summaryrefslogtreecommitdiffstats
path: root/security/sandbox/linux/SandboxChroot.h
diff options
context:
space:
mode:
Diffstat (limited to 'security/sandbox/linux/SandboxChroot.h')
-rw-r--r--security/sandbox/linux/SandboxChroot.h66
1 files changed, 66 insertions, 0 deletions
diff --git a/security/sandbox/linux/SandboxChroot.h b/security/sandbox/linux/SandboxChroot.h
new file mode 100644
index 000000000..3ad89b732
--- /dev/null
+++ b/security/sandbox/linux/SandboxChroot.h
@@ -0,0 +1,66 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_SandboxChroot_h
+#define mozilla_SandboxChroot_h
+
+#include <pthread.h>
+
+#include "mozilla/Attributes.h"
+
+// This class uses the chroot(2) system call and Linux namespaces to
+// revoke the process's access to the filesystem. It requires that
+// the process be able to create user namespaces; this is the
+// kHasUserNamespaces in SandboxInfo.h.
+//
+// Usage: call Prepare() from a thread with CAP_SYS_CHROOT in its
+// effective capability set, then later call Invoke() when ready to
+// drop filesystem access. Prepare() creates a thread to do the
+// chrooting, so the caller can (and should!) drop its own
+// capabilities afterwards. When Invoke() returns, the thread will
+// have exited.
+//
+// (Exception: on Android/B2G <= KitKat, because of how pthread_join
+// is implemented, the thread may still exist, but it will not have
+// capabilities. Accordingly, on such systems, be careful about
+// namespaces or other resources the thread might have inherited.)
+//
+// Prepare() can fail (return false); for example, if it doesn't have
+// CAP_SYS_CHROOT or if it can't create a directory to chroot into.
+//
+// The root directory will be empty and deleted, so the process will
+// not be able to create new entries in it regardless of permissions.
+
+namespace mozilla {
+
+class SandboxChroot final {
+public:
+ SandboxChroot();
+ ~SandboxChroot();
+ bool Prepare();
+ void Invoke();
+private:
+ enum Command {
+ NO_THREAD,
+ NO_COMMAND,
+ DO_CHROOT,
+ JUST_EXIT,
+ };
+
+ pthread_t mThread;
+ pthread_mutex_t mMutex;
+ pthread_cond_t mWakeup;
+ Command mCommand;
+ int mFd;
+
+ void ThreadMain();
+ static void* StaticThreadMain(void* aVoidPtr);
+ bool SendCommand(Command aComm);
+};
+
+} // namespace mozilla
+
+#endif // mozilla_SandboxChroot_h