p71924506
/
aosp12
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
aosp12/external/minijail/minijail0_cli.c

1108 lines
31 KiB
C
Raw Normal View History

init from android-12.1.0_r8
2023-01-09 17:11:35 +08:00
/* Copyright 2018 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
#include <dlfcn.h>
#include <errno.h>
#include <getopt.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/capability.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/filter.h>
#include "libminijail.h"
#include "libsyscalls.h"
#include "elfparse.h"
#include "minijail0_cli.h"
#include "system.h"
#include "util.h"
#define IDMAP_LEN 32U
#define DEFAULT_TMP_SIZE (64 * 1024 * 1024)
/*
* A malloc() that aborts on failure. We only implement this in the CLI as
* the library should return ENOMEM errors when allocations fail.
*/
static void *xmalloc(size_t size)
{
void *ret = malloc(size);
if (!ret) {
perror("malloc() failed");
exit(1);
}
return ret;
}
static char *xstrdup(const char *s)
{
char *ret = strdup(s);
if (!ret) {
perror("strdup() failed");
exit(1);
}
return ret;
}
static void set_user(struct minijail *j, const char *arg, uid_t *out_uid,
gid_t *out_gid)
{
char *end = NULL;
int uid = strtod(arg, &end);
if (!*end && *arg) {
*out_uid = uid;
minijail_change_uid(j, uid);
return;
}
int ret = lookup_user(arg, out_uid, out_gid);
if (ret) {
fprintf(stderr, "Bad user '%s': %s\n", arg, strerror(-ret));
exit(1);
}
ret = minijail_change_user(j, arg);
if (ret) {
fprintf(stderr, "minijail_change_user('%s') failed: %s\n", arg,
strerror(-ret));
exit(1);
}
}
static void set_group(struct minijail *j, const char *arg, gid_t *out_gid)
{
char *end = NULL;
int gid = strtod(arg, &end);
if (!*end && *arg) {
*out_gid = gid;
minijail_change_gid(j, gid);
return;
}
int ret = lookup_group(arg, out_gid);
if (ret) {
fprintf(stderr, "Bad group '%s': %s\n", arg, strerror(-ret));
exit(1);
}
minijail_change_gid(j, *out_gid);
}
/*
* Helper function used by --add-suppl-group (possibly more than once),
* to build the supplementary gids array.
*/
static void suppl_group_add(size_t *suppl_gids_count, gid_t **suppl_gids,
char *arg) {
char *end = NULL;
int groupid = strtod(arg, &end);
gid_t gid;
int ret;
if (!*end && *arg) {
/* A gid number has been specified, proceed. */
gid = groupid;
} else if ((ret = lookup_group(arg, &gid))) {
/*
* A group name has been specified,
* but doesn't exist: we bail out.
*/
fprintf(stderr, "Bad group '%s': %s\n", arg, strerror(-ret));
exit(1);
}
/*
* From here, gid is guaranteed to be set and valid,
* we add it to our supplementary gids array.
*/
*suppl_gids = realloc(*suppl_gids,
sizeof(gid_t) * ++(*suppl_gids_count));
if (!suppl_gids) {
fprintf(stderr, "failed to allocate memory.\n");
exit(1);
}
(*suppl_gids)[*suppl_gids_count - 1] = gid;
}
static void skip_securebits(struct minijail *j, const char *arg)
{
uint64_t securebits_skip_mask;
char *end = NULL;
securebits_skip_mask = strtoull(arg, &end, 16);
if (*end) {
fprintf(stderr, "Invalid securebit mask: '%s'\n", arg);
exit(1);
}
minijail_skip_setting_securebits(j, securebits_skip_mask);
}
static void use_caps(struct minijail *j, const char *arg)
{
uint64_t caps = 0;
cap_t parsed_caps = cap_from_text(arg);
if (parsed_caps != NULL) {
unsigned int i;
const uint64_t one = 1;
cap_flag_value_t cap_value;
unsigned int last_valid_cap = get_last_valid_cap();
for (i = 0; i <= last_valid_cap; ++i) {
if (cap_get_flag(parsed_caps, i, CAP_EFFECTIVE,
&cap_value)) {
if (errno == EINVAL) {
/*
* Some versions of libcap reject any
* capabilities they were not compiled
* with by returning EINVAL.
*/
continue;
}
fprintf(stderr,
"Could not get the value of "
"the %d-th capability: %m\n",
i);
exit(1);
}
if (cap_value == CAP_SET)
caps |= (one << i);
}
cap_free(parsed_caps);
} else {
char *end = NULL;
caps = strtoull(arg, &end, 16);
if (*end) {
fprintf(stderr, "Invalid cap set: '%s'\n", arg);
exit(1);
}
}
minijail_use_caps(j, caps);
}
static void add_binding(struct minijail *j, char *arg)
{
char *src = tokenize(&arg, ",");
char *dest = tokenize(&arg, ",");
char *flags = tokenize(&arg, ",");
if (!src || src[0] == '\0' || arg != NULL) {
fprintf(stderr, "Bad binding: %s %s\n", src, dest);
exit(1);
}
if (dest == NULL || dest[0] == '\0')
dest = src;
int writable;
if (flags == NULL || flags[0] == '\0' || !strcmp(flags, "0"))
writable = 0;
else if (!strcmp(flags, "1"))
writable = 1;
else {
fprintf(stderr, "Bad value for <writable>: %s\n", flags);
exit(1);
}
if (minijail_bind(j, src, dest, writable)) {
fprintf(stderr, "minijail_bind failed.\n");
exit(1);
}
}
static void add_rlimit(struct minijail *j, char *arg)
{
char *type = tokenize(&arg, ",");
char *cur = tokenize(&arg, ",");
char *max = tokenize(&arg, ",");
char *end;
if (!type || type[0] == '\0' || !cur || cur[0] == '\0' ||
!max || max[0] == '\0' || arg != NULL) {
fprintf(stderr, "Bad rlimit '%s'.\n", arg);
exit(1);
}
rlim_t cur_rlim;
rlim_t max_rlim;
if (!strcmp(cur, "unlimited")) {
cur_rlim = RLIM_INFINITY;
} else {
end = NULL;
cur_rlim = strtoul(cur, &end, 0);
if (*end) {
fprintf(stderr, "Bad soft limit: '%s'.\n", cur);
exit(1);
}
}
if (!strcmp(max, "unlimited")) {
max_rlim = RLIM_INFINITY;
} else {
end = NULL;
max_rlim = strtoul(max, &end, 0);
if (*end) {
fprintf(stderr, "Bad hard limit: '%s'.\n", max);
exit(1);
}
}
end = NULL;
int resource = parse_single_constant(type, &end);
if (type == end) {
fprintf(stderr, "Bad rlimit: '%s'.\n", type);
exit(1);
}
if (minijail_rlimit(j, resource, cur_rlim, max_rlim)) {
fprintf(stderr, "minijail_rlimit '%s,%s,%s' failed.\n", type,
cur, max);
exit(1);
}
}
static void add_mount(struct minijail *j, char *arg)
{
char *src = tokenize(&arg, ",");
char *dest = tokenize(&arg, ",");
char *type = tokenize(&arg, ",");
char *flags = tokenize(&arg, ",");
char *data = tokenize(&arg, ",");
char *end;
if (!src || src[0] == '\0' || !dest || dest[0] == '\0' ||
!type || type[0] == '\0') {
fprintf(stderr, "Bad mount: %s %s %s\n", src, dest, type);
exit(1);
}
/*
* Fun edge case: the data option itself is comma delimited. If there
* were no more options, then arg would be set to NULL. But if we had
* more pending, it'll be pointing to the next token. Back up and undo
* the null byte so it'll be merged back.
* An example:
* none,/tmp,tmpfs,0xe,mode=0755,uid=10,gid=10
* The tokenize calls above will turn this memory into:
* none\0/tmp\0tmpfs\00xe\0mode=0755\0uid=10,gid=10
* With data pointing at mode=0755 and arg pointing at uid=10,gid=10.
*/
if (arg != NULL)
arg[-1] = ',';
unsigned long mountflags;
if (flags == NULL || flags[0] == '\0') {
mountflags = 0;
} else {
end = NULL;
mountflags = parse_constant(flags, &end);
if (flags == end) {
fprintf(stderr, "Bad mount flags: %s\n", flags);
exit(1);
}
}
if (minijail_mount_with_data(j, src, dest, type,
mountflags, data)) {
fprintf(stderr, "minijail_mount failed.\n");
exit(1);
}
}
static char *build_idmap(id_t id, id_t lowerid)
{
int ret;
char *idmap = xmalloc(IDMAP_LEN);
ret = snprintf(idmap, IDMAP_LEN, "%d %d 1", id, lowerid);
if (ret < 0 || (size_t)ret >= IDMAP_LEN) {
free(idmap);
fprintf(stderr, "Could not build id map.\n");
exit(1);
}
return idmap;
}
static int has_cap_setgid(void)
{
cap_t caps;
cap_flag_value_t cap_value;
if (!CAP_IS_SUPPORTED(CAP_SETGID))
return 0;
caps = cap_get_proc();
if (!caps) {
fprintf(stderr, "Could not get process' capabilities: %m\n");
exit(1);
}
if (cap_get_flag(caps, CAP_SETGID, CAP_EFFECTIVE, &cap_value)) {
fprintf(stderr, "Could not get the value of CAP_SETGID: %m\n");
exit(1);
}
if (cap_free(caps)) {
fprintf(stderr, "Could not free capabilities: %m\n");
exit(1);
}
return cap_value == CAP_SET;
}
static void set_ugid_mapping(struct minijail *j, int set_uidmap, uid_t uid,
char *uidmap, int set_gidmap, gid_t gid,
char *gidmap)
{
if (set_uidmap) {
minijail_namespace_user(j);
minijail_namespace_pids(j);
if (!uidmap) {
/*
* If no map is passed, map the current uid to the
* chosen uid in the target namespace (or root, if none
* was chosen).
*/
uidmap = build_idmap(uid, getuid());
}
if (0 != minijail_uidmap(j, uidmap)) {
fprintf(stderr, "Could not set uid map.\n");
exit(1);
}
free(uidmap);
}
if (set_gidmap) {
minijail_namespace_user(j);
minijail_namespace_pids(j);
if (!gidmap) {
/*
* If no map is passed, map the current gid to the
* chosen gid in the target namespace.
*/
gidmap = build_idmap(gid, getgid());
}
if (!has_cap_setgid()) {
/*
* This means that we are not running as root,
* so we also have to disable setgroups(2) to
* be able to set the gid map.
* See
* http://man7.org/linux/man-pages/man7/user_namespaces.7.html
*/
minijail_namespace_user_disable_setgroups(j);
}
if (0 != minijail_gidmap(j, gidmap)) {
fprintf(stderr, "Could not set gid map.\n");
exit(1);
}
free(gidmap);
}
}
static void use_chroot(struct minijail *j, const char *path, int *chroot,
int pivot_root)
{
if (pivot_root) {
fprintf(stderr, "Could not set chroot because "
"'-P' was specified.\n");
exit(1);
}
if (minijail_enter_chroot(j, path)) {
fprintf(stderr, "Could not set chroot.\n");
exit(1);
}
*chroot = 1;
}
static void use_pivot_root(struct minijail *j, const char *path,
int *pivot_root, int chroot)
{
if (chroot) {
fprintf(stderr, "Could not set pivot_root because "
"'-C' was specified.\n");
exit(1);
}
if (minijail_enter_pivot_root(j, path)) {
fprintf(stderr, "Could not set pivot_root.\n");
exit(1);
}
minijail_namespace_vfs(j);
*pivot_root = 1;
}
static void use_profile(struct minijail *j, const char *profile,
int *pivot_root, int chroot, size_t *tmp_size)
{
/* Note: New profiles should be added in minijail0_cli_unittest.cc. */
if (!strcmp(profile, "minimalistic-mountns") ||
!strcmp(profile, "minimalistic-mountns-nodev")) {
minijail_namespace_vfs(j);
if (minijail_bind(j, "/", "/", 0)) {
fprintf(stderr, "minijail_bind(/) failed.\n");
exit(1);
}
if (minijail_bind(j, "/proc", "/proc", 0)) {
fprintf(stderr, "minijail_bind(/proc) failed.\n");
exit(1);
}
if (!strcmp(profile, "minimalistic-mountns")) {
if (minijail_bind(j, "/dev/log", "/dev/log", 0)) {
fprintf(stderr, "minijail_bind(/dev/log) failed.\n");
exit(1);
}
minijail_mount_dev(j);
}
if (!*tmp_size) {
/* Avoid clobbering |tmp_size| if it was already set. */
*tmp_size = DEFAULT_TMP_SIZE;
}
minijail_remount_proc_readonly(j);
use_pivot_root(j, DEFAULT_PIVOT_ROOT, pivot_root, chroot);
} else {
fprintf(stderr, "Unrecognized profile name '%s'\n", profile);
exit(1);
}
}
static void set_remount_mode(struct minijail *j, const char *mode)
{
unsigned long msmode;
if (!strcmp(mode, "shared"))
msmode = MS_SHARED;
else if (!strcmp(mode, "private"))
msmode = MS_PRIVATE;
else if (!strcmp(mode, "slave"))
msmode = MS_SLAVE;
else if (!strcmp(mode, "unbindable"))
msmode = MS_UNBINDABLE;
else {
fprintf(stderr, "Unknown remount mode: '%s'\n", mode);
exit(1);
}
minijail_remount_mode(j, msmode);
}
static void read_seccomp_filter(const char *filter_path,
struct sock_fprog *filter)
{
FILE *f = fopen(filter_path, "re");
if (!f) {
fprintf(stderr, "failed to open %s: %m", filter_path);
exit(1);
}
off_t filter_size = 0;
if (fseeko(f, 0, SEEK_END) == -1 || (filter_size = ftello(f)) == -1) {
fclose(f);
fprintf(stderr, "failed to get file size of %s: %m",
filter_path);
exit(1);
}
if (filter_size % sizeof(struct sock_filter) != 0) {
fclose(f);
fprintf(stderr,
"filter size (%" PRId64
") of %s is not a multiple of %zu: %m",
filter_size, filter_path, sizeof(struct sock_filter));
exit(1);
}
rewind(f);
filter->len = filter_size / sizeof(struct sock_filter);
filter->filter = xmalloc(filter_size);
if (fread(filter->filter, sizeof(struct sock_filter), filter->len, f) !=
filter->len) {
fclose(f);
fprintf(stderr, "failed read %s: %m", filter_path);
exit(1);
}
fclose(f);
}
static void usage(const char *progn)
{
size_t i;
/* clang-format off */
printf("Usage: %s [-dGhHiIKlLnNprRstUvyYz]\n"
" [-a <table>]\n"
" [-b <src>[,[dest][,<writeable>]]] [-k <src>,<dest>,<type>[,<flags>[,<data>]]]\n"
" [-c <caps>] [-C <dir>] [-P <dir>] [-e[file]] [-f <file>] [-g <group>]\n"
" [-m[<uid> <loweruid> <count>]*] [-M[<gid> <lowergid> <count>]*] [--profile <name>]\n"
" [-R <type,cur,max>] [-S <file>] [-t[size]] [-T <type>] [-u <user>] [-V <file>]\n"
" <program> [args...]\n"
" -a <table>: Use alternate syscall table <table>.\n"
" -b <...>: Bind <src> to <dest> in chroot.\n"
" Multiple instances allowed.\n"
" -B <mask>: Skip setting securebits in <mask> when restricting capabilities (-c).\n"
" By default, SECURE_NOROOT, SECURE_NO_SETUID_FIXUP, and \n"
" SECURE_KEEP_CAPS (together with their respective locks) are set.\n"
" There are eight securebits in total.\n"
" -k <...>: Mount <src> at <dest> in chroot.\n"
" <flags> and <data> can be specified as in mount(2).\n"
" Multiple instances allowed.\n"
" -c <caps>: Restrict caps to <caps>.\n"
" -C <dir>: chroot(2) to <dir>.\n"
" Not compatible with -P.\n"
" -P <dir>: pivot_root(2) to <dir> (implies -v).\n"
" Not compatible with -C.\n"
" --mount-dev, Create a new /dev with a minimal set of device nodes (implies -v).\n"
" -d: See the minijail0(1) man page for the exact set.\n"
" -e[file]: Enter new network namespace, or existing one if |file| is provided.\n"
" -f <file>: Write the pid of the jailed process to <file>.\n"
" -g <group>: Change gid to <group>.\n"
" -G: Inherit supplementary groups from new uid.\n"
" Not compatible with -y or --add-suppl-group.\n"
" -y: Keep original uid's supplementary groups.\n"
" Not compatible with -G or --add-suppl-group.\n"
" --add-suppl-group <g>:Add <g> to the proccess' supplementary groups,\n"
" can be specified multiple times to add several groups.\n"
" Not compatible with -y or -G.\n"
" -h: Help (this message).\n"
" -H: Seccomp filter help message.\n"
" -i: Exit immediately after fork(2). The jailed process will run\n"
" in the background.\n"
" -I: Run <program> as init (pid 1) inside a new pid namespace (implies -p).\n"
" -K: Do not change share mode of any existing mounts.\n"
" -K<mode>: Mark all existing mounts as <mode> instead of MS_PRIVATE.\n"
" -l: Enter new IPC namespace.\n"
" -L: Report blocked syscalls when using seccomp filter.\n"
" If the kernel does not support SECCOMP_RET_LOG,\n"
" forces the following syscalls to be allowed:\n"
" ", progn);
/* clang-format on */
for (i = 0; i < log_syscalls_len; i++)
printf("%s ", log_syscalls[i]);
/* clang-format off */
printf("\n"
" -m[map]: Set the uid map of a user namespace (implies -pU).\n"
" Same arguments as newuidmap(1), multiple mappings should be separated by ',' (comma).\n"
" With no mapping, map the current uid to root inside the user namespace.\n"
" Not compatible with -b without the 'writable' option.\n"
" -M[map]: Set the gid map of a user namespace (implies -pU).\n"
" Same arguments as newgidmap(1), multiple mappings should be separated by ',' (comma).\n"
" With no mapping, map the current gid to root inside the user namespace.\n"
" Not compatible with -b without the 'writable' option.\n"
" -n: Set no_new_privs.\n"
" -N: Enter a new cgroup namespace.\n"
" -p: Enter new pid namespace (implies -vr).\n"
" -r: Remount /proc read-only (implies -v).\n"
" -R: Set rlimits, can be specified multiple times.\n"
" -s: Use seccomp mode 1 (not the same as -S).\n"
" -S <file>: Set seccomp filter using <file>.\n"
" E.g., '-S /usr/share/filters/<prog>.$(uname -m)'.\n"
" Requires -n when not running as root.\n"
" -t[size]: Mount tmpfs at /tmp (implies -v).\n"
" Optional argument specifies size (default \"64M\").\n"
" -T <type>: Assume <program> is a <type> ELF binary; <type> can be 'static' or 'dynamic'.\n"
" This will avoid accessing <program> binary before execve(2).\n"
" Type 'static' will avoid preload hooking.\n"
" -u <user>: Change uid to <user>.\n"
" -U: Enter new user namespace (implies -p).\n"
" -v: Enter new mount namespace.\n"
" -V <file>: Enter specified mount namespace.\n"
" -w: Create and join a new anonymous session keyring.\n"
" -Y: Synchronize seccomp filters across thread group.\n"
" -z: Don't forward signals to jailed process.\n"
" --ambient: Raise ambient capabilities. Requires -c.\n"
" --uts[=name]: Enter a new UTS namespace (and set hostname).\n"
" --logging=<s>:Use <s> as the logging system.\n"
" <s> must be 'auto' (default), 'syslog', or 'stderr'.\n"
" --profile <p>:Configure minijail0 to run with the <p> sandboxing profile,\n"
" which is a convenient way to express multiple flags\n"
" that are typically used together.\n"
" See the minijail0(1) man page for the full list.\n"
" --preload-library=<f>:Overrides the path to \"" PRELOADPATH "\".\n"
" This is only really useful for local testing.\n"
" --seccomp-bpf-binary=<f>:Set a pre-compiled seccomp filter using <f>.\n"
" E.g., '-S /usr/share/filters/<prog>.$(uname -m).bpf'.\n"
" Requires -n when not running as root.\n"
" The user is responsible for ensuring that the binary\n"
" was compiled for the correct architecture / kernel version.\n"
" --allow-speculative-execution:Allow speculative execution and disable\n"
" mitigations for speculative execution attacks.\n");
/* clang-format on */
}
static void seccomp_filter_usage(const char *progn)
{
const struct syscall_entry *entry = syscall_table;
printf("Usage: %s -S <policy.file> <program> [args...]\n\n"
"System call names supported:\n",
progn);
for (; entry->name && entry->nr >= 0; ++entry)
printf(" %s [%d]\n", entry->name, entry->nr);
printf("\nSee minijail0(5) for example policies.\n");
}
int parse_args(struct minijail *j, int argc, char *const argv[],
int *exit_immediately, ElfType *elftype,
const char **preload_path)
{
int opt;
int use_seccomp_filter = 0, use_seccomp_filter_binary = 0;
int forward = 1;
int binding = 0;
int chroot = 0, pivot_root = 0;
int mount_ns = 0, change_remount = 0;
const char *remount_mode = NULL;
int inherit_suppl_gids = 0, keep_suppl_gids = 0;
int caps = 0, ambient_caps = 0;
int seccomp = -1;
bool use_uid = false, use_gid = false;
uid_t uid = 0;
gid_t gid = 0;
gid_t *suppl_gids = NULL;
size_t suppl_gids_count = 0;
char *uidmap = NULL, *gidmap = NULL;
int set_uidmap = 0, set_gidmap = 0;
size_t tmp_size = 0;
const char *filter_path = NULL;
int log_to_stderr = -1;
const char *optstring =
"+u:g:sS:c:C:P:b:B:V:f:m::M::k:a:e::R:T:vrGhHinNplLt::IUK::wyYzd";
/* clang-format off */
const struct option long_options[] = {
{"help", no_argument, 0, 'h'},
{"mount-dev", no_argument, 0, 'd'},
{"ambient", no_argument, 0, 128},
{"uts", optional_argument, 0, 129},
{"logging", required_argument, 0, 130},
{"profile", required_argument, 0, 131},
{"preload-library", required_argument, 0, 132},
{"seccomp-bpf-binary", required_argument, 0, 133},
{"add-suppl-group", required_argument, 0, 134},
{"allow-speculative-execution", no_argument, 0, 135},
{0, 0, 0, 0},
};
/* clang-format on */
while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) !=
-1) {
switch (opt) {
case 'u':
if (use_uid) {
fprintf(stderr,
"-u provided multiple times.\n");
exit(1);
}
use_uid = true;
set_user(j, optarg, &uid, &gid);
break;
case 'g':
if (use_gid) {
fprintf(stderr,
"-g provided multiple times.\n");
exit(1);
}
use_gid = true;
set_group(j, optarg, &gid);
break;
case 'n':
minijail_no_new_privs(j);
break;
case 's':
if (seccomp != -1 && seccomp != 1) {
fprintf(stderr,
"Do not use -s, -S, or "
"--seccomp-bpf-binary together.\n");
exit(1);
}
seccomp = 1;
minijail_use_seccomp(j);
break;
case 'S':
if (seccomp != -1 && seccomp != 2) {
fprintf(stderr,
"Do not use -s, -S, or "
"--seccomp-bpf-binary together.\n");
exit(1);
}
seccomp = 2;
minijail_use_seccomp_filter(j);
filter_path = optarg;
use_seccomp_filter = 1;
break;
case 'l':
minijail_namespace_ipc(j);
break;
case 'L':
minijail_log_seccomp_filter_failures(j);
break;
case 'b':
add_binding(j, optarg);
binding = 1;
break;
case 'B':
skip_securebits(j, optarg);
break;
case 'c':
caps = 1;
use_caps(j, optarg);
break;
case 'C':
use_chroot(j, optarg, &chroot, pivot_root);
break;
case 'k':
add_mount(j, optarg);
break;
case 'K':
remount_mode = optarg;
change_remount = 1;
break;
case 'P':
use_pivot_root(j, optarg, &pivot_root, chroot);
break;
case 'f':
if (0 != minijail_write_pid_file(j, optarg)) {
fprintf(stderr,
"Could not prepare pid file path.\n");
exit(1);
}
break;
case 't':
minijail_namespace_vfs(j);
if (!tmp_size) {
/*
* Avoid clobbering |tmp_size| if it was already
* set.
*/
tmp_size = DEFAULT_TMP_SIZE;
}
if (optarg != NULL &&
0 != parse_size(&tmp_size, optarg)) {
fprintf(stderr, "Invalid /tmp tmpfs size.\n");
exit(1);
}
break;
case 'v':
minijail_namespace_vfs(j);
/*
* Set the default mount propagation in the command-line
* tool to MS_SLAVE.
*
* When executing the sandboxed program in a new mount
* namespace the Minijail library will by default
* remount all mounts with the MS_PRIVATE flag. While
* this is an appropriate, safe default for the library,
* MS_PRIVATE can be problematic: unmount events will
* not propagate into mountpoints marked as MS_PRIVATE.
* This means that if a mount is unmounted in the root
* mount namespace, it will not be unmounted in the
* non-root mount namespace.
* This in turn can be problematic because activity in
* the non-root mount namespace can now directly
* influence the root mount namespace (e.g. preventing
* re-mounts of said mount), which would be a privilege
* inversion.
*
* Setting the default in the command-line to MS_SLAVE
* will still prevent mounts from leaking out of the
* non-root mount namespace but avoid these
* privilege-inversion issues.
* For cases where mounts should not flow *into* the
* namespace either, the user can pass -Kprivate.
* Note that mounts are marked as MS_PRIVATE by default
* by the kernel, so unless the init process (like
* systemd) or something else marks them as shared, this
* won't do anything.
*/
minijail_remount_mode(j, MS_SLAVE);
mount_ns = 1;
break;
case 'V':
minijail_namespace_enter_vfs(j, optarg);
break;
case 'r':
minijail_remount_proc_readonly(j);
break;
case 'G':
if (keep_suppl_gids) {
fprintf(stderr,
"-y and -G are not compatible.\n");
exit(1);
}
minijail_inherit_usergroups(j);
inherit_suppl_gids = 1;
break;
case 'y':
if (inherit_suppl_gids) {
fprintf(stderr,
"-y and -G are not compatible.\n");
exit(1);
}
minijail_keep_supplementary_gids(j);
keep_suppl_gids = 1;
break;
case 'N':
minijail_namespace_cgroups(j);
break;
case 'p':
minijail_namespace_pids(j);
break;
case 'e':
if (optarg)
minijail_namespace_enter_net(j, optarg);
else
minijail_namespace_net(j);
break;
case 'i':
*exit_immediately = 1;
break;
case 'H':
seccomp_filter_usage(argv[0]);
exit(0);
case 'I':
minijail_namespace_pids(j);
minijail_run_as_init(j);
break;
case 'U':
minijail_namespace_user(j);
minijail_namespace_pids(j);
break;
case 'm':
set_uidmap = 1;
if (uidmap) {
free(uidmap);
uidmap = NULL;
}
if (optarg)
uidmap = xstrdup(optarg);
break;
case 'M':
set_gidmap = 1;
if (gidmap) {
free(gidmap);
gidmap = NULL;
}
if (optarg)
gidmap = xstrdup(optarg);
break;
case 'a':
if (0 != minijail_use_alt_syscall(j, optarg)) {
fprintf(stderr,
"Could not set alt-syscall table.\n");
exit(1);
}
break;
case 'R':
add_rlimit(j, optarg);
break;
case 'T':
if (!strcmp(optarg, "static"))
*elftype = ELFSTATIC;
else if (!strcmp(optarg, "dynamic"))
*elftype = ELFDYNAMIC;
else {
fprintf(stderr, "ELF type must be 'static' or "
"'dynamic'.\n");
exit(1);
}
break;
case 'w':
minijail_new_session_keyring(j);
break;
case 'Y':
minijail_set_seccomp_filter_tsync(j);
break;
case 'z':
forward = 0;
break;
case 'd':
minijail_namespace_vfs(j);
minijail_mount_dev(j);
break;
/* Long options. */
case 128: /* Ambient caps. */
ambient_caps = 1;
minijail_set_ambient_caps(j);
break;
case 129: /* UTS/hostname namespace. */
minijail_namespace_uts(j);
if (optarg)
minijail_namespace_set_hostname(j, optarg);
break;
case 130: /* Logging. */
if (!strcmp(optarg, "auto")) {
log_to_stderr = -1;
} else if (!strcmp(optarg, "syslog")) {
log_to_stderr = 0;
} else if (!strcmp(optarg, "stderr")) {
log_to_stderr = 1;
} else {
fprintf(stderr, "--logger must be 'syslog' or "
"'stderr'.\n");
exit(1);
}
break;
case 131: /* Profile */
use_profile(j, optarg, &pivot_root, chroot, &tmp_size);
break;
case 132: /* PRELOADPATH */
*preload_path = optarg;
break;
case 133: /* seccomp-bpf binary. */
if (seccomp != -1 && seccomp != 3) {
fprintf(stderr,
"Do not use -s, -S, or "
"--seccomp-bpf-binary together.\n");
exit(1);
}
seccomp = 3;
minijail_use_seccomp_filter(j);
filter_path = optarg;
use_seccomp_filter_binary = 1;
break;
case 134:
suppl_group_add(&suppl_gids_count, &suppl_gids,
optarg);
break;
case 135:
minijail_set_seccomp_filter_allow_speculation(j);
break;
default:
usage(argv[0]);
exit(opt == 'h' ? 0 : 1);
}
}
if (log_to_stderr == -1) {
/* Autodetect default logging output. */
log_to_stderr = isatty(STDIN_FILENO) ? 1 : 0;
}
if (log_to_stderr) {
init_logging(LOG_TO_FD, STDERR_FILENO, LOG_INFO);
/*
* When logging to stderr, ensure the FD survives the jailing.
*/
if (0 !=
minijail_preserve_fd(j, STDERR_FILENO, STDERR_FILENO)) {
fprintf(stderr, "Could not preserve stderr.\n");
exit(1);
}
}
/* Set up uid/gid mapping. */
if (set_uidmap || set_gidmap) {
set_ugid_mapping(j, set_uidmap, uid, uidmap, set_gidmap, gid,
gidmap);
}
/* Can only set ambient caps when using regular caps. */
if (ambient_caps && !caps) {
fprintf(stderr, "Can't set ambient capabilities (--ambient) "
"without actually using capabilities (-c).\n");
exit(1);
}
/* Set up signal handlers in minijail unless asked not to. */
if (forward)
minijail_forward_signals(j);
/*
* Only allow bind mounts when entering a chroot, using pivot_root, or
* a new mount namespace.
*/
if (binding && !(chroot || pivot_root || mount_ns)) {
fprintf(stderr, "Bind mounts require a chroot, pivot_root, or "
" new mount namespace.\n");
exit(1);
}
/*
* / is only remounted when entering a new mount namespace, so unless
* that's set there is no need for the -K/-K<mode> flags.
*/
if (change_remount && !mount_ns) {
fprintf(stderr, "No need to use -K (skip remounting '/') or "
"-K<mode> (remount '/' as <mode>)\n"
"without -v (new mount namespace).\n"
"Do you need to add '-v' explicitly?\n");
exit(1);
}
/* Configure the remount flag here to avoid having -v override it. */
if (change_remount) {
if (remount_mode != NULL) {
set_remount_mode(j, remount_mode);
} else {
minijail_skip_remount_private(j);
}
}
/*
* Proceed in setting the supplementary gids specified on the
* cmdline options.
*/
if (suppl_gids_count) {
minijail_set_supplementary_gids(j, suppl_gids_count,
suppl_gids);
free(suppl_gids);
}
/*
* We parse seccomp filters here to make sure we've collected all
* cmdline options.
*/
if (use_seccomp_filter) {
minijail_parse_seccomp_filters(j, filter_path);
} else if (use_seccomp_filter_binary) {
struct sock_fprog filter;
read_seccomp_filter(filter_path, &filter);
minijail_set_seccomp_filters(j, &filter);
free((void *)filter.filter);
}
/* Mount a tmpfs under /tmp and set its size. */
if (tmp_size)
minijail_mount_tmp_size(j, tmp_size);
/*
* There should be at least one additional unparsed argument: the
* executable name.
*/
if (argc == optind) {
usage(argv[0]);
exit(1);
}
if (*elftype == ELFERROR) {
/*
* -T was not specified.
* Get the path to the program adjusted for changing root.
*/
char *program_path =
minijail_get_original_path(j, argv[optind]);
/* Check that we can access the target program. */
if (access(program_path, X_OK)) {
fprintf(stderr,
"Target program '%s' is not accessible.\n",
argv[optind]);
exit(1);
}
/* Check if target is statically or dynamically linked. */
*elftype = get_elf_linkage(program_path);
free(program_path);
}
/*
* Setting capabilities need either a dynamically-linked binary, or the
* use of ambient capabilities for them to be able to survive an
* execve(2).
*/
if (caps && *elftype == ELFSTATIC && !ambient_caps) {
fprintf(stderr, "Can't run statically-linked binaries with "
"capabilities (-c) without also setting "
"ambient capabilities. Try passing "
"--ambient.\n");
exit(1);
}
return optind;
}