Merge pull request #41 from input-output-hk/escape-hatch

add an escape-hatch option to allow things like xdg-open to work inside the sandbox
2024-08-15 09:50:25 +03:00 · 2018-10-21 19:41:26 -05:00 · 2018-10-21 19:41:26 -05:00 · 113d8c6b42
commit 113d8c6b42
parent 014d3a6209 7f12322399
1 changed files with 75 additions and 4 deletions
--- a/nix-user-chroot/main.cpp
+++ b/nix-user-chroot/main.cpp
@ -26,6 +26,10 @@
 using namespace std;

 #define err_exit(format, ...) { fprintf(stderr, format ": %s\n", ##__VA_ARGS__, strerror(errno)); exit(EXIT_FAILURE); }
+static int child_proc(const char *rootdir, const char *nixdir, uint8_t clear_env, list<struct DirMapping> dirMappings, list<struct SetEnv> envMappings, const char *executable, char * const new_argv[]);
+
+volatile uint8_t child_died = 0;
+int child_pid = 0;

 static void usage(const char *pname) {
    fprintf(stderr, "Usage: %s -n <nixpath> -- <command>\n", pname);
@ -33,6 +37,7 @@ static void usage(const char *pname) {
    fprintf(stderr, "\t-m <src>:<src>\tmap src on the host to dest in the sandbox\n");
    fprintf(stderr, "\t-d\tdelete all default dir mappings, may break things\n");
    fprintf(stderr, "\t-p <var>\tpreserve the value of a variable across the -c clear\n");
+    fprintf(stderr, "\t-e\tadd an /escape-hatch to the sandbox, and run (outside the sandbox) any strings written to it\n");

    exit(EXIT_FAILURE);
 }
@ -91,8 +96,15 @@ struct DirMapping parseMapping(string input) {
  return (struct DirMapping){ src, dest };
 }

+static void handle_child_death(int signo, siginfo_t *info, void *context) {
+  if ( (child_pid == 0) || (info->si_pid == child_pid) ) {
+    child_died = 1;
+  }
+}
+
 int main(int argc, char *argv[]) {
  uint8_t clear_env = 0;
+  uint8_t enable_escape_hatch = 0;
  char *nixdir = NULL;
  list<struct DirMapping> dirMappings;
  list<struct SetEnv> envMappings;
@ -111,11 +123,14 @@ int main(int argc, char *argv[]) {
 #undef x

  int opt;
-  while ((opt = getopt(argc, argv, "cn:m:dp:")) != -1) {
+  while ((opt = getopt(argc, argv, "cen:m:dp:")) != -1) {
    switch (opt) {
    case 'c':
      clear_env = 1;
      break;
+    case 'e':
+      enable_escape_hatch = 1;
+      break;
    case 'n':
      // determine absolute directory for nix dir
      nixdir = realpath(optarg, NULL);
@ -163,6 +178,62 @@ int main(int argc, char *argv[]) {
    err_exit("mkdtemp(%s)", template_);
  }

+  int unrace[2];
+
+  if (pipe(unrace)) {
+    err_exit("pipe()");
+  }
+
+  struct sigaction handle_child;
+  handle_child.sa_sigaction = handle_child_death;
+  handle_child.sa_flags = SA_SIGINFO;
+
+  struct sigaction old_handler;
+  if (sigaction(SIGCHLD, &handle_child, &old_handler)) {
+    err_exit("sigaction()");
+  }
+
+  int child;
+  child = child_pid = fork();
+  if (child < 0) {
+    err_exit("fork()");
+  } else if (child == 0) {
+    sigaction(SIGCHLD, &old_handler, NULL);
+    close(unrace[1]);
+    char buf[10];
+    read(unrace[0], buf, 10);
+    close(unrace[0]);
+    return child_proc(rootdir, nixdir, clear_env, dirMappings, envMappings, argv[optind], argv + optind);
+  } else {
+    close(unrace[0]);
+    char fifopath[PATH_MAX];
+    if (enable_escape_hatch) {
+      snprintf(fifopath, PATH_MAX, "%s/escape-hatch", rootdir);
+      mkfifo(fifopath, 0600);
+    }
+    close(unrace[1]);
+    if (enable_escape_hatch) {
+      char buffer[1024];
+      while (!child_died) {
+        int fd = open(fifopath, O_RDONLY);
+        if (fd < 0) {
+          if (errno == EINTR) continue;
+          fprintf(stderr, "error opening escape-hatch: %s\n", strerror(errno));
+          continue;
+        }
+        int size = read(fd, buffer, 1024);
+        buffer[size] = 0;
+        system(buffer);
+        close(fd);
+      }
+    }
+    int status;
+    int ret = waitpid(child, &status, 0);
+    return WEXITSTATUS(status);
+  }
+}
+
+static int child_proc(const char *rootdir, const char *nixdir, uint8_t clear_env, list<struct DirMapping> dirMappings, list<struct SetEnv> envMappings, const char *executable, char * const new_argv[]) {
  // get uid, gid before going to new namespace
  uid_t uid = getuid();
  gid_t gid = getgid();
@ -170,7 +241,7 @@ int main(int argc, char *argv[]) {
  // "unshare" into new namespace
  if (unshare(CLONE_NEWNS | CLONE_NEWUSER) < 0) {
    if (errno == EPERM) {
-      fputs("Run the following as root to enable unprivileged namespace use:\nsysctl -w kernel.unprivileged_userns_clone=1 ; echo kernel.unprivileged_userns_clone=1 > /etc/sysctl.d/nix-user-chroot.conf\n\n", stderr);
+      fputs("Run the following to enable unprivileged namespace use:\nsudo bash -c \"sysctl -w kernel.unprivileged_userns_clone=1 ; echo kernel.unprivileged_userns_clone=1 > /etc/sysctl.d/nix-user-chroot.conf\"\n\n", stderr);
      exit(EXIT_FAILURE);
    } else {
      err_exit("unshare()");
@ -230,6 +301,6 @@ int main(int argc, char *argv[]) {
  }

  // execute the command
-  execvp(argv[optind], argv + optind);
-  err_exit("execvp(%s)", argv[optind]);
+  execvp(executable, new_argv);
+  err_exit("execvp(%s)", executable);
 }