aboutsummaryrefslogtreecommitdiff
/* GNU Guix --- Functional package management for GNU
   Copyright (C) 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>

   This file is part of GNU Guix.

   GNU Guix is free software; you can redistribute it and/or modify it
   under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or (at
   your option) any later version.

   GNU Guix is distributed in the hope that it will be useful, but
   WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.  */

/* Make the given @WRAPPED_PROGRAM@ relocatable by executing it in a separate
   mount namespace where the store is mounted in its right place.

   We would happily do that in Scheme using 'call-with-container'.  However,
   this very program needs to be relocatable, so it needs to be statically
   linked, which complicates things (Guile's modules can hardly be "linked"
   into a single executable.)  */

#define _GNU_SOURCE
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sched.h>
#include <sys/mount.h>
#include <errno.h>
#include <libgen.h>
#include <limits.h>
#include <string.h>
#include <assert.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <dirent.h>
#include <sys/syscall.h>
#include <sys/prctl.h>

/* Whether we're building the ld.so/libfakechroot wrapper.  */
#define HAVE_EXEC_WITH_LOADER						\
  (defined PROGRAM_INTERPRETER) && (defined LOADER_AUDIT_MODULE)	\
  && (defined FAKECHROOT_LIBRARY)

/* The original store, "/gnu/store" by default.  */
static const char original_store[] = "@STORE_DIRECTORY@";


/* Like 'malloc', but abort if 'malloc' returns NULL.  */
static void *
xmalloc (size_t size)
{
  void *result = malloc (size);
  assert (result != NULL);
  return result;
}

/* Concatenate DIRECTORY, a slash, and FILE.  Return the result, which the
   caller must eventually free.  */
static char *
concat (const char *directory, const char *file)
{
  char *result = xmalloc (strlen (directory) + 2 + strlen (file));

  strcpy (result, directory);
  strcat (result, "/");
  strcat (result, file);
  return result;
}

static void
mkdir_p (const char *directory)
{
  if (strcmp (directory, "/") != 0)
    {
      char *parent = dirname (strdupa (directory));
      mkdir_p (parent);
      int err = mkdir (directory, 0700);
      if (err < 0 && errno != EEXIST)
	assert_perror (errno);
    }
}

static void
rm_rf (const char *directory)
{
  DIR *stream = opendir (directory);

  for (struct dirent *entry = readdir (stream);
       entry != NULL;
       entry = readdir (stream))
    {
      if (strcmp (entry->d_name, ".") == 0
	  || strcmp (entry->d_name, "..") == 0)
	continue;

      char *full = concat (directory, entry->d_name);

      int err = unlink (full);
      if (err < 0)
	{
	  if (errno == EISDIR)
	    /* Recurse (we expect a shallow directory structure so there's
	       little risk of stack overflow.)  */
	    rm_rf (full);
	  else
	    assert_perror (errno);
	}

      free (full);
    }

  closedir (stream);

  int err = rmdir (directory);
  if (err < 0 && errno != ENOENT)
    assert_perror (errno);
}

/* Make TARGET a bind-mount of SOURCE.  Take into account ENTRY's type, which
   corresponds to SOURCE.  */
static int
bind_mount (const char *source, const struct dirent *entry,
	    const char *target)
{
  if (entry->d_type == DT_DIR)
    {
      int err = mkdir (target, 0700);
      if (err != 0)
	return err;
    }
  else
    close (open (target, O_WRONLY | O_CREAT));

  return mount (source, target, "none",
		MS_BIND | MS_REC | MS_RDONLY, NULL);
}

#if HAVE_EXEC_WITH_LOADER

/* Make TARGET a symlink to SOURCE.  */
static int
make_symlink (const char *source, const struct dirent *entry,
	      const char *target)
{
  return symlink (source, target);
}

#endif

/* Mirror with FIRMLINK all the top-level entries in SOURCE to TARGET.  */
static void
mirror_directory (const char *source, const char *target,
		  int (* firmlink) (const char *, const struct dirent *,
				    const char *))
{
  DIR *stream = opendir (source);

  for (struct dirent *entry = readdir (stream);
       entry != NULL;
       entry = readdir (stream))
    {
      /* XXX: Some file systems may not report a useful 'd_type'.  Ignore them
	 for now.  */
      assert (entry->d_type != DT_UNKNOWN);

      if (strcmp (entry->d_name, ".") == 0
	  || strcmp (entry->d_name, "..") == 0)
	continue;

      char *abs_source = concat (source, entry->d_name);
      char *new_entry = concat (target, entry->d_name);

      if (entry->d_type == DT_LNK)
	{
	  char target[PATH_MAX];

	  ssize_t result = readlink (abs_source, target, sizeof target - 1);
	  if (result > 0)
	    {
	      target[result] = '\0';
	      int err = symlink (target, new_entry);
	      if (err < 0)
		assert_perror (errno);
	    }
	}
      else
	{
	  /* Create the mount point.  */
	  int err = firmlink (abs_source, entry, new_entry);

	  /* It used to be that only directories could be bind-mounted.  Thus,
	     keep going if we fail to bind-mount a non-directory entry.
	     That's OK because regular files in the root file system are
	     usually uninteresting.  */
	  if (err != 0 && entry->d_type != DT_DIR)
	    assert_perror (errno);

	  free (new_entry);
	  free (abs_source);
	}
    }

  closedir (stream);
}

/* Write the user/group ID map for PID to FILE, mapping ID to itself.  See
   user_namespaces(7).  */
static void
write_id_map (pid_t pid, const char *file, int id)
{
  char id_map_file[100];
  snprintf (id_map_file, sizeof id_map_file, "/proc/%d/%s", pid, file);

  char id_map[100];

  /* Map root and the current user.  */
  int len = snprintf (id_map, sizeof id_map, "%d %d 1\n", id, id);
  int fd = open (id_map_file, O_WRONLY);
  if (fd < 0)
    assert_perror (errno);

  int n = write (fd, id_map, len);
  if (n < 0)
    assert_perror (errno);

  close (fd);
}

/* Disallow setgroups(2) for PID.  */
static void
disallow_setgroups (pid_t pid)
{
  char file[100];

  snprintf (file, sizeof file, "/proc/%d/setgroups", pid);

  int fd = open (file, O_WRONLY);
  if (fd < 0)
    assert_perror (errno);

  int err = write (fd, "deny", 5);
  if (err < 0)
    assert_perror (errno);

  close (fd);
}

/* Run the wrapper program in a separate mount user namespace.  Return only
   upon failure.  */
static void
exec_in_user_namespace (const char *store, int argc, char *argv[])
{
  /* Spawn @WRAPPED_PROGRAM@ in a separate namespace where STORE is
     bind-mounted in the right place.  */
  int err, is_tmpfs;
  char *new_root = mkdtemp (strdup ("/tmp/guix-exec-XXXXXX"));
  char *new_store = concat (new_root, original_store);
  char *cwd = get_current_dir_name ();

  /* Become the new parent of grand-children when their parent dies.  */
  prctl (PR_SET_CHILD_SUBREAPER, 1);

  /* Optionally, make NEW_ROOT a tmpfs.  That way, if we have to leave it
     behind because there are sub-processes still running when this wrapper
     exits, it's OK.  */
  err = mount ("none", new_root, "tmpfs", 0, NULL);
  is_tmpfs = (err == 0);

  /* Create a child with separate namespaces and set up bind-mounts from
     there.  That way, bind-mounts automatically disappear when the child
     exits, which simplifies cleanup for the parent.  Note: clone is more
     convenient than fork + unshare since the parent can directly write
     the child uid_map/gid_map files.  */
  pid_t child = syscall (SYS_clone, SIGCHLD | CLONE_NEWNS | CLONE_NEWUSER,
			 NULL, NULL, NULL);
  switch (child)
    {
    case 0:
      /* Note: Due to <https://bugzilla.kernel.org/show_bug.cgi?id=183461>
	 we cannot make NEW_ROOT a tmpfs (which would have saved the need
	 for 'rm_rf'.)  */
      mirror_directory ("/", new_root, bind_mount);
      mkdir_p (new_store);
      err = mount (store, new_store, "none", MS_BIND | MS_REC | MS_RDONLY,
		   NULL);
      if (err < 0)
	assert_perror (errno);

      chdir (new_root);
      err = chroot (new_root);
      if (err < 0)
	assert_perror (errno);

      /* Change back to where we were before chroot'ing.  */
      chdir (cwd);

      int err = execv ("@WRAPPED_PROGRAM@", argv);
      if (err < 0)
	assert_perror (errno);
      break;

    case -1:
      /* Failure: user namespaces not supported.  */
      fprintf (stderr, "%s: error: 'clone' failed: %m\n", argv[0]);
      rm_rf (new_root);
      free (new_root);
      break;

    default:
      {
	/* Map the current user/group ID in the child's namespace (the
	   default is to get the "overflow UID", i.e., the UID of
	   "nobody").  We must first disallow 'setgroups' for that
	   process.  */
	disallow_setgroups (child);
	write_id_map (child, "uid_map", getuid ());
	write_id_map (child, "gid_map", getgid ());

	int status, status_other;
	waitpid (child, &status, 0);

	chdir ("/");				  /* avoid EBUSY */
	if (is_tmpfs)
	  {
	    /* NEW_ROOT lives on in child processes and we no longer need it
	       to exist as an empty directory in the global namespace.  */
	    umount (new_root);
	    rmdir (new_root);
	  }
	/* Check whether there are child processes left.  If there are none,
	   we can remove NEW_ROOT just fine.  Conversely, if there are
	   processes left (for example because this wrapper's child forked),
	   we have to leave NEW_ROOT behind so that those processes can still
	   access their root file system (XXX).  */
	else if (waitpid (-1 , &status_other, WNOHANG) == -1)
	  rm_rf (new_root);

	free (new_root);

	if (WIFEXITED (status))
	  exit (WEXITSTATUS (status));
	else
	  /* Abnormal termination cannot really be reproduced, so exit
	     with 255.  */
	  exit (255);
      }
    }
}


#ifdef PROOT_PROGRAM

/* Execute the wrapped program with PRoot, passing it ARGC and ARGV, and
   "bind-mounting" STORE in the right place.  */
static void
exec_with_proot (const char *store, int argc, char *argv[])
{
  int proot_specific_argc = 4;
  int proot_argc = argc + proot_specific_argc;
  char *proot_argv[proot_argc + 1], *proot;
  char bind_spec[strlen (store) + 1 + sizeof original_store];

  strcpy (bind_spec, store);
  strcat (bind_spec, ":");
  strcat (bind_spec, original_store);

  proot = concat (store, PROOT_PROGRAM);

  proot_argv[0] = proot;
  proot_argv[1] = "-b";
  proot_argv[2] = bind_spec;
  proot_argv[3] = "@WRAPPED_PROGRAM@";

  for (int i = 0; i < argc; i++)
    proot_argv[i + proot_specific_argc] = argv[i + 1];

  proot_argv[proot_argc] = NULL;

  /* Seccomp support seems to invariably lead to segfaults; disable it by
     default.  */
  setenv ("PROOT_NO_SECCOMP", "1", 0);

  int err = execv (proot, proot_argv);
  if (err < 0)
    assert_perror (errno);
}

#endif


#if HAVE_EXEC_WITH_LOADER

/* Traverse PATH, a NULL-terminated string array, and return a colon-separated
   search path where each item of PATH has been relocated to STORE.  The
   result is malloc'd.  */
static char *
relocated_search_path (const char *path[], const char *store)
{
  char *new_path;
  size_t size = 0;

  for (size_t i = 0; path[i] != NULL; i++)
    size += strlen (store) + strlen (path[i]) + 1;  /* upper bound */

  new_path = xmalloc (size + 1);
  new_path[0] = '\0';

  for (size_t i = 0; path[i] != NULL; i++)
    {
      if (strncmp (path[i], original_store,
		   sizeof original_store - 1) == 0)
	{
	  strcat (new_path, store);
	  strcat (new_path, path[i] + sizeof original_store - 1);
	}
      else
	strcat (new_path, path[i]);	  /* possibly $ORIGIN */

      strcat (new_path, ":");
    }

  new_path[strlen (new_path) - 1] = '\0'; /* Remove trailing colon.  */

  return new_path;
}

/* Concatenate PATH1 and PATH2 with a colon in between.  The result is
   potentially malloc'd.  */
static char *
concat_paths (const char *path1, const char *path2)
{
  if (path1[0] == '\0')
    return (char *) path2;
  else
    {
      char *result = xmalloc (strlen (path1) + strlen (path2) + 2);
      strcpy (result, path1);
      strcat (result, ":");
      strcat (result, path2);
      return result;
    }
}

/* Execute the wrapped program by invoking the loader (ld.so) directly,
   passing it the audit module and preloading libfakechroot.so.  */
static void
exec_with_loader (const char *store, int argc, char *argv[])
{
  static const char *audit_library_path[] = LOADER_AUDIT_RUNPATH;
  char *loader = concat (store,
			 PROGRAM_INTERPRETER + sizeof original_store);
  size_t loader_specific_argc = 8;
  size_t loader_argc = argc + loader_specific_argc;
  char *loader_argv[loader_argc + 1];
  loader_argv[0] = argv[0];
  loader_argv[1] = "--audit";
  loader_argv[2] = concat (store,
			   LOADER_AUDIT_MODULE + sizeof original_store);

  /* The audit module depends on libc.so and libgcc_s.so so honor
     AUDIT_LIBRARY_PATH.  Additionally, honor $LD_LIBRARY_PATH if set.  */
  loader_argv[3] = "--library-path";
  loader_argv[4] =
    concat_paths (getenv ("LD_LIBRARY_PATH") ?: "",
		  relocated_search_path (audit_library_path, store));

  loader_argv[5] = "--preload";
  loader_argv[6] = concat (store,
			   FAKECHROOT_LIBRARY + sizeof original_store);
  loader_argv[7] = concat (store,
			   "@WRAPPED_PROGRAM@" + sizeof original_store);

  for (size_t i = 0; i < argc; i++)
    loader_argv[i + loader_specific_argc] = argv[i + 1];

  loader_argv[loader_argc] = NULL;

  /* Set up the root directory.  */
  int err;
  char *new_root = mkdtemp (strdup ("/tmp/guix-exec-XXXXXX"));
  mirror_directory ("/", new_root, make_symlink);

  /* 'mirror_directory' created a symlink for the ancestor of ORIGINAL_STORE,
     typically "/gnu".  Remove that entry so we can create NEW_STORE
     below.  */
  const char *slash = strchr (original_store + 1, '/');
  const char *top = slash != NULL
    ? strndupa (original_store, slash - original_store)
    : original_store;
  char *new_store_top = concat (new_root, top);
  unlink (new_store_top);

  /* Now create the store under NEW_ROOT.  */
  char *new_store = concat (new_root, original_store);
  char *new_store_parent = dirname (strdup (new_store));
  mkdir_p (new_store_parent);
  err = symlink (store, new_store);
  if (err < 0)
    assert_perror (errno);

#ifdef GCONV_DIRECTORY
  /* Tell libc where to find its gconv modules.  This is necessary because
     gconv uses non-interposable 'open' calls.  */
  char *gconv_path = concat (store,
			     GCONV_DIRECTORY + sizeof original_store);
  setenv ("GCONV_PATH", gconv_path, 1);
  free (gconv_path);
#endif

  setenv ("FAKECHROOT_BASE", new_root, 1);

  /* Become the new parent of grand-children when their parent dies.  */
  prctl (PR_SET_CHILD_SUBREAPER, 1);

  pid_t child = fork ();
  switch (child)
    {
    case 0:
      err = execv (loader, loader_argv);
      if (err < 0)
	assert_perror (errno);
      exit (EXIT_FAILURE);
      break;

    case -1:
      assert_perror (errno);
      exit (EXIT_FAILURE);
      break;

    default:
      {
  	int status, status_other;
	waitpid (child, &status, 0);

	/* If there are child processes still running, leave NEW_ROOT around
	   so they can still access it.  XXX: In that case NEW_ROOT is left
	   behind.  */
	if (waitpid (-1 , &status_other, WNOHANG) == -1)
	  {
	    chdir ("/");			  /* avoid EBUSY */
	    rm_rf (new_root);
	  }

	free (new_root);
	close (2);			/* flushing stderr should be silent */

	if (WIFEXITED (status))
	  exit (WEXITSTATUS (status));
	else
	  /* Abnormal termination cannot really be reproduced, so exit
	     with 255.  */
	  exit (255);
      }
    }
}

#endif


/* Execution engines.  */

struct engine
{
  const char *name;
  void (* exec) (const char *, int, char **);
};

static void
buffer_stderr (void)
{
  static char stderr_buffer[4096];
  setvbuf (stderr, stderr_buffer, _IOFBF, sizeof stderr_buffer);
}

/* The default engine: choose a robust method.  */
static void
exec_default (const char *store, int argc, char *argv[])
{
  /* Buffer stderr so that nothing's displayed if 'exec_in_user_namespace'
     fails but 'exec_with_proot' works.  */
  buffer_stderr ();

  exec_in_user_namespace (store, argc, argv);
#ifdef PROOT_PROGRAM
  exec_with_proot (store, argc, argv);
#endif
}

/* The "performance" engine: choose performance over robustness.  */
static void
exec_performance (const char *store, int argc, char *argv[])
{
  buffer_stderr ();

  exec_in_user_namespace (store, argc, argv);
#if HAVE_EXEC_WITH_LOADER
  exec_with_loader (store, argc, argv);
#endif
}

/* List of supported engines.  */
static const struct engine engines[] =
  {
   { "default", exec_default },
   { "performance", exec_performance },
   { "userns", exec_in_user_namespace },
#ifdef PROOT_PROGRAM
   { "proot", exec_with_proot },
#endif
#if HAVE_EXEC_WITH_LOADER
   { "fakechroot", exec_with_loader },
#endif
   { NULL, NULL }
  };

/* Return the "execution engine" to use.  */
static const struct engine *
execution_engine (void)
{
  const char *str = getenv ("GUIX_EXECUTION_ENGINE");

  if (str == NULL)
    str = "default";

 try:
  for (const struct engine *engine = engines;
       engine->name != NULL;
       engine++)
    {
      if (strcmp (engine->name, str) == 0)
	return engine;
    }

  fprintf (stderr, "%s: unsupported Guix execution engine; ignoring\n",
	   str);
  str = "default";
  goto try;
}


int
main (int argc, char *argv[])
{
  ssize_t size;
  char self[PATH_MAX];
  size = readlink ("/proc/self/exe", self, sizeof self - 1);
  assert (size > 0);
  self[size] = '\0';

  /* SELF is something like "/home/ludo/.local/gnu/store/…-foo/bin/ls" and we
     want to extract "/home/ludo/.local/gnu/store".  */
  size_t index = strlen (self)
    - strlen (WRAPPER_PROGRAM) + strlen (original_store);
  char *store = strdup (self);
  store[index] = '\0';

  struct stat statbuf;

  /* If STORE is already at the "right" place, we can execute
     @WRAPPED_PROGRAM@ right away.  This is not just an optimization: it's
     needed when running one of these wrappers from within an unshare'd
     namespace, because 'unshare' fails with EPERM in that context.  */
  if (strcmp (store, original_store) != 0
      && lstat ("@WRAPPED_PROGRAM@", &statbuf) != 0)
    {
      const struct engine *engine = execution_engine ();
      engine->exec (store, argc, argv);

      /* If we reach this point, that's because ENGINE failed to do the
	 job.  */
      fprintf (stderr, "\
This may be because \"user namespaces\" are not supported on this system.\n\
Consequently, we cannot run '@WRAPPED_PROGRAM@',\n\
unless you move it to the '@STORE_DIRECTORY@' directory.\n\
\n\
Please refer to the 'guix pack' documentation for more information.\n");
      return EXIT_FAILURE;
    }

  /* The executable is available under @STORE_DIRECTORY@, so we can now
     execute it.  */
  int err = execv ("@WRAPPED_PROGRAM@", argv);
  if (err < 0)
    assert_perror (errno);

  return EXIT_FAILURE;
}