StarMirror/sandboxed-api
1
0
Fork 0
mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00
Code Issues Projects Releases Wiki Activity

Seal memfd in embed_file.cc

Browse Source 
PiperOrigin-RevId: 383358851
Change-Id: I839a9b816f9c7f486908fbccdc3ecd621bd1c402
This commit is contained in:
Christian Blichmann 2021-07-07 00:58:33 -07:00 committed by Copybara-Service
parent 424c543eb7
commit a290ffc8bc
2 changed files with 17 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
sandboxed_api/embed_file.cc
View File

@ -38,29 +38,35 @@ EmbedFile* EmbedFile::GetEmbedFileSingleton() {
int EmbedFile::CreateFdForFileToc(const FileToc* toc) { int EmbedFile::CreateFdForFileToc(const FileToc* toc) {
// Create a memfd/temp file and write contents of the SAPI library to it. // Create a memfd/temp file and write contents of the SAPI library to it.
int embed_fd = -1; int fd = -1;
if (!sandbox2::util::CreateMemFd(&embed_fd, toc->name)) { if (!sandbox2::util::CreateMemFd(&fd, toc->name)) {
SAPI_RAW_LOG(ERROR, "Couldn't create a temporary file for TOC name '%s'", SAPI_RAW_LOG(ERROR, "Couldn't create a temporary file for TOC name '%s'",
toc->name); toc->name);
return -1; return -1;
} }
file_util::fileops::FDCloser embed_fd(fd);
if (!file_util::fileops::WriteToFD(embed_fd, toc->data, toc->size)) { if (!file_util::fileops::WriteToFD(embed_fd.get(), toc->data, toc->size)) {
SAPI_RAW_PLOG(ERROR, "Couldn't write SAPI embed file '%s' to memfd file", SAPI_RAW_PLOG(ERROR, "Couldn't write SAPI embed file '%s' to memfd file",
toc->name); toc->name);
close(embed_fd);
return -1; return -1;
} }
// Make the underlying file non-writeable. // Make the underlying file non-writeable.
if (fchmod(embed_fd, if (fchmod(embed_fd.get(),
S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) == -1) { S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) == -1) {
SAPI_RAW_PLOG(ERROR, "Could't make FD=%d RX-only", embed_fd); SAPI_RAW_PLOG(ERROR, "Could't make FD=%d RX-only", embed_fd.get());
close(embed_fd);
return -1; return -1;
} }
return embed_fd; // Seal the file
if (fcntl(embed_fd.get(), F_ADD_SEALS,
F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) == -1) {
SAPI_RAW_PLOG(ERROR, "Couldn't apply file seals to FD=%d", embed_fd.get());
return -1;
}
return embed_fd.Release();
} }
int EmbedFile::GetFdForFileToc(const FileToc* toc) { int EmbedFile::GetFdForFileToc(const FileToc* toc) {

5
sandboxed_api/sandbox2/util.cc
View File

@ -210,9 +210,10 @@ pid_t ForkWithFlags(int flags) {
bool CreateMemFd(int* fd, const char* name) { bool CreateMemFd(int* fd, const char* name) {
// Usually defined in linux/memfd.h. Define it here to avoid dependency on // Usually defined in linux/memfd.h. Define it here to avoid dependency on
// UAPI headers. // UAPI headers.
constexpr uintptr_t MFD_CLOEXEC = 0x0001U; constexpr uintptr_t MFD_CLOEXEC = 0x0001;
constexpr uintptr_t MFD_ALLOW_SEALING = 0x0002;
int tmp_fd = Syscall(__NR_memfd_create, reinterpret_cast<uintptr_t>(name), int tmp_fd = Syscall(__NR_memfd_create, reinterpret_cast<uintptr_t>(name),
MFD_CLOEXEC); MFD_CLOEXEC | MFD_ALLOW_SEALING);
if (tmp_fd < 0) { if (tmp_fd < 0) {
if (errno == ENOSYS) { if (errno == ENOSYS) {
SAPI_RAW_LOG(ERROR, SAPI_RAW_LOG(ERROR,