1 /* Copyright 2018 The Chromium OS Authors. All rights reserved.
2 * Use of this source code is governed by a BSD-style license that can be
3 * found in the LICENSE file.
4 */
5
6 #include <dlfcn.h>
7 #include <err.h>
8 #include <errno.h>
9 #include <fcntl.h>
10 #include <getopt.h>
11 #include <inttypes.h>
12 #include <stdbool.h>
13 #include <stdio.h>
14 #include <stdlib.h>
15 #include <string.h>
16 #include <sys/capability.h>
17 #include <sys/mount.h>
18 #include <sys/stat.h>
19 #include <sys/types.h>
20 #include <sys/vfs.h>
21 #include <unistd.h>
22
23 #include <linux/filter.h>
24
25 #include "libminijail.h"
26 #include "libsyscalls.h"
27
28 #include "config_parser.h"
29 #include "elfparse.h"
30 #include "minijail0_cli.h"
31 #include "system.h"
32 #include "util.h"
33
34 #define IDMAP_LEN 32U
35 #define DEFAULT_TMP_SIZE (64 * 1024 * 1024)
36
37 /*
38 * A malloc() that aborts on failure. We only implement this in the CLI as
39 * the library should return ENOMEM errors when allocations fail.
40 */
xmalloc(size_t size)41 static void *xmalloc(size_t size)
42 {
43 void *ret = malloc(size);
44 if (!ret)
45 err(1, "malloc() failed");
46 return ret;
47 }
48
xstrdup(const char * s)49 static char *xstrdup(const char *s)
50 {
51 char *ret = strdup(s);
52 if (!ret)
53 err(1, "strdup() failed");
54 return ret;
55 }
56
set_user(struct minijail * j,const char * arg,uid_t * out_uid,gid_t * out_gid)57 static void set_user(struct minijail *j, const char *arg, uid_t *out_uid,
58 gid_t *out_gid)
59 {
60 char *end = NULL;
61 uid_t uid = strtoul(arg, &end, 10);
62 if (!*end && *arg) {
63 *out_uid = uid;
64 minijail_change_uid(j, uid);
65 return;
66 }
67
68 int ret = lookup_user(arg, out_uid, out_gid);
69 if (ret) {
70 errno = -ret;
71 err(1, "Bad user '%s'", arg);
72 }
73
74 ret = minijail_change_user(j, arg);
75 if (ret) {
76 errno = -ret;
77 err(1, "minijail_change_user('%s') failed", arg);
78 }
79 }
80
set_group(struct minijail * j,const char * arg,gid_t * out_gid)81 static void set_group(struct minijail *j, const char *arg, gid_t *out_gid)
82 {
83 char *end = NULL;
84 gid_t gid = strtoul(arg, &end, 10);
85 if (!*end && *arg) {
86 *out_gid = gid;
87 minijail_change_gid(j, gid);
88 return;
89 }
90
91 int ret = lookup_group(arg, out_gid);
92 if (ret) {
93 errno = -ret;
94 err(1, "Bad group '%s'", arg);
95 }
96
97 minijail_change_gid(j, *out_gid);
98 }
99
100 /*
101 * Helper function used by --add-suppl-group (possibly more than once),
102 * to build the supplementary gids array.
103 */
suppl_group_add(size_t * suppl_gids_count,gid_t ** suppl_gids,char * arg)104 static void suppl_group_add(size_t *suppl_gids_count, gid_t **suppl_gids,
105 char *arg)
106 {
107 char *end = NULL;
108 gid_t gid = strtoul(arg, &end, 10);
109 int ret;
110 if (!*end && *arg) {
111 /* A gid number has been specified, proceed. */
112 } else if ((ret = lookup_group(arg, &gid))) {
113 /*
114 * A group name has been specified,
115 * but doesn't exist: we bail out.
116 */
117 errno = -ret;
118 err(1, "Bad group '%s'", arg);
119 }
120
121 /*
122 * From here, gid is guaranteed to be set and valid,
123 * we add it to our supplementary gids array.
124 */
125 *suppl_gids =
126 realloc(*suppl_gids, sizeof(gid_t) * ++(*suppl_gids_count));
127 if (!suppl_gids)
128 err(1, "failed to allocate memory");
129
130 (*suppl_gids)[*suppl_gids_count - 1] = gid;
131 }
132
skip_securebits(struct minijail * j,const char * arg)133 static void skip_securebits(struct minijail *j, const char *arg)
134 {
135 uint64_t securebits_skip_mask;
136 char *end = NULL;
137 securebits_skip_mask = strtoull(arg, &end, 16);
138 if (*end)
139 errx(1, "Invalid securebit mask: '%s'", arg);
140 minijail_skip_setting_securebits(j, securebits_skip_mask);
141 }
142
use_caps(struct minijail * j,const char * arg)143 static void use_caps(struct minijail *j, const char *arg)
144 {
145 uint64_t caps = 0;
146 cap_t parsed_caps = cap_from_text(arg);
147
148 if (parsed_caps != NULL) {
149 unsigned int i;
150 const uint64_t one = 1;
151 cap_flag_value_t cap_value;
152 unsigned int last_valid_cap = get_last_valid_cap();
153
154 for (i = 0; i <= last_valid_cap; ++i) {
155 if (cap_get_flag(parsed_caps, i, CAP_EFFECTIVE,
156 &cap_value)) {
157 if (errno == EINVAL) {
158 /*
159 * Some versions of libcap reject any
160 * capabilities they were not compiled
161 * with by returning EINVAL.
162 */
163 continue;
164 }
165 err(1,
166 "Could not get the value of the %d-th "
167 "capability",
168 i);
169 }
170 if (cap_value == CAP_SET)
171 caps |= (one << i);
172 }
173 cap_free(parsed_caps);
174 } else {
175 char *end = NULL;
176 caps = strtoull(arg, &end, 16);
177 if (*end)
178 errx(1, "Invalid cap set: '%s'", arg);
179 }
180
181 minijail_use_caps(j, caps);
182 }
183
add_binding(struct minijail * j,char * arg)184 static void add_binding(struct minijail *j, char *arg)
185 {
186 char *src = tokenize(&arg, ",");
187 char *dest = tokenize(&arg, ",");
188 char *flags = tokenize(&arg, ",");
189 if (!src || src[0] == '\0' || arg != NULL)
190 errx(1, "Bad binding: %s %s", src, dest);
191 if (dest == NULL || dest[0] == '\0')
192 dest = src;
193 int writable;
194 if (flags == NULL || flags[0] == '\0' || !strcmp(flags, "0"))
195 writable = 0;
196 else if (!strcmp(flags, "1"))
197 writable = 1;
198 else
199 errx(1, "Bad value for <writable>: %s", flags);
200 if (minijail_bind(j, src, dest, writable))
201 errx(1, "minijail_bind failed");
202 }
203
add_rlimit(struct minijail * j,char * arg)204 static void add_rlimit(struct minijail *j, char *arg)
205 {
206 char *type = tokenize(&arg, ",");
207 char *cur = tokenize(&arg, ",");
208 char *max = tokenize(&arg, ",");
209 char *end;
210 if (!type || type[0] == '\0' || !cur || cur[0] == '\0' || !max ||
211 max[0] == '\0' || arg != NULL) {
212 errx(1, "Bad rlimit '%s'", arg);
213 }
214 rlim_t cur_rlim;
215 rlim_t max_rlim;
216 if (!strcmp(cur, "unlimited")) {
217 cur_rlim = RLIM_INFINITY;
218 } else {
219 end = NULL;
220 cur_rlim = strtoul(cur, &end, 0);
221 if (*end)
222 errx(1, "Bad soft limit: '%s'", cur);
223 }
224 if (!strcmp(max, "unlimited")) {
225 max_rlim = RLIM_INFINITY;
226 } else {
227 end = NULL;
228 max_rlim = strtoul(max, &end, 0);
229 if (*end)
230 errx(1, "Bad hard limit: '%s'", max);
231 }
232
233 end = NULL;
234 int resource = parse_single_constant(type, &end);
235 if (type == end)
236 errx(1, "Bad rlimit: '%s'", type);
237
238 if (minijail_rlimit(j, resource, cur_rlim, max_rlim))
239 errx(1, "minijail_rlimit '%s,%s,%s' failed", type, cur, max);
240 }
241
add_mount(struct minijail * j,char * arg)242 static void add_mount(struct minijail *j, char *arg)
243 {
244 char *src = tokenize(&arg, ",");
245 char *dest = tokenize(&arg, ",");
246 char *type = tokenize(&arg, ",");
247 char *flags = tokenize(&arg, ",");
248 char *data = tokenize(&arg, ",");
249 char *end;
250 if (!src || src[0] == '\0' || !dest || dest[0] == '\0' || !type ||
251 type[0] == '\0') {
252 errx(1, "Bad mount: %s %s %s", src, dest, type);
253 }
254
255 /*
256 * Fun edge case: the data option itself is comma delimited. If there
257 * were no more options, then arg would be set to NULL. But if we had
258 * more pending, it'll be pointing to the next token. Back up and undo
259 * the null byte so it'll be merged back.
260 * An example:
261 * none,/tmp,tmpfs,0xe,mode=0755,uid=10,gid=10
262 * The tokenize calls above will turn this memory into:
263 * none\0/tmp\0tmpfs\00xe\0mode=0755\0uid=10,gid=10
264 * With data pointing at mode=0755 and arg pointing at uid=10,gid=10.
265 */
266 if (arg != NULL)
267 arg[-1] = ',';
268
269 unsigned long mountflags;
270 if (flags == NULL || flags[0] == '\0') {
271 mountflags = 0;
272 } else {
273 end = NULL;
274 mountflags = parse_constant(flags, &end);
275 if (flags == end)
276 errx(1, "Bad mount flags: %s", flags);
277 }
278
279 if (minijail_mount_with_data(j, src, dest, type, mountflags, data))
280 errx(1, "minijail_mount failed");
281 }
282
build_idmap(id_t id,id_t lowerid)283 static char *build_idmap(id_t id, id_t lowerid)
284 {
285 int ret;
286 char *idmap = xmalloc(IDMAP_LEN);
287 ret = snprintf(idmap, IDMAP_LEN, "%d %d 1", id, lowerid);
288 if (ret < 0 || (size_t)ret >= IDMAP_LEN) {
289 free(idmap);
290 errx(1, "Could not build id map");
291 }
292 return idmap;
293 }
294
has_cap_setgid(void)295 static int has_cap_setgid(void)
296 {
297 cap_t caps;
298 cap_flag_value_t cap_value;
299
300 if (!CAP_IS_SUPPORTED(CAP_SETGID))
301 return 0;
302
303 caps = cap_get_proc();
304 if (!caps)
305 err(1, "Could not get process' capabilities");
306
307 if (cap_get_flag(caps, CAP_SETGID, CAP_EFFECTIVE, &cap_value))
308 err(1, "Could not get the value of CAP_SETGID");
309
310 if (cap_free(caps))
311 err(1, "Could not free capabilities");
312
313 return cap_value == CAP_SET;
314 }
315
set_ugid_mapping(struct minijail * j,int set_uidmap,uid_t uid,char * uidmap,int set_gidmap,gid_t gid,char * gidmap)316 static void set_ugid_mapping(struct minijail *j, int set_uidmap, uid_t uid,
317 char *uidmap, int set_gidmap, gid_t gid,
318 char *gidmap)
319 {
320 if (set_uidmap) {
321 minijail_namespace_user(j);
322 minijail_namespace_pids(j);
323
324 if (!uidmap) {
325 /*
326 * If no map is passed, map the current uid to the
327 * chosen uid in the target namespace (or root, if none
328 * was chosen).
329 */
330 uidmap = build_idmap(uid, getuid());
331 }
332 if (0 != minijail_uidmap(j, uidmap))
333 errx(1, "Could not set uid map");
334 free(uidmap);
335 }
336 if (set_gidmap) {
337 minijail_namespace_user(j);
338 minijail_namespace_pids(j);
339
340 if (!gidmap) {
341 /*
342 * If no map is passed, map the current gid to the
343 * chosen gid in the target namespace.
344 */
345 gidmap = build_idmap(gid, getgid());
346 }
347 if (!has_cap_setgid()) {
348 /*
349 * This means that we are not running as root,
350 * so we also have to disable setgroups(2) to
351 * be able to set the gid map.
352 * See
353 * http://man7.org/linux/man-pages/man7/user_namespaces.7.html
354 */
355 minijail_namespace_user_disable_setgroups(j);
356 }
357 if (0 != minijail_gidmap(j, gidmap))
358 errx(1, "Could not set gid map");
359 free(gidmap);
360 }
361 }
362
use_chroot(struct minijail * j,const char * path,int * chroot,int pivot_root)363 static void use_chroot(struct minijail *j, const char *path, int *chroot,
364 int pivot_root)
365 {
366 if (pivot_root)
367 errx(1, "Could not set chroot because -P was specified");
368 if (minijail_enter_chroot(j, path))
369 errx(1, "Could not set chroot");
370 *chroot = 1;
371 }
372
use_pivot_root(struct minijail * j,const char * path,int * pivot_root,int chroot)373 static void use_pivot_root(struct minijail *j, const char *path,
374 int *pivot_root, int chroot)
375 {
376 if (chroot)
377 errx(1, "Could not set pivot_root because -C was specified");
378 if (minijail_enter_pivot_root(j, path))
379 errx(1, "Could not set pivot_root");
380 minijail_namespace_vfs(j);
381 *pivot_root = 1;
382 }
383
use_profile(struct minijail * j,const char * profile,int * pivot_root,int chroot,size_t * tmp_size)384 static void use_profile(struct minijail *j, const char *profile,
385 int *pivot_root, int chroot, size_t *tmp_size)
386 {
387 /* Note: New profiles should be added in minijail0_cli_unittest.cc. */
388
389 if (!strcmp(profile, "minimalistic-mountns") ||
390 !strcmp(profile, "minimalistic-mountns-nodev")) {
391 minijail_namespace_vfs(j);
392 if (minijail_bind(j, "/", "/", 0))
393 errx(1, "minijail_bind(/) failed");
394 if (minijail_bind(j, "/proc", "/proc", 0))
395 errx(1, "minijail_bind(/proc) failed");
396 if (!strcmp(profile, "minimalistic-mountns")) {
397 if (minijail_bind(j, "/dev/log", "/dev/log", 0))
398 errx(1, "minijail_bind(/dev/log) failed");
399 minijail_mount_dev(j);
400 }
401 if (!*tmp_size) {
402 /* Avoid clobbering |tmp_size| if it was already set. */
403 *tmp_size = DEFAULT_TMP_SIZE;
404 }
405 minijail_remount_proc_readonly(j);
406 use_pivot_root(j, DEFAULT_PIVOT_ROOT, pivot_root, chroot);
407 } else
408 errx(1, "Unrecognized profile name '%s'", profile);
409 }
410
set_remount_mode(struct minijail * j,const char * mode)411 static void set_remount_mode(struct minijail *j, const char *mode)
412 {
413 unsigned long msmode;
414 if (!strcmp(mode, "shared"))
415 msmode = MS_SHARED;
416 else if (!strcmp(mode, "private"))
417 msmode = MS_PRIVATE;
418 else if (!strcmp(mode, "slave"))
419 msmode = MS_SLAVE;
420 else if (!strcmp(mode, "unbindable"))
421 msmode = MS_UNBINDABLE;
422 else
423 errx(1, "Unknown remount mode: '%s'", mode);
424 minijail_remount_mode(j, msmode);
425 }
426
read_seccomp_filter(const char * filter_path,struct sock_fprog * filter)427 static void read_seccomp_filter(const char *filter_path,
428 struct sock_fprog *filter)
429 {
430 attribute_cleanup_fp FILE *f = fopen(filter_path, "re");
431 if (!f)
432 err(1, "failed to open %s", filter_path);
433 off_t filter_size = 0;
434 if (fseeko(f, 0, SEEK_END) == -1 || (filter_size = ftello(f)) == -1)
435 err(1, "failed to get file size of %s", filter_path);
436 if (filter_size % sizeof(struct sock_filter) != 0) {
437 errx(1,
438 "filter size (%" PRId64 ") of %s is not a multiple of"
439 " %zu",
440 filter_size, filter_path, sizeof(struct sock_filter));
441 }
442 rewind(f);
443
444 filter->len = filter_size / sizeof(struct sock_filter);
445 filter->filter = xmalloc(filter_size);
446 if (fread(filter->filter, sizeof(struct sock_filter), filter->len, f) !=
447 filter->len) {
448 err(1, "failed read %s", filter_path);
449 }
450 }
451
452 /*
453 * Long options use values starting at 0x100 so that they're out of range of
454 * bytes which is how command line options are processed. Practically speaking,
455 * we could get by with the (7-bit) ASCII range, but UTF-8 codepoints would be a
456 * bit confusing, and honestly there's no reason to "optimize" here.
457 *
458 * The long enum values are internal to this file and can freely change at any
459 * time without breaking anything. Please keep alphabetically ordered.
460 */
461 enum {
462 /* Everything after this point only have long options. */
463 LONG_OPTION_BASE = 0x100,
464 OPT_ADD_SUPPL_GROUP,
465 OPT_ALLOW_SPECULATIVE_EXECUTION,
466 OPT_AMBIENT,
467 OPT_CONFIG,
468 OPT_ENV_ADD,
469 OPT_ENV_RESET,
470 OPT_LOGGING,
471 OPT_PRELOAD_LIBRARY,
472 OPT_PROFILE,
473 OPT_SECCOMP_BPF_BINARY,
474 OPT_UTS,
475 };
476
477 /*
478 * NB: When adding new options, prefer long-option only. Add a short option
479 * only if its meaning is intuitive/obvious at a glance.
480 *
481 * Keep this sorted.
482 */
483 static const char optstring[] =
484 "+a:b:c:de::f:g:hik:lm::nprst::u:vwyzB:C:GHIK::LM::NP:R:S:T:UV:Y";
485
486 static const struct option long_options[] = {
487 {"help", no_argument, 0, 'h'},
488 {"mount-dev", no_argument, 0, 'd'},
489 {"ambient", no_argument, 0, OPT_AMBIENT},
490 {"uts", optional_argument, 0, OPT_UTS},
491 {"logging", required_argument, 0, OPT_LOGGING},
492 {"profile", required_argument, 0, OPT_PROFILE},
493 {"preload-library", required_argument, 0, OPT_PRELOAD_LIBRARY},
494 {"seccomp-bpf-binary", required_argument, 0, OPT_SECCOMP_BPF_BINARY},
495 {"add-suppl-group", required_argument, 0, OPT_ADD_SUPPL_GROUP},
496 {"allow-speculative-execution", no_argument, 0,
497 OPT_ALLOW_SPECULATIVE_EXECUTION},
498 {"config", required_argument, 0, OPT_CONFIG},
499 {"env-add", required_argument, 0, OPT_ENV_ADD},
500 {"env-reset", no_argument, 0, OPT_ENV_RESET},
501 {"mount", required_argument, 0, 'k'},
502 {"bind-mount", required_argument, 0, 'b'},
503 {"ns-mount", no_argument, 0, 'v'},
504 {0, 0, 0, 0},
505 };
506
507 /*
508 * Pull the usage string out into the top-level to help with long-lines. We
509 * want the output to be wrapped at 80 cols when it's shown to the user in the
510 * terminal, but we don't want the source wrapped to 80 cols because that will
511 * effectively make terminal output wrap to much lower levels (like <70).
512 */
513 /* clang-format off */
514 static const char help_text[] =
515 "Account (user/group) options:\n"
516 " -u <user> Change uid to <user>.\n"
517 " -g <group> Change gid to <group>.\n"
518 " -G Inherit supplementary groups from new uid.\n"
519 " Incompatible with -y or --add-suppl-group.\n"
520 " -y Keep original uid's supplementary groups.\n"
521 " Incompatible with -G or --add-suppl-group.\n"
522 " --add-suppl-group <group>\n"
523 " Add <group> to the proccess' supplementary groups.\n"
524 " Can be specified multiple times to add several groups.\n"
525 " Incompatible with -y or -G.\n"
526 "\n"
527 "Mount/path options:\n"
528 " -b <src[,dst[,writable]]>, --bind-mount <...>\n"
529 " Bind <src> to <dst>.\n"
530 " -k <src,dst,fstype[,flags[,data]]>, --mount <...>\n"
531 " Mount <src> at <dst>. <flags> and <data> can be specified as\n"
532 " in mount(2). Multiple instances allowed.\n"
533 " -K Do not change share mode of any existing mounts.\n"
534 " -K<mode> Mark all existing mounts as <mode> instead of MS_PRIVATE.\n"
535 " -r Remount /proc read-only (implies -v).\n"
536 " -d, --mount-dev\n"
537 " Create a new /dev with a minimal set of device nodes\n"
538 " (implies -v). See minijail0(1) for exact list.\n"
539 " -t[size] Mount tmpfs at /tmp (implies -v).\n"
540 " Optional argument specifies size (default \"64M\").\n"
541 " -C <dir> chroot(2) to <dir>. Incompatible with -P.\n"
542 " -P <dir> pivot_root(2) to <dir> (implies -v). Incompatible with -C.\n"
543 "\n"
544 "Namespace options:\n"
545 " -N Enter a new cgroup namespace.\n"
546 " -l Enter new IPC namespace.\n"
547 " -v, --ns-mount\n"
548 " Enter new mount namespace.\n"
549 " -V <file> Enter specified mount namespace.\n"
550 " -e[file] Enter new network namespace, or existing |file| if provided.\n"
551 " -p Enter new pid namespace (implies -vr).\n"
552 " -I Run as init (pid 1) inside a new pid namespace (implies -p).\n"
553 " -U Enter new user namespace (implies -p).\n"
554 " -m[<uid> <loweruid> <count>]\n"
555 " Set the uid map of a user namespace (implies -pU).\n"
556 " Same arguments as newuidmap(1); mappings are comma separated.\n"
557 " With no mapping, map the current uid to root.\n"
558 " Incompatible with -b without the 'writable' option.\n"
559 " -M[<gid> <lowergid> <count>]\n"
560 " Set the gid map of a user namespace (implies -pU).\n"
561 " Same arguments as newgidmap(1); mappings are comma separated.\n"
562 " With no mapping, map the current gid to root.\n"
563 " Incompatible with -b without the 'writable' option.\n"
564 " --uts[=name] Enter a new UTS namespace (and set hostname).\n"
565 "\n"
566 "Seccomp options:\n"
567 " -S <file> Set seccomp filter using <file>.\n"
568 " E.g., '-S /usr/share/filters/<prog>.$(uname -m)'.\n"
569 " Requires -n when not running as root.\n"
570 " --seccomp-bpf-binary=<f>\n"
571 " Set a pre-compiled seccomp filter using <f>.\n"
572 " E.g., '-S /usr/share/filters/<prog>.$(uname -m).bpf'.\n"
573 " Requires -n when not running as root.\n"
574 " The user is responsible for ensuring that the binary\n"
575 " was compiled for the correct architecture / kernel version.\n"
576 " -L Report blocked syscalls when using seccomp filter.\n"
577 " If the kernel does not support SECCOMP_RET_LOG, some syscalls\n"
578 " will automatically be allowed (see below).\n"
579 " -Y Synchronize seccomp filters across thread group.\n"
580 " -a <table> Use alternate syscall table <table>.\n"
581 " -s Use seccomp mode 1 (not the same as -S).\n"
582 "\n"
583 "Other options:\n"
584 " --config <file>\n"
585 " Load the Minijail configuration file <file>.\n"
586 " If used, must be specified ahead of other options.\n"
587 " --profile <p>\n"
588 " Configure minijail0 to run with the <p> sandboxing profile,\n"
589 " which is a convenient way to express multiple flags\n"
590 " that are typically used together.\n"
591 " See the minijail0(1) man page for the full list.\n"
592 " -n Set no_new_privs. See prctl(2) for details.\n"
593 " -c <caps> Restrict caps to <caps>.\n"
594 " --ambient Raise ambient capabilities. Requires -c.\n"
595 " -B <mask> Skip setting <mask> securebits when restricting caps (-c).\n"
596 " By default, SECURE_NOROOT, SECURE_NO_SETUID_FIXUP, and \n"
597 " SECURE_KEEP_CAPS (with their respective locks) are set.\n"
598 " -f <file> Write the pid of the jailed process to <file>.\n"
599 " -i Exit immediately after fork(2); i.e. background the program.\n"
600 " -z Don't forward signals to jailed process.\n"
601 " -R <type,cur,max>\n"
602 " Call setrlimit(3); can be specified multiple times.\n"
603 " -T <type> Assume <program> is a <type> ELF binary;\n"
604 " <type> may be 'static' or 'dynamic'.\n"
605 " This will avoid accessing <program> binary before execve(2).\n"
606 " Type 'static' will avoid preload hooking.\n"
607 " -w Create and join a new anonymous session keyring.\n"
608 " --env-reset Clear the current environment instead of having <program>\n"
609 " inherit the active environment. Often used to start <program>\n"
610 " with a minimal sanitized environment.\n"
611 " --env-add <NAME=value>\n"
612 " Sets the specified environment variable <NAME>\n"
613 " in the <program>'s environment before starting it.\n"
614 "\n"
615 "Uncommon options:\n"
616 " --allow-speculative-execution\n"
617 " Allow speculative execution by disabling mitigations.\n"
618 " --preload-library=<file>\n"
619 " Overrides the path to \"" PRELOADPATH "\".\n"
620 " This is only really useful for local testing.\n"
621 " --logging=<output>\n"
622 " Set the logging system output: 'auto' (default),\n"
623 " 'syslog', or 'stderr'.\n"
624 " -h Help (this message).\n"
625 " -H Seccomp filter help message.\n";
626 /* clang-format on */
627
usage(const char * progn)628 static void usage(const char *progn)
629 {
630 printf("Usage: %s [options] [--] <program> [args...]\n\n%s", progn,
631 help_text);
632
633 printf("\nsyscalls allowed when logging (-L):\n ");
634 for (size_t i = 0; i < log_syscalls_len; ++i)
635 printf(" %s", log_syscalls[i]);
636 printf("\n");
637 }
638
seccomp_filter_usage(const char * progn)639 static void seccomp_filter_usage(const char *progn)
640 {
641 const struct syscall_entry *entry = syscall_table;
642 printf("Usage: %s -S <policy.file> <program> [args...]\n\n"
643 "System call names supported:\n",
644 progn);
645 for (; entry->name && entry->nr >= 0; ++entry)
646 printf(" %s [%d]\n", entry->name, entry->nr);
647 printf("\nSee minijail0(5) for example policies.\n");
648 }
649
650 /*
651 * Return the next unconsumed option char/value parsed from
652 * |*conf_entry_list|. |optarg| is updated to point to an argument from
653 * the entry value. If all options have been consumed, |*conf_entry_list|
654 * will be freed and -1 will be returned.
655 */
getopt_from_conf(const struct option * longopts,struct config_entry_list ** conf_entry_list,size_t * conf_index)656 static int getopt_from_conf(const struct option *longopts,
657 struct config_entry_list **conf_entry_list,
658 size_t *conf_index)
659 {
660 int opt = -1;
661 /* If we've consumed all the options in the this config, reset it. */
662 if (*conf_index >= (*conf_entry_list)->num_entries) {
663 free_config_entry_list(*conf_entry_list);
664 *conf_entry_list = NULL;
665 *conf_index = 0;
666 return opt;
667 }
668
669 struct config_entry *entry = &(*conf_entry_list)->entries[*conf_index];
670 /* Look up a matching long option. */
671 size_t i = 0;
672 const struct option *curr_opt;
673 for (curr_opt = &longopts[0]; curr_opt->name != NULL;
674 curr_opt = &longopts[++i])
675 if (strcmp(entry->key, curr_opt->name) == 0)
676 break;
677 if (curr_opt->name == NULL) {
678 errx(1,
679 "Unable to recognize '%s' as Minijail conf entry key, "
680 "please refer to minijail0(5) for syntax and examples.",
681 entry->key);
682 }
683 opt = curr_opt->val;
684 optarg = (char *)entry->value;
685 (*conf_index)++;
686 return opt;
687 }
688
689 /*
690 * Similar to getopt(3), return the next option char/value as it
691 * parses through the CLI argument list. Config entries in
692 * |*conf_entry_list| will be parsed with precendences over cli options.
693 * Same as getopt(3), |optarg| is pointing to the option argument.
694 */
getopt_conf_or_cli(int argc,char * const argv[],struct config_entry_list ** conf_entry_list,size_t * conf_index)695 static int getopt_conf_or_cli(int argc, char *const argv[],
696 struct config_entry_list **conf_entry_list,
697 size_t *conf_index)
698 {
699 int opt = -1;
700 if (*conf_entry_list != NULL)
701 opt =
702 getopt_from_conf(long_options, conf_entry_list, conf_index);
703 if (opt == -1)
704 opt = getopt_long(argc, argv, optstring, long_options, NULL);
705 return opt;
706 }
707
set_child_env(char *** envp,char * arg,char * const environ[])708 static void set_child_env(char ***envp, char *arg, char *const environ[])
709 {
710 /* We expect VAR=value format for arg. */
711 char *delim = strchr(arg, '=');
712 if (!delim) {
713 errx(1, "Expected an argument of the "
714 "form VAR=value (got '%s')", arg);
715 }
716 *delim = '\0';
717 const char *env_value = delim + 1;
718 if (!*envp) {
719 /*
720 * We got our first --env-add. Initialize *envp by
721 * copying our current env to the future child env.
722 */
723 *envp = minijail_copy_env(environ);
724 if (!*envp)
725 err(1, "Failed to allocate memory.");
726 }
727 if (minijail_setenv(envp, arg, env_value, 1))
728 err(1, "minijail_setenv() failed.");
729 }
730
parse_args(struct minijail * j,int argc,char * const argv[],char * const environ[],int * exit_immediately,ElfType * elftype,const char ** preload_path,char *** envp)731 int parse_args(struct minijail *j, int argc, char *const argv[],
732 char *const environ[], int *exit_immediately,
733 ElfType *elftype, const char **preload_path,
734 char ***envp)
735 {
736 enum seccomp_type { None, Strict, Filter, BpfBinaryFilter };
737 enum seccomp_type seccomp = None;
738 int opt;
739 int use_seccomp_filter = 0;
740 int use_seccomp_filter_binary = 0;
741 int use_seccomp_log = 0;
742 int forward = 1;
743 int binding = 0;
744 int chroot = 0, pivot_root = 0;
745 int mount_ns = 0, change_remount = 0;
746 const char *remount_mode = NULL;
747 int inherit_suppl_gids = 0, keep_suppl_gids = 0;
748 int caps = 0, ambient_caps = 0;
749 bool use_uid = false, use_gid = false;
750 uid_t uid = 0;
751 gid_t gid = 0;
752 gid_t *suppl_gids = NULL;
753 size_t suppl_gids_count = 0;
754 char *uidmap = NULL, *gidmap = NULL;
755 int set_uidmap = 0, set_gidmap = 0;
756 size_t tmp_size = 0;
757 const char *filter_path = NULL;
758 int log_to_stderr = -1;
759 struct config_entry_list *conf_entry_list = NULL;
760 size_t conf_index = 0;
761
762 while ((opt = getopt_conf_or_cli(argc, argv, &conf_entry_list,
763 &conf_index)) != -1) {
764 switch (opt) {
765 case 'u':
766 if (use_uid)
767 errx(1, "-u provided multiple times.");
768 use_uid = true;
769 set_user(j, optarg, &uid, &gid);
770 break;
771 case 'g':
772 if (use_gid)
773 errx(1, "-g provided multiple times.");
774 use_gid = true;
775 set_group(j, optarg, &gid);
776 break;
777 case 'n':
778 minijail_no_new_privs(j);
779 break;
780 case 's':
781 if (seccomp != None && seccomp != Strict) {
782 errx(1, "Do not use -s, -S, or "
783 "--seccomp-bpf-binary together");
784 }
785 seccomp = Strict;
786 minijail_use_seccomp(j);
787 break;
788 case 'S':
789 if (seccomp != None && seccomp != Filter) {
790 errx(1, "Do not use -s, -S, or "
791 "--seccomp-bpf-binary together");
792 }
793 seccomp = Filter;
794 minijail_use_seccomp_filter(j);
795 filter_path = optarg;
796 use_seccomp_filter = 1;
797 break;
798 case 'l':
799 minijail_namespace_ipc(j);
800 break;
801 case 'L':
802 if (seccomp == BpfBinaryFilter) {
803 errx(1, "-L does not work with "
804 "--seccomp-bpf-binary");
805 }
806 use_seccomp_log = 1;
807 minijail_log_seccomp_filter_failures(j);
808 break;
809 case 'b':
810 add_binding(j, optarg);
811 binding = 1;
812 break;
813 case 'B':
814 skip_securebits(j, optarg);
815 break;
816 case 'c':
817 caps = 1;
818 use_caps(j, optarg);
819 break;
820 case 'C':
821 use_chroot(j, optarg, &chroot, pivot_root);
822 break;
823 case 'k':
824 add_mount(j, optarg);
825 break;
826 case 'K':
827 remount_mode = optarg;
828 change_remount = 1;
829 break;
830 case 'P':
831 use_pivot_root(j, optarg, &pivot_root, chroot);
832 break;
833 case 'f':
834 if (0 != minijail_write_pid_file(j, optarg))
835 errx(1, "Could not prepare pid file path");
836 break;
837 case 't':
838 minijail_namespace_vfs(j);
839 if (!tmp_size) {
840 /*
841 * Avoid clobbering |tmp_size| if it was already
842 * set.
843 */
844 tmp_size = DEFAULT_TMP_SIZE;
845 }
846 if (optarg != NULL &&
847 0 != parse_size(&tmp_size, optarg)) {
848 errx(1, "Invalid /tmp tmpfs size");
849 }
850 break;
851 case 'v':
852 minijail_namespace_vfs(j);
853 /*
854 * Set the default mount propagation in the command-line
855 * tool to MS_SLAVE.
856 *
857 * When executing the sandboxed program in a new mount
858 * namespace the Minijail library will by default
859 * remount all mounts with the MS_PRIVATE flag. While
860 * this is an appropriate, safe default for the library,
861 * MS_PRIVATE can be problematic: unmount events will
862 * not propagate into mountpoints marked as MS_PRIVATE.
863 * This means that if a mount is unmounted in the root
864 * mount namespace, it will not be unmounted in the
865 * non-root mount namespace.
866 * This in turn can be problematic because activity in
867 * the non-root mount namespace can now directly
868 * influence the root mount namespace (e.g. preventing
869 * re-mounts of said mount), which would be a privilege
870 * inversion.
871 *
872 * Setting the default in the command-line to MS_SLAVE
873 * will still prevent mounts from leaking out of the
874 * non-root mount namespace but avoid these
875 * privilege-inversion issues.
876 * For cases where mounts should not flow *into* the
877 * namespace either, the user can pass -Kprivate.
878 * Note that mounts are marked as MS_PRIVATE by default
879 * by the kernel, so unless the init process (like
880 * systemd) or something else marks them as shared, this
881 * won't do anything.
882 */
883 minijail_remount_mode(j, MS_SLAVE);
884 mount_ns = 1;
885 break;
886 case 'V':
887 minijail_namespace_enter_vfs(j, optarg);
888 break;
889 case 'r':
890 minijail_remount_proc_readonly(j);
891 break;
892 case 'G':
893 if (keep_suppl_gids)
894 errx(1, "-y and -G are not compatible");
895 minijail_inherit_usergroups(j);
896 inherit_suppl_gids = 1;
897 break;
898 case 'y':
899 if (inherit_suppl_gids)
900 errx(1, "-y and -G are not compatible");
901 minijail_keep_supplementary_gids(j);
902 keep_suppl_gids = 1;
903 break;
904 case 'N':
905 minijail_namespace_cgroups(j);
906 break;
907 case 'p':
908 minijail_namespace_pids(j);
909 break;
910 case 'e':
911 if (optarg)
912 minijail_namespace_enter_net(j, optarg);
913 else
914 minijail_namespace_net(j);
915 break;
916 case 'i':
917 *exit_immediately = 1;
918 break;
919 case 'H':
920 seccomp_filter_usage(argv[0]);
921 exit(0);
922 case 'I':
923 minijail_namespace_pids(j);
924 minijail_run_as_init(j);
925 break;
926 case 'U':
927 minijail_namespace_user(j);
928 minijail_namespace_pids(j);
929 break;
930 case 'm':
931 set_uidmap = 1;
932 if (uidmap) {
933 free(uidmap);
934 uidmap = NULL;
935 }
936 if (optarg)
937 uidmap = xstrdup(optarg);
938 break;
939 case 'M':
940 set_gidmap = 1;
941 if (gidmap) {
942 free(gidmap);
943 gidmap = NULL;
944 }
945 if (optarg)
946 gidmap = xstrdup(optarg);
947 break;
948 case 'a':
949 if (0 != minijail_use_alt_syscall(j, optarg))
950 errx(1, "Could not set alt-syscall table");
951 break;
952 case 'R':
953 add_rlimit(j, optarg);
954 break;
955 case 'T':
956 if (!strcmp(optarg, "static"))
957 *elftype = ELFSTATIC;
958 else if (!strcmp(optarg, "dynamic"))
959 *elftype = ELFDYNAMIC;
960 else {
961 errx(1, "ELF type must be 'static' or "
962 "'dynamic'");
963 }
964 break;
965 case 'w':
966 minijail_new_session_keyring(j);
967 break;
968 case 'Y':
969 minijail_set_seccomp_filter_tsync(j);
970 break;
971 case 'z':
972 forward = 0;
973 break;
974 case 'd':
975 minijail_namespace_vfs(j);
976 minijail_mount_dev(j);
977 break;
978 /* Long options. */
979 case OPT_AMBIENT:
980 ambient_caps = 1;
981 minijail_set_ambient_caps(j);
982 break;
983 case OPT_UTS:
984 minijail_namespace_uts(j);
985 if (optarg)
986 minijail_namespace_set_hostname(j, optarg);
987 break;
988 case OPT_LOGGING:
989 if (!strcmp(optarg, "auto"))
990 log_to_stderr = -1;
991 else if (!strcmp(optarg, "syslog"))
992 log_to_stderr = 0;
993 else if (!strcmp(optarg, "stderr"))
994 log_to_stderr = 1;
995 else
996 errx(1,
997 "--logger must be 'syslog' or 'stderr'");
998 break;
999 case OPT_PROFILE:
1000 use_profile(j, optarg, &pivot_root, chroot, &tmp_size);
1001 break;
1002 case OPT_PRELOAD_LIBRARY:
1003 *preload_path = optarg;
1004 break;
1005 case OPT_SECCOMP_BPF_BINARY:
1006 if (seccomp != None && seccomp != BpfBinaryFilter) {
1007 errx(1, "Do not use -s, -S, or "
1008 "--seccomp-bpf-binary together");
1009 }
1010 if (use_seccomp_log == 1)
1011 errx(1, "-L does not work with "
1012 "--seccomp-bpf-binary");
1013 seccomp = BpfBinaryFilter;
1014 minijail_use_seccomp_filter(j);
1015 filter_path = optarg;
1016 use_seccomp_filter_binary = 1;
1017 break;
1018 case OPT_ADD_SUPPL_GROUP:
1019 suppl_group_add(&suppl_gids_count, &suppl_gids, optarg);
1020 break;
1021 case OPT_ALLOW_SPECULATIVE_EXECUTION:
1022 minijail_set_seccomp_filter_allow_speculation(j);
1023 break;
1024 case OPT_CONFIG: {
1025 if (conf_entry_list != NULL) {
1026 errx(1, "Nested config file specification is "
1027 "not allowed.");
1028 }
1029 conf_entry_list = new_config_entry_list();
1030 conf_index = 0;
1031 #if defined(BLOCK_NOEXEC_CONF)
1032 /*
1033 * Check the conf file is in a exec mount.
1034 * With a W^X invariant, it excludes writable
1035 * mounts.
1036 */
1037 struct statfs conf_statfs;
1038 if (statfs(optarg, &conf_statfs) != 0)
1039 err(1, "statfs(%s) failed.", optarg);
1040 if ((conf_statfs.f_flags & MS_NOEXEC) != 0)
1041 errx(1,
1042 "Conf file must be in a exec "
1043 "mount: %s",
1044 optarg);
1045 #endif
1046 #if defined(ENFORCE_ROOTFS_CONF)
1047 /* Make sure the conf file is in the same device as the
1048 * rootfs. */
1049 struct stat root_stat;
1050 struct stat conf_stat;
1051 if (stat("/", &root_stat) != 0)
1052 err(1, "stat(/) failed.");
1053 if (stat(optarg, &conf_stat) != 0)
1054 err(1, "stat(%s) failed.", optarg);
1055 if (root_stat.st_dev != conf_stat.st_dev)
1056 errx(1, "Conf file must be in the rootfs.");
1057 #endif
1058 attribute_cleanup_fp FILE *config_file =
1059 fopen(optarg, "re");
1060 if (!config_file)
1061 err(1, "Failed to open %s", optarg);
1062 if (!parse_config_file(config_file, conf_entry_list)) {
1063 errx(
1064 1,
1065 "Unable to parse %s as Minijail conf file, "
1066 "please refer to minijail0(5) for syntax "
1067 "and examples.",
1068 optarg);
1069 }
1070 break;
1071 }
1072 case OPT_ENV_ADD:
1073 /*
1074 * We either copy our current env to the child env
1075 * then add the requested envvar to it, or just
1076 * add the requested envvar to the already existing
1077 * envp.
1078 */
1079 set_child_env(envp, optarg, environ);
1080 break;
1081 case OPT_ENV_RESET:
1082 if (*envp && *envp != environ) {
1083 /*
1084 * We already started to initialize the future
1085 * child env, because we got some --env-add
1086 * earlier on the command-line, so first,
1087 * free the memory we allocated.
1088 * If |*envp| happens to point to |environ|,
1089 * don't attempt to free it.
1090 */
1091 minijail_free_env(*envp);
1092 }
1093 /* Allocate an empty environment for the child. */
1094 *envp = calloc(1, sizeof(char *));
1095 if (!*envp)
1096 err(1, "Failed to allocate memory.");
1097 break;
1098 default:
1099 usage(argv[0]);
1100 exit(opt == 'h' ? 0 : 1);
1101 }
1102 }
1103
1104 if (log_to_stderr == -1) {
1105 /* Autodetect default logging output. */
1106 log_to_stderr = isatty(STDIN_FILENO) ? 1 : 0;
1107 }
1108 if (log_to_stderr) {
1109 init_logging(LOG_TO_FD, STDERR_FILENO, LOG_INFO);
1110 /*
1111 * When logging to stderr, ensure the FD survives the jailing.
1112 */
1113 if (0 !=
1114 minijail_preserve_fd(j, STDERR_FILENO, STDERR_FILENO)) {
1115 errx(1, "Could not preserve stderr");
1116 }
1117 }
1118
1119 /* Set up uid/gid mapping. */
1120 if (set_uidmap || set_gidmap) {
1121 set_ugid_mapping(j, set_uidmap, uid, uidmap, set_gidmap, gid,
1122 gidmap);
1123 }
1124
1125 /* Can only set ambient caps when using regular caps. */
1126 if (ambient_caps && !caps) {
1127 errx(1, "Can't set ambient capabilities (--ambient) "
1128 "without actually using capabilities (-c)");
1129 }
1130
1131 /* Set up signal handlers in minijail unless asked not to. */
1132 if (forward)
1133 minijail_forward_signals(j);
1134
1135 /*
1136 * Only allow bind mounts when entering a chroot, using pivot_root, or
1137 * a new mount namespace.
1138 */
1139 if (binding && !(chroot || pivot_root || mount_ns)) {
1140 errx(1, "Bind mounts require a chroot, pivot_root, or "
1141 " new mount namespace");
1142 }
1143
1144 /*
1145 * / is only remounted when entering a new mount namespace, so unless
1146 * that's set there is no need for the -K/-K<mode> flags.
1147 */
1148 if (change_remount && !mount_ns) {
1149 errx(1, "No need to use -K (skip remounting '/') or "
1150 "-K<mode> (remount '/' as <mode>) "
1151 "without -v (new mount namespace).\n"
1152 "Do you need to add '-v' explicitly?");
1153 }
1154
1155 /* Configure the remount flag here to avoid having -v override it. */
1156 if (change_remount) {
1157 if (remount_mode != NULL) {
1158 set_remount_mode(j, remount_mode);
1159 } else {
1160 minijail_skip_remount_private(j);
1161 }
1162 }
1163
1164 /*
1165 * Proceed in setting the supplementary gids specified on the
1166 * cmdline options.
1167 */
1168 if (suppl_gids_count) {
1169 minijail_set_supplementary_gids(j, suppl_gids_count,
1170 suppl_gids);
1171 free(suppl_gids);
1172 }
1173
1174 /*
1175 * We parse seccomp filters here to make sure we've collected all
1176 * cmdline options.
1177 */
1178 if (use_seccomp_filter) {
1179 minijail_parse_seccomp_filters(j, filter_path);
1180 } else if (use_seccomp_filter_binary) {
1181 struct sock_fprog filter;
1182 read_seccomp_filter(filter_path, &filter);
1183 minijail_set_seccomp_filters(j, &filter);
1184 free((void *)filter.filter);
1185 }
1186
1187 /* Mount a tmpfs under /tmp and set its size. */
1188 if (tmp_size)
1189 minijail_mount_tmp_size(j, tmp_size);
1190
1191 /*
1192 * Copy our current env to the child if its |*envp| has not
1193 * already been initialized from --env-(reset|add) usage.
1194 */
1195 if (!*envp) {
1196 *envp = minijail_copy_env(environ);
1197 if (!*envp)
1198 err(1, "Failed to allocate memory.");
1199 }
1200
1201 /*
1202 * There should be at least one additional unparsed argument: the
1203 * executable name.
1204 */
1205 if (argc == optind) {
1206 usage(argv[0]);
1207 exit(1);
1208 }
1209
1210 if (*elftype == ELFERROR) {
1211 /*
1212 * -T was not specified.
1213 * Get the path to the program adjusted for changing root.
1214 */
1215 char *program_path =
1216 minijail_get_original_path(j, argv[optind]);
1217
1218 /* Check that we can access the target program. */
1219 if (access(program_path, X_OK)) {
1220 errx(1, "Target program '%s' is not accessible",
1221 argv[optind]);
1222 }
1223
1224 /* Check if target is statically or dynamically linked. */
1225 *elftype = get_elf_linkage(program_path);
1226 free(program_path);
1227 }
1228
1229 /*
1230 * Setting capabilities need either a dynamically-linked binary, or the
1231 * use of ambient capabilities for them to be able to survive an
1232 * execve(2).
1233 */
1234 if (caps && *elftype == ELFSTATIC && !ambient_caps) {
1235 errx(1, "Can't run statically-linked binaries with capabilities"
1236 " (-c) without also setting ambient capabilities. "
1237 "Try passing --ambient.");
1238 }
1239
1240 return optind;
1241 }
1242