1162 Commits (4f57437ce1fc18c303710cd2e221c3e53fd8628e)
 

Author SHA1 Message Date
Bart Ribbers 4f57437ce1
Add pkgconfig file
Without it, -lapplauncherd is undefined and it cannot be used to
compile other applications with it. I needed this to get
mapplauncherd-qt to compile
4 years ago
Raine Makelainen 51abc464b7 Bump version 4 years ago
Simo Piiroinen 402d9fde2f
Merge pull request #2 from sailfishos/jb53844_sandboxed_boosters
Sandboxed application boosters
4 years ago
Simo Piiroinen 833b551af1 [mapplauncherd] Sandboxed application boosters. JB#53844 OMP#JOLLA-43
When booster is executing in sandbox as an application booster, it
needs to verify that command line received from invoker matches
Exec line in application desktop file, application launch is allowed,
and permissions granted are as was expected at the time of booster
launch.

Provide booster-generic@.service that can be used for instantiating
sandboxed application boosters.

D-Bus ipc with sailjaild is modified version of similar code in
sailjailclient. The biggest difference is that this version uses
private connection via libdbus to avoid leaving stray dbus connections
or threads behind when transferring control to application code
without use of exec*() functions.

Remove cap_sys_ptrace from booster executable as it makes it impossible
to run the booster within a no-new-privs sandbox.

Fix socket passing from booster instance to booster daemon so that it
works also when invoker is running in different namespace than booster
instance (invoker pid might be unresolvable).

Replace ad-hoc booster argument parsing with getopt_long().

Fix issues with argv handling: using const pointers for non-const
data, passing data by reference between objects that might have
different lifespans and never releasing the dynamically allocated
arrays.

Fix issues with env passing: duplicating invoker env at booster
side as-is can lead to problems like loss of custom session
bus socket address that has been set up by firejail.

If booster bumps into command read problems, bail out immediately
instead of relying on out-of-sequence data possibly triggering
exit due to unknown commands.

As an enabler for sharing code between invoker (written in c) and
daemon (written in c++), modify Logger class used by c++ code so
that it is just a wrapper for logging functionality used by invoker.

Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
4 years ago
Simo Piiroinen f24871adb2 Revert "[launcherlib] Add checks for invoker"
This reverts commit 88bf4689e4.
4 years ago
Tomi Leppänen 254e3d1493 Merge branch 'cmake' into 'master'
Fix CMake issues

See merge request mer-core/mapplauncherd!17
5 years ago
Simo Piiroinen 15f235ff24 Version to 4.2.1
Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
5 years ago
spiiroin 59ebf7cd70 Merge branch 'jb53845_peer_exit' into 'master'
Avoid using signals for peer termination

See merge request mer-core/mapplauncherd!32
5 years ago
Simo Piiroinen 1a3ec406de [mapplauncherd] Avoid using signals for peer termination. Fixes JB#53845 OMP#JOLLA-44
Invoker and booster instance make up a process pair that are meant to exit
at the same time. To arrange this a) when invoker is about to exit, it sends
a terminating signal to booster instance, and b) when booster instance
exits, booster daemon sends a terminating signal to invoker. Overall this
has worked well enough - save some hiccups from potential race conditions -
but it is not compatible with setup where invoker and booster daemon are
running in different namespaces and sending signals is not possible.

There is already a unix domain socket that is kept open for the lifetime of
boosted application - used for transferring application information from
invoker to booster daemon during startup and exit status from booster daemon
to invoker at exit time. This socket can be utilized also for detecting when
peer process exits.

Normally when application (booster instance) exits, booster daemon receives
SIGCHLD, collects application exit reason, forwards it to invoker via
booster socket, and invoker then makes exit with the same exit status as
what application used.

Augment this by having booster daemon watch over booster sockets and
terminate booster instance upon eof on socket. This accomplishes that
application gets killed if/when invoker dies.

Additionally all booster instances are terminated if booster daemon exits
due to SIGTERM.

In general, instead of simply closing booster socket at each end at exit
time, an orderly disconnect is done via: shutdown write end of the socket,
read data until eof is received, then close socket. If this is accomplished
successfully within reasonable time limit, there is no need to send signals
- both peers know that the other end is going to make an appropriate exit.

Previously booster daemon and invoker made an attempt to reproduce
application getting killed by some signal such as SIGSEGV also at the
invoker side. As this produces false positive crash reports and complicates
things (some of the signals are terminal and can't be handled in
asynchronous manner) this is no longer done - only standard TERM and KILL
signals are used for terminating peers and even then it is done as a last
resort.

Invoker signal handler used non async signal safe functions, those
have been removed.

To ease ad-hoc debugging, logging is automatically switched from syslog to
stderr when booster/invoker is executed from interactive command line.

Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
5 years ago
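The orderly disconnect described in the commit message above, as an added example that is not part of mapplauncherd's own code: both peers talk over a socketpair, the booster-daemon side runs in a forked child, and the 1000 ms poll timeout and the one-byte exit-status framing are assumptions of this sketch.

```c
#include <poll.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
/* Read until the peer's EOF (its shutdown(SHUT_WR)) or timeout_ms of silence.
 * Returns 1 on EOF, 0 on timeout/error; keeps the first payload byte if asked. */
static int drain_until_eof(int fd, int timeout_ms, unsigned char *first_byte)
{
    unsigned char buf[64];
    for (;;) {
        struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
        if (poll(&pfd, 1, timeout_ms) <= 0) return 0; /* peer not cooperating: signals are the last resort */
        ssize_t n = read(fd, buf, sizeof buf);
        if (n <= 0) return n == 0;                    /* 0 is EOF, negative is an error */
        if (first_byte) { *first_byte = buf[0]; first_byte = NULL; }
    }
}
/* Booster daemon: take application info, report exit status when the
 * application is done, then shutdown / drain / close. EOF here means the invoker died. */
static void daemon_side(int fd, unsigned char exit_status)
{
    unsigned char info[64];
    (void)read(fd, info, sizeof info);
    (void)write(fd, &exit_status, 1);
    shutdown(fd, SHUT_WR);
    drain_until_eof(fd, 1000, NULL);
    close(fd);
}
/* Invoker: send application info, announce exit via SHUT_WR, read until EOF
 * picking up the status byte. Returns that status, or -1 if no clean EOF arrived. */
static int invoker_side(int fd)
{
    static const char info[] = "exec=/usr/bin/example-app";  /* constructed sample */
    unsigned char status = 0;
    if (write(fd, info, sizeof info) != (ssize_t)sizeof info) return -1;
    shutdown(fd, SHUT_WR);
    int clean = drain_until_eof(fd, 1000, &status);
    close(fd);
    return clean ? (int)status : -1;
}
/* Both peers over a socketpair, daemon in a forked child; yields the status the invoker learned. */
int run_demo(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) { close(sv[0]); daemon_side(sv[1], 42); _exit(0); }
    close(sv[1]);
    int status = invoker_side(sv[0]);
    waitpid(pid, NULL, 0);
    return status;
}
```

Because each side shuts down its write end before draining, neither peer needs a signal to learn the other is exiting; a poll timeout is the only case where the old signal path would still be needed.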
Simo Piiroinen dbd90c880e Version to 4.2.0
Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
5 years ago
spiiroin 1137a3ba4b Merge branch 'jb53864_socket_paths' into 'master'
Adjust booster socket paths

See merge request mer-core/mapplauncherd!31
5 years ago
Simo Piiroinen 23846d0db4 [mapplauncherd] Adjust booster socket paths. Fixes JB#53864 OMP#JOLLA-39
Having all booster sockets reside at the same level in /run/user
directory structure makes it difficult to limit what boosters
sandboxed applications have access to.

Move socket files to booster specific sub-directories. And as an enabler
for sandboxed boosters, add another sub-directory level that can be used
for identifying application specific boosters.

As an example, silica-qt booster socket file path changes from

  /run/user/UID/mapplauncherd/silica-qt5

to

  /run/user/UID/mapplauncherd/_default/silica-qt5/socket

and sandboxed silica-qt5 booster for application APP would use

  /run/user/UID/mapplauncherd/_APP/silica-qt5/socket

Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
5 years ago
Simo Piiroinen 66db6e7063 [mapplauncherd] Cleanup compilation warnings
Comparing signed vs unsigned integers.

Unused static data.

Questionable variable declarations.

Const correctness issues.

Unchecked socket and pipe i/o.

Unchecked chdir() call.

String sender that silently skips null strings while protocol does
not make it possible for receiver to detect such omissions.

Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com>
5 years ago
Bart Ribbers 75aafafa6e
Respect GNUInstallDirs
This allows packagers to set the proper directories to install stuff
to using CMAKE_INSTALL_PREFIX, CMAKE_INSTALL_LIBDIR, etc.

Also make installing systemd unit files optional, for systems without
systemd, but enable them by default
5 years ago
Bart Ribbers 87e8190d44
Make CMake respect current source dir when generating docs 5 years ago
Bart Ribbers be365526e7
Fix the install rules for executables 5 years ago
Bart Ribbers e5707b8f3f
Fix linking to systemd when elogind is used instead
This is mainly useful for non-glibc systems. Yes, systemd doesn't even run
on non-glibc systems, but elogind does and this way it links to both systemd
and elogind.

However due to switching the way we link to systemd, we now also make
sure systemd is actually installed on the system before we even try to
compile, thus preventing compiler errors when systemd isn't present.
5 years ago
Tomi Leppänen 9970c11190 Merge branch 'jb53620' into 'master'
Add checks for invoker, v2

See merge request mer-core/mapplauncherd!30
5 years ago
Tomi Leppänen 82acc16141 [mapplauncherd] Drop capabilities before launching process. Contributes to JB#53620
Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
5 years ago
Tomi Leppänen 338e69d20f [mapplauncherd] Set CAP_SYS_PTRACE to allow reading /proc/pid/exe. Fixes JB#53620
All other boosters must be changed as well.

Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
5 years ago
Tomi Leppänen 3cb9c45c41 [launcherlib] Add checks for invoker. Fixes JB#52956
Check that caller is from the same namespace as the booster and the
calling binary is /usr/bin/invoker.

Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
5 years ago
Raine Makelainen 92d182de05 Merge branch 'jb53620' into 'master'
[launcherlib] Revert: Add checks for invoker. JB#53620

See merge request mer-core/mapplauncherd!29
5 years ago
Raine Makelainen 75c156112a [launcherlib] Revert: Add checks for invoker. JB#53620
This reverts commit 88bf4689e4.
5 years ago
Tomi Leppänen b7de66d551 Merge branch 'jb52956_plug_the_hole' into 'master'
[launcherlib] Add checks for invoker. Fixes JB#52956

See merge request mer-core/mapplauncherd!28
5 years ago
Tomi Leppänen 88bf4689e4 [launcherlib] Add checks for invoker. Fixes JB#52956
Check that caller is from the same namespace as the booster and the
calling binary is /usr/bin/invoker.

Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
5 years ago
Tomi Leppänen 3c56c25256 Merge branch 'jb53097_simple_fix' into 'master'
[launcherlib] Correct single instance code for QML apps. Contributes to JB#53159

See merge request mer-core/mapplauncherd!27
5 years ago
Tomi Leppänen d2ee6f8617 [launcherlib] Correct single instance code for QML apps. Contributes to JB#53097
This makes sure that we retain the behaviour we had before for
non-sandboxed apps. This is done to ensure that locking uses appName()
when using for example QML based applications.

Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
5 years ago
Tomi Leppänen 46a89c4705 Fix changelog date 5 years ago
pvuorela 4fd919ca0e Merge branch 'musl' into 'master'
Fix Musl incompatibilities

See merge request mer-core/mapplauncherd!16
5 years ago
Bart Ribbers 6d31938929 Fix Musl incompatibilities
Without including libgen.h, basename is not available on Musl.
sourceArgv[0] is a const char* which cannot be converted to char*, so
cast it instead.
RTLD_DEEPBIND is not available on Musl, only on glibc (since 2.3.4).
ARG_MAX is already defined so it has to be renamed.
Even according to glibc itself, <bits/socket.h> should never be included
directly and <sys/socket.h> should, which is already done anyway.
5 years ago
Tomi Leppänen c2324d1984 Merge branch 'jb52187_sandboxed_cgroups' into 'master'
[launcherlib] Set cgroups of sandboxed apps correctly. Fixes JB#52187

See merge request mer-core/mapplauncherd!25
5 years ago
Tomi Leppänen 26c5406e63 [launcherlib] Set cgroups of sandboxed apps correctly. Fixes JB#52187
Separate cgroups of sandboxed apps. Previously they were all put in the
same group; with this change they are in separate groups.

Looking at invoker.c appName and fileName are the same and can be used
interchangeably.

Also change --desktop-file to have a bit more accurate description.

Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
5 years ago
Tomi Leppänen 7091378e7d Merge branch 'jb52491_fix' into 'master'
[launcherlib] Use actual application name for sailjail'd apps. Fixes JB#52491

See merge request mer-core/mapplauncherd!24
5 years ago
Tomi Leppänen 5ae55df59e [launcherlib] Use actual application name for sailjail'd apps. Fixes JB#52491
Applications launched via sailjail have their appName set to
/usr/bin/sailjail and that is used to set single instance lock. That
results in not being able to launch multiple different applications
simultaneously via mapplauncher. Mitigate this by using actual
application name for single instance lock.

This implements a very simple way of deducing the application binary
path from sailjail's arguments. It works for most cases and the
remaining cases can be worked around.

Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
5 years ago
Niels Breet 1b1d2c3798 Merge branch 'jb49681' into 'master'
[aarch64] Use macros, not hardcoded paths. Contributes to JB#49681

See merge request mer-core/mapplauncherd!21
6 years ago
Niels Breet e4cc3b8f79 [aarch64] Use macros, not hardcoded paths. Contributes to JB#49681 6 years ago
pvuorela 72f487f73a Merge branch 'master' into 'master'
[Packaging] Remove python2 requires

See merge request mer-core/mapplauncherd!20
6 years ago
Chupligin Sergey ef26653ca6 [Packaging] Remove python2 requires 6 years ago
Andrew Branson 3c78ac5d94 Merge branch 'jb49488' into 'master'
[priv] isPrivileged should return true if the file is listed with no privileges. JB#49488

See merge request mer-core/mapplauncherd!19
6 years ago
Andrew Branson e907e276f2 [priv] isPrivileged should return true if the file is listed with no privileges. JB#49488
Also remove leftover m_privileges member from Booster.
6 years ago
Andrew Branson 02bba3a3c6 Merge branch 'jb49488' into 'master'
[booster] Expose privilege values for use. JB#49488

See merge request mer-core/mapplauncherd!18
6 years ago
Andrew Branson a8dea6a958 [booster] Expose privilege values for use. JB#49488 6 years ago
Raine Makelainen 7e93b143a1 Merge branch 'jb49088' into 'master'
[booster] Always drop extra groups for non-privileged apps. Fixes JB#49088

See merge request mer-core/mapplauncherd!14
6 years ago
Igor Zhbanov 294cd4d37c [booster] Always drop extra groups for non-privileged apps. Fixes JB#49088
Don't trust UID/GID received from untrusted invoker request when deciding
whether to drop extra groups for non-privileged apps. The application's
rights should depend only on the stated application's privileges and not
on the caller's process rights.

Drop setuid() because the boosters are launched under "nemo" user ID in
user session.

Signed-off-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
6 years ago
Raine Makelainen f84e8e15e0 Bump version to 4.1.31 6 years ago
Raine Makelainen 16c9749dd6 Merge branch 'jb48847' into 'master'
[booster] Drop privileged SGID for non-privileged apps. Fixes JB#48847

See merge request mer-core/mapplauncherd!13
6 years ago
Igor Zhbanov b62ef0d2d4 [booster] Drop privileged SGID for non-privileged apps. Fixes JB#48847
Under Linux, setgid() is implemented like the POSIX version with the
_POSIX_SAVED_IDS feature. That means that after "setgid(nemo)" SGID
will be set to "privileged" instead of "nemo". So "setresuid()" is used
instead.

Signed-off-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
6 years ago
Andrew den Exter 6912348d5a Merge branch 'jb44214' into 'master'
[booster] Check for execute permissions before invoking a process. Fixes JB#44214

See merge request mer-core/mapplauncherd!12
7 years ago
Andrew den Exter a841302207 [booster] Check for execute permissions before invoking a process. Fixes JB#44214 7 years ago
Raine Makelainen db11a3a532 Merge branch 'jb42038' into 'master'
[mapplauncherd] Add booster cgroup mount service. Fixes MER#1916

See merge request mer-core/mapplauncherd!9
7 years ago