154 lines
4.9 KiB
C
154 lines
4.9 KiB
C
/* libminijailpreload.c - preload hack library
|
|
* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
|
|
* Use of this source code is governed by a BSD-style license that can be
|
|
* found in the LICENSE file.
|
|
*
|
|
* This library is preloaded into every program launched by minijail_run().
|
|
* DO NOT EXPORT ANY SYMBOLS FROM THIS LIBRARY. They will replace other symbols
|
|
* in the programs it is preloaded into and cause impossible-to-debug failures.
|
|
* See the minijail0.1 for a design explanation.
|
|
*/
|
|
|
|
#include "libminijail.h"
|
|
#include "libminijail-private.h"
|
|
#include "util.h"
|
|
|
|
#include <dlfcn.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <sys/types.h>
|
|
#include <syslog.h>
|
|
#include <unistd.h>
|
|
|
|
static int (*real_main) (int, char **, char **);
|
|
static void *libc_handle;
|
|
|
|
static void truncate_preload_env(char **envp, const char *name)
|
|
{
|
|
char *env_value = minijail_getenv(envp, name);
|
|
if (env_value) {
|
|
/*
|
|
* if we have more than just libminijailpreload.so in
|
|
* LD_PRELOAD, cut out libminijailpreload.so from it,
|
|
* as it is guaranteed to always be last in the
|
|
* LD_PRELOAD list.
|
|
*/
|
|
char *last_space = strrchr(env_value, ' ');
|
|
if (last_space) {
|
|
*last_space = '\0';
|
|
} else {
|
|
/* Only our lib was in LD_PRELOAD, just unset it. */
|
|
minijail_unsetenv(envp, name);
|
|
}
|
|
}
|
|
}
|
|
|
|
/** @brief Fake main(), spliced in before the real call to main() by
|
|
* __libc_start_main (see below).
|
|
* We get serialized commands from our invoking process over an fd specified
|
|
* by an environment variable (kFdEnvVar). The environment variable is a list
|
|
* of key=value pairs (see move_commands_to_env); we use them to construct a
|
|
* jail, then enter it.
|
|
*/
|
|
static int fake_main(int argc, char **argv, char **envp)
|
|
{
|
|
char *fd_name = getenv(kFdEnvVar);
|
|
int fd = -1;
|
|
struct minijail *j;
|
|
if (geteuid() != getuid() || getegid() != getgid()) {
|
|
/*
|
|
* If we didn't do this check, an attacker could set kFdEnvVar
|
|
* for any setuid program that uses libminijail to cause it to
|
|
* get capabilities or a uid it did not expect.
|
|
*/
|
|
/* TODO(wad): why would libminijail interact here? */
|
|
return MINIJAIL_ERR_PRELOAD;
|
|
}
|
|
if (!fd_name)
|
|
return MINIJAIL_ERR_PRELOAD;
|
|
fd = atoi(fd_name);
|
|
if (fd < 0)
|
|
return MINIJAIL_ERR_PRELOAD;
|
|
|
|
j = minijail_new();
|
|
if (!j)
|
|
die("preload: out of memory");
|
|
if (minijail_from_fd(fd, j))
|
|
die("preload: failed to parse minijail from parent");
|
|
close(fd);
|
|
|
|
minijail_unsetenv(envp, kFdEnvVar);
|
|
|
|
truncate_preload_env(envp, kLdPreloadEnvVar);
|
|
|
|
/* Strip out flags meant for the parent. */
|
|
minijail_preenter(j);
|
|
minijail_enter(j);
|
|
minijail_destroy(j);
|
|
dlclose(libc_handle);
|
|
return real_main(argc, argv, envp);
|
|
}
|
|
|
|
/** @brief LD_PRELOAD override of __libc_start_main.
|
|
*
|
|
* It is really best if you do not look too closely at this function. We need
|
|
* to ensure that some of our code runs before the target program (see the
|
|
* minijail0.1 file in this directory for high-level details about this), and
|
|
* the only available place to hook is this function, which is normally
|
|
* responsible for calling main(). Our LD_PRELOAD will overwrite the real
|
|
* __libc_start_main with this one, so we have to look up the real one from
|
|
* libc and invoke it with a pointer to the fake main() we'd like to run before
|
|
* the real main(). We can't just run our setup code *here* because
|
|
* __libc_start_main is responsible for setting up the C runtime environment,
|
|
* so we can't rely on things like malloc() being available yet.
|
|
*/
|
|
|
|
int API __libc_start_main(int (*main)(int, char **, char **), int argc,
|
|
char **ubp_av, void (*init)(void), void (*fini)(void),
|
|
void (*rtld_fini)(void), void(*stack_end))
|
|
{
|
|
void *sym;
|
|
/*
|
|
* This hack is unfortunately required by C99 - casting directly from
|
|
* void* to function pointers is left undefined. See POSIX.1-2003, the
|
|
* Rationale for the specification of dlsym(), and dlsym(3). This
|
|
* deliberately violates strict-aliasing rules, but gcc can't tell.
|
|
*/
|
|
union {
|
|
int (*fn)(int (*main)(int, char **, char **), int argc,
|
|
char **ubp_av, void (*init)(void), void (*fini)(void),
|
|
void (*rtld_fini)(void), void(*stack_end));
|
|
void *symval;
|
|
} real_libc_start_main;
|
|
|
|
/*
|
|
* We hold this handle for the duration of the real __libc_start_main()
|
|
* and drop it just before calling the real main().
|
|
*/
|
|
libc_handle = dlopen("libc.so.6", RTLD_NOW);
|
|
|
|
if (!libc_handle) {
|
|
syslog(LOG_ERR, "can't dlopen() libc");
|
|
/*
|
|
* We dare not use abort() here because it will run atexit()
|
|
* handlers and try to flush stdio.
|
|
*/
|
|
_exit(1);
|
|
}
|
|
sym = dlsym(libc_handle, "__libc_start_main");
|
|
if (!sym) {
|
|
syslog(LOG_ERR, "can't find the real __libc_start_main()");
|
|
_exit(1);
|
|
}
|
|
real_libc_start_main.symval = sym;
|
|
real_main = main;
|
|
|
|
/*
|
|
* Note that we swap fake_main in for main - fake_main knows that it
|
|
* should call real_main after it's done.
|
|
*/
|
|
return real_libc_start_main.fn(fake_main, argc, ubp_av, init, fini,
|
|
rtld_fini, stack_end);
|
|
}
|