minijail_main.cc - vendor/google/minijail - Git at Google

 // Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 // Some portions Copyright (c) 2011 The Chromium Authors.
 //
 // Driver program for applying a minijail from the commandline to
 // a process and its children (depending on the feature).

 #include "minijail/minijail.h"

 #include <errno.h>
 #include <grp.h>
 #include <linux/capability.h>
 #include <pwd.h>
 #include <stdio.h>
 #include <sys/prctl.h>
 #include <sys/types.h>
 #include <unistd.h>

 #include <iostream>
 #include <new>
 #include <string>
 #include <vector>

 #include <base/basictypes.h>
 #include <base/command_line.h>
 #include <base/logging.h>
 #include <base/string_number_conversions.h>
 #include <base/string_util.h>

 namespace switches {
 static const char kAddReadonlyMounts[] = "add-readonly-mounts";
 static const char kDisableTracing[] = "disable-tracing";
 static const char kEnforceSyscallsBenchmark[] = "enforce-syscall-benchmark";
 static const char kEnforceSyscallsBySource[] = "enforce-syscall-by-source";
 static const char kGid[] = "gid";
 static const char kNamespaceVfs[] = "namespace-vfs";
 static const char kNamespacePid[] = "namespace-pid";
 static const char kSanitizeEnvironment[] = "sanitize-environment";
 static const char kUid[] = "uid";
 static const char kUseCapabilities[] = "use-capabilities";
 static const char kHelp[] = "help";

 static const char kHelpMessage[] = "Available Switches:\n"
 "  --add-readonly-mounts\n"
 "    Mounts a read-only /proc. (implies namespace-vfs)\n"
 "    (TODO other read-only/special mounts)\n"
 "  --disable-tracing\n"
 "    Disables ptrace() and core dumps.\n"
 "    This may break debugging helpers\n"
 "  --enforce-syscall-benchmark\n"
 "    Runs system call filtering in a pass-through capacity only for\n"
 "    benchmarking\n"
 "  --enforce-syscall-by-source\n"
 "    Enables kernel enforcement that system calls originate from read-only\n"
 "    memory areas\n"
 "  --gid [number]\n"
 "    Numeric gid to transition to prior to execution.\n"
 "   (TODO: Supplemental groups will be cleared.)\n"
 "  --namespace-vfs\n"
 "    Enables a process-tree specific VFS view.\n"
 "  --namespace-pid\n"
 "    Makes the executed process into procss id 1 in its own process view.\n"
 "    With --add-readonly-mounts, other processes will not be visible\n"
 "  --sanitize-environment\n"
 "    Scrubs the environment clean of potentially dangerous values.\n"
 "    (Note, this is a blacklist and not a whitelist so it may need attention)\n"
 "  --uid [number]\n"
 "    Numeric uid to transition to prior to execution.\n"
 "  --use-capabilities [uint64 bitmask]\n"
 "    Restricts all root-level capabilities to CAP_SETPCAP and enables\n"
 "    SECURE_NOROOT.\n"
 "  -- /path/to/program [arg1 [arg2 [ . . . ] ] ]\n"
 "    Supplies the required program to execute and its arguments.\n"
 "    At present, an empty environment will be passed.\n"
 "\n";

 }  // namespace switches

 static bool ParseUid(const std::string& str, uid_t *uid) {
   int32 v;
   if (base::StringToInt(str, &v)) {
     *uid = v;
     return true;
   }

   // Not an integer. Let's try for a user.
   // Any character except ':' is valid in a username.
   if (strchr(str.c_str(), ':'))
     return false;
   struct passwd *user = getpwnam(str.c_str());
   if (user) {
     *uid = user->pw_uid;
     return true;
   }

   return false;
 }

 static bool ParseGid(const std::string& str, gid_t *gid) {
   int32 v;
   if (base::StringToInt(str, &v)) {
     *gid = v;
     return true;
   }

   // Not an integer, look for a group
   // Any character except ':' is valid in a group name.
   if (strchr(str.c_str(), ':'))
     return false;
   struct group *group = getgrnam(str.c_str());
   if (group) {
     *gid = group->gr_gid;
     return true;
   }

   return false;
 }

 static void ProcessSwitches(CommandLine *cl,
                             chromeos::MiniJailOptions *jail_opts) {
   if (cl->HasSwitch(switches::kHelp)) {
     std::cerr << switches::kHelpMessage;
     exit(0);
   }

   // Configure the jail options
   jail_opts->set_namespace_pid(cl->HasSwitch(switches::kNamespacePid));
   jail_opts->set_namespace_vfs(cl->HasSwitch(switches::kNamespaceVfs));
   jail_opts->set_add_readonly_mounts(
     cl->HasSwitch(switches::kAddReadonlyMounts));
   jail_opts->set_disable_tracing(cl->HasSwitch(switches::kDisableTracing));
   jail_opts->set_enforce_syscalls_benchmark(
     cl->HasSwitch(switches::kEnforceSyscallsBenchmark));
   jail_opts->set_enforce_syscalls_by_source(
     cl->HasSwitch(switches::kEnforceSyscallsBySource));
   jail_opts->set_use_capabilities(cl->HasSwitch(switches::kUseCapabilities));
   jail_opts->set_sanitize_environment(
     cl->HasSwitch(switches::kSanitizeEnvironment));

   if (jail_opts->use_capabilities()) {
     jail_opts->set_caps_bitmask(0);
     // TODO(cmasone): switch to something that parses unsigned ints.
     int64 caps = 0;
     if (base::StringToInt64(
             cl->GetSwitchValueASCII(switches::kUseCapabilities), &caps)) {
       uint64 bitmask = (caps < 0 ? 0 : caps);
       jail_opts->set_caps_bitmask(bitmask);
     }
   }

   std::string uid_string = cl->GetSwitchValueASCII(switches::kUid);
   if (!uid_string.empty()) {
     uid_t uid;
     if (!ParseUid(uid_string.c_str(), &uid)) {
       LOG(ERROR) << "Failed to parse uid: " << uid_string;
       exit(1);
     }
     jail_opts->set_uid(uid);
   }

   std::string gid_string = cl->GetSwitchValueASCII(switches::kGid);
   if (!gid_string.empty()) {
     gid_t gid;
     if (!ParseGid(gid_string.c_str(), &gid)) {
       LOG(ERROR) << "Failed to parse gid: " << gid_string;
       exit(1);
     }
     jail_opts->set_gid(gid);
   }

   if (!jail_opts->FixUpDependencies()) {
     LOG(FATAL) << "Irreconcilable jail options given. Aborting.";
   }

   // Grab the loose args to use as the command line.
   // We have to wstring->argv[][] manually. Ugh.
   std::vector<std::string> loose_args = cl->args();
   char const* *jailed_argv = new char const*[loose_args.size() + 1];
   std::vector<std::string>::const_iterator arg_it = loose_args.begin();
   char const* *ja = jailed_argv;
   for (; arg_it != loose_args.end(); ++arg_it) {
     // XXX: clean up this leak even though it doesn't matter.
     *ja++ = strdup(arg_it->c_str());
   }
   *ja = 0;

   jail_opts->set_executable_path(jailed_argv[0]);
   jail_opts->set_arguments(const_cast<char * const*>(jailed_argv),
                            loose_args.size());
   // XXX We just leak this since we're going to exec anyhow.
   // delete jailed_argv;
 }

 int main(int argc, char *argv[], char **envp) {
   CommandLine::Init(argc, argv);
   logging::InitLogging(NULL,
                        logging::LOG_ONLY_TO_SYSTEM_DEBUG_LOG,
                        logging::DONT_LOCK_LOG_FILE,
                        logging::APPEND_TO_OLD_LOG_FILE,
                        logging::DISABLE_DCHECK_FOR_NON_OFFICIAL_RELEASE_BUILDS);

   chromeos::MiniJailOptions jail_opts;
   CommandLine *cl = CommandLine::ForCurrentProcess();
   ProcessSwitches(cl, &jail_opts);
   jail_opts.set_environment(envp);

   LOG_IF(FATAL, !jail_opts.executable_path()) << "No executable given";

   chromeos::MiniJail jail;
   jail.Initialize(&jail_opts);
   bool ok = jail.Jail() && jail.Run();
   return !ok;
 }
	// Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.
	// Some portions Copyright (c) 2011 The Chromium Authors.
	//
	// Driver program for applying a minijail from the commandline to
	// a process and its children (depending on the feature).

	#include "minijail/minijail.h"

	#include <errno.h>
	#include <grp.h>
	#include <linux/capability.h>
	#include <pwd.h>
	#include <stdio.h>
	#include <sys/prctl.h>
	#include <sys/types.h>
	#include <unistd.h>

	#include <iostream>
	#include <new>
	#include <string>
	#include <vector>

	#include <base/basictypes.h>
	#include <base/command_line.h>
	#include <base/logging.h>
	#include <base/string_number_conversions.h>
	#include <base/string_util.h>

	namespace switches {
	static const char kAddReadonlyMounts[] = "add-readonly-mounts";
	static const char kDisableTracing[] = "disable-tracing";
	static const char kEnforceSyscallsBenchmark[] = "enforce-syscall-benchmark";
	static const char kEnforceSyscallsBySource[] = "enforce-syscall-by-source";
	static const char kGid[] = "gid";
	static const char kNamespaceVfs[] = "namespace-vfs";
	static const char kNamespacePid[] = "namespace-pid";
	static const char kSanitizeEnvironment[] = "sanitize-environment";
	static const char kUid[] = "uid";
	static const char kUseCapabilities[] = "use-capabilities";
	static const char kHelp[] = "help";

	static const char kHelpMessage[] = "Available Switches:\n"
	" --add-readonly-mounts\n"
	" Mounts a read-only /proc. (implies namespace-vfs)\n"
	" (TODO other read-only/special mounts)\n"
	" --disable-tracing\n"
	" Disables ptrace() and core dumps.\n"
	" This may break debugging helpers\n"
	" --enforce-syscall-benchmark\n"
	" Runs system call filtering in a pass-through capacity only for\n"
	" benchmarking\n"
	" --enforce-syscall-by-source\n"
	" Enables kernel enforcement that system calls originate from read-only\n"
	" memory areas\n"
	" --gid [number]\n"
	" Numeric gid to transition to prior to execution.\n"
	" (TODO: Supplemental groups will be cleared.)\n"
	" --namespace-vfs\n"
	" Enables a process-tree specific VFS view.\n"
	" --namespace-pid\n"
	" Makes the executed process into procss id 1 in its own process view.\n"
	" With --add-readonly-mounts, other processes will not be visible\n"
	" --sanitize-environment\n"
	" Scrubs the environment clean of potentially dangerous values.\n"
	" (Note, this is a blacklist and not a whitelist so it may need attention)\n"
	" --uid [number]\n"
	" Numeric uid to transition to prior to execution.\n"
	" --use-capabilities [uint64 bitmask]\n"
	" Restricts all root-level capabilities to CAP_SETPCAP and enables\n"
	" SECURE_NOROOT.\n"
	" -- /path/to/program [arg1 [arg2 [ . . . ] ] ]\n"
	" Supplies the required program to execute and its arguments.\n"
	" At present, an empty environment will be passed.\n"
	"\n";

	} // namespace switches

	static bool ParseUid(const std::string& str, uid_t *uid) {
	int32 v;
	if (base::StringToInt(str, &v)) {
	*uid = v;
	return true;
	}

	// Not an integer. Let's try for a user.
	// Any character except ':' is valid in a username.
	if (strchr(str.c_str(), ':'))
	return false;
	struct passwd *user = getpwnam(str.c_str());
	if (user) {
	*uid = user->pw_uid;
	return true;
	}

	return false;
	}

	static bool ParseGid(const std::string& str, gid_t *gid) {
	int32 v;
	if (base::StringToInt(str, &v)) {
	*gid = v;
	return true;
	}

	// Not an integer, look for a group
	// Any character except ':' is valid in a group name.
	if (strchr(str.c_str(), ':'))
	return false;
	struct group *group = getgrnam(str.c_str());
	if (group) {
	*gid = group->gr_gid;
	return true;
	}

	return false;
	}

	static void ProcessSwitches(CommandLine *cl,
	chromeos::MiniJailOptions *jail_opts) {
	if (cl->HasSwitch(switches::kHelp)) {
	std::cerr << switches::kHelpMessage;
	exit(0);
	}

	// Configure the jail options
	jail_opts->set_namespace_pid(cl->HasSwitch(switches::kNamespacePid));
	jail_opts->set_namespace_vfs(cl->HasSwitch(switches::kNamespaceVfs));
	jail_opts->set_add_readonly_mounts(
	cl->HasSwitch(switches::kAddReadonlyMounts));
	jail_opts->set_disable_tracing(cl->HasSwitch(switches::kDisableTracing));
	jail_opts->set_enforce_syscalls_benchmark(
	cl->HasSwitch(switches::kEnforceSyscallsBenchmark));
	jail_opts->set_enforce_syscalls_by_source(
	cl->HasSwitch(switches::kEnforceSyscallsBySource));
	jail_opts->set_use_capabilities(cl->HasSwitch(switches::kUseCapabilities));
	jail_opts->set_sanitize_environment(
	cl->HasSwitch(switches::kSanitizeEnvironment));

	if (jail_opts->use_capabilities()) {
	jail_opts->set_caps_bitmask(0);
	// TODO(cmasone): switch to something that parses unsigned ints.
	int64 caps = 0;
	if (base::StringToInt64(
	cl->GetSwitchValueASCII(switches::kUseCapabilities), &caps)) {
	uint64 bitmask = (caps < 0 ? 0 : caps);
	jail_opts->set_caps_bitmask(bitmask);
	}
	}

	std::string uid_string = cl->GetSwitchValueASCII(switches::kUid);
	if (!uid_string.empty()) {
	uid_t uid;
	if (!ParseUid(uid_string.c_str(), &uid)) {
	LOG(ERROR) << "Failed to parse uid: " << uid_string;
	exit(1);
	}
	jail_opts->set_uid(uid);
	}

	std::string gid_string = cl->GetSwitchValueASCII(switches::kGid);
	if (!gid_string.empty()) {
	gid_t gid;
	if (!ParseGid(gid_string.c_str(), &gid)) {
	LOG(ERROR) << "Failed to parse gid: " << gid_string;
	exit(1);
	}
	jail_opts->set_gid(gid);
	}

	if (!jail_opts->FixUpDependencies()) {
	LOG(FATAL) << "Irreconcilable jail options given. Aborting.";
	}

	// Grab the loose args to use as the command line.
	// We have to wstring->argv[][] manually. Ugh.
	std::vector<std::string> loose_args = cl->args();
	char const* jailed_argv = new char const[loose_args.size() + 1];
	std::vector<std::string>::const_iterator arg_it = loose_args.begin();
	char const* *ja = jailed_argv;
	for (; arg_it != loose_args.end(); ++arg_it) {
	// XXX: clean up this leak even though it doesn't matter.
	*ja++ = strdup(arg_it->c_str());
	}
	*ja = 0;

	jail_opts->set_executable_path(jailed_argv[0]);
	jail_opts->set_arguments(const_cast<char * const*>(jailed_argv),
	loose_args.size());
	// XXX We just leak this since we're going to exec anyhow.
	// delete jailed_argv;
	}

	int main(int argc, char argv[], char *envp) {
	CommandLine::Init(argc, argv);
	logging::InitLogging(NULL,
	logging::LOG_ONLY_TO_SYSTEM_DEBUG_LOG,
	logging::DONT_LOCK_LOG_FILE,
	logging::APPEND_TO_OLD_LOG_FILE,
	logging::DISABLE_DCHECK_FOR_NON_OFFICIAL_RELEASE_BUILDS);

	chromeos::MiniJailOptions jail_opts;
	CommandLine *cl = CommandLine::ForCurrentProcess();
	ProcessSwitches(cl, &jail_opts);
	jail_opts.set_environment(envp);

	LOG_IF(FATAL, !jail_opts.executable_path()) << "No executable given";

	chromeos::MiniJail jail;
	jail.Initialize(&jail_opts);
	bool ok = jail.Jail() && jail.Run();
	return !ok;
	}