diff --git a/NEWS b/NEWS
index d200ab4f..c337ebbe 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,9 @@
 xbps-0.35 (???):
+ * xbps-uchroot: new utility merged from xbps-packages/xbps-src that
+ bind mounts and chroots to a target directory. This is a setgid binary
+ that must have correct owner/group to work correctly.
+
  * xbps-rindex(8): fixed a bug while signing repositories in that sometimes the PEM RSA public key buffer contained unwanted garbage.
diff --git a/bin/Makefile b/bin/Makefile
index e3a1ea42..16386368 100644
--- a/bin/Makefile
+++ b/bin/Makefile
@@ -9,5 +9,6 @@ SUBDIRS += xbps-reconfigure
 SUBDIRS += xbps-remove
 SUBDIRS += xbps-rindex
 SUBDIRS += xbps-uhelper
+SUBDIRS += xbps-uchroot
 
 include ../mk/subdir.mk
diff --git a/bin/xbps-uchroot/Makefile b/bin/xbps-uchroot/Makefile
new file mode 100644
index 00000000..55c6ec5d
--- /dev/null
+++ b/bin/xbps-uchroot/Makefile
@@ -0,0 +1,7 @@
+TOPDIR = ../..
+-include $(TOPDIR)/config.mk
+
+BIN = xbps-uchroot
+MAN =
+
+include $(TOPDIR)/mk/prog.mk
diff --git a/bin/xbps-uchroot/main.c b/bin/xbps-uchroot/main.c
new file mode 100644
index 00000000..74945e69
--- /dev/null
+++ b/bin/xbps-uchroot/main.c
@@ -0,0 +1,273 @@
+/*-
+ * Copyright (c) 2014 Juan Romero Pardines.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This is based on linux-user-chroot by Colin Walters, but has been adapted
+ * specifically for xbps-src use:
+ *
+ * - This bind mounts exactly what we need, no support for additional mounts.
+ * - This uses IPC/PID/mount namespaces, nothing more.
+ * - Disables namespace features if running in OpenVZ containers.
+ */
+#define _GNU_SOURCE
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include /* PATH_MAX */
+
+#ifndef SECBIT_NOROOT
+#define SECBIT_NOROOT (1 << 0)
+#endif
+
+#ifndef SECBIT_NOROOT_LOCKED
+#define SECBIT_NOROOT_LOCKED (1 << 1)
+#endif
+
+#ifndef PR_SET_NO_NEW_PRIVS
+#define PR_SET_NO_NEW_PRIVS 38
+#endif
+
+static void
+die(const char *fmt, ...)
+{
+ va_list ap;
+ int save_errno = errno;
+
+ va_start(ap, fmt);
+ fprintf(stderr, "ERROR ");
+ vfprintf(stderr, fmt, ap);
+ fprintf(stderr, " (%s)\n", strerror(save_errno));
+ va_end(ap);
+ exit(EXIT_FAILURE);
+}
+
+static void
+usage(const char *p)
+{
+ printf("Usage: %s [-D dir] [-H dir] [-S dir] \n\n"
+ "-D Directory to be bind mounted at /xbps-packages\n"
+ "-H Directory to be bind mounted at /host\n"
+ "-S Directory to be bind mounted at /\n", p);
+ exit(EXIT_FAILURE);
+}
+
+static int
+fsuid_chdir(uid_t uid, const char *path)
+{
+ int saveerrno, rv;
+
+ (void)setfsuid(uid);
+ rv = chdir(path);
+ saveerrno = errno;
+ (void)setfsuid(0);
+ errno = saveerrno;
+
+ return rv;
+}
+
+static int
+openvz_container(void)
+{
+ if ((!access("/proc/vz/vzaquota", R_OK)) &&
+ (!access("/proc/user_beancounters", R_OK)))
+ return 1;
+
+ return 0;
+}
+
+static void
+bindmount(uid_t ruid, const char *chrootdir, const char *dir, const char *dest)
+{
+ char mountdir[PATH_MAX-1];
+
+ snprintf(mountdir, sizeof(mountdir), "%s/%s", chrootdir, dest ? dest : dir);
+
+ if (fsuid_chdir(ruid, dir) == -1)
+ die("Couldn't chdir to %s", dir);
+ if (mount(".", mountdir, NULL, MS_BIND|MS_PRIVATE, NULL) == -1)
+ die("Failed to bind mount %s at %s", dir, mountdir);
+}
+
+int
+main(int argc, char **argv)
+{
+ uid_t ruid, euid, suid;
+ gid_t rgid, egid, sgid;
+ const char *chrootdir, *distdir, *hostdir, *shmdir, *cmd, *argv0;
+ char **cmdargs, mountdir[PATH_MAX-1];
+ int aidx = 0, clone_flags, child_status = 0;
+ pid_t child;
+
+ chrootdir = distdir = hostdir = shmdir = cmd = NULL;
+ argv0 = argv[0];
+ argc--;
+ argv++;
+
+ if (argc < 2)
+ usage(argv0);
+
+ while (aidx < argc) {
+ if (strcmp(argv[aidx], "-D") == 0) {
+ /* distdir */
+ distdir = argv[aidx+1];
+ aidx += 2;
+ } else if (strcmp(argv[aidx], "-H") == 0) {
+ /* hostdir */
+ hostdir = argv[aidx+1];
+ aidx += 2;
+ } else if (strcmp(argv[aidx], "-S") == 0) {
+ /* shmdir */
+ shmdir = argv[aidx+1];
+ aidx += 2;
+ } else {
+ break;
+ }
+ }
+ if ((argc - aidx) < 2)
+ usage(argv0);
+
+ chrootdir = argv[aidx];
+ cmd = argv[aidx+1];
+ cmdargs = argv + aidx + 1;
+
+ /* Never allow chrootdir == / */
+ if (strcmp(chrootdir, "/") == 0)
+ die("/ is not allowed to be used as chrootdir");
+
+ if (getresgid(&rgid, &egid, &sgid) == -1)
+ die("getresgid");
+
+ if (getresuid(&ruid, &euid, &suid) == -1)
+ die("getresuid");
+
+ if (rgid == 0)
+ rgid = ruid;
+
+ clone_flags = (SIGCHLD|CLONE_NEWNS|CLONE_NEWIPC|CLONE_NEWUTS|CLONE_NEWPID);
+ if (openvz_container()) {
+ /*
+ * If running in a OpenVZ container simply disable all namespace
+ * features.
+ */
+ clone_flags &= ~(CLONE_NEWNS|CLONE_NEWIPC|CLONE_NEWUTS|CLONE_NEWPID);
+ }
+
+ /* Issue the clone(2) syscall with our settings */
+ if ((child = syscall(__NR_clone, clone_flags, NULL)) == -1)
+ die("clone");
+
+ if (child == 0) {
+ /*
+ * Restrict privileges on the child.
+ */
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1) == -1 && errno != EINVAL) {
+ die("prctl PR_SET_NO_NEW_PRIVS");
+ } else if (prctl (PR_SET_SECUREBITS,
+ SECBIT_NOROOT|SECBIT_NOROOT_LOCKED) == -1) {
+ die("prctl SECBIT_NOROOT");
+ }
+ if (!openvz_container()) {
+ /* Make / a private mount */
+ if (mount(NULL, "/", "none", MS_PRIVATE|MS_REC, NULL) == -1)
+ die("mount(/, MS_PRIVATE|MS_REC)");
+ /* Remount / with nosuid just in case */
+ if (mount (NULL, "/", "none", MS_PRIVATE|MS_REMOUNT|MS_NOSUID, NULL) == -1)
+ die("mount(/, MS_PRIVATE|MS_REMOUNT|MS_NOSUID");
+ }
+
+ /* mount /proc */
+ snprintf(mountdir, sizeof(mountdir), "%s/proc", chrootdir);
+ if (mount("proc", mountdir, "proc", MS_MGC_VAL|MS_PRIVATE, NULL) == -1)
+ die("Failed to mount %s", mountdir);
+
+ /* bind mount /sys */
+ bindmount(ruid, chrootdir, "/sys", NULL);
+
+ /* bind mount /dev */
+ bindmount(ruid, chrootdir, "/dev", NULL);
+
+ /* bind mount hostdir if set */
+ if (hostdir)
+ bindmount(ruid, chrootdir, hostdir, "/host");
+
+ /* bind mount distdir (if set) */
+ if (distdir)
+ bindmount(ruid, chrootdir, distdir, "/xbps-packages");
+
+ /* bind mount shmdir (if set) */
+ if (shmdir)
+ bindmount(ruid, chrootdir, shmdir, NULL);
+
+ /* move chrootdir to / and chroot to it */
+ if (fsuid_chdir(ruid, chrootdir) == -1)
+ die("Failed to chdir to %s", chrootdir);
+
+ if (mount(".", ".", NULL, MS_BIND|MS_PRIVATE, NULL) == -1)
+ die("Failed to bind mount %s", chrootdir);
+
+ if (mount(chrootdir, "/", NULL, MS_MOVE, NULL) == -1)
+ die("Failed to move %s as rootfs", chrootdir);
+
+ if (chroot(".") == -1)
+ die("Failed to chroot to %s", chrootdir);
+
+ /* Switch back to the gid/uid of invoking process */
+ if (setgid(rgid) == -1)
+ die("setgid child");
+ if (setuid(ruid) == -1)
+ die("setuid child");
+
+ if (execvp(cmd, cmdargs) == -1)
+ die("Failed to execute command %s", cmd);
+ }
+ /* Switch back to the gid/uid of invoking process also in the parent */
+ if (setgid(rgid) == -1)
+ die("setgid child");
+ if (setuid(ruid) == -1)
+ die("setuid child");
+
+ /* Wait until the child terminates */
+ while (waitpid(child, &child_status, 0) < 0) {
+ if (errno != EINTR)
+ die("waitpid");
+ }
+
+ if (!WIFEXITED(child_status))
+ return -1;
+
+ return WEXITSTATUS(child_status);
+}
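Review bot: The only validation of the caller-supplied chrootdir in main() is `if (strcmp(chrootdir, "/") == 0)`, a byte comparison that another spelling of the same directory (`//`, `/.`) passes; canonicalise before comparing, e.g. `if ((chrootdir = realpath(argv[aidx], NULL)) == NULL) die("realpath %s", argv[aidx]);`, so the check is on the resolved path. In the child, the `/proc` mount and the `/sys`, `/dev`, hostdir and distdir bind mounts are all created under chrootdir with the program's own privileges before `fsuid_chdir(ruid, chrootdir)` confirms that the invoking user may enter that directory, and the `snprintf()` results in `bindmount()` and before the proc mount are never checked, so an over-long chrootdir silently truncates the mount target; moving the fsuid chdir check ahead of the mounts and treating `n < 0 || (size_t)n >= sizeof(mountdir)` as fatal closes both gaps. The two `die()` calls after the `if (child == 0)` block run in the parent but still say `"setgid child"` and `"setuid child"`, which will mislead whoever reads the error.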