From 7a2cef31daa66f032965349a571811c6281ed007 Mon Sep 17 00:00:00 2001 From: Simon Fels Date: Tue, 3 Jan 2017 09:11:10 +0100 Subject: [PATCH] Run container as unprivileged for enhanced security On the Android side this requires no change with the current setup. --- src/anbox/container/lxc_container.cpp | 44 ++++++++++++++++++- src/anbox/container/lxc_container.h | 5 ++- .../container/management_api_skeleton.cpp | 2 - src/anbox/container/service.cpp | 2 +- 4 files changed, 47 insertions(+), 6 deletions(-) diff --git a/src/anbox/container/lxc_container.cpp b/src/anbox/container/lxc_container.cpp index 4d959f16..3b5c39eb 100644 --- a/src/anbox/container/lxc_container.cpp +++ b/src/anbox/container/lxc_container.cpp @@ -35,7 +35,8 @@ namespace fs = boost::filesystem; namespace anbox { namespace container { -LxcContainer::LxcContainer() : state_(State::inactive), container_(nullptr) { +LxcContainer::LxcContainer(const network::Credentials &creds) + : state_(State::inactive), container_(nullptr), creds_(creds) { utils::ensure_paths({ config::container_config_path(), config::log_path(), }); @@ -49,6 +50,32 @@ LxcContainer::~LxcContainer() { if (container_) lxc_container_put(container_); } +void LxcContainer::setup_id_maps() { + const auto base_id = 100000; + const auto max_id = 65536; + set_config_item("lxc.id_map", + utils::string_format("u 0 %d %d", base_id, creds_.uid() - 1)); + set_config_item("lxc.id_map", + utils::string_format("g 0 %d %d", base_id, creds_.gid() - 1)); + + // We need to bind the user id for the one running the client side + // process as he is the owner of various socket files we bind mount + // into the container. + set_config_item("lxc.id_map", + utils::string_format("u %d %d 1", creds_.uid(), creds_.uid())); + set_config_item("lxc.id_map", + utils::string_format("g %d %d 1", creds_.gid(), creds_.gid())); + + set_config_item("lxc.id_map", + utils::string_format("u %d %d %d", creds_.uid() + 1, + base_id + creds_.uid() + 1, + max_id - creds_.uid() - 1)); + set_config_item("lxc.id_map", + utils::string_format("g %d %d %d", creds_.uid() + 1, + base_id + creds_.gid() + 1, + max_id - creds_.gid() - 1)); +} + void LxcContainer::start(const Configuration &configuration) { if (getuid() != 0) BOOST_THROW_EXCEPTION( @@ -128,7 +155,20 @@ void LxcContainer::start(const Configuration &configuration) { set_config_item("lxc.aa_profile", "unconfined"); #endif - for (const auto &bind_mount : configuration.bind_mounts) { + setup_id_maps(); + + auto bind_mounts = configuration.bind_mounts; + + // Extra bind-mounts for user-namespace setup + bind_mounts.insert({"/dev/console", "dev/console"}); + bind_mounts.insert({"/dev/full", "dev/full"}); + bind_mounts.insert({"/dev/null", "dev/null"}); + bind_mounts.insert({"/dev/random", "dev/random"}); + bind_mounts.insert({"/dev/tty", "dev/tty"}); + bind_mounts.insert({"/dev/urandom", "dev/urandom"}); + bind_mounts.insert({"/dev/zero", "dev/zero"}); + + for (const auto &bind_mount : bind_mounts) { std::string create_type = "file"; if (fs::is_directory(bind_mount.first)) create_type = "dir"; diff --git a/src/anbox/container/lxc_container.h b/src/anbox/container/lxc_container.h index 4efdd3ca..9302fad6 100644 --- a/src/anbox/container/lxc_container.h +++ b/src/anbox/container/lxc_container.h @@ -19,6 +19,7 @@ #define ANBOX_CONTAINER_LXC_CONTAINER_H_ #include "anbox/container/container.h" +#include "anbox/network/credentials.h" #include @@ -28,7 +29,7 @@ namespace anbox { namespace container { class LxcContainer : public Container { public: - LxcContainer(); + LxcContainer(const network::Credentials &creds); ~LxcContainer(); void start(const Configuration &configuration) override; @@ -37,9 +38,11 @@ class LxcContainer : public Container { private: void set_config_item(const std::string &key, const std::string &value); + void setup_id_maps(); State state_; lxc_container *container_; + network::Credentials creds_; }; } // namespace container } // namespace anbox diff --git a/src/anbox/container/management_api_skeleton.cpp b/src/anbox/container/management_api_skeleton.cpp index f231a44e..6c669c13 100644 --- a/src/anbox/container/management_api_skeleton.cpp +++ b/src/anbox/container/management_api_skeleton.cpp @@ -59,8 +59,6 @@ void ManagementApiSkeleton::start_container( utils::string_format("Failed to start container: %s", err.what())); } - DEBUG(""); - done->Run(); } } // namespace container diff --git a/src/anbox/container/service.cpp b/src/anbox/container/service.cpp index 8df6b529..86ca5abe 100644 --- a/src/anbox/container/service.cpp +++ b/src/anbox/container/service.cpp @@ -77,7 +77,7 @@ void Service::new_client( auto pending_calls = std::make_shared(); auto rpc_channel = std::make_shared(pending_calls, messenger); auto server = std::make_shared( - pending_calls, std::make_shared()); + pending_calls, std::make_shared(messenger->creds())); auto processor = std::make_shared( messenger, pending_calls, server); -- GitLab