mirror of
https://github.com/samba-team/samba.git
synced 2025-01-25 06:04:04 +03:00
f88e60644e
This fixes issues with bind compiled with jemalloc. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2922 lines
59 KiB
C
2922 lines
59 KiB
C
/*
|
|
* Copyright (c) 2009 Andrew Tridgell
|
|
* Copyright (c) 2011-2013 Andreas Schneider <asn@samba.org>
|
|
*
|
|
* This program is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "config.h"
|
|
|
|
#include <errno.h>
|
|
#include <stdarg.h>
|
|
#include <stdbool.h>
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <sys/types.h>
|
|
#include <unistd.h>
|
|
#include <grp.h>
|
|
#ifdef HAVE_SYS_SYSCALL_H
|
|
#include <sys/syscall.h>
|
|
#endif
|
|
#ifdef HAVE_SYSCALL_H
|
|
#include <syscall.h>
|
|
#endif
|
|
#include <dlfcn.h>
|
|
#include <limits.h>
|
|
|
|
#include <pthread.h>
|
|
|
|
#ifdef HAVE_GNU_LIB_NAMES_H
|
|
#include <gnu/lib-names.h>
|
|
#endif
|
|
|
|
#ifdef HAVE_GCC_THREAD_LOCAL_STORAGE
|
|
# define UWRAP_THREAD __thread
|
|
#else
|
|
# define UWRAP_THREAD
|
|
#endif
|
|
|
|
#ifdef HAVE_CONSTRUCTOR_ATTRIBUTE
|
|
#define CONSTRUCTOR_ATTRIBUTE __attribute__ ((constructor))
|
|
#else
|
|
#define CONSTRUCTOR_ATTRIBUTE
|
|
#endif /* HAVE_CONSTRUCTOR_ATTRIBUTE */
|
|
|
|
#ifdef HAVE_DESTRUCTOR_ATTRIBUTE
|
|
#define DESTRUCTOR_ATTRIBUTE __attribute__ ((destructor))
|
|
#else
|
|
#define DESTRUCTOR_ATTRIBUTE
|
|
#endif /* HAVE_DESTRUCTOR_ATTRIBUTE */
|
|
|
|
#ifdef HAVE_ADDRESS_SANITIZER_ATTRIBUTE
|
|
#define DO_NOT_SANITIZE_ADDRESS_ATTRIBUTE __attribute__((no_sanitize_address))
|
|
#else /* DO_NOT_SANITIZE_ADDRESS_ATTRIBUTE */
|
|
#define DO_NOT_SANITIZE_ADDRESS_ATTRIBUTE
|
|
#endif /* DO_NOT_SANITIZE_ADDRESS_ATTRIBUTE */
|
|
|
|
/* GCC have printf type attribute check. */
|
|
#ifdef HAVE_FUNCTION_ATTRIBUTE_FORMAT
|
|
#define PRINTF_ATTRIBUTE(a,b) __attribute__ ((__format__ (__printf__, a, b)))
|
|
#else
|
|
#define PRINTF_ATTRIBUTE(a,b)
|
|
#endif /* HAVE_FUNCTION_ATTRIBUTE_FORMAT */
|
|
|
|
#ifndef FALL_THROUGH
|
|
# ifdef HAVE_FALLTHROUGH_ATTRIBUTE
|
|
# define FALL_THROUGH __attribute__ ((fallthrough))
|
|
# else /* HAVE_FALLTHROUGH_ATTRIBUTE */
|
|
# define FALL_THROUGH
|
|
# endif /* HAVE_FALLTHROUGH_ATTRIBUTE */
|
|
#endif /* FALL_THROUGH */
|
|
|
|
#define UWRAP_DLIST_ADD(list,item) do { \
|
|
if (!(list)) { \
|
|
(item)->prev = NULL; \
|
|
(item)->next = NULL; \
|
|
(list) = (item); \
|
|
} else { \
|
|
(item)->prev = NULL; \
|
|
(item)->next = (list); \
|
|
(list)->prev = (item); \
|
|
(list) = (item); \
|
|
} \
|
|
} while (0)
|
|
|
|
#define UWRAP_DLIST_REMOVE(list,item) do { \
|
|
if ((list) == (item)) { \
|
|
(list) = (item)->next; \
|
|
if (list) { \
|
|
(list)->prev = NULL; \
|
|
} \
|
|
} else { \
|
|
if ((item)->prev) { \
|
|
(item)->prev->next = (item)->next; \
|
|
} \
|
|
if ((item)->next) { \
|
|
(item)->next->prev = (item)->prev; \
|
|
} \
|
|
} \
|
|
(item)->prev = NULL; \
|
|
(item)->next = NULL; \
|
|
} while (0)
|
|
|
|
#ifndef SAFE_FREE
|
|
#define SAFE_FREE(x) do { if ((x) != NULL) {free(x); (x)=NULL;} } while(0)
|
|
#endif
|
|
|
|
/*****************
|
|
* LOGGING
|
|
*****************/
|
|
|
|
enum uwrap_dbglvl_e {
|
|
UWRAP_LOG_ERROR = 0,
|
|
UWRAP_LOG_WARN,
|
|
UWRAP_LOG_DEBUG,
|
|
UWRAP_LOG_TRACE
|
|
};
|
|
|
|
#ifndef HAVE_GETPROGNAME
|
|
static const char *getprogname(void)
|
|
{
|
|
#if defined(HAVE_PROGRAM_INVOCATION_SHORT_NAME)
|
|
return program_invocation_short_name;
|
|
#elif defined(HAVE_GETEXECNAME)
|
|
return getexecname();
|
|
#else
|
|
return NULL;
|
|
#endif /* HAVE_PROGRAM_INVOCATION_SHORT_NAME */
|
|
}
|
|
#endif /* HAVE_GETPROGNAME */
|
|
|
|
static void uwrap_log(enum uwrap_dbglvl_e dbglvl, const char *function, const char *format, ...) PRINTF_ATTRIBUTE(3, 4);
|
|
# define UWRAP_LOG(dbglvl, ...) uwrap_log((dbglvl), __func__, __VA_ARGS__)
|
|
|
|
static void uwrap_log(enum uwrap_dbglvl_e dbglvl, const char *function, const char *format, ...)
|
|
{
|
|
char buffer[1024];
|
|
va_list va;
|
|
const char *d;
|
|
unsigned int lvl = 0;
|
|
const char *prefix = "UWRAP";
|
|
const char *progname = getprogname();
|
|
|
|
d = getenv("UID_WRAPPER_DEBUGLEVEL");
|
|
if (d != NULL) {
|
|
lvl = atoi(d);
|
|
}
|
|
|
|
if (lvl < dbglvl) {
|
|
return;
|
|
}
|
|
|
|
va_start(va, format);
|
|
vsnprintf(buffer, sizeof(buffer), format, va);
|
|
va_end(va);
|
|
|
|
switch (dbglvl) {
|
|
case UWRAP_LOG_ERROR:
|
|
prefix = "UWRAP_ERROR";
|
|
break;
|
|
case UWRAP_LOG_WARN:
|
|
prefix = "UWRAP_WARN";
|
|
break;
|
|
case UWRAP_LOG_DEBUG:
|
|
prefix = "UWRAP_DEBUG";
|
|
break;
|
|
case UWRAP_LOG_TRACE:
|
|
prefix = "UWRAP_TRACE";
|
|
break;
|
|
}
|
|
|
|
if (progname == NULL) {
|
|
progname = "<unknown>";
|
|
}
|
|
|
|
fprintf(stderr,
|
|
"%s[%s (%u)] - %s: %s\n",
|
|
prefix,
|
|
progname,
|
|
(int)getpid(),
|
|
function,
|
|
buffer);
|
|
}
|
|
|
|
/*****************
|
|
* LIBC
|
|
*****************/
|
|
|
|
#define LIBC_NAME "libc.so"
|
|
|
|
typedef int (*__libc_setuid)(uid_t uid);
|
|
|
|
typedef uid_t (*__libc_getuid)(void);
|
|
|
|
#ifdef HAVE_SETEUID
|
|
typedef int (*__libc_seteuid)(uid_t euid);
|
|
#endif
|
|
|
|
#ifdef HAVE_SETREUID
|
|
typedef int (*__libc_setreuid)(uid_t ruid, uid_t euid);
|
|
#endif
|
|
|
|
#ifdef HAVE_SETRESUID
|
|
typedef int (*__libc_setresuid)(uid_t ruid, uid_t euid, uid_t suid);
|
|
#endif
|
|
|
|
#ifdef HAVE_GETRESUID
|
|
typedef int (*__libc_getresuid)(uid_t *ruid, uid_t *euid, uid_t *suid);
|
|
#endif
|
|
|
|
typedef uid_t (*__libc_geteuid)(void);
|
|
|
|
typedef int (*__libc_setgid)(gid_t gid);
|
|
|
|
typedef gid_t (*__libc_getgid)(void);
|
|
|
|
#ifdef HAVE_SETEGID
|
|
typedef int (*__libc_setegid)(uid_t egid);
|
|
#endif
|
|
|
|
#ifdef HAVE_SETREGID
|
|
typedef int (*__libc_setregid)(uid_t rgid, uid_t egid);
|
|
#endif
|
|
|
|
#ifdef HAVE_SETRESGID
|
|
typedef int (*__libc_setresgid)(uid_t rgid, uid_t egid, uid_t sgid);
|
|
#endif
|
|
|
|
#ifdef HAVE_GETRESGID
|
|
typedef int (*__libc_getresgid)(gid_t *rgid, gid_t *egid, gid_t *sgid);
|
|
#endif
|
|
|
|
typedef gid_t (*__libc_getegid)(void);
|
|
|
|
typedef int (*__libc_getgroups)(int size, gid_t list[]);
|
|
#ifdef HAVE___GETGROUPS_CHK
|
|
typedef int (*__libc___getgroups_chk)(int size, gid_t list[], size_t listlen);
|
|
#endif
|
|
|
|
typedef int (*__libc_setgroups)(size_t size, const gid_t *list);
|
|
|
|
#ifdef HAVE_SYSCALL
|
|
typedef long int (*__libc_syscall)(long int sysno, ...);
|
|
#endif
|
|
|
|
#define UWRAP_SYMBOL_ENTRY(i) \
|
|
union { \
|
|
__libc_##i f; \
|
|
void *obj; \
|
|
} _libc_##i
|
|
|
|
struct uwrap_libc_symbols {
|
|
UWRAP_SYMBOL_ENTRY(setuid);
|
|
UWRAP_SYMBOL_ENTRY(getuid);
|
|
#ifdef HAVE_SETEUID
|
|
UWRAP_SYMBOL_ENTRY(seteuid);
|
|
#endif
|
|
#ifdef HAVE_SETREUID
|
|
UWRAP_SYMBOL_ENTRY(setreuid);
|
|
#endif
|
|
#ifdef HAVE_SETRESUID
|
|
UWRAP_SYMBOL_ENTRY(setresuid);
|
|
#endif
|
|
#ifdef HAVE_GETRESUID
|
|
UWRAP_SYMBOL_ENTRY(getresuid);
|
|
#endif
|
|
UWRAP_SYMBOL_ENTRY(geteuid);
|
|
UWRAP_SYMBOL_ENTRY(setgid);
|
|
UWRAP_SYMBOL_ENTRY(getgid);
|
|
#ifdef HAVE_SETEGID
|
|
UWRAP_SYMBOL_ENTRY(setegid);
|
|
#endif
|
|
#ifdef HAVE_SETREGID
|
|
UWRAP_SYMBOL_ENTRY(setregid);
|
|
#endif
|
|
#ifdef HAVE_SETRESGID
|
|
UWRAP_SYMBOL_ENTRY(setresgid);
|
|
#endif
|
|
#ifdef HAVE_GETRESGID
|
|
UWRAP_SYMBOL_ENTRY(getresgid);
|
|
#endif
|
|
UWRAP_SYMBOL_ENTRY(getegid);
|
|
UWRAP_SYMBOL_ENTRY(getgroups);
|
|
#ifdef HAVE___GETGROUPS_CHK
|
|
UWRAP_SYMBOL_ENTRY(__getgroups_chk);
|
|
#endif
|
|
UWRAP_SYMBOL_ENTRY(setgroups);
|
|
#ifdef HAVE_SYSCALL
|
|
UWRAP_SYMBOL_ENTRY(syscall);
|
|
#endif
|
|
};
|
|
#undef UWRAP_SYMBOL_ENTRY
|
|
|
|
#define UWRAP_SYMBOL_ENTRY(i) \
|
|
union { \
|
|
__rtld_default_##i f; \
|
|
void *obj; \
|
|
} _rtld_default_##i
|
|
|
|
#ifdef HAVE_SYSCALL
|
|
typedef bool (*__rtld_default_socket_wrapper_syscall_valid)(long int sysno);
|
|
typedef long int (*__rtld_default_socket_wrapper_syscall_va)(long int sysno,
|
|
va_list va);
|
|
#endif
|
|
|
|
struct uwrap_rtld_default_symbols {
|
|
#ifdef HAVE_SYSCALL
|
|
UWRAP_SYMBOL_ENTRY(socket_wrapper_syscall_valid);
|
|
UWRAP_SYMBOL_ENTRY(socket_wrapper_syscall_va);
|
|
#else
|
|
uint8_t dummy;
|
|
#endif
|
|
};
|
|
#undef UWRAP_SYMBOL_ENTRY
|
|
|
|
/*****************
|
|
* LIBPTHREAD
|
|
*****************/
|
|
/* Yeah... I'm pig. I overloading macro here... So what? */
|
|
#define UWRAP_SYMBOL_ENTRY(i) \
|
|
union { \
|
|
__libpthread_##i f; \
|
|
void *obj; \
|
|
} _libpthread_##i
|
|
|
|
typedef int (*__libpthread_pthread_create)(pthread_t *thread,
|
|
const pthread_attr_t *attr,
|
|
void *(*start_routine) (void *),
|
|
void *arg);
|
|
typedef void (*__libpthread_pthread_exit)(void *retval);
|
|
|
|
struct uwrap_libpthread_symbols {
|
|
UWRAP_SYMBOL_ENTRY(pthread_create);
|
|
UWRAP_SYMBOL_ENTRY(pthread_exit);
|
|
};
|
|
#undef UWRAP_SYMBOL_ENTRY
|
|
|
|
/*
|
|
* We keep the virtualised euid/egid/groups information here
|
|
*/
|
|
struct uwrap_thread {
|
|
bool enabled;
|
|
|
|
uid_t ruid;
|
|
uid_t euid;
|
|
uid_t suid;
|
|
|
|
gid_t rgid;
|
|
gid_t egid;
|
|
gid_t sgid;
|
|
|
|
int ngroups;
|
|
gid_t *groups;
|
|
|
|
struct uwrap_thread *next;
|
|
struct uwrap_thread *prev;
|
|
};
|
|
|
|
struct uwrap {
|
|
struct {
|
|
void *handle;
|
|
struct uwrap_libc_symbols symbols;
|
|
} libc;
|
|
|
|
struct {
|
|
struct uwrap_rtld_default_symbols symbols;
|
|
} rtld_default;
|
|
|
|
struct {
|
|
void *handle;
|
|
struct uwrap_libpthread_symbols symbols;
|
|
} libpthread;
|
|
|
|
bool initialised;
|
|
|
|
/* Real uid and gid of user who run uid wrapper */
|
|
uid_t myuid;
|
|
gid_t mygid;
|
|
|
|
struct uwrap_thread *ids;
|
|
};
|
|
|
|
static struct uwrap uwrap;
|
|
|
|
/* Shortcut to the list item */
|
|
static UWRAP_THREAD struct uwrap_thread *uwrap_tls_id;
|
|
|
|
/* The mutex or accessing the id */
|
|
static pthread_mutex_t uwrap_id_mutex = PTHREAD_MUTEX_INITIALIZER;
|
|
|
|
#define uwrap_init_mutex(m) _uwrap_init_mutex(m, #m)
|
|
static int _uwrap_init_mutex(pthread_mutex_t *m, const char *name)
|
|
{
|
|
pthread_mutexattr_t ma;
|
|
bool need_destroy = false;
|
|
int ret = 0;
|
|
|
|
#define __CHECK(cmd) \
|
|
do { \
|
|
ret = cmd; \
|
|
if (ret != 0) { \
|
|
UWRAP_LOG(UWRAP_LOG_ERROR, \
|
|
"%s: %s - failed %d", \
|
|
name, \
|
|
#cmd, \
|
|
ret); \
|
|
goto done; \
|
|
} \
|
|
} while (0)
|
|
|
|
*m = (pthread_mutex_t)PTHREAD_MUTEX_INITIALIZER;
|
|
__CHECK(pthread_mutexattr_init(&ma));
|
|
need_destroy = true;
|
|
__CHECK(pthread_mutexattr_settype(&ma, PTHREAD_MUTEX_ERRORCHECK));
|
|
__CHECK(pthread_mutex_init(m, &ma));
|
|
done:
|
|
if (need_destroy) {
|
|
pthread_mutexattr_destroy(&ma);
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
#define uwrap_mutex_lock(m) _uwrap_mutex_lock(m, #m, __func__, __LINE__)
|
|
static void _uwrap_mutex_lock(pthread_mutex_t *mutex,
|
|
const char *name,
|
|
const char *caller,
|
|
unsigned line)
|
|
{
|
|
int ret;
|
|
|
|
ret = pthread_mutex_lock(mutex);
|
|
if (ret != 0) {
|
|
UWRAP_LOG(UWRAP_LOG_ERROR,
|
|
"PID(%d):PPID(%d): %s(%u): Couldn't lock pthread "
|
|
"mutex(%s) - %s",
|
|
getpid(),
|
|
getppid(),
|
|
caller,
|
|
line,
|
|
name,
|
|
strerror(ret));
|
|
abort();
|
|
}
|
|
}
|
|
|
|
#define uwrap_mutex_unlock(m) _uwrap_mutex_unlock(m, #m, __func__, __LINE__)
|
|
static void _uwrap_mutex_unlock(pthread_mutex_t *mutex,
|
|
const char *name,
|
|
const char *caller,
|
|
unsigned line)
|
|
{
|
|
int ret;
|
|
|
|
ret = pthread_mutex_unlock(mutex);
|
|
if (ret != 0) {
|
|
UWRAP_LOG(UWRAP_LOG_ERROR,
|
|
"PID(%d):PPID(%d): %s(%u): Couldn't unlock pthread "
|
|
"mutex(%s) - %s",
|
|
getpid(),
|
|
getppid(),
|
|
caller,
|
|
line,
|
|
name,
|
|
strerror(ret));
|
|
abort();
|
|
}
|
|
}
|
|
|
|
#define UWRAP_LOCK(m) \
|
|
do { \
|
|
uwrap_mutex_lock(&(m##_mutex)); \
|
|
} while (0)
|
|
|
|
#define UWRAP_UNLOCK(m) \
|
|
do { \
|
|
uwrap_mutex_unlock(&(m##_mutex)); \
|
|
} while (0)
|
|
|
|
/* Add new global locks here please */
|
|
#define UWRAP_REINIT_ALL \
|
|
do { \
|
|
int ret; \
|
|
ret = uwrap_init_mutex(&uwrap_id_mutex); \
|
|
if (ret != 0) \
|
|
exit(-1); \
|
|
} while (0)
|
|
|
|
/* Add new global locks here please */
|
|
#define UWRAP_LOCK_ALL \
|
|
do { \
|
|
UWRAP_LOCK(uwrap_id); \
|
|
} while (0)
|
|
|
|
#define UWRAP_UNLOCK_ALL \
|
|
do { \
|
|
UWRAP_UNLOCK(uwrap_id); \
|
|
} while (0)
|
|
|
|
/*********************************************************
|
|
* UWRAP PROTOTYPES
|
|
*********************************************************/
|
|
|
|
bool uid_wrapper_enabled(void);
|
|
#if ! defined(HAVE_CONSTRUCTOR_ATTRIBUTE) && defined(HAVE_PRAGMA_INIT)
|
|
/* xlC and other oldschool compilers support (only) this */
|
|
#pragma init (uwrap_constructor)
|
|
#endif
|
|
void uwrap_constructor(void) CONSTRUCTOR_ATTRIBUTE;
|
|
#if ! defined(HAVE_DESTRUCTOR_ATTRIBUTE) && defined(HAVE_PRAGMA_FINI)
|
|
#pragma fini (uwrap_destructor)
|
|
#endif
|
|
void uwrap_destructor(void) DESTRUCTOR_ATTRIBUTE;
|
|
|
|
/*********************************************************
|
|
* UWRAP LIBC LOADER FUNCTIONS
|
|
*********************************************************/
|
|
|
|
enum uwrap_lib {
|
|
UWRAP_LIBC,
|
|
UWRAP_LIBPTHREAD,
|
|
};
|
|
|
|
static void *uwrap_load_lib_handle(enum uwrap_lib lib)
|
|
{
|
|
int flags = RTLD_LAZY;
|
|
void *handle = NULL;
|
|
int i;
|
|
|
|
#ifdef RTLD_DEEPBIND
|
|
const char *env_preload = getenv("LD_PRELOAD");
|
|
const char *env_deepbind = getenv("UID_WRAPPER_DISABLE_DEEPBIND");
|
|
bool enable_deepbind = true;
|
|
|
|
/* Don't do a deepbind if we run with libasan */
|
|
if (env_preload != NULL && strlen(env_preload) < 1024) {
|
|
const char *p = strstr(env_preload, "libasan.so");
|
|
if (p != NULL) {
|
|
enable_deepbind = false;
|
|
}
|
|
}
|
|
|
|
if (env_deepbind != NULL && strlen(env_deepbind) >= 1) {
|
|
enable_deepbind = false;
|
|
}
|
|
|
|
if (enable_deepbind) {
|
|
flags |= RTLD_DEEPBIND;
|
|
}
|
|
#endif
|
|
|
|
switch (lib) {
|
|
case UWRAP_LIBC:
|
|
handle = uwrap.libc.handle;
|
|
#ifdef LIBC_SO
|
|
if (handle == NULL) {
|
|
handle = dlopen(LIBC_SO, flags);
|
|
|
|
uwrap.libc.handle = handle;
|
|
}
|
|
#endif
|
|
if (handle == NULL) {
|
|
for (i = 10; i >= 0; i--) {
|
|
char soname[256] = {0};
|
|
|
|
snprintf(soname, sizeof(soname), "libc.so.%d", i);
|
|
handle = dlopen(soname, flags);
|
|
if (handle != NULL) {
|
|
break;
|
|
}
|
|
|
|
/* glibc on Alpha and IA64 is libc.so.6.1 */
|
|
snprintf(soname, sizeof(soname), "libc.so.%d.1", i);
|
|
handle = dlopen(soname, flags);
|
|
if (handle != NULL) {
|
|
break;
|
|
}
|
|
}
|
|
|
|
uwrap.libc.handle = handle;
|
|
}
|
|
break;
|
|
case UWRAP_LIBPTHREAD:
|
|
handle = uwrap.libpthread.handle;
|
|
if (handle == NULL) {
|
|
#ifdef RTLD_NEXT
|
|
/*
|
|
* Because thread sanatizer also overloads
|
|
* pthread_create() and pthread_exit() we need use
|
|
* RTLD_NEXT instead of libpthread.so.0
|
|
*/
|
|
handle = uwrap.libpthread.handle = RTLD_NEXT;
|
|
#else
|
|
handle = dlopen("libpthread.so.0", flags);
|
|
#endif
|
|
if (handle != NULL) {
|
|
break;
|
|
}
|
|
}
|
|
break;
|
|
}
|
|
|
|
if (handle == NULL) {
|
|
#ifdef RTLD_NEXT
|
|
switch (lib) {
|
|
case UWRAP_LIBC:
|
|
handle = uwrap.libc.handle = RTLD_NEXT;
|
|
break;
|
|
case UWRAP_LIBPTHREAD:
|
|
handle = uwrap.libpthread.handle = RTLD_NEXT;
|
|
break;
|
|
}
|
|
#else
|
|
fprintf(stderr,
|
|
"Failed to dlopen library: %s\n",
|
|
dlerror());
|
|
exit(-1);
|
|
#endif
|
|
}
|
|
|
|
return handle;
|
|
}
|
|
|
|
static void *_uwrap_bind_symbol(enum uwrap_lib lib, const char *fn_name)
|
|
{
|
|
void *handle;
|
|
void *func;
|
|
|
|
handle = uwrap_load_lib_handle(lib);
|
|
|
|
func = dlsym(handle, fn_name);
|
|
if (func == NULL) {
|
|
fprintf(stderr,
|
|
"Failed to find %s: %s\n",
|
|
fn_name, dlerror());
|
|
exit(-1);
|
|
}
|
|
|
|
return func;
|
|
}
|
|
|
|
#define uwrap_bind_symbol_libc(sym_name) \
|
|
if (uwrap.libc.symbols._libc_##sym_name.obj == NULL) { \
|
|
uwrap.libc.symbols._libc_##sym_name.obj = \
|
|
_uwrap_bind_symbol(UWRAP_LIBC, #sym_name); \
|
|
}
|
|
|
|
#define uwrap_bind_symbol_libpthread(sym_name) \
|
|
if (uwrap.libpthread.symbols._libpthread_##sym_name.obj == NULL) { \
|
|
uwrap.libpthread.symbols._libpthread_##sym_name.obj = \
|
|
_uwrap_bind_symbol(UWRAP_LIBPTHREAD, #sym_name); \
|
|
}
|
|
|
|
#define uwrap_bind_symbol_rtld_default_optional(sym_name) \
|
|
if (uwrap.rtld_default.symbols._rtld_default_##sym_name.obj == NULL) { \
|
|
uwrap.rtld_default.symbols._rtld_default_##sym_name.obj = \
|
|
dlsym(RTLD_DEFAULT, #sym_name); \
|
|
}
|
|
|
|
/* JEMALLOC: This tells uid_wrapper if it should handle syscall() */
|
|
static bool uwrap_handle_syscall;
|
|
|
|
/* DO NOT call this function during library initialization! */
|
|
static void __uwrap_bind_symbol_all_once(void)
|
|
{
|
|
uwrap_bind_symbol_libc(setuid);
|
|
uwrap_bind_symbol_libc(getuid);
|
|
#ifdef HAVE_SETEUID
|
|
uwrap_bind_symbol_libc(seteuid);
|
|
#endif
|
|
#ifdef HAVE_SETREUID
|
|
uwrap_bind_symbol_libc(setreuid);
|
|
#endif
|
|
#ifdef HAVE_SETRESUID
|
|
uwrap_bind_symbol_libc(setresuid);
|
|
#endif
|
|
#ifdef HAVE_GETRESUID
|
|
uwrap_bind_symbol_libc(getresuid);
|
|
#endif
|
|
uwrap_bind_symbol_libc(geteuid);
|
|
uwrap_bind_symbol_libc(setgid);
|
|
uwrap_bind_symbol_libc(getgid);
|
|
#ifdef HAVE_SETEGID
|
|
uwrap_bind_symbol_libc(setegid);
|
|
#endif
|
|
#ifdef HAVE_SETREGID
|
|
uwrap_bind_symbol_libc(setregid);
|
|
#endif
|
|
|
|
#ifdef HAVE_SETRESGID
|
|
uwrap_bind_symbol_libc(setresgid);
|
|
#endif
|
|
#ifdef HAVE_GETRESGID
|
|
uwrap_bind_symbol_libc(setresgid);
|
|
#endif
|
|
uwrap_bind_symbol_libc(getegid);
|
|
uwrap_bind_symbol_libc(getgroups);
|
|
uwrap_bind_symbol_libc(setgroups);
|
|
#ifdef HAVE_SYSCALL
|
|
uwrap_bind_symbol_libc(syscall);
|
|
uwrap_bind_symbol_rtld_default_optional(socket_wrapper_syscall_valid);
|
|
uwrap_bind_symbol_rtld_default_optional(socket_wrapper_syscall_va);
|
|
#endif
|
|
uwrap_bind_symbol_libpthread(pthread_create);
|
|
uwrap_bind_symbol_libpthread(pthread_exit);
|
|
|
|
uwrap_handle_syscall = true;
|
|
}
|
|
|
|
static void uwrap_bind_symbol_all(void)
|
|
{
|
|
static pthread_once_t all_symbol_binding_once = PTHREAD_ONCE_INIT;
|
|
|
|
pthread_once(&all_symbol_binding_once, __uwrap_bind_symbol_all_once);
|
|
}
|
|
|
|
/*
|
|
* IMPORTANT
|
|
*
|
|
* Functions expeciall from libc need to be loaded individually, you can't load
|
|
* all at once or gdb will segfault at startup. The same applies to valgrind and
|
|
* has probably something todo with with the linker.
|
|
* So we need load each function at the point it is called the first time.
|
|
*/
|
|
static int libc_setuid(uid_t uid)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
return uwrap.libc.symbols._libc_setuid.f(uid);
|
|
}
|
|
|
|
static uid_t libc_getuid(void)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
return uwrap.libc.symbols._libc_getuid.f();
|
|
}
|
|
|
|
#ifdef HAVE_SETEUID
|
|
static int libc_seteuid(uid_t euid)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
return uwrap.libc.symbols._libc_seteuid.f(euid);
|
|
}
|
|
#endif
|
|
|
|
#ifdef HAVE_SETREUID
|
|
static int libc_setreuid(uid_t ruid, uid_t euid)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
return uwrap.libc.symbols._libc_setreuid.f(ruid, euid);
|
|
}
|
|
#endif
|
|
|
|
#ifdef HAVE_SETRESUID
|
|
static int libc_setresuid(uid_t ruid, uid_t euid, uid_t suid)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
return uwrap.libc.symbols._libc_setresuid.f(ruid, euid, suid);
|
|
}
|
|
#endif
|
|
|
|
#ifdef HAVE_GETRESUID
|
|
static int libc_getresuid(uid_t *ruid, uid_t *euid, uid_t *suid)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
return uwrap.libc.symbols._libc_getresuid.f(ruid, euid, suid);
|
|
}
|
|
#endif
|
|
|
|
static uid_t libc_geteuid(void)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
return uwrap.libc.symbols._libc_geteuid.f();
|
|
}
|
|
|
|
static int libc_setgid(gid_t gid)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
return uwrap.libc.symbols._libc_setgid.f(gid);
|
|
}
|
|
|
|
static gid_t libc_getgid(void)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
return uwrap.libc.symbols._libc_getgid.f();
|
|
}
|
|
|
|
#ifdef HAVE_SETEGID
|
|
static int libc_setegid(gid_t egid)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
return uwrap.libc.symbols._libc_setegid.f(egid);
|
|
}
|
|
#endif
|
|
|
|
#ifdef HAVE_SETREGID
|
|
static int libc_setregid(gid_t rgid, gid_t egid)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
return uwrap.libc.symbols._libc_setregid.f(rgid, egid);
|
|
}
|
|
#endif
|
|
|
|
#ifdef HAVE_SETRESGID
|
|
static int libc_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
return uwrap.libc.symbols._libc_setresgid.f(rgid, egid, sgid);
|
|
}
|
|
#endif
|
|
|
|
#ifdef HAVE_GETRESGID
|
|
static int libc_getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
return uwrap.libc.symbols._libc_getresgid.f(rgid, egid, sgid);
|
|
}
|
|
#endif
|
|
|
|
static gid_t libc_getegid(void)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
return uwrap.libc.symbols._libc_getegid.f();
|
|
}
|
|
|
|
static int libc_getgroups(int size, gid_t list[])
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
return uwrap.libc.symbols._libc_getgroups.f(size, list);
|
|
}
|
|
|
|
#ifdef HAVE___GETGROUPS_CHK
|
|
static int libc___getgroups_chk(int size, gid_t list[], size_t listlen)
|
|
{
|
|
uwrap_bind_symbol_libc(__getgroups_chk);
|
|
|
|
return uwrap.libc.symbols._libc___getgroups_chk.f(size,
|
|
list,
|
|
listlen);
|
|
}
|
|
#endif /* HAVE___GETGROUPS_CHK */
|
|
|
|
static int libc_setgroups(size_t size, const gid_t *list)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
return uwrap.libc.symbols._libc_setgroups.f(size, list);
|
|
}
|
|
|
|
#ifdef HAVE_SYSCALL
|
|
DO_NOT_SANITIZE_ADDRESS_ATTRIBUTE
|
|
static long int libc_vsyscall(long int sysno, va_list va)
|
|
{
|
|
long int args[8];
|
|
long int rc;
|
|
int i;
|
|
|
|
/*
|
|
* JEMALLOC:
|
|
*
|
|
* This is a workaround to prevent a deadlock in jemalloc calling
|
|
* malloc_init() twice. The first allocation call will trigger a
|
|
* malloc_init() of jemalloc. The functions calls syscall(SYS_open, ...)
|
|
* so it goes to socket or uid wrapper. In this code path we need to
|
|
* avoid any allocation calls. This will prevent the deadlock.
|
|
*
|
|
* We also need to avoid dlopen() as that would trigger the recursion
|
|
* into malloc_init(), so we use dlsym(RTLD_NEXT), until we reached
|
|
* swrap_constructor() or any real socket call at that time
|
|
* swrap_bind_symbol_all() will replace the function pointer again after
|
|
* dlopen of libc.
|
|
*/
|
|
if (uwrap_handle_syscall) {
|
|
uwrap_bind_symbol_all();
|
|
} else if (uwrap.libc.symbols._libc_syscall.obj == NULL) {
|
|
uwrap.libc.symbols._libc_syscall.obj = dlsym(RTLD_NEXT,
|
|
"syscall");
|
|
}
|
|
|
|
for (i = 0; i < 8; i++) {
|
|
args[i] = va_arg(va, long int);
|
|
}
|
|
|
|
rc = uwrap.libc.symbols._libc_syscall.f(sysno,
|
|
args[0],
|
|
args[1],
|
|
args[2],
|
|
args[3],
|
|
args[4],
|
|
args[5],
|
|
args[6],
|
|
args[7]);
|
|
|
|
return rc;
|
|
}
|
|
|
|
static bool uwrap_swrap_syscall_valid(long int sysno)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
if (uwrap.rtld_default.symbols._rtld_default_socket_wrapper_syscall_valid.f == NULL) {
|
|
return false;
|
|
}
|
|
|
|
return uwrap.rtld_default.symbols._rtld_default_socket_wrapper_syscall_valid.f(
|
|
sysno);
|
|
}
|
|
|
|
DO_NOT_SANITIZE_ADDRESS_ATTRIBUTE
|
|
static long int uwrap_swrap_syscall_va(long int sysno, va_list va)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
if (uwrap.rtld_default.symbols._rtld_default_socket_wrapper_syscall_va.f == NULL) {
|
|
/*
|
|
* Fallback to libc, if socket_wrapper_vsyscall is not
|
|
* available.
|
|
*/
|
|
return libc_vsyscall(sysno, va);
|
|
}
|
|
|
|
return uwrap.rtld_default.symbols._rtld_default_socket_wrapper_syscall_va.f(
|
|
sysno,
|
|
va);
|
|
}
|
|
#endif
|
|
|
|
static int libpthread_pthread_create(pthread_t *thread,
|
|
const pthread_attr_t *attr,
|
|
void *(*start_routine) (void *),
|
|
void *arg)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
return uwrap.libpthread.symbols._libpthread_pthread_create.f(thread,
|
|
attr,
|
|
start_routine,
|
|
arg);
|
|
}
|
|
|
|
/*
|
|
* This part is "optimistic".
|
|
* Thread can ends without pthread_exit call.
|
|
*/
|
|
static void libpthread_pthread_exit(void *retval)
|
|
{
|
|
uwrap_bind_symbol_all();
|
|
|
|
uwrap.libpthread.symbols._libpthread_pthread_exit.f(retval);
|
|
}
|
|
|
|
static void uwrap_pthread_exit(void *retval)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
|
|
UWRAP_LOG(UWRAP_LOG_DEBUG, "Cleanup thread");
|
|
|
|
UWRAP_LOCK(uwrap_id);
|
|
if (id == NULL) {
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
libpthread_pthread_exit(retval);
|
|
return;
|
|
}
|
|
|
|
UWRAP_DLIST_REMOVE(uwrap.ids, id);
|
|
SAFE_FREE(id->groups);
|
|
SAFE_FREE(id);
|
|
uwrap_tls_id = NULL;
|
|
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
|
|
libpthread_pthread_exit(retval);
|
|
}
|
|
|
|
void pthread_exit(void *retval)
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
libpthread_pthread_exit(retval);
|
|
};
|
|
|
|
uwrap_pthread_exit(retval);
|
|
|
|
/* Calm down gcc warning. */
|
|
exit(666);
|
|
}
|
|
|
|
struct uwrap_pthread_create_args {
|
|
struct uwrap_thread *id;
|
|
void *(*start_routine) (void *);
|
|
void *arg;
|
|
};
|
|
|
|
static void *uwrap_pthread_create_start(void *_a)
|
|
{
|
|
struct uwrap_pthread_create_args *a =
|
|
(struct uwrap_pthread_create_args *)_a;
|
|
void *(*start_routine) (void *) = a->start_routine;
|
|
void *arg = a->arg;
|
|
struct uwrap_thread *id = a->id;
|
|
|
|
SAFE_FREE(a);
|
|
|
|
uwrap_tls_id = id;
|
|
|
|
return start_routine(arg);
|
|
}
|
|
|
|
static int uwrap_pthread_create(pthread_t *thread,
|
|
const pthread_attr_t *attr,
|
|
void *(*start_routine) (void *),
|
|
void *arg)
|
|
{
|
|
struct uwrap_pthread_create_args *args;
|
|
struct uwrap_thread *src_id = uwrap_tls_id;
|
|
int ret;
|
|
|
|
args = malloc(sizeof(struct uwrap_pthread_create_args));
|
|
if (args == NULL) {
|
|
UWRAP_LOG(UWRAP_LOG_ERROR,
|
|
"uwrap_pthread_create: Unable to allocate memory");
|
|
errno = ENOMEM;
|
|
return -1;
|
|
}
|
|
args->start_routine = start_routine;
|
|
args->arg = arg;
|
|
|
|
args->id = calloc(1, sizeof(struct uwrap_thread));
|
|
if (args->id == NULL) {
|
|
SAFE_FREE(args);
|
|
UWRAP_LOG(UWRAP_LOG_ERROR,
|
|
"uwrap_pthread_create: Unable to allocate memory");
|
|
errno = ENOMEM;
|
|
return -1;
|
|
}
|
|
|
|
UWRAP_LOCK(uwrap_id);
|
|
|
|
args->id->groups = calloc(src_id->ngroups, sizeof(gid_t));
|
|
if (args->id->groups == NULL) {
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
SAFE_FREE(args->id);
|
|
SAFE_FREE(args);
|
|
UWRAP_LOG(UWRAP_LOG_ERROR,
|
|
"uwrap_pthread_create: Unable to allocate memory again");
|
|
errno = ENOMEM;
|
|
return -1;
|
|
}
|
|
|
|
args->id->ruid = src_id->ruid;
|
|
args->id->euid = src_id->euid;
|
|
args->id->suid = src_id->suid;
|
|
|
|
args->id->rgid = src_id->rgid;
|
|
args->id->egid = src_id->egid;
|
|
args->id->sgid = src_id->sgid;
|
|
|
|
args->id->enabled = src_id->enabled;
|
|
|
|
args->id->ngroups = src_id->ngroups;
|
|
if (src_id->groups != NULL) {
|
|
memcpy(args->id->groups, src_id->groups,
|
|
sizeof(gid_t) * src_id->ngroups);
|
|
} else {
|
|
SAFE_FREE(args->id->groups);
|
|
}
|
|
|
|
UWRAP_DLIST_ADD(uwrap.ids, args->id);
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
|
|
ret = libpthread_pthread_create(thread, attr,
|
|
uwrap_pthread_create_start,
|
|
args);
|
|
if (ret != 0) {
|
|
return ret;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
int pthread_create(pthread_t *thread,
|
|
const pthread_attr_t *attr,
|
|
void *(*start_routine) (void *),
|
|
void *arg)
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
return libpthread_pthread_create(thread,
|
|
attr,
|
|
start_routine,
|
|
arg);
|
|
};
|
|
|
|
return uwrap_pthread_create(thread,
|
|
attr,
|
|
start_routine,
|
|
arg);
|
|
}
|
|
|
|
/*********************************************************
|
|
* UWRAP ID HANDLING
|
|
*********************************************************/
|
|
|
|
#define GROUP_STRING_SIZE 16384
|
|
#define GROUP_MAX_COUNT (GROUP_STRING_SIZE / (10 + 1))
|
|
|
|
/**
|
|
* This function exports all the IDs of the current user so if
|
|
* we fork and then exec we can setup uid_wrapper in the new process
|
|
* with those IDs.
|
|
*/
|
|
static void uwrap_export_ids(struct uwrap_thread *id)
|
|
{
|
|
char groups_str[GROUP_STRING_SIZE] = {0};
|
|
size_t groups_str_size = sizeof(groups_str);
|
|
char unsigned_str[16] = {0}; /* We need 10 + 1 (+ 1) */
|
|
int i;
|
|
|
|
/* UIDS */
|
|
snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->ruid);
|
|
setenv("UID_WRAPPER_INITIAL_RUID", unsigned_str, 1);
|
|
|
|
snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->euid);
|
|
setenv("UID_WRAPPER_INITIAL_EUID", unsigned_str, 1);
|
|
|
|
snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->suid);
|
|
setenv("UID_WRAPPER_INITIAL_SUID", unsigned_str, 1);
|
|
|
|
/* GIDS */
|
|
snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->rgid);
|
|
setenv("UID_WRAPPER_INITIAL_RGID", unsigned_str, 1);
|
|
|
|
snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->egid);
|
|
setenv("UID_WRAPPER_INITIAL_EGID", unsigned_str, 1);
|
|
|
|
snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->sgid);
|
|
setenv("UID_WRAPPER_INITIAL_SGID", unsigned_str, 1);
|
|
|
|
if (id->ngroups > GROUP_MAX_COUNT) {
|
|
UWRAP_LOG(UWRAP_LOG_ERROR,
|
|
"ERROR: Number of groups (%u) exceeds maximum value "
|
|
"uid_wrapper can handle (%u).",
|
|
id->ngroups,
|
|
GROUP_MAX_COUNT);
|
|
exit(-1);
|
|
}
|
|
|
|
/* GROUPS */
|
|
for (i = 0; i < id->ngroups; i++) {
|
|
size_t groups_str_len = strlen(groups_str);
|
|
size_t groups_str_avail = groups_str_size - groups_str_len - 1;
|
|
int len;
|
|
|
|
len = snprintf(unsigned_str, sizeof(unsigned_str), ",%u", id->groups[i]);
|
|
if (len <= 1) {
|
|
UWRAP_LOG(UWRAP_LOG_ERROR,
|
|
"snprintf failed for groups[%d]=%u",
|
|
i,
|
|
id->groups[i]);
|
|
break;
|
|
}
|
|
if (((size_t)len) >= groups_str_avail) {
|
|
UWRAP_LOG(UWRAP_LOG_ERROR,
|
|
"groups env string is to small for %d groups",
|
|
i);
|
|
break;
|
|
}
|
|
|
|
len = snprintf(groups_str + groups_str_len,
|
|
groups_str_size - groups_str_len,
|
|
"%s",
|
|
i == 0 ? unsigned_str + 1 : unsigned_str);
|
|
if (len < 1) {
|
|
UWRAP_LOG(UWRAP_LOG_ERROR,
|
|
"snprintf failed to create groups string at groups[%d]=%u",
|
|
i,
|
|
id->groups[i]);
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (id->ngroups == i) {
|
|
setenv("UID_WRAPPER_INITIAL_GROUPS", groups_str, 1);
|
|
|
|
snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->ngroups);
|
|
setenv("UID_WRAPPER_INITIAL_GROUPS_COUNT", unsigned_str, 1);
|
|
}
|
|
}
|
|
|
|
static void uwrap_thread_prepare(void)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
|
|
/*
|
|
* We bind all symbols to avoid deadlocks of the fork is interrupted by
|
|
* a signal handler using a symbol of this library.
|
|
*/
|
|
uwrap_bind_symbol_all();
|
|
|
|
UWRAP_LOCK_ALL;
|
|
|
|
/* uid_wrapper is loaded but not enabled */
|
|
if (id == NULL) {
|
|
return;
|
|
}
|
|
|
|
/*
|
|
* What happens if another atfork prepare functions calls a uwrap
|
|
* function? So disable it in case another atfork prepare function
|
|
* calls a (s)uid function. We disable uid_wrapper only for thread
|
|
* (process) which called fork.
|
|
*/
|
|
id->enabled = false;
|
|
}
|
|
|
|
static void uwrap_thread_parent(void)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
|
|
/* uid_wrapper is loaded but not enabled */
|
|
if (id == NULL) {
|
|
UWRAP_UNLOCK_ALL;
|
|
return;
|
|
}
|
|
|
|
id->enabled = true;
|
|
|
|
UWRAP_UNLOCK_ALL;
|
|
}
|
|
|
|
static void uwrap_thread_child(void)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
struct uwrap_thread *u = uwrap.ids;
|
|
|
|
UWRAP_REINIT_ALL;
|
|
|
|
/* uid_wrapper is loaded but not enabled */
|
|
if (id == NULL) {
|
|
return;
|
|
}
|
|
|
|
/*
|
|
* "Garbage collector" - Inspired by DESTRUCTOR.
|
|
* All threads (except one which called fork()) are dead now.. Dave
|
|
* That's what posix said...
|
|
*/
|
|
while (u != NULL) {
|
|
if (u == id) {
|
|
/* Skip this item. */
|
|
u = uwrap.ids->next;
|
|
continue;
|
|
}
|
|
|
|
UWRAP_DLIST_REMOVE(uwrap.ids, u);
|
|
|
|
SAFE_FREE(u->groups);
|
|
SAFE_FREE(u);
|
|
|
|
u = uwrap.ids;
|
|
}
|
|
|
|
uwrap_export_ids(id);
|
|
|
|
id->enabled = true;
|
|
}
|
|
|
|
static unsigned long uwrap_get_xid_from_env(const char *envname)
|
|
{
|
|
unsigned long xid;
|
|
const char *env = NULL;
|
|
char *endp = NULL;
|
|
|
|
env = getenv(envname);
|
|
if (env == NULL) {
|
|
return ULONG_MAX;
|
|
}
|
|
|
|
if (env[0] == '\0') {
|
|
unsetenv(envname);
|
|
return ULONG_MAX;
|
|
}
|
|
|
|
xid = strtoul(env, &endp, 10);
|
|
unsetenv(envname);
|
|
if (env == endp) {
|
|
return ULONG_MAX;
|
|
}
|
|
|
|
return xid;
|
|
}
|
|
|
|
/*
|
|
* This initializes uid_wrapper with the IDs exported to the environment. Those
|
|
* are normally set after we forked and executed.
|
|
*/
|
|
static void uwrap_init_env(struct uwrap_thread *id)
|
|
{
|
|
const char *env;
|
|
int ngroups = 0;
|
|
unsigned long xid;
|
|
|
|
/* UIDs */
|
|
xid = uwrap_get_xid_from_env("UID_WRAPPER_INITIAL_RUID");
|
|
if (xid != ULONG_MAX) {
|
|
id->ruid = (uid_t)xid;
|
|
}
|
|
|
|
xid = uwrap_get_xid_from_env("UID_WRAPPER_INITIAL_EUID");
|
|
if (xid != ULONG_MAX) {
|
|
id->euid = (uid_t)xid;
|
|
}
|
|
|
|
xid = uwrap_get_xid_from_env("UID_WRAPPER_INITIAL_SUID");
|
|
if (xid != ULONG_MAX) {
|
|
id->suid = (uid_t)xid;
|
|
}
|
|
|
|
/* GIDs */
|
|
xid = uwrap_get_xid_from_env("UID_WRAPPER_INITIAL_RGID");
|
|
if (xid != ULONG_MAX) {
|
|
id->rgid = (gid_t)xid;
|
|
}
|
|
|
|
xid = uwrap_get_xid_from_env("UID_WRAPPER_INITIAL_EGID");
|
|
if (xid != ULONG_MAX) {
|
|
id->egid = (gid_t)xid;
|
|
}
|
|
|
|
xid = uwrap_get_xid_from_env("UID_WRAPPER_INITIAL_SGID");
|
|
if (xid != ULONG_MAX) {
|
|
id->sgid = (gid_t)xid;
|
|
}
|
|
|
|
env = getenv("UID_WRAPPER_INITIAL_GROUPS_COUNT");
|
|
if (env != NULL && env[0] != '\0') {
|
|
char *endp = NULL;
|
|
long n;
|
|
|
|
n = strtol(env, &endp, 10);
|
|
if (env == endp) {
|
|
ngroups = 0;
|
|
} else if (n > 0 && n < GROUP_MAX_COUNT) {
|
|
ngroups = (int)n;
|
|
}
|
|
unsetenv("UID_WRAPPER_INITIAL_GROUPS_COUNT");
|
|
}
|
|
|
|
if (ngroups > 0) {
|
|
int i = 0;
|
|
|
|
id->ngroups = 0;
|
|
|
|
free(id->groups);
|
|
id->groups = calloc(ngroups, sizeof(gid_t));
|
|
if (id->groups == NULL) {
|
|
UWRAP_LOG(UWRAP_LOG_ERROR,
|
|
"Unable to allocate memory");
|
|
exit(-1);
|
|
}
|
|
|
|
env = getenv("UID_WRAPPER_INITIAL_GROUPS");
|
|
if (env != NULL && env[0] != '\0') {
|
|
char *groups_str = NULL;
|
|
char *saveptr = NULL;
|
|
const char *p = NULL;
|
|
|
|
groups_str = strdup(env);
|
|
if (groups_str == NULL) {
|
|
exit(-1);
|
|
}
|
|
|
|
p = strtok_r(groups_str, ",", &saveptr);
|
|
while (p != NULL) {
|
|
id->groups[i] = strtol(p, (char **)NULL, 10);
|
|
i++;
|
|
|
|
p = strtok_r(NULL, ",", &saveptr);
|
|
}
|
|
SAFE_FREE(groups_str);
|
|
}
|
|
|
|
if (i != ngroups) {
|
|
UWRAP_LOG(UWRAP_LOG_ERROR,
|
|
"ERROR: The number of groups (%u) passed, "
|
|
"does not match the number of groups (%u) "
|
|
"we parsed.",
|
|
ngroups,
|
|
i);
|
|
exit(-1);
|
|
}
|
|
|
|
UWRAP_LOG(UWRAP_LOG_DEBUG, "Initialize groups with %s", env);
|
|
id->ngroups = ngroups;
|
|
}
|
|
}
|
|
|
|
static void uwrap_init(void)
|
|
{
|
|
const char *env;
|
|
|
|
UWRAP_LOCK(uwrap_id);
|
|
|
|
if (uwrap.initialised) {
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
|
|
if (uwrap.ids == NULL) {
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
return;
|
|
}
|
|
|
|
if (id == NULL) {
|
|
UWRAP_LOG(UWRAP_LOG_ERROR,
|
|
"Invalid id for thread");
|
|
exit(-1);
|
|
}
|
|
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
return;
|
|
}
|
|
|
|
UWRAP_LOG(UWRAP_LOG_DEBUG, "Initialize uid_wrapper");
|
|
|
|
uwrap.initialised = true;
|
|
|
|
env = getenv("UID_WRAPPER");
|
|
if (env != NULL && env[0] == '1') {
|
|
const char *root = getenv("UID_WRAPPER_ROOT");
|
|
struct uwrap_thread *id;
|
|
|
|
id = calloc(1, sizeof(struct uwrap_thread));
|
|
if (id == NULL) {
|
|
UWRAP_LOG(UWRAP_LOG_ERROR,
|
|
"Unable to allocate memory for main id");
|
|
exit(-1);
|
|
}
|
|
|
|
UWRAP_DLIST_ADD(uwrap.ids, id);
|
|
uwrap_tls_id = id;
|
|
|
|
uwrap.myuid = libc_geteuid();
|
|
uwrap.mygid = libc_getegid();
|
|
|
|
/* put us in one group */
|
|
if (root != NULL && root[0] == '1') {
|
|
id->ruid = id->euid = id->suid = 0;
|
|
id->rgid = id->egid = id->sgid = 0;
|
|
|
|
id->groups = malloc(sizeof(gid_t) * 1);
|
|
if (id->groups == NULL) {
|
|
UWRAP_LOG(UWRAP_LOG_ERROR,
|
|
"Unable to allocate memory");
|
|
exit(-1);
|
|
}
|
|
|
|
id->ngroups = 1;
|
|
id->groups[0] = 0;
|
|
|
|
} else {
|
|
id->ruid = id->euid = id->suid = uwrap.myuid;
|
|
id->rgid = id->egid = id->sgid = uwrap.mygid;
|
|
|
|
id->ngroups = libc_getgroups(0, NULL);
|
|
if (id->ngroups == -1) {
|
|
UWRAP_LOG(UWRAP_LOG_ERROR,
|
|
"Unable to call libc_getgroups in uwrap_init.");
|
|
exit(-1);
|
|
}
|
|
id->groups = malloc(sizeof(gid_t) * id->ngroups);
|
|
if (id->groups == NULL) {
|
|
UWRAP_LOG(UWRAP_LOG_ERROR, "Unable to allocate memory");
|
|
exit(-1);
|
|
}
|
|
if (libc_getgroups(id->ngroups, id->groups) == -1) {
|
|
UWRAP_LOG(UWRAP_LOG_ERROR,
|
|
"Unable to call libc_getgroups again in uwrap_init.");
|
|
id->groups = 0;
|
|
/*
|
|
* Deallocation of uwrap.groups is handled by
|
|
* library destructor.
|
|
*/
|
|
exit(-1);
|
|
}
|
|
}
|
|
|
|
uwrap_init_env(id);
|
|
|
|
id->enabled = true;
|
|
|
|
UWRAP_LOG(UWRAP_LOG_DEBUG,
|
|
"Enabled uid_wrapper as %s (real uid=%u)",
|
|
id->ruid == 0 ? "root" : "user",
|
|
(unsigned int)uwrap.myuid);
|
|
}
|
|
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
|
|
UWRAP_LOG(UWRAP_LOG_DEBUG, "Successfully initialized uid_wrapper");
|
|
}
|
|
|
|
bool uid_wrapper_enabled(void)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
bool enabled;
|
|
|
|
if (id == NULL) {
|
|
return false;
|
|
}
|
|
|
|
UWRAP_LOCK(uwrap_id);
|
|
enabled = id->enabled;
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
|
|
return enabled;
|
|
}
|
|
|
|
/*
|
|
* UWRAP_SETxUID FUNCTIONS
|
|
*/
|
|
|
|
static int uwrap_setresuid_args(uid_t ruid, uid_t euid, uid_t suid)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
|
|
UWRAP_LOG(UWRAP_LOG_TRACE,
|
|
"ruid %d -> %d, euid %d -> %d, suid %d -> %d",
|
|
id->ruid, ruid, id->euid, euid, id->suid, suid);
|
|
|
|
if (id->euid != 0) {
|
|
if (ruid != (uid_t)-1 &&
|
|
ruid != id->ruid &&
|
|
ruid != id->euid &&
|
|
ruid != id->suid) {
|
|
errno = EPERM;
|
|
return -1;
|
|
}
|
|
if (euid != (uid_t)-1 &&
|
|
euid != id->ruid &&
|
|
euid != id->euid &&
|
|
euid != id->suid) {
|
|
errno = EPERM;
|
|
return -1;
|
|
}
|
|
if (suid != (uid_t)-1 &&
|
|
suid != id->ruid &&
|
|
suid != id->euid &&
|
|
suid != id->suid) {
|
|
errno = EPERM;
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int uwrap_setresuid_thread(uid_t ruid, uid_t euid, uid_t suid)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
int rc;
|
|
|
|
UWRAP_LOG(UWRAP_LOG_TRACE,
|
|
"ruid %d -> %d, euid %d -> %d, suid %d -> %d",
|
|
id->ruid, ruid, id->euid, euid, id->suid, suid);
|
|
|
|
rc = uwrap_setresuid_args(ruid, euid, suid);
|
|
if (rc != 0) {
|
|
return rc;
|
|
}
|
|
|
|
UWRAP_LOCK(uwrap_id);
|
|
|
|
if (ruid != (uid_t)-1) {
|
|
id->ruid = ruid;
|
|
}
|
|
|
|
if (euid != (uid_t)-1) {
|
|
id->euid = euid;
|
|
}
|
|
|
|
if (suid != (uid_t)-1) {
|
|
id->suid = suid;
|
|
}
|
|
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int uwrap_setresuid(uid_t ruid, uid_t euid, uid_t suid)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
int rc;
|
|
|
|
UWRAP_LOG(UWRAP_LOG_TRACE,
|
|
"ruid %d -> %d, euid %d -> %d, suid %d -> %d",
|
|
id->ruid, ruid, id->euid, euid, id->suid, suid);
|
|
|
|
rc = uwrap_setresuid_args(ruid, euid, suid);
|
|
if (rc != 0) {
|
|
return rc;
|
|
}
|
|
|
|
UWRAP_LOCK(uwrap_id);
|
|
|
|
for (id = uwrap.ids; id; id = id->next) {
|
|
if (ruid != (uid_t)-1) {
|
|
id->ruid = ruid;
|
|
}
|
|
|
|
if (euid != (uid_t)-1) {
|
|
id->euid = euid;
|
|
}
|
|
|
|
if (suid != (uid_t)-1) {
|
|
id->suid = suid;
|
|
}
|
|
}
|
|
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int uwrap_setreuid_args(uid_t ruid, uid_t euid,
|
|
uid_t *_new_ruid,
|
|
uid_t *_new_euid,
|
|
uid_t *_new_suid)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
uid_t new_ruid = -1, new_euid = -1, new_suid = -1;
|
|
|
|
UWRAP_LOG(UWRAP_LOG_TRACE,
|
|
"ruid %d -> %d, euid %d -> %d",
|
|
id->ruid, ruid, id->euid, euid);
|
|
|
|
if (ruid != (uid_t)-1) {
|
|
new_ruid = ruid;
|
|
if (ruid != id->ruid &&
|
|
ruid != id->euid &&
|
|
id->euid != 0) {
|
|
errno = EPERM;
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
if (euid != (uid_t)-1) {
|
|
new_euid = euid;
|
|
if (euid != id->ruid &&
|
|
euid != id->euid &&
|
|
euid != id->suid &&
|
|
id->euid != 0) {
|
|
errno = EPERM;
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
if (ruid != (uid_t) -1 ||
|
|
(euid != (uid_t)-1 && id->ruid != euid)) {
|
|
new_suid = new_euid;
|
|
}
|
|
|
|
*_new_ruid = new_ruid;
|
|
*_new_euid = new_euid;
|
|
*_new_suid = new_suid;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int uwrap_setreuid_thread(uid_t ruid, uid_t euid)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
uid_t new_ruid = -1, new_euid = -1, new_suid = -1;
|
|
int rc;
|
|
|
|
UWRAP_LOG(UWRAP_LOG_TRACE,
|
|
"ruid %d -> %d, euid %d -> %d",
|
|
id->ruid, ruid, id->euid, euid);
|
|
|
|
rc = uwrap_setreuid_args(ruid, euid, &new_ruid, &new_euid, &new_suid);
|
|
if (rc != 0) {
|
|
return rc;
|
|
}
|
|
|
|
return uwrap_setresuid_thread(new_ruid, new_euid, new_suid);
|
|
}
|
|
|
|
#ifdef HAVE_SETREUID
|
|
static int uwrap_setreuid(uid_t ruid, uid_t euid)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
uid_t new_ruid = -1, new_euid = -1, new_suid = -1;
|
|
int rc;
|
|
|
|
UWRAP_LOG(UWRAP_LOG_TRACE,
|
|
"ruid %d -> %d, euid %d -> %d",
|
|
id->ruid, ruid, id->euid, euid);
|
|
|
|
rc = uwrap_setreuid_args(ruid, euid, &new_ruid, &new_euid, &new_suid);
|
|
if (rc != 0) {
|
|
return rc;
|
|
}
|
|
|
|
return uwrap_setresuid(new_ruid, new_euid, new_suid);
|
|
}
|
|
#endif
|
|
|
|
static int uwrap_setuid_args(uid_t uid,
|
|
uid_t *new_ruid,
|
|
uid_t *new_euid,
|
|
uid_t *new_suid)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
|
|
UWRAP_LOG(UWRAP_LOG_TRACE,
|
|
"uid %d -> %d",
|
|
id->ruid, uid);
|
|
|
|
if (uid == (uid_t)-1) {
|
|
errno = EINVAL;
|
|
return -1;
|
|
}
|
|
|
|
if (id->euid == 0) {
|
|
*new_suid = *new_ruid = uid;
|
|
} else if (uid != id->ruid &&
|
|
uid != id->suid) {
|
|
errno = EPERM;
|
|
return -1;
|
|
}
|
|
|
|
*new_euid = uid;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int uwrap_setuid_thread(uid_t uid)
|
|
{
|
|
uid_t new_ruid = -1, new_euid = -1, new_suid = -1;
|
|
int rc;
|
|
|
|
rc = uwrap_setuid_args(uid, &new_ruid, &new_euid, &new_suid);
|
|
if (rc != 0) {
|
|
return rc;
|
|
}
|
|
|
|
return uwrap_setresuid_thread(new_ruid, new_euid, new_suid);
|
|
}
|
|
|
|
static int uwrap_setuid(uid_t uid)
|
|
{
|
|
uid_t new_ruid = -1, new_euid = -1, new_suid = -1;
|
|
int rc;
|
|
|
|
rc = uwrap_setuid_args(uid, &new_ruid, &new_euid, &new_suid);
|
|
if (rc != 0) {
|
|
return rc;
|
|
}
|
|
|
|
return uwrap_setresuid(new_ruid, new_euid, new_suid);
|
|
}
|
|
|
|
/*
|
|
* UWRAP_GETxUID FUNCTIONS
|
|
*/
|
|
|
|
#ifdef HAVE_GETRESUID
|
|
static int uwrap_getresuid(uid_t *ruid, uid_t *euid, uid_t *suid)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
|
|
UWRAP_LOCK(uwrap_id);
|
|
|
|
*ruid = id->ruid;
|
|
*euid = id->euid;
|
|
*suid = id->suid;
|
|
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
|
|
return 0;
|
|
}
|
|
#endif
|
|
|
|
#ifdef HAVE_GETRESGID
|
|
static int uwrap_getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
|
|
UWRAP_LOCK(uwrap_id);
|
|
|
|
*rgid = id->rgid;
|
|
*egid = id->egid;
|
|
*sgid = id->sgid;
|
|
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
|
|
return 0;
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* UWRAP_SETxGID FUNCTIONS
|
|
*/
|
|
|
|
static int uwrap_setresgid_args(gid_t rgid, gid_t egid, gid_t sgid)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
|
|
UWRAP_LOG(UWRAP_LOG_TRACE,
|
|
"rgid %d -> %d, egid %d -> %d, sgid %d -> %d",
|
|
id->rgid, rgid, id->egid, egid, id->sgid, sgid);
|
|
|
|
if (id->euid != 0) {
|
|
if (rgid != (gid_t)-1 &&
|
|
rgid != id->rgid &&
|
|
rgid != id->egid &&
|
|
rgid != id->sgid) {
|
|
errno = EPERM;
|
|
return -1;
|
|
}
|
|
if (egid != (gid_t)-1 &&
|
|
egid != id->rgid &&
|
|
egid != id->egid &&
|
|
egid != id->sgid) {
|
|
errno = EPERM;
|
|
return -1;
|
|
}
|
|
if (sgid != (gid_t)-1 &&
|
|
sgid != id->rgid &&
|
|
sgid != id->egid &&
|
|
sgid != id->sgid) {
|
|
errno = EPERM;
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int uwrap_setresgid_thread(gid_t rgid, gid_t egid, gid_t sgid)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
int rc;
|
|
|
|
UWRAP_LOG(UWRAP_LOG_TRACE,
|
|
"rgid %d -> %d, egid %d -> %d, sgid %d -> %d",
|
|
id->rgid, rgid, id->egid, egid, id->sgid, sgid);
|
|
|
|
rc = uwrap_setresgid_args(rgid, egid, sgid);
|
|
if (rc != 0) {
|
|
return rc;
|
|
}
|
|
|
|
UWRAP_LOCK(uwrap_id);
|
|
|
|
if (rgid != (gid_t)-1) {
|
|
id->rgid = rgid;
|
|
}
|
|
|
|
if (egid != (gid_t)-1) {
|
|
id->egid = egid;
|
|
}
|
|
|
|
if (sgid != (gid_t)-1) {
|
|
id->sgid = sgid;
|
|
}
|
|
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int uwrap_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
int rc;
|
|
|
|
UWRAP_LOG(UWRAP_LOG_TRACE,
|
|
"rgid %d -> %d, egid %d -> %d, sgid %d -> %d",
|
|
id->rgid, rgid, id->egid, egid, id->sgid, sgid);
|
|
|
|
rc = uwrap_setresgid_args(rgid, egid, sgid);
|
|
if (rc != 0) {
|
|
return rc;
|
|
}
|
|
|
|
UWRAP_LOCK(uwrap_id);
|
|
|
|
for (id = uwrap.ids; id; id = id->next) {
|
|
if (rgid != (gid_t)-1) {
|
|
id->rgid = rgid;
|
|
}
|
|
|
|
if (egid != (gid_t)-1) {
|
|
id->egid = egid;
|
|
}
|
|
|
|
if (sgid != (gid_t)-1) {
|
|
id->sgid = sgid;
|
|
}
|
|
}
|
|
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int uwrap_setregid_args(gid_t rgid, gid_t egid,
|
|
gid_t *_new_rgid,
|
|
gid_t *_new_egid,
|
|
gid_t *_new_sgid)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
gid_t new_rgid = -1, new_egid = -1, new_sgid = -1;
|
|
|
|
UWRAP_LOG(UWRAP_LOG_TRACE,
|
|
"rgid %d -> %d, egid %d -> %d",
|
|
id->rgid, rgid, id->egid, egid);
|
|
|
|
if (rgid != (gid_t)-1) {
|
|
new_rgid = rgid;
|
|
if (rgid != id->rgid &&
|
|
rgid != id->egid &&
|
|
id->euid != 0) {
|
|
errno = EPERM;
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
if (egid != (gid_t)-1) {
|
|
new_egid = egid;
|
|
if (egid != id->rgid &&
|
|
egid != id->egid &&
|
|
egid != id->sgid &&
|
|
id->euid != 0) {
|
|
errno = EPERM;
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
if (rgid != (gid_t) -1 ||
|
|
(egid != (gid_t)-1 && id->rgid != egid)) {
|
|
new_sgid = new_egid;
|
|
}
|
|
|
|
*_new_rgid = new_rgid;
|
|
*_new_egid = new_egid;
|
|
*_new_sgid = new_sgid;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int uwrap_setregid_thread(gid_t rgid, gid_t egid)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
gid_t new_rgid = -1, new_egid = -1, new_sgid = -1;
|
|
int rc;
|
|
|
|
UWRAP_LOG(UWRAP_LOG_TRACE,
|
|
"rgid %d -> %d, egid %d -> %d",
|
|
id->rgid, rgid, id->egid, egid);
|
|
|
|
rc = uwrap_setregid_args(rgid, egid, &new_rgid, &new_egid, &new_sgid);
|
|
if (rc != 0) {
|
|
return rc;
|
|
}
|
|
|
|
return uwrap_setresgid_thread(new_rgid, new_egid, new_sgid);
|
|
}
|
|
|
|
#ifdef HAVE_SETREGID
|
|
static int uwrap_setregid(gid_t rgid, gid_t egid)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
gid_t new_rgid = -1, new_egid = -1, new_sgid = -1;
|
|
int rc;
|
|
|
|
UWRAP_LOG(UWRAP_LOG_TRACE,
|
|
"rgid %d -> %d, egid %d -> %d",
|
|
id->rgid, rgid, id->egid, egid);
|
|
|
|
rc = uwrap_setregid_args(rgid, egid, &new_rgid, &new_egid, &new_sgid);
|
|
if (rc != 0) {
|
|
return rc;
|
|
}
|
|
|
|
return uwrap_setresgid(new_rgid, new_egid, new_sgid);
|
|
}
|
|
#endif
|
|
|
|
static int uwrap_setgid_args(gid_t gid,
|
|
gid_t *new_rgid,
|
|
gid_t *new_egid,
|
|
gid_t *new_sgid)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
|
|
UWRAP_LOG(UWRAP_LOG_TRACE,
|
|
"gid %d -> %d",
|
|
id->rgid, gid);
|
|
|
|
if (gid == (gid_t)-1) {
|
|
errno = EINVAL;
|
|
return -1;
|
|
}
|
|
|
|
if (id->euid == 0) {
|
|
*new_sgid = *new_rgid = gid;
|
|
} else if (gid != id->rgid &&
|
|
gid != id->sgid) {
|
|
errno = EPERM;
|
|
return -1;
|
|
}
|
|
|
|
*new_egid = gid;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int uwrap_setgid_thread(gid_t gid)
|
|
{
|
|
gid_t new_rgid = -1, new_egid = -1, new_sgid = -1;
|
|
int rc;
|
|
|
|
rc = uwrap_setgid_args(gid, &new_rgid, &new_egid, &new_sgid);
|
|
if (rc != 0) {
|
|
return rc;
|
|
}
|
|
|
|
return uwrap_setresgid_thread(new_rgid, new_egid, new_sgid);
|
|
}
|
|
|
|
static int uwrap_setgid(gid_t gid)
|
|
{
|
|
gid_t new_rgid = -1, new_egid = -1, new_sgid = -1;
|
|
int rc;
|
|
|
|
rc = uwrap_setgid_args(gid, &new_rgid, &new_egid, &new_sgid);
|
|
if (rc != 0) {
|
|
return rc;
|
|
}
|
|
|
|
return uwrap_setresgid(new_rgid, new_egid, new_sgid);
|
|
}
|
|
|
|
/*
|
|
* SETUID
|
|
*/
|
|
int setuid(uid_t uid)
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
return libc_setuid(uid);
|
|
}
|
|
|
|
uwrap_init();
|
|
return uwrap_setuid(uid);
|
|
}
|
|
|
|
#ifdef HAVE_SETEUID
|
|
int seteuid(uid_t euid)
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
return libc_seteuid(euid);
|
|
}
|
|
|
|
/* On FreeBSD the uid_t -1 is set and doesn't produce and error */
|
|
if (euid == (uid_t)-1) {
|
|
errno = EINVAL;
|
|
return -1;
|
|
}
|
|
|
|
uwrap_init();
|
|
return uwrap_setresuid(-1, euid, -1);
|
|
}
|
|
#endif
|
|
|
|
#ifdef HAVE_SETREUID
|
|
int setreuid(uid_t ruid, uid_t euid)
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
return libc_setreuid(ruid, euid);
|
|
}
|
|
|
|
uwrap_init();
|
|
return uwrap_setreuid(ruid, euid);
|
|
}
|
|
#endif
|
|
|
|
#ifdef HAVE_SETRESUID
|
|
int setresuid(uid_t ruid, uid_t euid, uid_t suid)
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
return libc_setresuid(ruid, euid, suid);
|
|
}
|
|
|
|
uwrap_init();
|
|
return uwrap_setresuid(ruid, euid, suid);
|
|
}
|
|
#endif
|
|
|
|
#ifdef HAVE_GETRESUID
|
|
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid)
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
return libc_getresuid(ruid, euid, suid);
|
|
}
|
|
|
|
uwrap_init();
|
|
return uwrap_getresuid(ruid, euid, suid);
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* GETUID
|
|
*/
|
|
static uid_t uwrap_getuid(void)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
uid_t uid;
|
|
|
|
UWRAP_LOCK(uwrap_id);
|
|
uid = id->ruid;
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
|
|
return uid;
|
|
}
|
|
|
|
uid_t getuid(void)
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
return libc_getuid();
|
|
}
|
|
|
|
uwrap_init();
|
|
return uwrap_getuid();
|
|
}
|
|
|
|
/*
|
|
* GETEUID
|
|
*/
|
|
static uid_t uwrap_geteuid(void)
|
|
{
|
|
const char *env = getenv("UID_WRAPPER_MYUID");
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
uid_t uid;
|
|
|
|
UWRAP_LOCK(uwrap_id);
|
|
uid = id->euid;
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
|
|
/* Disable root and return myuid */
|
|
if (env != NULL && env[0] == '1') {
|
|
uid = uwrap.myuid;
|
|
}
|
|
|
|
return uid;
|
|
}
|
|
|
|
uid_t geteuid(void)
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
return libc_geteuid();
|
|
}
|
|
|
|
uwrap_init();
|
|
return uwrap_geteuid();
|
|
}
|
|
|
|
/*
|
|
* SETGID
|
|
*/
|
|
int setgid(gid_t gid)
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
return libc_setgid(gid);
|
|
}
|
|
|
|
uwrap_init();
|
|
return uwrap_setgid(gid);
|
|
}
|
|
|
|
#ifdef HAVE_SETEGID
|
|
int setegid(gid_t egid)
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
return libc_setegid(egid);
|
|
}
|
|
|
|
/* On FreeBSD the uid_t -1 is set and doesn't produce and error */
|
|
if (egid == (gid_t)-1) {
|
|
errno = EINVAL;
|
|
return -1;
|
|
}
|
|
|
|
uwrap_init();
|
|
return uwrap_setresgid(-1, egid, -1);
|
|
}
|
|
#endif
|
|
|
|
#ifdef HAVE_SETREGID
|
|
int setregid(gid_t rgid, gid_t egid)
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
return libc_setregid(rgid, egid);
|
|
}
|
|
|
|
uwrap_init();
|
|
return uwrap_setregid(rgid, egid);
|
|
}
|
|
#endif
|
|
|
|
#ifdef HAVE_SETRESGID
|
|
int setresgid(gid_t rgid, gid_t egid, gid_t sgid)
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
return libc_setresgid(rgid, egid, sgid);
|
|
}
|
|
|
|
uwrap_init();
|
|
return uwrap_setresgid(rgid, egid, sgid);
|
|
}
|
|
#endif
|
|
|
|
#ifdef HAVE_GETRESGID
|
|
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid)
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
return libc_getresgid(rgid, egid, sgid);
|
|
}
|
|
|
|
uwrap_init();
|
|
return uwrap_getresgid(rgid, egid, sgid);
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* GETGID
|
|
*/
|
|
static gid_t uwrap_getgid(void)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
gid_t gid;
|
|
|
|
UWRAP_LOCK(uwrap_id);
|
|
gid = id->rgid;
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
|
|
return gid;
|
|
}
|
|
|
|
gid_t getgid(void)
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
return libc_getgid();
|
|
}
|
|
|
|
uwrap_init();
|
|
return uwrap_getgid();
|
|
}
|
|
|
|
/*
|
|
* GETEGID
|
|
*/
|
|
static uid_t uwrap_getegid(void)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
gid_t gid;
|
|
|
|
UWRAP_LOCK(uwrap_id);
|
|
gid = id->egid;
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
|
|
return gid;
|
|
}
|
|
|
|
uid_t getegid(void)
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
return libc_getegid();
|
|
}
|
|
|
|
uwrap_init();
|
|
return uwrap_getegid();
|
|
}
|
|
|
|
static int uwrap_setgroups_thread(size_t size, const gid_t *list)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
int rc = -1;
|
|
|
|
UWRAP_LOCK(uwrap_id);
|
|
|
|
if (size == 0) {
|
|
SAFE_FREE(id->groups);
|
|
id->ngroups = 0;
|
|
} else if (size > 0) {
|
|
gid_t *tmp;
|
|
|
|
tmp = realloc(id->groups, sizeof(gid_t) * size);
|
|
if (tmp == NULL) {
|
|
errno = ENOMEM;
|
|
goto out;
|
|
}
|
|
id->groups = tmp;
|
|
id->ngroups = size;
|
|
memcpy(id->groups, list, size * sizeof(gid_t));
|
|
}
|
|
|
|
rc = 0;
|
|
out:
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
|
|
return rc;
|
|
}
|
|
|
|
static int uwrap_setgroups(size_t size, const gid_t *list)
|
|
{
|
|
struct uwrap_thread *id;
|
|
int rc = -1;
|
|
|
|
UWRAP_LOCK(uwrap_id);
|
|
|
|
if (size == 0) {
|
|
for (id = uwrap.ids; id; id = id->next) {
|
|
SAFE_FREE(id->groups);
|
|
id->ngroups = 0;
|
|
|
|
}
|
|
} else if (size > 0) {
|
|
gid_t *tmp;
|
|
|
|
for (id = uwrap.ids; id; id = id->next) {
|
|
tmp = realloc(id->groups, sizeof(gid_t) * size);
|
|
if (tmp == NULL) {
|
|
errno = ENOMEM;
|
|
goto out;
|
|
}
|
|
id->groups = tmp;
|
|
|
|
id->ngroups = size;
|
|
memcpy(id->groups, list, size * sizeof(gid_t));
|
|
}
|
|
}
|
|
|
|
rc = 0;
|
|
out:
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
|
|
return rc;
|
|
}
|
|
|
|
#ifdef HAVE_SETGROUPS_INT
|
|
int setgroups(int size, const gid_t *list)
|
|
#else
|
|
int setgroups(size_t size, const gid_t *list)
|
|
#endif
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
return libc_setgroups(size, list);
|
|
}
|
|
|
|
uwrap_init();
|
|
return uwrap_setgroups(size, list);
|
|
}
|
|
|
|
static int uwrap_getgroups(int size, gid_t *list)
|
|
{
|
|
struct uwrap_thread *id = uwrap_tls_id;
|
|
int ngroups;
|
|
|
|
UWRAP_LOCK(uwrap_id);
|
|
ngroups = id->ngroups;
|
|
|
|
if (size > ngroups) {
|
|
size = ngroups;
|
|
}
|
|
if (size == 0) {
|
|
goto out;
|
|
}
|
|
if (size < ngroups) {
|
|
errno = EINVAL;
|
|
ngroups = -1;
|
|
}
|
|
memcpy(list, id->groups, size * sizeof(gid_t));
|
|
|
|
out:
|
|
UWRAP_UNLOCK(uwrap_id);
|
|
|
|
return ngroups;
|
|
}
|
|
|
|
int getgroups(int size, gid_t *list)
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
return libc_getgroups(size, list);
|
|
}
|
|
|
|
uwrap_init();
|
|
return uwrap_getgroups(size, list);
|
|
}
|
|
|
|
#ifdef HAVE___GETGROUPS_CHK
|
|
static int uwrap___getgroups_chk(int size, gid_t *list, size_t listlen)
|
|
{
|
|
if (size * sizeof(gid_t) > listlen) {
|
|
UWRAP_LOG(UWRAP_LOG_DEBUG, "Buffer overflow detected");
|
|
abort();
|
|
}
|
|
|
|
return uwrap_getgroups(size, list);
|
|
}
|
|
|
|
int __getgroups_chk(int size, gid_t *list, size_t listlen);
|
|
|
|
int __getgroups_chk(int size, gid_t *list, size_t listlen)
|
|
{
|
|
if (!uid_wrapper_enabled()) {
|
|
return libc___getgroups_chk(size, list, listlen);
|
|
}
|
|
|
|
uwrap_init();
|
|
return uwrap___getgroups_chk(size, list, listlen);
|
|
}
|
|
#endif /* HAVE___GETGROUPS_CHK */
|
|
|
|
#if (defined(HAVE_SYS_SYSCALL_H) || defined(HAVE_SYSCALL_H)) \
|
|
&& (defined(SYS_setreuid) || defined(SYS_setreuid32))
|
|
static bool uwrap_is_uwrap_related_syscall(long int sysno)
|
|
{
|
|
switch (sysno) {
|
|
/* gid */
|
|
#ifdef __alpha__
|
|
case SYS_getxgid:
|
|
return true;
|
|
#else
|
|
case SYS_getgid:
|
|
return true;
|
|
#endif
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_getgid32:
|
|
return true;
|
|
#endif
|
|
#ifdef SYS_getegid
|
|
case SYS_getegid:
|
|
return true;
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_getegid32:
|
|
return true;
|
|
#endif
|
|
#endif /* SYS_getegid */
|
|
case SYS_setgid:
|
|
return true;
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_setgid32:
|
|
return true;
|
|
#endif
|
|
case SYS_setregid:
|
|
return true;
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_setregid32:
|
|
return true;
|
|
#endif
|
|
#ifdef SYS_setresgid
|
|
case SYS_setresgid:
|
|
return true;
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_setresgid32:
|
|
return true;
|
|
#endif
|
|
#endif /* SYS_setresgid */
|
|
#if defined(SYS_getresgid) && defined(HAVE_GETRESGID)
|
|
case SYS_getresgid:
|
|
return true;
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_getresgid32:
|
|
return true;
|
|
#endif
|
|
#endif /* SYS_getresgid && HAVE_GETRESGID */
|
|
|
|
/* uid */
|
|
#ifdef __alpha__
|
|
case SYS_getxuid:
|
|
return true;
|
|
#else
|
|
case SYS_getuid:
|
|
return true;
|
|
#endif
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_getuid32:
|
|
return true;
|
|
#endif
|
|
#ifdef SYS_geteuid
|
|
case SYS_geteuid:
|
|
return true;
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_geteuid32:
|
|
return true;
|
|
#endif
|
|
#endif /* SYS_geteuid */
|
|
case SYS_setuid:
|
|
return true;
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_setuid32:
|
|
return true;
|
|
#endif
|
|
case SYS_setreuid:
|
|
return true;
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_setreuid32:
|
|
return true;
|
|
#endif
|
|
#ifdef SYS_setresuid
|
|
case SYS_setresuid:
|
|
return true;
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_setresuid32:
|
|
return true;
|
|
#endif
|
|
#endif /* SYS_setresuid */
|
|
#if defined(SYS_getresuid) && defined(HAVE_GETRESUID)
|
|
case SYS_getresuid:
|
|
return true;
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_getresuid32:
|
|
return true;
|
|
#endif
|
|
#endif /* SYS_getresuid && HAVE_GETRESUID*/
|
|
/* groups */
|
|
case SYS_setgroups:
|
|
return true;
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_setgroups32:
|
|
return true;
|
|
#endif
|
|
default:
|
|
return false;
|
|
}
|
|
}
|
|
|
|
static long int uwrap_syscall (long int sysno, va_list vp)
|
|
{
|
|
long int rc;
|
|
|
|
switch (sysno) {
|
|
/* gid */
|
|
#ifdef __alpha__
|
|
case SYS_getxgid:
|
|
#else
|
|
case SYS_getgid:
|
|
#endif
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_getgid32:
|
|
#endif
|
|
{
|
|
rc = uwrap_getgid();
|
|
}
|
|
break;
|
|
#ifdef SYS_getegid
|
|
case SYS_getegid:
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_getegid32:
|
|
#endif
|
|
{
|
|
rc = uwrap_getegid();
|
|
}
|
|
break;
|
|
#endif /* SYS_getegid */
|
|
case SYS_setgid:
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_setgid32:
|
|
#endif
|
|
{
|
|
gid_t gid = (gid_t) va_arg(vp, gid_t);
|
|
|
|
rc = uwrap_setgid_thread(gid);
|
|
}
|
|
break;
|
|
case SYS_setregid:
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_setregid32:
|
|
#endif
|
|
{
|
|
gid_t rgid = (gid_t) va_arg(vp, gid_t);
|
|
gid_t egid = (gid_t) va_arg(vp, gid_t);
|
|
|
|
rc = uwrap_setregid_thread(rgid, egid);
|
|
}
|
|
break;
|
|
#ifdef SYS_setresgid
|
|
case SYS_setresgid:
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_setresgid32:
|
|
#endif
|
|
{
|
|
gid_t rgid = (gid_t) va_arg(vp, gid_t);
|
|
gid_t egid = (gid_t) va_arg(vp, gid_t);
|
|
gid_t sgid = (gid_t) va_arg(vp, gid_t);
|
|
|
|
rc = uwrap_setresgid_thread(rgid, egid, sgid);
|
|
}
|
|
break;
|
|
#endif /* SYS_setresgid */
|
|
#if defined(SYS_getresgid) && defined(HAVE_GETRESGID)
|
|
case SYS_getresgid:
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_getresgid32:
|
|
#endif
|
|
{
|
|
gid_t *rgid = (gid_t *) va_arg(vp, gid_t *);
|
|
gid_t *egid = (gid_t *) va_arg(vp, gid_t *);
|
|
gid_t *sgid = (gid_t *) va_arg(vp, gid_t *);
|
|
|
|
rc = uwrap_getresgid(rgid, egid, sgid);
|
|
}
|
|
break;
|
|
#endif /* SYS_getresgid && HAVE_GETRESGID */
|
|
|
|
/* uid */
|
|
#ifdef __alpha__
|
|
case SYS_getxuid:
|
|
#else
|
|
case SYS_getuid:
|
|
#endif
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_getuid32:
|
|
#endif
|
|
{
|
|
rc = uwrap_getuid();
|
|
}
|
|
break;
|
|
#ifdef SYS_geteuid
|
|
case SYS_geteuid:
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_geteuid32:
|
|
#endif
|
|
{
|
|
rc = uwrap_geteuid();
|
|
}
|
|
break;
|
|
#endif /* SYS_geteuid */
|
|
case SYS_setuid:
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_setuid32:
|
|
#endif
|
|
{
|
|
uid_t uid = (uid_t) va_arg(vp, uid_t);
|
|
|
|
rc = uwrap_setuid_thread(uid);
|
|
}
|
|
break;
|
|
case SYS_setreuid:
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_setreuid32:
|
|
#endif
|
|
{
|
|
uid_t ruid = (uid_t) va_arg(vp, uid_t);
|
|
uid_t euid = (uid_t) va_arg(vp, uid_t);
|
|
|
|
rc = uwrap_setreuid_thread(ruid, euid);
|
|
}
|
|
break;
|
|
#ifdef SYS_setresuid
|
|
case SYS_setresuid:
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_setresuid32:
|
|
#endif
|
|
{
|
|
uid_t ruid = (uid_t) va_arg(vp, uid_t);
|
|
uid_t euid = (uid_t) va_arg(vp, uid_t);
|
|
uid_t suid = (uid_t) va_arg(vp, uid_t);
|
|
|
|
rc = uwrap_setresuid_thread(ruid, euid, suid);
|
|
}
|
|
break;
|
|
#endif /* SYS_setresuid */
|
|
#if defined(SYS_getresuid) && defined(HAVE_GETRESUID)
|
|
case SYS_getresuid:
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_getresuid32:
|
|
#endif
|
|
{
|
|
uid_t *ruid = (uid_t *) va_arg(vp, uid_t *);
|
|
uid_t *euid = (uid_t *) va_arg(vp, uid_t *);
|
|
uid_t *suid = (uid_t *) va_arg(vp, uid_t *);
|
|
|
|
rc = uwrap_getresuid(ruid, euid, suid);
|
|
}
|
|
break;
|
|
#endif /* SYS_getresuid && HAVE_GETRESUID*/
|
|
/* groups */
|
|
case SYS_setgroups:
|
|
#ifdef HAVE_LINUX_32BIT_SYSCALLS
|
|
case SYS_setgroups32:
|
|
#endif
|
|
{
|
|
size_t size = (size_t) va_arg(vp, size_t);
|
|
gid_t *list = (gid_t *) va_arg(vp, int *);
|
|
|
|
rc = uwrap_setgroups_thread(size, list);
|
|
}
|
|
break;
|
|
default:
|
|
rc = -1;
|
|
errno = ENOSYS;
|
|
break;
|
|
}
|
|
|
|
return rc;
|
|
}
|
|
|
|
#ifdef HAVE_SYSCALL
|
|
#ifdef HAVE_SYSCALL_INT
|
|
int syscall (int sysno, ...)
|
|
#else
|
|
long int syscall (long int sysno, ...)
|
|
#endif
|
|
{
|
|
#ifdef HAVE_SYSCALL_INT
|
|
int rc;
|
|
#else
|
|
long int rc;
|
|
#endif
|
|
va_list va;
|
|
|
|
va_start(va, sysno);
|
|
|
|
/*
|
|
* JEMALLOC:
|
|
*
|
|
* This is a workaround to prevent a deadlock in jemalloc calling
|
|
* malloc_init() twice. The first allocation call will trigger a
|
|
* malloc_init() of jemalloc. The functions calls syscall(SYS_open, ...)
|
|
* so it goes to socket or uid wrapper. In this code path we need to
|
|
* avoid any allocation calls. This will prevent the deadlock.
|
|
*/
|
|
if (!uwrap_handle_syscall) {
|
|
rc = libc_vsyscall(sysno, va);
|
|
va_end(va);
|
|
return rc;
|
|
}
|
|
|
|
/*
|
|
* We need to check for uwrap related syscall numbers before calling
|
|
* uid_wrapper_enabled() otherwise we'd deadlock during the freebsd libc
|
|
* fork() which calls syscall() after invoking uwrap_thread_prepare().
|
|
*/
|
|
if (!uwrap_is_uwrap_related_syscall(sysno)) {
|
|
/*
|
|
* We need to give socket_wrapper a
|
|
* chance to take over...
|
|
*/
|
|
if (uwrap_swrap_syscall_valid(sysno)) {
|
|
rc = uwrap_swrap_syscall_va(sysno, va);
|
|
va_end(va);
|
|
return rc;
|
|
}
|
|
|
|
rc = libc_vsyscall(sysno, va);
|
|
va_end(va);
|
|
return rc;
|
|
}
|
|
|
|
if (!uid_wrapper_enabled()) {
|
|
rc = libc_vsyscall(sysno, va);
|
|
va_end(va);
|
|
return rc;
|
|
}
|
|
|
|
uwrap_init();
|
|
rc = uwrap_syscall(sysno, va);
|
|
va_end(va);
|
|
|
|
return rc;
|
|
}
|
|
|
|
/* used by socket_wrapper */
|
|
bool uid_wrapper_syscall_valid(long int sysno);
|
|
bool uid_wrapper_syscall_valid(long int sysno)
|
|
{
|
|
if (!uwrap_is_uwrap_related_syscall(sysno)) {
|
|
return false;
|
|
}
|
|
|
|
if (!uid_wrapper_enabled()) {
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
/* used by socket_wrapper */
|
|
long int uid_wrapper_syscall_va(long int sysno, va_list va);
|
|
long int uid_wrapper_syscall_va(long int sysno, va_list va)
|
|
{
|
|
if (!uwrap_is_uwrap_related_syscall(sysno)) {
|
|
errno = ENOSYS;
|
|
return -1;
|
|
}
|
|
|
|
if (!uid_wrapper_enabled()) {
|
|
return libc_vsyscall(sysno, va);
|
|
}
|
|
|
|
uwrap_init();
|
|
|
|
return uwrap_syscall(sysno, va);
|
|
}
|
|
#endif /* HAVE_SYSCALL */
|
|
#endif /* HAVE_SYS_SYSCALL_H || HAVE_SYSCALL_H */
|
|
|
|
/****************************
|
|
* CONSTRUCTOR
|
|
***************************/
|
|
|
|
void uwrap_constructor(void)
|
|
{
|
|
char *glibc_malloc_lock_bug;
|
|
|
|
/*
|
|
* This is a workaround for a bug in glibc < 2.24:
|
|
*
|
|
* The child handler for the malloc() function is called and locks the
|
|
* mutex. Then our child handler is called and we try to call setenv().
|
|
* setenv() wants to malloc and tries to aquire the lock for malloc and
|
|
* we end up in a deadlock.
|
|
*
|
|
* So as a workaround we need to call malloc once before we setup the
|
|
* handlers.
|
|
*
|
|
* See https://sourceware.org/bugzilla/show_bug.cgi?id=16742
|
|
*/
|
|
glibc_malloc_lock_bug = malloc(1);
|
|
if (glibc_malloc_lock_bug == NULL) {
|
|
exit(-1);
|
|
}
|
|
glibc_malloc_lock_bug[0] = '\0';
|
|
|
|
UWRAP_REINIT_ALL;
|
|
|
|
/*
|
|
* If we hold a lock and the application forks, then the child
|
|
* is not able to unlock the mutex and we are in a deadlock.
|
|
* This should prevent such deadlocks.
|
|
*/
|
|
pthread_atfork(&uwrap_thread_prepare,
|
|
&uwrap_thread_parent,
|
|
&uwrap_thread_child);
|
|
|
|
free(glibc_malloc_lock_bug);
|
|
|
|
/* Here is safe place to call uwrap_init() and initialize data
|
|
* for main process.
|
|
*/
|
|
uwrap_init();
|
|
|
|
/* Let socket_wrapper handle syscall() */
|
|
uwrap_handle_syscall = true;
|
|
}
|
|
|
|
/****************************
|
|
* DESTRUCTOR
|
|
***************************/
|
|
|
|
/*
|
|
* This function is called when the library is unloaded and makes sure that
|
|
* resources are freed.
|
|
*/
|
|
void uwrap_destructor(void)
|
|
{
|
|
struct uwrap_thread *u = uwrap.ids;
|
|
|
|
UWRAP_LOCK_ALL;
|
|
|
|
while (u != NULL) {
|
|
UWRAP_DLIST_REMOVE(uwrap.ids, u);
|
|
|
|
SAFE_FREE(u->groups);
|
|
SAFE_FREE(u);
|
|
|
|
u = uwrap.ids;
|
|
}
|
|
|
|
|
|
if (uwrap.libc.handle != NULL
|
|
#ifdef RTLD_NEXT
|
|
&& uwrap.libc.handle != RTLD_NEXT
|
|
#endif
|
|
) {
|
|
dlclose(uwrap.libc.handle);
|
|
}
|
|
|
|
if (uwrap.libpthread.handle != NULL
|
|
#ifdef RTLD_NEXT
|
|
&& uwrap.libpthread.handle != RTLD_NEXT
|
|
#endif
|
|
) {
|
|
dlclose(uwrap.libpthread.handle);
|
|
}
|
|
|
|
UWRAP_UNLOCK_ALL;
|
|
}
|