author | Utkarsh Sanghi <usanghi@chromium.org> | 2015-05-26 14:05:09 -0700 |
---|---|---|
committer | ChromeOS Commit Bot <chromeos-commit-bot@chromium.org> | 2015-06-01 23:47:09 +0000 |
commit | eb21380f1df6769935ffa80aa6a6300d9ce0054d (patch) | |
tree | ec290ef97895a9521c5430bf3d0a51aa3bb9b3a3 | |
parent | 2863c75955f0e50df2ad29587a29b4d5b06779b9 (diff) | |
download | tpm_manager-eb21380f1df6769935ffa80aa6a6300d9ce0054d.tar.gz |
tpm_manager: enable minijail sandboxing
This CL makes tpm_manager daemon run inside a minijail
sandbox. tpm_managerd now runs as the tpm_manager user.
This CL also defines the seccomp policy file for amd64 architecture.
BUG=brillo:1039
TEST=run tpm_managerd on a DUT
CQ-DEPEND=CL:273273
Change-Id: Icb8dbf967a05c0bd26c624ff79127504f21aad19
Reviewed-on: https://chromium-review.googlesource.com/273340
Reviewed-by: Utkarsh Sanghi <usanghi@chromium.org>
Commit-Queue: Utkarsh Sanghi <usanghi@chromium.org>
Tested-by: Utkarsh Sanghi <usanghi@chromium.org>
-rw-r--r-- | server/main.cc | 46 | ||||
-rw-r--r-- | server/org.chromium.TpmManager.conf | 7 | ||||
-rw-r--r-- | server/tpm_manager-seccomp-amd64.policy | 60 | ||||
-rw-r--r-- | tpm_manager.gyp | 3 |
4 files changed, 108 insertions, 8 deletions
diff --git a/server/main.cc b/server/main.cc
index 829d32e..6333a26 100644
--- a/server/main.cc
+++ b/server/main.cc
@@ -2,12 +2,15 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
+#include <sysexits.h>
 #include <string>
 #include <base/command_line.h>
 #include <chromeos/daemons/dbus_daemon.h>
 #include <chromeos/dbus/async_event_sequencer.h>
+#include <chromeos/minijail/minijail.h>
 #include <chromeos/syslog_logging.h>
+#include <chromeos/userdb_utils.h>
 #include "tpm_manager/common/dbus_interface.h"
 #include "tpm_manager/server/dbus_service.h"
@@ -15,15 +18,54 @@ using chromeos::dbus_utils::AsyncEventSequencer;
+namespace {
+
+const uid_t kRootUID = 0;
+const char kTpmManagerUser[] = "tpm_manager";
+const char kTpmManagerGroup[] = "tpm_manager";
+const char kTpmManagerSeccompPath[] =
+ "/usr/share/policy/tpm_managerd-seccomp.policy";
+
+void InitMinijailSandbox() {
+ uid_t tpm_manager_uid;
+ gid_t tpm_manager_gid;
+ CHECK(chromeos::userdb::GetUserInfo(kTpmManagerUser,
+ &tpm_manager_uid,
+ &tpm_manager_gid))
+ << "Error getting tpm_manager uid and gid.";
+ CHECK_EQ(getuid(), kRootUID) << "TpmManagerDaemon not initialized as root.";
+ chromeos::Minijail* minijail = chromeos::Minijail::GetInstance();
+ struct minijail* jail = minijail->New();
+ minijail->DropRoot(jail, kTpmManagerUser, kTpmManagerGroup);
+ minijail->UseSeccompFilter(jail, kTpmManagerSeccompPath);
+ minijail->Enter(jail);
+ minijail->Destroy(jail);
+ CHECK_EQ(getuid(), tpm_manager_uid)
+ << "TpmManagerDaemon was not able to drop to tpm_manager user.";
+ CHECK_EQ(getgid(), tpm_manager_gid)
+ << "TpmManagerDaemon was not able to drop to tpm_manager group.";
+}
+
+} // namespace
+
 class TpmManagerDaemon : public chromeos::DBusServiceDaemon {
 public:
 TpmManagerDaemon()
 : chromeos::DBusServiceDaemon(tpm_manager::kTpmManagerServiceName) {
 tpm_manager_service_.reset(new tpm_manager::TpmManagerService);
- CHECK(tpm_manager_service_->Initialize());
 }
 protected:
+ int OnInit() override {
+ int result = chromeos::DBusServiceDaemon::OnInit();
+ if (result != EX_OK) {
+ LOG(ERROR) << "Error starting tpm_manager dbus daemon.";
+ return result;
+ }
+ CHECK(tpm_manager_service_->Initialize());
+ return EX_OK;
+ }
+
 void RegisterDBusObjectsAsync(AsyncEventSequencer* sequencer) override {
 dbus_service_.reset(new tpm_manager::DBusService(
 bus_, tpm_manager_service_.get()));
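Review bot: The result of `minijail->DropRoot(jail, kTpmManagerUser, kTpmManagerGroup)` is discarded; if that wrapper reports failure through a bool return (confirm against the libchromeos minijail header), writing it as `CHECK(minijail->DropRoot(jail, kTpmManagerUser, kTpmManagerGroup)) << "Failed to drop root for tpm_manager.";` fails at the point of error instead of relying only on the uid/gid comparisons after Enter(). Those trailing CHECK_EQs compare only the real ids; adding `geteuid()`/`getegid()` comparisons would also confirm the effective ids were dropped. InitMinijailSandbox() has no header comment; a line such as `// Drops root to the tpm_manager user/group and installs the seccomp filter; aborts via CHECK on any failure.` would state the contract. It is also worth a comment on OnInit() that Initialize() now runs inside the sandbox, so anything it opens must be permitted by the seccomp policy and readable by the tpm_manager user.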
@@ -41,5 +83,7 @@ int main(int argc, char* argv[]) {
 base::CommandLine::Init(argc, argv);
 chromeos::InitLog(chromeos::kLogToSyslog | chromeos::kLogToStderr);
 TpmManagerDaemon daemon;
+ LOG(INFO) << "TpmManager Daemon Started";
+ InitMinijailSandbox();
 return daemon.Run();
 }
diff --git a/server/org.chromium.TpmManager.conf b/server/org.chromium.TpmManager.conf
index 1b97005..70eca0f 100644
--- a/server/org.chromium.TpmManager.conf
+++ b/server/org.chromium.TpmManager.conf
@@ -6,14 +6,7 @@
 <allow own="org.chromium.TpmManager" />
 <allow send_destination="org.chromium.TpmManager" />
 </policy>
- <!-- TODO: deny ownership to root. brbug.com/1039-->
- <policy user="root">
- <allow own="org.chromium.TpmManager" />
- <allow send_destination="org.chromium.TpmManager" />
- </policy>
- <policy context="default">
- <deny own="org.chromium.TpmManager" />
 <allow send_destination="org.chromium.TpmManager" />
 <!-- introspection denied -->
 <deny send_destination="org.chromium.TpmManager"
diff --git a/server/tpm_manager-seccomp-amd64.policy b/server/tpm_manager-seccomp-amd64.policy
index e69de29..7d9ee94 100644
--- a/server/tpm_manager-seccomp-amd64.policy
+++ b/server/tpm_manager-seccomp-amd64.policy
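Review bot: `LOG(INFO) << "TpmManager Daemon Started";` is emitted before InitMinijailSandbox() and before daemon.Run(), so a sandbox failure (any CHECK inside InitMinijailSandbox()) will show up in syslog immediately after a "Started" message. Moving the line below `InitMinijailSandbox();`, or rewording it to `LOG(INFO) << "TpmManager Daemon: entering minijail sandbox";`, keeps the log honest for anyone triaging a failed start. `TpmManagerDaemon daemon;` is still constructed as root; that is acceptable only while the constructor does no more than allocate the service, which this change ensures by moving Initialize() into OnInit() — a comment on the constructor saying so would protect that invariant. main()'s signature is outside the hunk (it appears only as the @@ context).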
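Review bot: After this hunk, `<allow send_destination="org.chromium.TpmManager" />`, the introspection comment and the following `<deny send_destination=...` line have no enclosing `<policy>` element in the visible lines, because `<policy context="default">` and its `<deny own="org.chromium.TpmManager" />` are removed together with the root policy. Unless another policy opener survives just above or below the hunk (not visible here), the resulting file is not a well-formed busconfig and dbus-daemon may reject it; please confirm the installed file still parses. The change that matches the CL description is to drop only the five lines from the TODO comment through the root policy's `</policy>` and keep `<policy context="default">` with `<deny own="org.chromium.TpmManager" />`, so ownership of the name stays explicitly denied to every user other than tpm_manager.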
@@ -0,0 +1,60 @@
+# Copyright 2015 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Tested on link
+gettid: 1
+getuid: 1
+geteuid: 1
+getgid: 1
+getegid: 1
+getresuid: 1
+getresgid: 1
+
+clock_getres: 1
+clock_gettime: 1
+gettimeofday: 1
+time: 1
+
+# Allow socket(domain==PF_LOCAL) or socket(domain==PF_NETLINK)
+socket: arg0 == 0x1 || arg0 == 0x10
+socketpair: 1
+connect: 1
+getsockname: 1
+pipe: 1
+sendmsg: 1
+sendto: 1
+recvmsg: 1
+
+epoll_create: 1
+epoll_wait: 1
+epoll_ctl: 1
+poll: 1
+
+read: 1
+write: 1
+close: 1
+
+fstat: 1
+stat: 1
+lseek: 1
+fcntl: 1
+
+futex: 1
+set_robust_list: 1
+restart_syscall: 1
+exit: 1
+exit_group: 1
+rt_sigreturn: 1
+rt_sigprocmask: 1
+signalfd4: 1
+
+brk: 1
+mmap: 1
+madvise: 1
+mprotect: 1
+munmap: 1
+
+clone: 1
+#This is attempted but apparently not necessary; return EPERM.
+prctl: return 1
diff --git a/tpm_manager.gyp b/tpm_manager.gyp
index 45494f8..40aed81 100644
--- a/tpm_manager.gyp
+++ b/tpm_manager.gyp
@@ -69,6 +69,9 @@
 'sources': [
 'server/main.cc',
 ],
+ 'libraries': [
+ '-lminijail',
+ ],
 'dependencies': [
 'proto_library',
 'server_library', |
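Review bot: `clone: 1` admits the syscall with any flags while `socket:` is narrowed to its two expected domains; if the daemon only creates threads, constraining clone's flags argument in the same `arg0 == ...` style would keep a compromised process from spawning child processes, which is the main value of the filter. The file is added as server/tpm_manager-seccomp-amd64.policy, but main.cc loads `/usr/share/policy/tpm_managerd-seccomp.policy`; the rename and install are presumably done by the ebuild in CL:273273, and that is worth confirming because a missing policy file at that path presumably makes the minijail setup fail on every board without a policy. The `# Tested on link` comment would be more useful as `# Tested on link (amd64 only); other architectures need their own policy file.` so the per-architecture limitation is visible to whoever ports it.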