed: %s\n", strerror(errno));
return false;
}
if (!pid) {
// Child should run with pid number 1 in the new namespace.
if (getpid() != 1) {
fprintf(stderr, "Couldn't create a new PID namespace.\n");
return false;
}
return true;
}
// We are waiting for our child (WebProcess).
// If this wait is successful it means that our child is terminated.
expectedPID = waitpid(pid, &status, 0);
if (expectedPID != pid) {
fprintf(stderr, "Process with PID %d terminated instead of the expected one with PID %d: %s.\n", expectedPID, pid, strerror(errno));
exit(EXIT_FAILURE);
}
if (WIFEXITED(status))
exit(WEXITSTATUS(status));
exit(EXIT_SUCCESS);
}
static bool run(int argc, char *const argv[])
{
struct passwd* userInfo = getpwuid(getuid());
if (!userInfo) {
fprintf(stderr, "Couldn't get the current user: %s.\n", strerror(errno));
return false;
}
appendDirectoryComponent(sandboxDirectory, userInfo->pw_dir, "/.wk2-sandbox");
// Currently we use 'nobody' user as the sandbox user and fall back to the real user
// if we failed to get it (we could extend this in the future with a specific restricted user).
if (struct passwd* nobodyUser = getpwnam("nobody")) {
sandboxUserUID = nobodyUser->pw_uid;
sandboxUserGID = nobodyUser->pw_gid;
} else {
sandboxUserUID = getuid();
sandboxUserGID = getgid();
}
// We should have three parameters:
// path_of_this_binary path_of_the_webprocess socket_to_communicate_with_uiprocess
if (argc != 3) {
fprintf(stderr, "Starting SandboxProcess requires 3 parameters!\n");
return false;
}
// SandboxProcess should be run with suid flag ...
if (geteuid()) {
fprintf(stderr, "The sandbox is not seteuid root.\n");
return false;
}
// ... but not as root (not with sudo).
if (!getuid()) {
fprintf(stderr, "The sandbox is not designed to be run by root.\n");
return false;
}
if (!initializeSandbox())
return false;
if (!restrictCapabilities())
return false;
// We move ourself and our children into a new PID namespace,
// where process IDs start from 0 again.
if (!moveToNewPIDNamespace())
return false;
// Starting a helper what will waiting for the "chrootme" message from WebProcess.
if (!prepareAndStartChangeRootHelper())
return false;
// We don't need any special privileges anymore.
if (!dropPrivileges())
return false;
// Sanity check: if our effective or real uid/gid is still 0 (root) or
// we can set any of them to 0, then the dropping of privileges is failed.
// We ensure here that we cannot set root id after here.
if (!geteuid() || !getegid() || !setuid(0) || !setgid(0)) {
fprintf(stderr, "Dropping privileges failed!\n");
return false;
}
// Start the WebProcess.
if (execl(argv[1], argv[1], argv[2], reinterpret_cast<char*>(0)) == -1) {
fprintf(stderr, "Couldn't start WebProcess: %s\n", strerror(errno));
return false;
}
return true;
}
int main(int argc, char *const argv[])
{
return run(argc, argv) ? 0 : 1;
}
|
