commit 1f82276f539a9033f6c80dd94f1b77749fa6504c
Author: Yawning Angel <[email protected]>
Date:   Fri Dec 9 01:23:56 2016 +0000

    Re-enable normalizing UID/GID on systems that support it.
    
    USER_NS considered harmful, but if the user is running a kernel that
    supports it, use it.
---
 .../internal/sandbox/hugbox.go                     | 49 +++++++++++++++-------
 1 file changed, 34 insertions(+), 15 deletions(-)

diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go 
b/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
index c52c879..bbc4333 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
@@ -71,26 +71,27 @@ type hugbox struct {
        cmd     string
        cmdArgs []string
 
-       hostname   string
-       runtimeDir string
-       homeDir    string
-       chdir      string
-       mountProc  bool
-       unshare    unshareOpts
-       stdin      io.Reader
-       stdout     io.Writer
-       stderr     io.Writer
-       seccompFn  func(*os.File) error
-       pdeathSig  syscall.Signal
+       hostname  string
+       homeDir   string
+       chdir     string
+       mountProc bool
+       unshare   unshareOpts
+       stdin     io.Reader
+       stdout    io.Writer
+       stderr    io.Writer
+       seccompFn func(*os.File) error
+       pdeathSig syscall.Signal
 
        fakeDbus     bool
        standardLibs bool
 
-       // Internal options, not to be modified except via helpers, unless you
+       // Internal options, not to be *modified* except via helpers, unless you
        // know what you are doing.
        bwrapPath string
        args      []string
        fileData  [][]byte
+
+       runtimeDir string // Set at creation time.
 }
 
 func (h *hugbox) setenv(k, v string) {
@@ -224,8 +225,17 @@ func (h *hugbox) run() (*exec.Cmd, error) {
        if h.chdir != "" {
                fdArgs = append(fdArgs, "--chdir", h.chdir)
        }
-       passwdBody := fmt.Sprintf("amnesia:x:%d:%d:Debian Live 
User,,,:/home/amnesia:/bin/bash\n", os.Getuid(), os.Getgid())
-       groupBody := fmt.Sprintf("amnesia:x:%d:\n", os.Getgid())
+
+       uid, gid := os.Getuid(), os.Getgid()
+       if h.unshare.user {
+               uid, gid = 1000, 1000
+               fdArgs = append(fdArgs, []string{
+                       "--uid", "1000",
+                       "--gid", "1000",
+               }...)
+       }
+       passwdBody := fmt.Sprintf("amnesia:x:%d:%d:Debian Live 
User,,,:/home/amnesia:/bin/bash\n", uid, gid)
+       groupBody := fmt.Sprintf("amnesia:x:%d:\n", gid)
        h.file("/etc/passwd", []byte(passwdBody))
        h.file("/etc/group", []byte(groupBody))
 
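Review bot: The sandbox identity 1000 is spelled out three ways on the new side — `uid, gid = 1000, 1000`, the `"--uid", "1000"` / `"--gid", "1000"` flag strings here, and again as `/run/user/1000` in newHugbox — so the synthetic passwd/group entries, the bwrap flags and the runtime directory can silently drift apart; a single package-level `const sandboxUID = 1000` used via `strconv.Itoa(sandboxUID)` and `fmt.Sprintf("/run/user/%d", sandboxUID)` keeps them in step. bwrap rejects `--uid`/`--gid` unless `--unshare-user` is also given; the branch is keyed on `h.unshare.user`, which presumably emits that flag elsewhere in run(), and a comment such as `// --uid/--gid are only valid with --unshare-user, driven by h.unshare` would make the coupling explicit. run() starts before this hunk and continues after it.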
@@ -371,7 +381,7 @@ type bwrapInfo struct {
 func newHugbox() (*hugbox, error) {
        h := &hugbox{
                unshare: unshareOpts{
-                       user:   false, // No point, not enough USER_NS support.
+                       user:   false,
                        ipc:    true,
                        pid:    true,
                        net:    true,
@@ -386,6 +396,15 @@ func newHugbox() (*hugbox, error) {
                standardLibs: true,
        }
 
+       // This option is considered dangerous and leads to things like
+       // CVE-2016-8655.  But if the user is running with this enabled,
+       // then might as well take advantage of it.
+       if FileExists("/proc/self/ns/user") {
+               Debugf("sandbox: User namespace support detected.")
+               h.unshare.user = true
+               h.runtimeDir = "/run/user/1000"
+       }
+
        // Look for the bwrap binary in sensible locations.
        bwrapPaths := []string{
                "/usr/bin/bwrap",
