StarMirror/sandboxed-api
1
0
Fork 0
mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00
Code Issues Projects Releases Wiki Activity
8e5771b007
sandboxed-api/sandboxed_api/sandbox2/mounts.h
Christian Blichmann ca6ec4337d Add workaround for active Tomoyo LSM 
Recenly, Debian based distribution kernels started activating the Tomoyo Linux
Security Module by default. Even if it is not used, this changes the behavior
of `/dev/fd` (pointing to `/proc/self/fd` by default), which Sandbox2 needs during
`execveat()`.

As a result, Sandbox2 and Sandboxed API always fail without one of the following
conditions
- `/proc` mounted within the sandboxee
- `/dev` mounted
- `/dev/fd` symlinked to `/proc/self/fd` in the sandboxee's mount namespace

Some code pointers to upstream Linux 5.12.2:
- https://elixir.bootlin.com/linux/v5.12.2/source/fs/exec.c#L1775
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/tomoyo.c#L107
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/domain.c#L729

To find out whether your system has Tomoyo enabled, use this command, similar to
what this change does in code:

```
$ cat /sys/kernel/security/lsm | grep tomoyo && echo "Tomoyo active"
capability,yama,apparmor,tomoyo
Tomoyo active
```

The config setting `CONFIG_DEFAULT_SECURITY` controls which LSMs are built into
the kernel by default.

PiperOrigin-RevId: 372919524
Change-Id: I2181819c04f15f57d96c44ea9977d0def4a1b623
2021-05-10 07:04:04 -07:00

93 lines
3.1 KiB
C++
Raw Blame History

// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef SANDBOXED_API_SANDBOX2_MOUNTTREE_H_
#define SANDBOXED_API_SANDBOX2_MOUNTTREE_H_
#include <string>
#include <vector>
#include "absl/base/attributes.h"
#include "absl/status/status.h"
#include "absl/status/statusor.h"
#include "absl/strings/string_view.h"
#include "sandboxed_api/sandbox2/mounttree.pb.h"
namespace sandbox2 {
class Mounts {
public:
Mounts() {
MountTree::Node root;
root.mutable_root_node()->set_is_ro(true);
*mount_tree_.mutable_node() = root;
}
explicit Mounts(MountTree mount_tree) : mount_tree_(std::move(mount_tree)) {}
Mounts(const Mounts&) = default;
Mounts(Mounts&&) = default;
Mounts& operator=(const Mounts&) = default;
Mounts& operator=(Mounts&&) = default;
absl::Status AddFile(absl::string_view path, bool is_ro = true);
absl::Status AddFileAt(absl::string_view outside, absl::string_view inside,
bool is_ro = true);
absl::Status AddDirectoryAt(absl::string_view outside,
absl::string_view inside, bool is_ro = true);
absl::Status AddMappingsForBinary(const std::string& path,
absl::string_view ld_library_path = {});
absl::Status AddTmpfs(absl::string_view inside, size_t sz);
void CreateMounts(const std::string& root_path) const;
MountTree GetMountTree() const { return mount_tree_; }
void SetRootWritable() {
mount_tree_.mutable_node()->mutable_root_node()->set_is_ro(false);
}
bool IsRootReadOnly() const {
return mount_tree_.has_node() && mount_tree_.node().has_root_node() &&
mount_tree_.node().root_node().is_ro();
}
// Lists the outside and inside entries of the input tree in the output
// parameters, in an ls-like manner. Each entry is traversed in the
// depth-first order. However, the entries on the same level of hierarchy are
// traversed in their natural order in the tree. The elements in the output
// containers match each other pairwise: outside_entries[i] is mounted as
// inside_entries[i]. The elements of inside_entries are prefixed with either
// 'R' (read-only) or 'W' (writable).
void RecursivelyListMounts(std::vector<std::string>* outside_entries,
std::vector<std::string>* inside_entries);
absl::StatusOr<std::string> ResolvePath(absl::string_view path) const;
private:
friend class MountTreeTest;
absl::Status Insert(absl::string_view path, const MountTree::Node& node);
MountTree mount_tree_;
};
} // namespace sandbox2
#endif // SANDBOXED_API_SANDBOX2_MOUNTTREE_H_
Reference in New Issue View Git Blame Copy Permalink