[tor-commits] [sandboxed-tor-browser/master] Re-enable normalizing UID/GID on systems that support it.

yawning at torproject.org yawning at torproject.org
Fri Dec 9 01:25:01 UTC 2016


commit 1f82276f539a9033f6c80dd94f1b77749fa6504c
Author: Yawning Angel <yawning at schwanenlied.me>
Date:   Fri Dec 9 01:23:56 2016 +0000

    Re-enable normalizing UID/GID on systems that support it.
    
    USER_NS considered harmful, but if the user is running a kernel that
    supports it, use it.
---
 .../internal/sandbox/hugbox.go                     | 49 +++++++++++++++-------
 1 file changed, 34 insertions(+), 15 deletions(-)

diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
index c52c879..bbc4333 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
@@ -71,26 +71,27 @@ type hugbox struct {
 	cmd     string
 	cmdArgs []string
 
-	hostname   string
-	runtimeDir string
-	homeDir    string
-	chdir      string
-	mountProc  bool
-	unshare    unshareOpts
-	stdin      io.Reader
-	stdout     io.Writer
-	stderr     io.Writer
-	seccompFn  func(*os.File) error
-	pdeathSig  syscall.Signal
+	hostname  string
+	homeDir   string
+	chdir     string
+	mountProc bool
+	unshare   unshareOpts
+	stdin     io.Reader
+	stdout    io.Writer
+	stderr    io.Writer
+	seccompFn func(*os.File) error
+	pdeathSig syscall.Signal
 
 	fakeDbus     bool
 	standardLibs bool
 
-	// Internal options, not to be modified except via helpers, unless you
+	// Internal options, not to be *modified* except via helpers, unless you
 	// know what you are doing.
 	bwrapPath string
 	args      []string
 	fileData  [][]byte
+
+	runtimeDir string // Set at creation time.
 }
 
 func (h *hugbox) setenv(k, v string) {
@@ -224,8 +225,17 @@ func (h *hugbox) run() (*exec.Cmd, error) {
 	if h.chdir != "" {
 		fdArgs = append(fdArgs, "--chdir", h.chdir)
 	}
-	passwdBody := fmt.Sprintf("amnesia:x:%d:%d:Debian Live User,,,:/home/amnesia:/bin/bash\n", os.Getuid(), os.Getgid())
-	groupBody := fmt.Sprintf("amnesia:x:%d:\n", os.Getgid())
+
+	uid, gid := os.Getuid(), os.Getgid()
+	if h.unshare.user {
+		uid, gid = 1000, 1000
+		fdArgs = append(fdArgs, []string{
+			"--uid", "1000",
+			"--gid", "1000",
+		}...)
+	}
+	passwdBody := fmt.Sprintf("amnesia:x:%d:%d:Debian Live User,,,:/home/amnesia:/bin/bash\n", uid, gid)
+	groupBody := fmt.Sprintf("amnesia:x:%d:\n", gid)
 	h.file("/etc/passwd", []byte(passwdBody))
 	h.file("/etc/group", []byte(groupBody))
 
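Review bot: The sandbox identity 1000 is spelled out as a literal four times in this commit — the `uid, gid = 1000, 1000` assignment, the `"--uid", "1000"` / `"--gid", "1000"` bwrap arguments here, and `"/run/user/1000"` in the newHugbox hunk — so the /etc/passwd entry, the bwrap mapping and the XDG runtime directory can silently drift apart the next time one of them is edited. A single named constant next to the hugbox type, e.g. `// sandboxUID is the normalized uid/gid presented inside the user namespace.` followed by `const sandboxUID = 1000`, would tie them together and document why 1000 was chosen. Note also that `--uid`/`--gid` are only meaningful once the user namespace is actually unshared; this hunk relies on `h.unshare.user` being translated into `--unshare-user` elsewhere, which is not visible here. The body of run() starts and ends outside the hunk.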
@@ -371,7 +381,7 @@ type bwrapInfo struct {
 func newHugbox() (*hugbox, error) {
 	h := &hugbox{
 		unshare: unshareOpts{
-			user:   false, // No point, not enough USER_NS support.
+			user:   false,
 			ipc:    true,
 			pid:    true,
 			net:    true,
@@ -386,6 +396,15 @@ func newHugbox() (*hugbox, error) {
 		standardLibs: true,
 	}
 
+	// This option is considered dangerous and leads to things like
+	// CVE-2016-8655.  But if the user is running with this enabled,
+	// then might as well take advantage of it.
+	if FileExists("/proc/self/ns/user") {
+		Debugf("sandbox: User namespace support detected.")
+		h.unshare.user = true
+		h.runtimeDir = "/run/user/1000"
+	}
+
 	// Look for the bwrap binary in sensible locations.
 	bwrapPaths := []string{
 		"/usr/bin/bwrap",


