108334c51SBrooks Davis // Copyright 2014 The Kyua Authors.
208334c51SBrooks Davis // All rights reserved.
308334c51SBrooks Davis //
408334c51SBrooks Davis // Redistribution and use in source and binary forms, with or without
508334c51SBrooks Davis // modification, are permitted provided that the following conditions are
608334c51SBrooks Davis // met:
708334c51SBrooks Davis //
808334c51SBrooks Davis // * Redistributions of source code must retain the above copyright
908334c51SBrooks Davis //   notice, this list of conditions and the following disclaimer.
1008334c51SBrooks Davis // * Redistributions in binary form must reproduce the above copyright
1108334c51SBrooks Davis //   notice, this list of conditions and the following disclaimer in the
1208334c51SBrooks Davis //   documentation and/or other materials provided with the distribution.
1308334c51SBrooks Davis // * Neither the name of Google Inc. nor the names of its contributors
1408334c51SBrooks Davis //   may be used to endorse or promote products derived from this software
1508334c51SBrooks Davis //   without specific prior written permission.
1608334c51SBrooks Davis //
1708334c51SBrooks Davis // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
1808334c51SBrooks Davis // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
1908334c51SBrooks Davis // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
2008334c51SBrooks Davis // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
2108334c51SBrooks Davis // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
2208334c51SBrooks Davis // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
2308334c51SBrooks Davis // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
2408334c51SBrooks Davis // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
2508334c51SBrooks Davis // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
2608334c51SBrooks Davis // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
2708334c51SBrooks Davis // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
2808334c51SBrooks Davis 
2908334c51SBrooks Davis #include "utils/process/isolation.hpp"
3008334c51SBrooks Davis 
3108334c51SBrooks Davis extern "C" {
3208334c51SBrooks Davis #include <sys/stat.h>
3308334c51SBrooks Davis 
3408334c51SBrooks Davis #include <grp.h>
3508334c51SBrooks Davis #include <signal.h>
3608334c51SBrooks Davis #include <unistd.h>
3708334c51SBrooks Davis }
3808334c51SBrooks Davis 
3908334c51SBrooks Davis #include <cerrno>
4008334c51SBrooks Davis #include <cstdlib>
4108334c51SBrooks Davis #include <cstring>
4208334c51SBrooks Davis #include <iostream>
4308334c51SBrooks Davis 
4408334c51SBrooks Davis #include "utils/defs.hpp"
4508334c51SBrooks Davis #include "utils/format/macros.hpp"
4608334c51SBrooks Davis #include "utils/fs/path.hpp"
4708334c51SBrooks Davis #include "utils/env.hpp"
4808334c51SBrooks Davis #include "utils/logging/macros.hpp"
4908334c51SBrooks Davis #include "utils/optional.ipp"
5008334c51SBrooks Davis #include "utils/passwd.hpp"
5108334c51SBrooks Davis #include "utils/sanity.hpp"
5208334c51SBrooks Davis #include "utils/signals/misc.hpp"
5308334c51SBrooks Davis #include "utils/stacktrace.hpp"
5408334c51SBrooks Davis 
5508334c51SBrooks Davis namespace fs = utils::fs;
5608334c51SBrooks Davis namespace passwd = utils::passwd;
5708334c51SBrooks Davis namespace process = utils::process;
5808334c51SBrooks Davis namespace signals = utils::signals;
5908334c51SBrooks Davis 
6008334c51SBrooks Davis using utils::optional;
6108334c51SBrooks Davis 
6208334c51SBrooks Davis 
/// Magic exit code to denote an error while preparing the subprocess.
///
/// fail() exits with this status whenever one of the isolation steps (chown,
/// chdir, setgid, setgroups, setuid) cannot be completed, which is intended to
/// let the parent tell a setup failure apart from the exit status of the
/// program it meant to run.
const int process::exit_isolation_failure = 124;
6508334c51SBrooks Davis 
6608334c51SBrooks Davis 
namespace {


static void fail(const std::string&, const int) UTILS_NORETURN;


/// Terminates the current process after reporting an errno-based error.
///
/// The message is written to stderr followed by ": " and the strerror(3) text
/// of the given error code, and the process exits with
/// process::exit_isolation_failure.  Meant for a forked child that has not
/// exec'd yet, where throwing would not reach a useful handler.
///
/// \param message The message to print.
/// \param original_errno The errno value to format.
static void
fail(const std::string& message, const int original_errno)
{
    const char* const reason = std::strerror(original_errno);
    std::cerr << message << ": " << reason << '\n';
    std::exit(process::exit_isolation_failure);
}


/// Changes the owner of a path.
///
/// This function is intended to be called from a subprocess getting ready to
/// invoke an external binary.  Therefore, if there is any error during the
/// setup, the new process is terminated with an error code.
///
/// Note that chown(2) follows symbolic links, so the path handed in here is
/// expected to be one the caller created and controls.
///
/// \param file The path to the file or directory to affect.
/// \param uid The UID to set on the path.
/// \param gid The GID to set on the path.
static void
do_chown(const fs::path& file, const uid_t uid, const gid_t gid)
{
    const int ret = ::chown(file.c_str(), uid, gid);
    if (ret != -1)
        return;
    // Capture errno before formatting the message, which makes further calls.
    const int chown_errno = errno;
    fail(F("chown(%s, %s, %s) failed; UID is %s and GID is %s")
         % file % uid % gid % ::getuid() % ::getgid(), chown_errno);
}


/// Resets the environment of the process to a known state.
///
/// Only the locale variables are scrubbed; every other variable the parent
/// had is left untouched and inherited by the child.  HOME and TMPDIR are
/// pointed at the work directory and the time zone is pinned to UTC so that
/// test output does not depend on the invoking user's settings.
///
/// \param work_directory Path to the work directory being used.
///
/// \throw std::runtime_error If there is a problem setting up the environment.
static void
prepare_environment(const fs::path& work_directory)
{
    static const char* const locale_vars[] = {
        "LANG", "LC_ALL", "LC_COLLATE", "LC_CTYPE", "LC_MESSAGES",
        "LC_MONETARY", "LC_NUMERIC", "LC_TIME",
    };
    const std::size_t count = sizeof(locale_vars) / sizeof(locale_vars[0]);
    for (std::size_t i = 0; i < count; i++)
        utils::unsetenv(locale_vars[i]);

    const std::string directory = work_directory.str();
    utils::setenv("HOME", directory);
    utils::setenv("TMPDIR", directory);
    utils::setenv("TZ", "UTC");
}


}  // anonymous namespace
12708334c51SBrooks Davis 
12808334c51SBrooks Davis 
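/// Cleans up the container process to run a new child.
///
/// Performs, in order: isolate_path() on the work directory, chdir(2) into it,
/// unlimiting the core dump size, resetting signal handlers, resetting the
/// environment (see prepare_environment()), setting umask(022) and finally
/// dropping privileges to unprivileged_user when the current user is root.
///
/// If there is any error during the setup, the new process is terminated
/// with an error code (process::exit_isolation_failure).
///
/// Privileges are dropped group first, supplementary groups next and user
/// last, because once the UID is no longer root the GID and the group list
/// can in general no longer be changed.  The supplementary groups are reset
/// whenever we still are root, even if the primary GID already matches the
/// target, so that the child never inherits the parent's extra group
/// memberships.
///
/// \param unprivileged_user Unprivileged user to run the test case as.
/// \param work_directory Path to the test case-specific work directory.
void
process::isolate_child(const optional< passwd::user >& unprivileged_user,
                       const fs::path& work_directory)
{
    isolate_path(unprivileged_user, work_directory);
    if (::chdir(work_directory.c_str()) == -1)
        fail(F("chdir(%s) failed") % work_directory, errno);

    utils::unlimit_core_size();
    if (!signals::reset_all()) {
        // Best effort: a handler that cannot be reset is logged, not fatal.
        LW("Failed to reset one or more signals to their default behavior");
    }
    prepare_environment(work_directory);
    // Anything the child creates is, by default, not writable by group/other.
    (void)::umask(0022);

    if (unprivileged_user && passwd::current_user().is_root()) {
        const passwd::user& user = unprivileged_user.get();

        if (user.gid != ::getgid()) {
            if (::setgid(user.gid) == -1)
                fail(F("setgid(%s) failed; UID is %s and GID is %s")
                     % user.gid % ::getuid() % ::getgid(), errno);
        }
        // setgroups(2) needs root, so it must precede setuid() below; it is
        // done regardless of whether the primary GID had to change so that
        // supplementary groups of the parent are always dropped.
        if (::getuid() == 0) {
            ::gid_t groups[1];
            groups[0] = user.gid;
            if (::setgroups(1, groups) == -1)
                fail(F("setgroups(1, [%s]) failed; UID is %s and GID is %s")
                     % user.gid % ::getuid() % ::getgid(), errno);
        }
        if (user.uid != ::getuid()) {
            if (::setuid(user.uid) == -1)
                fail(F("setuid(%s) failed; UID is %s and GID is %s")
                     % user.uid % ::getuid() % ::getgid(), errno);
        }
    }
}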
17308334c51SBrooks Davis 
17408334c51SBrooks Davis 
/// Sets up a path to be writable by a child isolated with isolate_child.
///
/// If there is any error during the setup, the new process is terminated
/// with an error code.
///
/// The caller should use this to prepare any directory or file that the child
/// should be able to write to *before* invoking isolate_child().  Note that
/// isolate_child() will use isolate_path() on the work directory though.
///
/// This is a no-op unless an unprivileged user was requested and the current
/// user is root.  Otherwise the path is chown(2)ed: whichever of the UID and
/// GID differ from the current process' ones take the unprivileged user's
/// values, and the others are kept as they are.
///
/// \param unprivileged_user Unprivileged user to run the test case as.
/// \param file Path to the file to modify.
void
process::isolate_path(const optional< passwd::user >& unprivileged_user,
                      const fs::path& file)
{
    if (!unprivileged_user)
        return;
    if (!passwd::current_user().is_root())
        return;
    const passwd::user& user = unprivileged_user.get();

    const uid_t current_uid = ::getuid();
    const gid_t current_gid = ::getgid();
    const bool same_user = user.uid == current_uid;
    const bool same_group = user.gid == current_gid;

    if (same_user && same_group)
        return;  // Keep same permissions.

    const uid_t new_uid = same_user ? current_uid : user.uid;
    const gid_t new_gid = same_group ? current_gid : user.gid;
    do_chown(file, new_uid, new_gid);
}