vp-build/xbps-src/libexec/chroot.c

127 lines
3.8 KiB
C

/*-
* Copyright (c) 2010-2011 Juan Romero Pardines.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* chroot() to target directory by using the CAP_CHROOT
* capability set on the file.
*
* As security measure it only allows to chroot when the target directory
* is owned by the same user executing the process and it has read/write
* permission on it.
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <limits.h>
#include <sys/stat.h>
#include <sys/mount.h>
#include <sys/capability.h>
#define _PROGNAME "xbps-src-capchroot"
void
usage(void)
{
fprintf(stderr, "Usage: %s <newroot> <args>\n", _PROGNAME);
exit(EXIT_FAILURE);
}
int
main(int argc, char **argv)
{
cap_t cap;
cap_flag_value_t effective, permitted;
struct stat st;
char *path;
if (argc < 3)
usage();
cap = cap_get_proc();
if (cap == NULL) {
fprintf(stderr, "cap_get_proc() returned %s!\n",
strerror(errno));
exit(EXIT_FAILURE);
}
cap_get_flag(cap, CAP_SYS_CHROOT, CAP_EFFECTIVE, &effective);
cap_get_flag(cap, CAP_SYS_CHROOT, CAP_PERMITTED, &permitted);
if ((effective != CAP_SET) && (permitted != CAP_SET)) {
fprintf(stderr, "ERROR: missing 'cap_sys_chroot' capability!\n"
"Please set it with: setcap cap_sys_chroot=ep %s'\n",
argv[0]);
cap_free(cap);
exit(EXIT_FAILURE);
}
cap_free(cap);
if ((path = realpath(argv[1], NULL)) == NULL) {
fprintf(stderr, "ERROR: realpath() %s\n", strerror(errno));
exit(EXIT_FAILURE);
}
/* Disallow chroot to '/' */
if (strcmp(path, "/") == 0) {
fprintf(stderr, "ERROR: chroot to / is not allowed!\n");
exit(EXIT_FAILURE);
}
/*
* Check that uid/gid owns the dir and has rx perms on the
* new target root and it is a directory.
*/
if (stat(path, &st) == -1) {
fprintf(stderr, "ERROR: stat() on %s: %s\n",
path, strerror(errno));
exit(EXIT_FAILURE);
}
if (S_ISDIR(st.st_mode) == 0) {
fprintf(stderr, "ERROR: '%s' not a directory!\n", path);
exit(EXIT_FAILURE);
}
if ((st.st_uid != getuid()) && (st.st_gid != getgid()) &&
(st.st_mode & (S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP))) {
fprintf(stderr, "ERROR: wrong permissions on %s!\n", path);
exit(EXIT_FAILURE);
}
/* All ok, change root and process argv on the target root dir. */
if (chroot(path) == -1) {
fprintf(stderr, "ERROR: chroot() on %s: %s\n", argv[1],
strerror(errno));
exit(EXIT_FAILURE);
}
if (chdir("/") == -1) {
fprintf(stderr, "ERROR: chdir(): %s\n", strerror(errno));
exit(EXIT_FAILURE);
}
argv += 2;
(void)execvp(argv[0], argv);
exit(EXIT_FAILURE);
}