c – 在linux上的另一个线程中检测程序启动

我试图通过(除其他事项外)在启动后对它们进行chroot来沙箱ELF二进制文件.为此,使用CLONE_FS标记克隆的子进程执行chroot,而父进程通过调用exec函数运行二进制文件.

如果chroot在程序加载完所需的共享库之后发生,那么这个技巧实际上是有效的.问题是我无法找到一种方法来检测其他进程实际发生的时间.有什么办法吗?

解决方法:

您可以使用preload库,其中包含在main()之前执行的函数,具有CAP_SYS_CHROOT允许文件系统功能的辅助二进制文件,以及两者之间的Unix域套接字对.

帮助程序二进制文件创建套接字对,然后使用clone(CLONE_FS)来分叉共享文件系统信息的帮助程序进程,设置LD_PRELOAD以加载预加载库,并执行沙盒二进制文件. (exec重置沙箱二进制文件系统功能的功能,因此沙盒二进制文件根本没有任何额外的权限.)

帮助程序进程将CAP_SYS_CHROOT添加到有效集,等待沙盒二进制文件(预加载库)通过套接字通知它,调用chroot(),并通知沙盒二进制文件(预加载库)成功.

注意:绝对不需要标记辅助二进制setuid root,或者为沙盒二进制文件提供任何功能或特权.我们可以用最小的权限来做到这一点:CAP_SYS_CHROOT capability就足够了.

我更喜欢只将二进制文件的功能添加到允许的集合中,这样二进制文件本身就必须在chroot()工作之前将功能添加到有效集合中.我觉得这种方法减少了可能的安装/管理员错误的影响.如果您不同意,请随意省略exec.c中的相应代码,并在Makefile的setcap命令中使用= pe而不是= p.

这里的好处是preload库也可以插入所需的C函数,并使用unix域套接字从helper进程获取必要的信息;您甚至可以使用SCM_RIGHTS辅助消息将文件描述符从chroot外部传输到沙盒二进制文件. (实质上,这就是fakeroot所做的,但反过来说:你可以选择沙盒二进制文件可以从chroot环境之外访问哪些文件而不是假冒chrooted环境.)只要让帮助程序进程保持活动状态就可以了.套接字的另一端仍然是打开的,因此它将在沙盒二进制退出后退出.

下面是我的示例实现,它将辅助进程作为沙盒二进制文件的子进程启动,辅助进程在启动沙盒main()之前退出(并预先加载库).

exec.c:

#define _GNU_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <unistd.h>
#include <sys/capability.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <sched.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>

#ifndef  SOCKET_FD
#error SOCKET_FD not defined!
#endif

#ifndef  LIBRARY_PATH
#error LIBRARY_PATH not defined!
#endif

static size_t            helper_stack_size = 32768;
static void             *helper_stack = NULL;
static const char       *helper_chroot = NULL;
static const cap_value_t helper_cap[] = { CAP_SYS_CHROOT };
static const int         helper_caps = sizeof helper_cap / sizeof helper_cap[0];
static int               socket_fd[2] = { -1, -1 };

#ifdef __hppa
#define helper_endstack  (helper_stack)
#else
#define helper_endstack  ((void *)((char *)helper_stack + helper_stack_size - 1))
#endif

static int helper_main(void *arg)
{
    const char *const argv0 = arg;
    pid_t pid;
    cap_t caps;

    close(socket_fd[0]);

    /* Read the target PID. */
    {   char       *p = (char *)(&pid);
        char *const q = (char *)(&pid) + sizeof pid;
        ssize_t     n;

        while (p < q) {
            n = recv(socket_fd[1], p, (size_t)(q - p), MSG_WAITALL);
            if (n > (ssize_t)0)
                p += n;
            else
            if (n != (ssize_t)-1) {
                fprintf(stderr, "%s: %s.\n", argv0, strerror(EIO));
                return 127;
            } else
            if (errno != EINTR) {
                fprintf(stderr, "%s: %s.\n", argv0, strerror(errno));
                return 127;
            }
        }
    }

    if (pid < (pid_t)2) {
        shutdown(socket_fd[1], SHUT_RDWR);
        close(socket_fd[1]);
        return 127;
    }

    /* Enable CAP_SYS_CHROOT. */
    caps = cap_get_proc();
    if (cap_set_flag(caps, CAP_EFFECTIVE, helper_caps, helper_cap, CAP_SET)) {
        shutdown(socket_fd[1], SHUT_RDWR);
        close(socket_fd[1]);
        fprintf(stderr, "%s: %s.\n", argv0, strerror(errno));
        return 127;
    }
    if (cap_set_proc(caps)) {
        shutdown(socket_fd[1], SHUT_RDWR);
        close(socket_fd[1]);
        fprintf(stderr, "%s: %s.\n", argv0, strerror(errno));
        return 127;
    }

    /* Target is ready to be chrooted, so do it now. */
    if (chroot(helper_chroot)) {
        shutdown(socket_fd[1], SHUT_RDWR);
        close(socket_fd[1]);
        fprintf(stderr, "%s: Cannot chroot: %s.\n", argv0, strerror(errno));
        return 127;
    }

    /* Send my own pid, so this process will be reaped. */
    {   const char       *p = (char *)(&pid);
        const char *const q = (char *)(&pid) + sizeof pid;
        ssize_t           n;

        pid = getpid();

        while (p < q) {
            n = send(socket_fd[1], p, (size_t)(q - p), MSG_NOSIGNAL);
            if (n > (ssize_t)0)
                p += n;
            else
            if (n != (ssize_t)-1) {
                fprintf(stderr, "%s: %s.\n", argv0, strerror(EIO));
                return 127;
            } else
            if (errno != EINTR) {
                fprintf(stderr, "%s: %s.\n", argv0, strerror(errno));
                return 127;
            }
        }
    }

    /* We won't be sending anything else. */
    shutdown(socket_fd[1], SHUT_WR);

    /* Ignore further input; wait for other end to close descriptor. */
    {   char    buf[16];
        ssize_t n;

        while (1) {
            n = recv(socket_fd[1], buf, sizeof buf, 0);
            if (n > (ssize_t)0)
                continue;
            else
            if (n == (ssize_t)0)
                break;
            else
            if (n != (ssize_t)-1) {
                fprintf(stderr, "%s: %s.\n", argv0, strerror(EIO));
                return 127;
            } else
            if (errno == EPIPE)
                break;
            else
            if (errno != EINTR) {
                fprintf(stderr, "%s: %s.\n", argv0, strerror(errno));
                return 127;
            }
        }
    }

    /* Close the socket, and exit. */
    shutdown(socket_fd[1], SHUT_RDWR);
    close(socket_fd[1]);
    return 0;
}

int main(int argc, char *argv[])
{
   if (argc < 4 || !strcmp(argv[1], "-h") || !strcmp(argv[1], "--help")) {
        fprintf(stderr, "\n");
        fprintf(stderr, "Usage: %s [ -h | --help ]\n", argv[0]);
        fprintf(stderr, "       %s CHROOT WORKDIR COMMAND [ ARGS ... ]\n", argv[0]);
        fprintf(stderr, "\n");
        fprintf(stderr, "Note: . is a valid WORKDIR.\n");
        fprintf(stderr, "\n");
        return 1;
    }

    if (chdir(argv[2])) {
        fprintf(stderr, "%s: %s.\n", argv[2], strerror(errno));
        return 1;
    }

    helper_stack = mmap(NULL, helper_stack_size, PROT_READ | PROT_WRITE,
                              MAP_ANONYMOUS | MAP_PRIVATE | MAP_STACK | MAP_GROWSDOWN, -1, (off_t)0);
    if ((void *)helper_stack == MAP_FAILED) {
        fprintf(stderr, "Cannot create helper process stack: %s.\n", strerror(errno));
        return 1;
    }
    helper_chroot = argv[1];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_fd)) {
        fprintf(stderr, "Cannot create an Unix domain stream socket pair: %s.\n", strerror(errno));
        return 1;
    }

    if (clone(helper_main, helper_endstack, CLONE_FS, argv[0]) == -1) {
        fprintf(stderr, "Cannot clone a helper process: %s.\n", strerror(errno));
        close(socket_fd[0]);
        close(socket_fd[1]);
        return 1;
    }

    close(socket_fd[1]);
    if (socket_fd[0] != SOCKET_FD) {
        if (dup2(socket_fd[0], SOCKET_FD) == -1) {
            fprintf(stderr, "Cannot move stream socket: %s.\n", strerror(errno));
            close(socket_fd[0]);
            close(SOCKET_FD);
            return 1;
        }
        close(socket_fd[0]);
    }

    setenv("LD_PRELOAD", LIBRARY_PATH, 1);

    /* Capabilities are reset over an execve(). */
    execvp(argv[3], argv + 3);

    close(SOCKET_FD);
    fprintf(stderr, "%s: %s.\n", argv[3], strerror(errno));
    return 1;
}

premain.c:

#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>

#ifndef SOCKET_FD
#error SOCKET_FD is not defined!
#endif

static void init(void) __attribute__ ((constructor (65535)));

static void init(void)
{
    pid_t pid;

    /* Note: We could probably only remove libpremain.so
     *       from the value, instead of clearing it altogether. */
    unsetenv("LD_PRELOAD");

    /* Verify SOCKFD is an Unix domain socket. */
    {   struct sockaddr_un  addr;
        socklen_t           addrlen = sizeof addr;
        memset(&addr, 0, sizeof addr);

        errno = EIO;
        if (getsockname(SOCKET_FD, (struct sockaddr *)&addr, &addrlen))
            switch (errno) {

            case EBADF:
                /* SOCKET_FD is not open. Continue as if libpremain.so was never loaded. */
                errno = 0;
                return;

            case ENOTSOCK:
                /* SOCKET_FD is not a socket. Continue as if libpremain.so was never loaded. */
                errno = 0;
                return;

            default:
                /* All other errors are fatal. */
                exit(127);
            }

        if (addr.sun_family != AF_UNIX) {
            /* SOCKET_FD is not an Unix domain socket. Continue as if libpremain.so was never loaded. */
            errno = 0;
            return;
        }
    }

    /* Make SOCKET_FD blocking and close-on-exec. */
    if (fcntl(SOCKET_FD, F_SETFD, (long)FD_CLOEXEC) ||
        fcntl(SOCKET_FD, F_SETFL, (long)0L))
        exit(127);

    /* Send our PID. */
    {   const char       *p = (const char *)(&pid);
        const char *const q = (const char *)(&pid) + sizeof pid;

        pid = getpid();

        while (p < q) {
            ssize_t n = send(SOCKET_FD, p, (size_t)(q - p), MSG_NOSIGNAL);
            if (n > (ssize_t)0)
                p += n;
            else
            if (n != (ssize_t)-1)
                exit(127);
            else
            if (errno != EINTR)
                exit(127);
        }
    }

    /* Receive the PID from the other end. */
    {   char       *p = (char *)(&pid);
        char *const q = (char *)(&pid) + sizeof pid;

        pid = (pid_t)-1;

        while (p < q) {
            ssize_t n = recv(SOCKET_FD, p, (size_t)(q - p), MSG_WAITALL);
            if (n > (ssize_t)0)
                p += n;
            else
            if (n != (ssize_t)-1)
                exit(127);
            else
            if (errno != EINTR)
                exit(127);
        }
    }

    shutdown(SOCKET_FD, SHUT_RDWR);
    close(SOCKET_FD);

    /* If the PID is > 1, we wait for it to exit.
     * If an error occurs, it's not a problem. */
    if (pid > (pid_t)1) {
        pid_t p;
        do {
            p = waitpid(pid, NULL, 0);
        } while (p == (pid_t)-1 && errno == EINTR);
    }

    /* All done. */
    return;
}

Makefile文件:

CC  := gcc
CFLAGS  := -Wall -O3
LD  := $(CC)
LDFLAGS := -lcap

PREFIX  := /usr
BINDIR  := $(PREFIX)/bin
LIBDIR  := $(PREFIX)/lib

SOCKFD  := 15

.PHONY: all clean

all: clean libpremain.so exec-chroot

clean:
    rm -f libpremain.so exec-chroot

libpremain.so: premain.c
    $(CC) $(CFLAGS) -DSOCKET_FD=$(SOCKFD) -fPIC -shared $^ -ldl -Wl,-soname,$@ $(LDFLAGS) -o $@

exec-chroot: exec.c
    $(CC) $(CFLAGS) -DSOCKET_FD=$(SOCKFD) -DLIBRARY_PATH='"'$(LIBDIR)/libpremain.so'"' $^ $(LDFLAGS) -o $@

install: libpremain.so exec-chroot
    sudo rm -f $(LIBDIR)/libpremain.so $(BINDIR)/exec-chroot
    sudo install -o `id -un` -g `id -gn` -m 00770 libpremain.so $(LIBDIR)/libpremain.so
    sudo install -o `id -un` -g `id -gn` -m 00770 exec-chroot $(BINDIR)/exec-chroot
    sudo setcap 'cap_sys_chroot=p' $(BINDIR)/exec-chroot

uninstall:
    sudo rm -f $(LIBDIR)/libpremain.so $(BINDIR)/exec-chroot

请注意,Makefile中的缩进是使用制表符,而不是空格.跑

make PREFIX=/usr/local clean install

编译并安装到/usr/local,但只能由当前用户执行.您也可以使用全部清除仅重新编译所有内容,或卸载以卸载二进制文件

这确实需要libcap库.它作为内核的一部分进行维护,但您可能需要安装libcap-dev或libcap-devel或类似命名的包来获取所有必需的文件以对其进行编译.

安装后,您可以运行,例如

exec-chroot /tmp /tmp ls -alF /

运行ls -alF / in / tmp chrooted到/ tmp. Ubuntu机器上的输出通常是这样的

drwxrwxrwt 11    0    0  4096 May 29 23:55 ./
drwxrwxrwt 11    0    0  4096 May 29 23:55 ../
drwxrwxrwt  2    0    0  4096 May 29 17:15 .ICE-unix/
-r--r--r--  1    0    0    11 May 29 17:15 .X0-lock
drwxrwxrwt  2    0    0  4096 May 29 17:15 .X11-unix/
drwx------  2 1000 1000  4096 May 29 17:15 .esd-1000/
drwx------  2    0    0 16384 Dec  2  2011 lost+found/
drwx------  2 1000 1000  4096 May 29 17:15 pulse-xxxxxxxxx/
drwx------  2    0    0  4096 May 29 17:15 pulse-yyyyyyyyy/

所有者和组分别为0(root)和1000(user),因为passrod和group数据库在chroot中是不可访问的.但是,正如我已经提到的,可以通过修改和扩展上述代码来解决它.

虽然我确实试图通过仔细的错误处理来编写代码,但我并没有真正考虑到错误条件或安全问题的整体操作;这就是安装文件只能由当前用户访问的原因.

有问题吗?

上一篇:linux – PTRACE_O_TRACEEXEC与它的缺席有什么区别?


下一篇:Linux系统用户角色划分