From 59eb8bf3a8efbc38b35493d2656072c28ddfd1a0 Mon Sep 17 00:00:00 2001
From: Torsten Hilbrich
Date: Wed, 21 Nov 2012 11:32:57 +0100
Subject: [PATCH] base-linux: Add chdir after performing chroot
This ensures that the cwd of the process is within the chroot environment, improving security for root processes. The cwd after the chroot is the same as before, this is needed to start binaries given as relative path name.
---
 base-linux/src/core/include/core_linux_syscalls.h | 8 +++++++-
 base-linux/src/core/pd_session_component.cc | 12 ++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/base-linux/src/core/include/core_linux_syscalls.h b/base-linux/src/core/include/core_linux_syscalls.h
index e39ff5b45..6897bb1cc 100644
--- a/base-linux/src/core/include/core_linux_syscalls.h
+++ b/base-linux/src/core/include/core_linux_syscalls.h
@@ -94,12 +94,18 @@ inline int lx_create_process(int (*entry)(void *), void *stack, void *arg)
 ** Chroot handling **
 *********************/
-inline int lx_chroot(const char *path)
+inline int lx_chroot(char const *path)
 {
 return lx_syscall(SYS_chroot, path);
 }
+inline int lx_chdir(char const *path)
+{
+ return lx_syscall(SYS_chdir, path);
+}
+
+
 inline int lx_getcwd(char *dst, size_t dst_len)
 {
 return lx_syscall(SYS_getcwd, dst, dst_len);
diff --git a/base-linux/src/core/pd_session_component.cc b/base-linux/src/core/pd_session_component.cc
index d6700e1f4..64f233960 100644
--- a/base-linux/src/core/pd_session_component.cc
+++ b/base-linux/src/core/pd_session_component.cc
@@ -212,6 +212,7 @@ static int _exec_child(Execve_args *arg)
 /* change to chroot environment */
 if (arg->root && arg->root[0]) {
+ char cwd[1024];
 PDBG("arg->root='%s'", arg->root);
@@ -220,6 +221,11 @@ static int _exec_child(Execve_args *arg)
 return -1;
 }
+ if (!lx_getcwd(cwd, sizeof(cwd))) {
+ PERR("Failed to getcwd");
+ return -1;
+ }
+
 PLOG("changing root of %s (PID %d) to %s", arg->filename, lx_getpid(), arg->root);
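Review bot: The added `if (!lx_getcwd(cwd, sizeof(cwd)))` in the `-220,6 +221,11` hunk treats only a zero return as failure, while the rest of this patch (`ret < 0` after `lx_chdir`, the errno printed from `ret` after the chroot call) treats negative values as errors. If `lx_syscall` reports getcwd errors the same way, a failed call, for example a working directory longer than the 1024-byte `cwd` declared in the previous hunk, passes the check and the later `lx_chdir(cwd)` operates on an uninitialized stack buffer. I would write `if (lx_getcwd(cwd, sizeof(cwd)) <= 0) {` and size the buffer for the longest path the platform allows. `_exec_child` starts and ends outside these hunks.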
@@ -228,6 +234,12 @@ static int _exec_child(Execve_args *arg)
 PERR("Syscall chroot failed (errno %d)", ret);
 return -1;
 }
+
+ ret = lx_chdir(cwd);
+ if (ret < 0) {
+ PERR("chdir to new chroot failed");
+ return -1;
+ }
 }
 return lx_execve(arg->filename, arg->argv, arg->envp);
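Review bot: The failure branch of the added `lx_chdir(cwd)` logs neither the path nor `ret`, unlike the chroot failure directly above it; `PERR("chdir to '%s' inside new root failed (errno %d)", cwd, ret);` would make a directory missing from the chroot tree diagnosable. A comment above the call would also help, e.g. `/* chroot leaves the cwd untouched; re-resolve the old path inside the new root so the cwd cannot stay outside it */`, because `cwd` is now interpreted relative to `arg->root` rather than naming the directory the process was in before. Whether the child gives up root before `lx_execve` is not visible here; the chdir closes the stale-cwd gap but is not by itself confinement for a process that keeps that privilege. The function body begins outside the hunk.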