blob: 5406f174b4fa4f3a95e725e4e95c1902e3051f57 [file] [log] [blame] [view]
andybonsad92aa32015-08-31 02:27:441# Linux `SUID` Sandbox
andybons3322f762015-08-24 21:37:092
brettw20d800c2016-04-12 00:10:493*IMPORTANT NOTE: The Linux SUID sandbox is almost but not completely removed.
4See https://bugs.chromium.org/p/chromium/issues/detail?id=598454
5This page is mostly out-of-date.*
6
andybonsad92aa32015-08-31 02:27:447With [r20110](https://crrev.com/20110), Chromium on Linux can now sandbox its
8renderers using a `SUID` helper binary. This is one of
9[our layer-1 sandboxing solutions](linux_sandboxing.md).
andybons3322f762015-08-24 21:37:0910
andybonsad92aa32015-08-31 02:27:4411## `SUID` helper executable
12
13The `SUID` helper binary is called `chrome_sandbox` and you must build it
14separately from the main 'chrome' target. To use this sandbox, you have to
15specify its path in the `linux_sandbox_path` GYP variable. When spawning the
sriramsr55d7efa2015-12-09 19:49:1016[zygote process](linux_zygote.md), if the `SUID` sandbox is enabled, Chromium
andybonsad92aa32015-08-31 02:27:4417will check for the sandbox binary at the location specified by
18`linux_sandbox_path`. For Google Chrome, this is set to
19`/opt/google/chrome/chrome-sandbox`, and early version had this value hard coded
20in `chrome/browser/zygote_host_linux.cc`.
andybons3322f762015-08-24 21:37:0921
22
23In order for the sandbox to be used, the following conditions must be met:
andybons3322f762015-08-24 21:37:0924
andybonsad92aa32015-08-31 02:27:4425* The sandbox binary must be executable by the Chromium process.
26* It must be `SUID` and executable by other.
andybons3322f762015-08-24 21:37:0927
andybonsad92aa32015-08-31 02:27:4428If these conditions are met then the sandbox binary is used to launch the zygote
29process. Once the zygote has started, it asks a helper process to chroot it to a
30temp directory.
andybons3322f762015-08-24 21:37:0931
andybonsad92aa32015-08-31 02:27:4432## `CLONE_NEWPID` method
33
34The sandbox does three things to restrict the authority of a sandboxed process.
35The `SUID` helper is responsible for the first two:
36
37* The `SUID` helper chroots the process. This takes away access to the
38 filesystem namespace.
39* The `SUID` helper puts the process in a PID namespace using the
40 `CLONE_NEWPID` option to
41 [clone()](http://www.kernel.org/doc/man-pages/online/pages/man2/clone.2.html).
42 This stops the sandboxed process from being able to `ptrace()` or `kill()`
43 unsandboxed processes.
andybons3322f762015-08-24 21:37:0944
45In addition:
andybonsad92aa32015-08-31 02:27:4446
47* The [Linux Zygote](linux_zygote.md) startup code sets the process to be
48 _undumpable_ using
49 [prctl()](http://www.kernel.org/doc/man-pages/online/pages/man2/prctl.2.html).
50 This stops sandboxed processes from being able to `ptrace()` each other.
51 More specifically, it stops the sandboxed process from being `ptrace()`'d by
52 any other process. This can be switched off with the
53 `--allow-sandbox-debugging` option.
andybons3322f762015-08-24 21:37:0954
55Limitations:
andybons3322f762015-08-24 21:37:0956
andybonsad92aa32015-08-31 02:27:4457* Not all kernel versions support `CLONE_NEWPID`. If the `SUID` helper is run
58 on a kernel that does not support `CLONE_NEWPID`, it will ignore the problem
59 without a warning, but the protection offered by the sandbox will be
60 substantially reduced. See LinuxPidNamespaceSupport for how to test whether
61 your system supports PID namespaces.
62* This does not restrict network access.
63* This does not prevent processes within a given sandbox from sending each
64 other signals or killing each other.
65* Setting a process to be undumpable is not irreversible. A sandboxed process
66 can make itself dumpable again, opening itself up to being taken over by
67 another process (either unsandboxed or within the same sandbox).
68 * Breakpad (the crash reporting tool) makes use of this. If a process
69 crashes, Breakpad makes it dumpable in order to use ptrace() to halt
70 threads and capture the process's state at the time of the crash. This
71 opens a small window of vulnerability.
andybons3322f762015-08-24 21:37:0972
andybonsad92aa32015-08-31 02:27:4473## `setuid()` method
andybons3322f762015-08-24 21:37:0974
andybonsad92aa32015-08-31 02:27:4475_This is an alternative to the `CLONE_NEWPID` method; it is not currently
76implemented in the Chromium codebase._
andybons3322f762015-08-24 21:37:0977
andybonsad92aa32015-08-31 02:27:4478Instead of using `CLONE_NEWPID`, the `SUID` helper can use `setuid()` to put the
79process into a currently-unused UID, which is allocated out of a range of UIDs.
80In order to ensure that the `UID` has not been allocated for another sandbox,
81the `SUID` helper uses
82[getrlimit()](http://www.kernel.org/doc/man-pages/online/pages/man2/getrlimit.2.html)
83to set `RLIMIT_NPROC` temporarily to a soft limit of 1. (Note that the docs
84specify that [setuid()](http://www.kernel.org/doc/man-pages/online/pages/man2/setuid.2.html)
85returns `EAGAIN` if `RLIMIT_NPROC` is exceeded.) We can reset `RLIMIT_NPROC`
86afterwards in order to allow the sandboxed process to fork child processes.
andybons3322f762015-08-24 21:37:0987
andybonsad92aa32015-08-31 02:27:4488As before, the `SUID` helper chroots the process.
89
90As before, LinuxZygote can set itself to be undumpable to stop processes in the
91sandbox from being able to `ptrace()` each other.
andybons3322f762015-08-24 21:37:0992
93Limitations:
andybons3322f762015-08-24 21:37:0994
andybonsad92aa32015-08-31 02:27:4495* It is not possible for an unsandboxed process to `ptrace()` a sandboxed
96 process because they run under different UIDs. This makes debugging harder.
97 There is no equivalent of the `--allow-sandbox-debugging` other than turning
98 the sandbox off with `--no-sandbox`.
99* The `SUID` helper can check that a `UID` is unused before it uses it (hence
100 this is safe if the `SUID` helper is installed into multiple chroots), but
101 it cannot prevent other root processes from putting processes into this
102 `UID` after the sandbox has been started. This means we should make the
103 `UID` range configurable, or distributions should reserve a `UID` range.
andybons3322f762015-08-24 21:37:09104
andybonsad92aa32015-08-31 02:27:44105## `CLONE_NEWNET` method
106
107The `SUID` helper uses
108[CLONE_NEWNET](http://www.kernel.org/doc/man-pages/online/pages/man2/clone.2.html)
109to restrict network access.
andybons3322f762015-08-24 21:37:09110
111## Future work
112
andybonsad92aa32015-08-31 02:27:44113We are splitting the `SUID` sandbox into a separate project which will support
114both the `CLONE_NEWNS` and `setuid()` methods:
115http://code.google.com/p/setuid-sandbox/
andybons3322f762015-08-24 21:37:09116
andybonsad92aa32015-08-31 02:27:44117Having the `SUID` helper as a separate project should make it easier for
118distributions to review and package.
andybons3322f762015-08-24 21:37:09119
120## Possible extensions
121
122## History
123
andybonsad92aa32015-08-31 02:27:44124Older versions of the sandbox helper process will _only_ run
125`/opt/google/chrome/chrome`. This string is hard coded
126(`sandbox/linux/suid/sandbox.cc`). If your package is going to place the
127Chromium binary somewhere else you need to modify this string.
andybons3322f762015-08-24 21:37:09128
129## See also
andybonsad92aa32015-08-31 02:27:44130
131* [LinuxSUIDSandboxDevelopment](linux_suid_sandbox_development.md)
132* [LinuxSandboxing](linux_sandboxing.md)
133* General information on Chromium sandboxing:
xiaoyin.l1003c0b2016-12-06 02:51:17134 https://dev.chromium.org/developers/design-documents/sandbox