[launcherlib] Add checks for invoker. Fixes JB#52956

Check that caller is from the same namespace as the booster and the calling binary is /usr/bin/invoker. Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
5 years ago · 88bf4689e4
parent 3c56c25256
commit 88bf4689e4
3 changed files with 104 additions and 2 deletions
--- a/src/launcherlib/booster.cpp
+++ b/src/launcherlib/booster.cpp
@ -58,6 +58,7 @@ Booster::Booster() :
    m_spaceAvailable(0),
    m_bootMode(false)
 {
+    Connection::setMountNamespace(Connection::getMountNamespace(getpid()));
 }

 Booster::~Booster()
@ -236,8 +237,15 @@ bool Booster::receiveDataFromInvoker(int socketFd)
    // Accept a new invocation.
    if (m_connection->accept(m_appData))
    {
+        // Check that the caller is allowed to invoke apps
+        if (!m_connection->isPermitted())
+        {
+            m_connection->close();
+            return false;
+        }
+
        // Receive application data from the invoker
-        if(!m_connection->receiveApplicationData(m_appData))
+        if (!m_connection->receiveApplicationData(m_appData))
        {
            m_connection->close();
            return false;
--- a/src/launcherlib/connection.cpp
+++ b/src/launcherlib/connection.cpp
@ -23,6 +23,8 @@
 #include <sys/socket.h>
 #include <sys/un.h>       /* for getsockopt */
 #include <sys/stat.h>     /* for chmod */
+#include <limits.h>
+#include <sstream>
 #include <cstring>
 #include <cstdlib>
 #include <cerrno>
@ -30,6 +32,10 @@
 #include <stdexcept>
 #include <sys/syslog.h>

+#define INVOKER_PATH "/usr/bin/invoker"
+
+std::pair<dev_t, ino_t> Connection::s_mntNS = std::pair<dev_t, ino_t>();
+
 Connection::Connection(int socketFd, bool testMode) :
        m_testMode(testMode),
        m_fd(-1),
@ -71,7 +77,7 @@ int Connection::getFd() const
    return m_fd;
 }

-bool Connection::accept(AppData* appData)
+bool Connection::accept(AppData*)
 {
    if (!m_testMode)
    {
@ -105,6 +111,47 @@ void Connection::close()
    }
 }

+
+bool Connection::isPermitted()
+{
+    // Check that caller is in the same namespace and it is invoker
+    // and not something else. This is done to avoid sandboxed app
+    // that sees the socket from escaping the sandbox through booster
+    if (m_fd != -1)
+    {
+        pid_t pid = peerPid();
+        if (pid == 0)
+        {
+            Logger::logError("Connection: %s: getting peer pid failed", __FUNCTION__);
+        }
+        else
+        {
+            // There is a possibility for a race here: if caller can exit
+            // and then invoke a process with the correct binary path and
+            // pid at the right time they could fool us
+
+            if (!s_mntNS.first || getMountNamespace(pid) != s_mntNS)
+            {
+                Logger::logWarning("Connection: %s: invocation from %s (%d) came from different namespace", __FUNCTION__, getExecutablePath(pid), pid);
+            }
+            else
+            {
+                std::string executablePath = getExecutablePath(pid);
+                if (executablePath != INVOKER_PATH)
+                {
+                    Logger::logWarning("Connection: %s: executable %s (%d) is not invoker", __FUNCTION__, executablePath, pid);
+                }
+                else
+                {
+                    Logger::logDebug("Connection: %s: invoker (%d) called, allowing", __FUNCTION__, pid);
+                    return true;
+                }
+            }
+        }
+    }
+    return false;
+}
+
 bool Connection::sendMsg(uint32_t msg)
 {
    if (!m_testMode)
@ -545,3 +592,37 @@ pid_t Connection::peerPid()
    return cr.pid;

 }
+
+void Connection::setMountNamespace(std::pair<dev_t, ino_t> mntNS)
+{
+    s_mntNS = mntNS;
+}
+
+std::pair<dev_t, ino_t> Connection::getMountNamespace(pid_t pid)
+{
+    struct stat sb;
+    std::ostringstream path;
+    path << "/proc/" << pid << "/ns/mnt";
+    if (stat(path.str().c_str(), &sb) == -1)
+    {
+        Logger::logError("Connection: %s: stat failed for pid %d: %s", __FUNCTION__, pid, strerror(errno));
+        return std::pair<dev_t, ino_t>();
+    }
+    return std::pair<dev_t, ino_t>(sb.st_dev, sb.st_ino);
+}
+
+std::string Connection::getExecutablePath(pid_t pid)
+{
+    std::ostringstream path;
+    char exe[PATH_MAX];
+    ssize_t len;
+    static_assert(sizeof(INVOKER_PATH) < sizeof(exe));
+    path << "/proc/" << pid << "/exe";
+    len = readlink(path.str().c_str(), exe, sizeof(exe));
+    if (len < 0 || len >= sizeof(exe))
+    {
+        Logger::logError("Connection: %s: readlink failed for pid %d: %s", __FUNCTION__, pid, strerror(errno));
+        return std::string();
+    }
+    return std::string(exe, len);
+}
--- a/src/launcherlib/connection.h
+++ b/src/launcherlib/connection.h
@ -83,6 +83,15 @@ public:
    //! \brief Send application exit value 
    bool sendExitValue(int value);

+    //! \brief Check if caller is permitted to invoke apps
+    bool isPermitted();
+
+    //! \brief Get device id and inode number pair of a mount namespace
+    static std::pair<dev_t, ino_t> getMountNamespace(pid_t pid);
+
+    //! \brief Set required mount namespace for invoker processes
+    static void setMountNamespace(std::pair<dev_t, ino_t> mntNS);
+
 private:

    /*! \brief Receive actions.
@ -132,6 +141,9 @@ private:
    //! Send process pid
    bool sendPid(pid_t pid);

+    //! Helper method: Get executable path for pid
+    static std::string getExecutablePath(pid_t pid);
+
    //! Send message to a socket. This is a virtual to help unit testing.
    virtual bool sendMsg(uint32_t msg);

@ -160,6 +172,7 @@ private:
    gid_t    m_gid;
    uid_t    m_uid;

+    static std::pair<dev_t, ino_t> s_mntNS;

 #ifdef UNIT_TEST
    friend class Ut_Connection;