/* libminijailpreload.c - preload hack library * Copyright (c) 2011 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * * This library is preloaded into every program launched by minijail_run(). * DO NOT EXPORT ANY SYMBOLS FROM THIS LIBRARY. They will replace other symbols * in the programs it is preloaded into and cause impossible-to-debug failures. * See the minijail0.1 for a design explanation. */ #include "libminijail.h" #include "libminijail-private.h" #include <dlfcn.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/types.h> #include <syslog.h> #include <unistd.h> static int (*real_main) (int, char **, char **); static void *libc_handle; static void die(const char *failed) { syslog(LOG_ERR, "libminijail: %s", failed); abort(); } static void unset_in_env(char **envp, const char *name) { int i; for (i = 0; envp[i]; i++) if (!strncmp(envp[i], name, strlen(name))) envp[i][0] = '\0'; } /** @brief Fake main(), spliced in before the real call to main() by * __libc_start_main (see below). * We get serialized commands from our invoking process over an fd specified * by an environment variable (kFdEnvVar). The environment variable is a list * of key=value pairs (see move_commands_to_env); we use them to construct a * jail, then enter it. */ static int fake_main(int argc, char **argv, char **envp) { char *fd_name = getenv(kFdEnvVar); int fd = -1; struct minijail *j; if (geteuid() != getuid() || getegid() != getgid()) { /* * If we didn't do this check, an attacker could set kFdEnvVar * for any setuid program that uses libminijail to cause it to * get capabilities or a uid it did not expect. */ /* TODO(wad): why would libminijail interact here? */ return MINIJAIL_ERR_PRELOAD; } if (!fd_name) return MINIJAIL_ERR_PRELOAD; fd = atoi(fd_name); if (fd < 0) return MINIJAIL_ERR_PRELOAD; j = minijail_new(); if (!j) die("preload: out of memory"); if (minijail_from_fd(fd, j)) die("preload: failed to parse minijail from parent"); close(fd); /* TODO(ellyjones): this trashes existing preloads, so one can't do: * LD_PRELOAD="/tmp/test.so libminijailpreload.so" prog; the * descendants of prog will have no LD_PRELOAD set at all. */ unset_in_env(envp, kLdPreloadEnvVar); /* Strip out flags meant for the parent. */ minijail_preenter(j); minijail_enter(j); minijail_destroy(j); dlclose(libc_handle); return real_main(argc, argv, envp); } /** @brief LD_PRELOAD override of __libc_start_main. * * It is really best if you do not look too closely at this function. We need * to ensure that some of our code runs before the target program (see the * minijail0.1 file in this directory for high-level details about this), and * the only available place to hook is this function, which is normally * responsible for calling main(). Our LD_PRELOAD will overwrite the real * __libc_start_main with this one, so we have to look up the real one from * libc and invoke it with a pointer to the fake main() we'd like to run before * the real main(). We can't just run our setup code *here* because * __libc_start_main is responsible for setting up the C runtime environment, * so we can't rely on things like malloc() being available yet. */ int API __libc_start_main(int (*main)(int, char **, char **), int argc, char **ubp_av, void (*init)(void), void (*fini)(void), void (*rtld_fini)(void), void(*stack_end)) { void *sym; /* * This hack is unfortunately required by C99 - casting directly from * void* to function pointers is left undefined. See POSIX.1-2003, the * Rationale for the specification of dlsym(), and dlsym(3). This * deliberately violates strict-aliasing rules, but gcc can't tell. */ union { int (*fn)(int (*main)(int, char **, char **), int argc, char **ubp_av, void (*init)(void), void (*fini)(void), void (*rtld_fini)(void), void(*stack_end)); void *symval; } real_libc_start_main; /* * We hold this handle for the duration of the real __libc_start_main() * and drop it just before calling the real main(). */ libc_handle = dlopen("libc.so.6", RTLD_NOW); if (!libc_handle) { syslog(LOG_ERR, "can't dlopen() libc"); /* * We dare not use abort() here because it will run atexit() * handlers and try to flush stdio. */ _exit(1); } sym = dlsym(libc_handle, "__libc_start_main"); if (!sym) { syslog(LOG_ERR, "can't find the real __libc_start_main()"); _exit(1); } real_libc_start_main.symval = sym; real_main = main; /* * Note that we swap fake_main in for main - fake_main knows that it * should call real_main after it's done. */ return real_libc_start_main.fn(fake_main, argc, ubp_av, init, fini, rtld_fini, stack_end); }