Only spawn init processes when using PID NS
PiperOrigin-RevId: 239169620 Change-Id: I9f26cfab90189a1baa5b87a700ce892cf0c95a89
This commit is contained in:
parent
7ecdd2f8fc
commit
5d216fb191
@ -153,13 +153,12 @@ pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
|
||||||
pid_t sandboxee_pid = fork_client_->SendRequest(
|
pid_t sandboxee_pid = fork_client_->SendRequest(
|
||||||
request, exec_fd_, client_comms_fd_, ns_fd, &init_pid);
|
request, exec_fd_, client_comms_fd_, ns_fd, &init_pid);
|
||||||
|
|
||||||
// init_pid = 0 means that we're executing the libunwind sandbox and don't
|
|
||||||
// need an init process.
|
|
||||||
// TODO(hamacher): This is also the case for spawning the custom forksever
|
|
||||||
// (not spawning children from the custom forkserver), so
|
|
||||||
// we should clean it up.
|
|
||||||
if (init_pid == -1) {
|
if (init_pid == -1) {
|
||||||
LOG(ERROR) << "Could not obtain init PID";
|
LOG(ERROR) << "Could not obtain init PID";
|
||||||
|
} else if (init_pid == 0 && request.clone_flags() & CLONE_NEWPID) {
|
||||||
|
LOG(FATAL)
|
||||||
|
<< "No init process was spawned even though a PID NS was created, "
|
||||||
|
<< "potential logic bug";
|
||||||
} else if (init_pid > 0) {
|
} else if (init_pid > 0) {
|
||||||
if (init_pid_out) {
|
if (init_pid_out) {
|
||||||
*init_pid_out = init_pid;
|
*init_pid_out = init_pid;
|
||||||
|
|
|
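Review bot: The new branch condition `init_pid == 0 && request.clone_flags() & CLONE_NEWPID` relies on `&` binding tighter than `&&`; it evaluates correctly, but it reads ambiguously and some compilers warn on it, so write it as `} else if (init_pid == 0 && (request.clone_flags() & CLONE_NEWPID)) {`. The removed comment was the only place that explained what `init_pid == 0` means, and after this change it no longer means "unwind sandbox"; a one-line comment above the chain such as `// init_pid == 0: no PID namespace was requested, so there is no init process and *init_pid_out is left untouched.` keeps the contract readable, since the visible code never writes `init_pid_out` in that case. The `LOG(FATAL)` path aborts the host process on what is an internal-invariant violation; that is presumably intended, but if a recoverable error is preferable the existing `init_pid == -1` branch shows the pattern. `StartSubProcess` begins and ends outside this hunk.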
@ -255,9 +255,8 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd,
|
||||||
SAPI_RAW_CHECK(cap_set_proc(caps) == 0, "while dropping capabilities");
|
SAPI_RAW_CHECK(cap_set_proc(caps) == 0, "while dropping capabilities");
|
||||||
cap_free(caps);
|
cap_free(caps);
|
||||||
|
|
||||||
// The unwind sandbox is not running in a PID namespace and doesn't require
|
// A custom init process is only needed if a new PID NS is created.
|
||||||
// an init process, everything else does.
|
if (request.clone_flags() & CLONE_NEWPID) {
|
||||||
if (request.mode() != FORKSERVER_FORK_JOIN_SANDBOX_UNWIND) {
|
|
||||||
RunInitProcess(signaling_fd, open_fds);
|
RunInitProcess(signaling_fd, open_fds);
|
||||||
}
|
}
|
||||||
if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX ||
|
if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX ||
|
||||||
|
@ -392,7 +391,7 @@ pid_t ForkServer::ServeRequest() const {
|
||||||
|
|
||||||
fd_closer1.Close();
|
fd_closer1.Close();
|
||||||
|
|
||||||
if (fork_request.mode() != FORKSERVER_FORK_JOIN_SANDBOX_UNWIND) {
|
if (fork_request.clone_flags() & CLONE_NEWPID) {
|
||||||
union {
|
union {
|
||||||
struct cmsghdr cmh;
|
struct cmsghdr cmh;
|
||||||
char ctrl[CMSG_SPACE(sizeof(struct ucred))];
|
char ctrl[CMSG_SPACE(sizeof(struct ucred))];
|
||||||
|
@ -414,8 +413,8 @@ pid_t ForkServer::ServeRequest() const {
|
||||||
// previously forked.
|
// previously forked.
|
||||||
init_pid = sandboxee_pid;
|
init_pid = sandboxee_pid;
|
||||||
|
|
||||||
// And the actual sandboxee will be forked from the init process, so we need
|
// And the actual sandboxee will be forked from the init process, so we
|
||||||
// to receive the actual PID.
|
// need to receive the actual PID.
|
||||||
struct cmsghdr* cmsgp = nullptr;
|
struct cmsghdr* cmsgp = nullptr;
|
||||||
if (TEMP_FAILURE_RETRY(recvmsg(fd_closer0.get(), &msgh, MSG_WAITALL)) <=
|
if (TEMP_FAILURE_RETRY(recvmsg(fd_closer0.get(), &msgh, MSG_WAITALL)) <=
|
||||||
0 ||
|
0 ||
|
||||||
|
@ -431,6 +430,7 @@ pid_t ForkServer::ServeRequest() const {
|
||||||
sandboxee_pid = ucredp->pid;
|
sandboxee_pid = ucredp->pid;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Parent.
|
// Parent.
|
||||||
close(comms_fd);
|
close(comms_fd);
|
||||||
if (exec_fd >= 0) {
|
if (exec_fd >= 0) {
|
||||||
|
|
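Review bot: The predicate `request.clone_flags() & CLONE_NEWPID` now decides in three separate places whether an init process exists — `LaunchChild` on the child side (runs `RunInitProcess`), `ServeRequest` on the parent side (waits for the ucred message with `recvmsg(..., MSG_WAITALL)`), and `Executor::StartSubProcess` — and the parent-side wait is only safe while all three agree, because a child that skips the init process never sends the credentials the parent blocks on, so a future edit to one site would presumably leave the parent stuck until the child closes the socket. Factor the decision into one helper, e.g. `static bool NeedsInitProcess(const ForkRequest& request) { return (request.clone_flags() & CLONE_NEWPID) != 0; }` declared alongside the fork server, and call it from both `ForkServer` methods and from the executor. The clone flags come from the host-side executor's request rather than from the sandboxee, so the check itself is not a trust-boundary issue; the risk is divergence, and the new `LaunchChild` comment should say so, e.g. `// A custom init process is only needed if a new PID NS is created; ServeRequest must mirror this condition.`. Both `LaunchChild` and `ServeRequest` begin and end outside these hunks.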