Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-20 16:55:40 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
562c4e7b57
gecko-dev/security/sandbox/linux/SandboxChroot.h
Jed Davis ba1cc023b7 Bug 1151607 - Step 2: Apply net/ipc namespace separation and chroot to media plugins. r=kang 
This needs more unit tests for the various pieces of what's going on
here (LinuxCapabilities, SandboxChroot, UnshareUserNamespace()) but
that's nontrivial due to needing a single-threaded process -- and
currently they can't be run on Mozilla's CI anyway due to needing user
namespaces, and local testing can just try using GMP and manually
inspecting the child process.  So that will be a followup.
2015-04-10 18:05:19 -07:00

67 lines
2.0 KiB
C++
Raw Blame History

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef mozilla_SandboxChroot_h
#define mozilla_SandboxChroot_h
#include <pthread.h>
#include "mozilla/Attributes.h"
// This class uses the chroot(2) system call and Linux namespaces to
// revoke the process's access to the filesystem. It requires that
// the process be able to create user namespaces; this is the
// kHasUserNamespaces in common/SandboxInfo.h.
//
// Usage: call Prepare() from a thread with CAP_SYS_CHROOT in its
// effective capability set, then later call Invoke() when ready to
// drop filesystem access. Prepare() creates a thread to do the
// chrooting, so the caller can (and should!) drop its own
// capabilities afterwards. When Invoke() returns, the thread will
// have exited.
//
// (Exception: on Android/B2G <= KitKat, because of how pthread_join
// is implemented, the thread may still exist, but it will not have
// capabilities. Accordingly, on such systems, be careful about
// namespaces or other resources the thread might have inherited.)
//
// Prepare() can fail (return false); for example, if it doesn't have
// CAP_SYS_CHROOT or if it can't create a directory to chroot into.
//
// The root directory will be empty and deleted, so the process will
// not be able to create new entries in it regardless of permissions.
namespace mozilla {
class SandboxChroot final {
public:
SandboxChroot();
~SandboxChroot();
bool Prepare();
void Invoke();
private:
enum Command {
NO_THREAD,
NO_COMMAND,
DO_CHROOT,
JUST_EXIT,
};
pthread_t mThread;
pthread_mutex_t mMutex;
pthread_cond_t mWakeup;
Command mCommand;
int mFd;
void ThreadMain();
static void* StaticThreadMain(void* aVoidPtr);
bool SendCommand(Command aComm);
};
} // namespace mozilla
#endif // mozilla_SandboxChroot_h
Reference in New Issue View Git Blame Copy Permalink