crashpad/util/posix/drop_privileges.cc
Mark Mentovai e956a8252f Port the util library to Android
With this change, it is possible to build crashpad_util for Android with
clang. I built with NDK 13b (clang 3.8) at API 24 (current), API 21
(used by Chrome in 64-bit builds), and API 16 (used by Chrome in 32-bit
builds).

 - In WeakFileHandleFileWriter::WriteIoVec(): Android does not expose
   the IOV_MAX macro, but its value can be obtained by calling
   sysconf(_SC_IOV_MAX).
 - In CloseMultipleNowOrOnExec(): API 21 removes getdtablesize(). Skip
   it, because it returned the same thing as sysconf(_SC_OPEN_MAX),
   which is already consulted.
 - Throughout: Various #ifdefs checking for OS_LINUX have been extended
   to also check for OS_ANDROID. In Chrome’s build_config.h (and thus
   mini_chromium’s), OS_LINUX is not defined when OS_ANDROID is.

This has not been tested beyond building the crashpad_util target.

BUG=crashpad:30

Change-Id: Ieb0bed736029d2d776c534e30e534f186e6fb663
Reviewed-on: https://chromium-review.googlesource.com/405267
Reviewed-by: Robert Sesek <rsesek@chromium.org>
2016-10-31 15:23:43 +00:00

92 lines
3.9 KiB
C++
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

// Copyright 2014 The Crashpad Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include <unistd.h>
#include "base/logging.h"
#include "build/build_config.h"
namespace crashpad {
void DropPrivileges() {
gid_t gid = getgid();
uid_t uid = getuid();
#if defined(OS_MACOSX)
// Based on the POSIX.1-2008 2013 edition documentation for setreuid() and
// setregid(), setreuid() and setregid() alone should be sufficient to drop
// privileges. The standard specifies that the saved ID should be set to the
// effective ID whenever the real ID is not -1, or whenever the effective ID
// is set not equal to the real ID. This code never specifies -1, so the
// setreuid() and setregid() alone should work according to the standard.
//
// In practice, on Mac OS X, setuid() and setgid() (or seteuid() and
// setegid()) must be called first. Otherwise, setreuid() and setregid() do
// not alter the saved IDs, leaving open the possibility for future privilege
// escalation.
//
// The problem exists in 10.9.5 xnu-2422.115.4/bsd/kern/kern_prot.c
// setreuid(). Based on its comments, it purports to set the svuid to the new
// euid when the old svuid doesnt match one of the new ruid and euid. This
// isnt how POSIX.1-2008 says it should behave, but it should work for this
// functions purposes. In reality, setreuid() doesnt even do this: it sets
// the svuid to the old euid, which does not drop privileges when the old euid
// is different from the desired euid. The workaround of calling setuid() or
// seteuid() before setreuid() works because it sets the euid so that by the
// time setreuid() runs, the old euid is actually the value that ought to be
// set as the svuid. setregid() is similar. This bug is filed as radar
// 18987552.
//
// setuid() and setgid() alone will only set the saved IDs when running as
// root. When running a setuid non-root or setgid program, they do not alter
// the saved ID, and do not effect a permanent privilege drop.
gid_t egid = getegid();
PCHECK(setgid(gid) == 0) << "setgid";
PCHECK(setregid(gid, gid) == 0) << "setregid";
uid_t euid = geteuid();
PCHECK(setuid(uid) == 0) << "setuid";
PCHECK(setreuid(uid, uid) == 0) << "setreuid";
if (uid != 0) {
// Because the setXid()+setreXid() interface to change IDs is fragile,
// ensure that privileges cannot be regained. This can only be done if the
// real user ID (and now the effective user ID as well) is not root, because
// root always has permission to change identity.
if (euid != uid) {
CHECK_EQ(seteuid(euid), -1);
}
if (egid != gid) {
CHECK_EQ(setegid(egid), -1);
}
}
#elif defined(OS_LINUX) || defined(OS_ANDROID)
PCHECK(setresgid(gid, gid, gid) == 0) << "setresgid";
PCHECK(setresuid(uid, uid, uid) == 0) << "setresuid";
// Dont check to see if privileges can be regained on Linux, because on
// Linux, its not as simple as ensuring that this cant be done if non-root.
// Instead, the ability to change user and group IDs are controlled by the
// CAP_SETUID and CAP_SETGID capabilities, which may be granted to non-root
// processes. Since the setresXid() interface is well-defined, it shouldnt be
// necessary to perform any additional checking anyway.
//
// TODO(mark): Drop CAP_SETUID and CAP_SETGID if present and non-root?
#else
#error Port this function to your system.
#endif
}
} // namespace crashpad