commit 7ad0525c601aa45414f56193760e3d08dd9cdae4 Author: Yawning Angel yawning@schwanenlied.me Date: Thu Dec 8 19:51:51 2016 +0000
Normalize the sandbox UID/GID to 1000/1000.
* Always unshare the USER namespace (Yes, I know this is scary, but all caps are dropped by bwrap prior to exec()ing the command in the container, and PR_SET_NO_NEW_PRIVS is called). * Make the PulseAudio socket finder do the right thing when XDG_RUNTIME_DIR is set to something non-standard. * Switch the container /etc/passwd and /etc/group files to be go-bindata-ed, since they are now static. --- data/group | 1 + data/passwd | 1 + .../internal/sandbox/hugbox.go | 23 ++++++++++++---------- .../internal/sandbox/pulse.go | 7 ++++++- 4 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/data/group b/data/group
new file mode 100644
index 0000000..cbaebb5
--- /dev/null
+++ b/data/group
@@ -0,0 +1 @@
+amnesia:x:1000:
diff --git a/data/passwd b/data/passwd
new file mode 100644
index 0000000..bed4f72
--- /dev/null
+++ b/data/passwd
@@ -0,0 +1 @@
+amnesia:x:1000:1000:Debian Live User,,,:/home/amnesia:/bin/bash
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
index 0707c57..98b2ec7 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
@@ -35,7 +35,7 @@ import (
 )
 type unshareOpts struct {
-	user bool
+	// user bool
 	ipc bool
 	pid bool
 	net bool
@@ -45,9 +45,11 @@ type unshareOpts struct {
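Review bot: The `user` field is commented out rather than deleted, which leaves dead text in `unshareOpts` (and its matching `// user: true,` initializer in `newHugbox` further down) that every future reader has to reason about. Since `toArgs` no longer consults the field, remove the line outright and, if the history matters, record it in a comment on the struct: `// No user field: toArgs always creates a fresh user namespace, so it is not optional.` The struct definition continues past the end of this hunk.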
 func (u *unshareOpts) toArgs() []string {
 	var args []string
-	if u.user {
-		args = append(args, "--unshare-user-try")
-	}
+
+	// A new user namespace is created unconditionally, so that gid/uids
+	// can be normalized.
+	args = append(args, "--unshare-user")
+
 	if u.ipc {
 		args = append(args, "--unshare-ipc")
 	}
@@ -223,10 +225,11 @@ func (h *hugbox) run() (*exec.Cmd, error) {
 	if h.chdir != "" {
 		fdArgs = append(fdArgs, "--chdir", h.chdir)
 	}
-	passwdBody := fmt.Sprintf("amnesia:x:%d:%d:Debian Live User,,,:/home/amnesia:/bin/bash\n", os.Getuid(), os.Getgid())
-	groupBody := fmt.Sprintf("amnesia:x:%d:\n", os.Getgid())
-	h.file("/etc/passwd", []byte(passwdBody))
-	h.file("/etc/group", []byte(groupBody))
+
+	fdArgs = append(fdArgs, "--uid", "1000")
+	fdArgs = append(fdArgs, "--gid", "1000")
+	h.assetFile("/etc/passwd", "passwd")
+	h.assetFile("/etc/group", "group")
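Review bot: Switching from `--unshare-user-try` to `--unshare-user` means that on a host where unprivileged user namespaces are disabled and bwrap is not setuid, bwrap now refuses to start instead of quietly running without a user namespace, and nothing in this hunk or the commit message says how that failure reaches the user. The dependency is real rather than optional, because the `--uid`/`--gid` arguments added in `run()` cannot take effect without the namespace, so the comment should say so and the code that exec()s bwrap should turn that specific failure into a readable error. Suggested comment: `// --unshare-user (not -try): --uid/--gid in run() need a new user namespace, so a kernel that forbids unprivileged userns (with a non-setuid bwrap) makes bwrap fail hard rather than degrade.` Whether the exec error is already reported helpfully cannot be seen from this hunk.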
 	if h.fakeDbus {
 		h.setupDbus()
@@ -370,7 +373,7 @@ type bwrapInfo struct {
 func newHugbox() (*hugbox, error) {
 	h := &hugbox{
 		unshare: unshareOpts{
-			user: true,
+			// user: true,
 			ipc: true,
 			pid: true,
 			net: true,
@@ -379,7 +382,7 @@ func newHugbox() (*hugbox, error) {
 		},
 		hostname: "amnesia",
 		mountProc: true,
-		runtimeDir: filepath.Join("/run", "user", fmt.Sprintf("%d", os.Getuid())),
+		runtimeDir: filepath.Join("/run", "user", "1000"),
 		homeDir: "/home/amnesia",
 		pdeathSig: syscall.SIGTERM,
 		standardLibs: true,
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/pulse.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/pulse.go
index 5a005a5..6cb2ce1 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/pulse.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/pulse.go
@@ -43,7 +43,12 @@ func (h *hugbox) enablePulseAudio() error {
 	// along with the modern default locations.
 	sockPath := os.Getenv(pulseServer)
 	if sockPath == "" {
-		sockPath = filepath.Join(h.runtimeDir, "pulse", "native")
+		hostRuntimeDir := os.Getenv("XDG_RUNTIME_DIR")
+		if hostRuntimeDir == "" {
+			// Should never happen, the app requires/uses XDG_RUNTIME_DIR.
+			return fmt.Errorf("hugbox: BUG: Couldn't determine XDG_RUNTIME_DIR")
+		}
+		sockPath = filepath.Join(hostRuntimeDir, "pulse", "native")
 	} else if strings.HasPrefix(sockPath, unixPrefix) {
 		sockPath = strings.TrimPrefix(sockPath, unixPrefix)
 	} else {
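Review bot: The sandbox uid/gid `1000` is now a bare literal in three places that must stay in agreement: the `--uid`/`--gid` arguments added here in `run()`, the `runtimeDir` path in `newHugbox`, and the static `data/passwd`/`data/group` assets that `assetFile` maps in. A single package constant makes that coupling visible to whoever changes one of them: `const sandboxUID = "1000" // must match data/passwd and data/group` and then `fdArgs = append(fdArgs, "--uid", sandboxUID, "--gid", sandboxUID)`, with `filepath.Join("/run", "user", sandboxUID)` in `newHugbox`. `run()` both starts and ends outside this hunk.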
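Review bot: The host runtime directory is read from the environment a second time here even though, per the added comment, the application already requires `XDG_RUNTIME_DIR` elsewhere; now that `h.runtimeDir` is the fixed in-sandbox `/run/user/1000`, the host-versus-sandbox distinction is better carried as a field than rediscovered with another `os.Getenv`. A `hostRuntimeDir` field populated once where that requirement is enforced would reduce this branch to `sockPath = filepath.Join(h.hostRuntimeDir, "pulse", "native")` and remove the "should never happen" path. If the `Errorf` stays, Go error strings are conventionally lowercase and unpunctuated: `return fmt.Errorf("hugbox: BUG: couldn't determine XDG_RUNTIME_DIR")`. Whether the resulting path is checked to be a unix socket before it is bound into the sandbox is not visible in this hunk, and `enablePulseAudio` begins and ends outside it.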