// Creates a fresh temporary directory, opens a read-only descriptor to
// it, and then unlinks the directory name so that only the descriptor
// still refers to it.
//
// The directory does not need to outlive this process, and a leftover
// from a failed run is harmless because mkdtemp picks a fresh name on
// every call, so the FHS-specified /tmp is sufficient here.
//
// Returns the directory descriptor, or -1 after logging the failing
// call (undoing, as far as possible, what had already been done).
static int OpenDeletedDirectory() {
  char dirTemplate[] = "/tmp/mozsandbox.XXXXXX";
  if (mkdtemp(dirTemplate) == nullptr) {
    SANDBOX_LOG_ERROR("mkdtemp: %s", strerror(errno));
    return -1;
  }
  const char* const dirPath = dirTemplate;

  // NOTE(review): opened without O_CLOEXEC; confirm the descriptor is
  // not expected to outlive an exec in the caller's design.
  const int dirFd = HANDLE_EINTR(open(dirPath, O_RDONLY | O_DIRECTORY));
  if (dirFd < 0) {
    SANDBOX_LOG_ERROR("open %s: %s", dirPath, strerror(errno));
    // Best-effort removal of the now-unused directory; a failure here
    // is surprising but not fatal.
    DebugOnly<bool> removed = HANDLE_EINTR(rmdir(dirPath)) == 0;
    MOZ_ASSERT(removed);
    return -1;
  }

  // Remove the name while keeping the descriptor open.
  if (HANDLE_EINTR(rmdir(dirPath)) == 0) {
    return dirFd;
  }
  SANDBOX_LOG_ERROR("rmdir %s: %s", dirPath, strerror(errno));
  AlwaysClose(dirFd);
  return -1;
}
// Body of the helper thread that performs the chroot on request.
//
// Lifecycle as visible here: the thread narrows its capabilities to an
// effective CAP_SYS_CHROOT, announces readiness by moving mCommand from
// NO_THREAD to NO_COMMAND, blocks until the owner sets a command,
// carries out DO_CHROOT (or nothing for JUST_EXIT), closes mFd, resets
// mCommand to NO_THREAD, and finally drops all capabilities.  Every
// access to mCommand and mFd happens with mMutex held.
void SandboxChroot::ThreadMain() {
  // First, drop everything that isn't CAP_SYS_CHROOT. (This code
  // assumes that this thread already has effective CAP_SYS_CHROOT,
  // because Prepare() checked for it before creating this thread.)
  // A default-constructed LinuxCapabilities is presumably the empty
  // set, so only the effective CAP_SYS_CHROOT bit survives — confirm
  // against the LinuxCapabilities definition.
  LinuxCapabilities caps;
  caps.Effective(CAP_SYS_CHROOT) = true;
  if (!caps.SetCurrent()) {
    SANDBOX_LOG_ERROR("capset: %s", strerror(errno));
    // Fail closed: continuing with broader privileges than intended
    // is worse than aborting.
    MOZ_CRASH("Can't limit chroot thread's capabilities");
  }

  MOZ_ALWAYS_ZERO(pthread_mutex_lock(&mMutex));
  MOZ_ASSERT(mCommand == NO_THREAD);
  // Publish "thread is up and waiting"; the creating thread presumably
  // waits on mWakeup for this transition.
  mCommand = NO_COMMAND;
  MOZ_ALWAYS_ZERO(pthread_cond_signal(&mWakeup));
  // Loop rather than a single wait: pthread_cond_wait may return
  // spuriously, and the same condition variable also carries the
  // readiness signal sent just above.
  while (mCommand == NO_COMMAND) {
    MOZ_ALWAYS_ZERO(pthread_cond_wait(&mWakeup, &mMutex));
  }

  if (mCommand == DO_CHROOT) {
    MOZ_ASSERT(mFd >= 0);
    if (!ChrootToFileDesc(mFd)) {
      // Fail closed: never keep running unconfined if the chroot did
      // not take effect.
      MOZ_CRASH("Failed to chroot");
    }
  } else {
    MOZ_ASSERT(mCommand == JUST_EXIT);
  }

  // The directory descriptor is no longer needed in either case.
  if (mFd >= 0) {
    AlwaysClose(mFd);
    mFd = -1;
  }
  // Mark the thread as gone before releasing the lock, so the owner
  // observes a consistent state.
  mCommand = NO_THREAD;
  MOZ_ALWAYS_ZERO(pthread_mutex_unlock(&mMutex));

  // Drop the remaining capabilities; see note in SandboxChroot.h
  // about the potential unreliability of pthread_join.
  // LinuxCapabilities() is presumably the empty set — confirm.
  if (!LinuxCapabilities().SetCurrent()) {
    MOZ_CRASH("can't drop capabilities");
  }
}
// Creates a fresh temporary directory, opens a read-only descriptor to
// it, and then unlinks the directory name so that only the descriptor
// still refers to it.
//
// Returns the directory descriptor, or -1 after logging the failing
// call (undoing, as far as possible, what had already been done).
static int OpenDeletedDirectory() {
  // Candidate locations, in order of preference.  /dev/shm is tried
  // first: the directory must stay usable after it is unlinked, and
  // some /tmp filesystems (e.g. aufs(5), often used for containers)
  // make the later chroot() fail with ESTALE (bug 1162965).  /tmp, as
  // specified by FHS, is the fallback; the directory need not persist
  // between runs, and a leftover from a failed run is harmless because
  // mkdtemp always chooses a fresh name.
  char shmTemplate[] = "/dev/shm/mozsandbox.XXXXXX";
  char tmpTemplate[] = "/tmp/mozsandbox.XXXXXX";
  char* const candidates[] = {shmTemplate, tmpTemplate};

  const char* dirPath = nullptr;
  for (char* candidate : candidates) {
    if (mkdtemp(candidate) != nullptr) {
      dirPath = candidate;
      break;
    }
  }
  if (dirPath == nullptr) {
    // errno here reflects the last attempt (the /tmp one).
    SANDBOX_LOG_ERROR("mkdtemp: %s", strerror(errno));
    return -1;
  }

  // NOTE(review): opened without O_CLOEXEC; confirm the descriptor is
  // not expected to outlive an exec in the caller's design.
  const int dirFd = HANDLE_EINTR(open(dirPath, O_RDONLY | O_DIRECTORY));
  if (dirFd < 0) {
    SANDBOX_LOG_ERROR("open %s: %s", dirPath, strerror(errno));
    // Best-effort removal of the now-unused directory; a failure here
    // is surprising but not fatal.
    DebugOnly<bool> removed = HANDLE_EINTR(rmdir(dirPath)) == 0;
    MOZ_ASSERT(removed);
    return -1;
  }

  // Remove the name while keeping the descriptor open.
  if (HANDLE_EINTR(rmdir(dirPath)) == 0) {
    return dirFd;
  }
  SANDBOX_LOG_ERROR("rmdir %s: %s", dirPath, strerror(errno));
  AlwaysClose(dirFd);
  return -1;
}