Redirect fopen("/dev/urandom") so that NSS can properly seed it's RNG.

content/browser/zygote_main_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/zygote_host_impl_linux.h"
 
 #include <dlfcn.h>
 #include <fcntl.h>
 #include <pthread.h>
+#include <stdio.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 
 #include "base/basictypes.h"
 #include "base/command_line.h"
 #include "base/eintr_wrapper.h"
 #include "base/file_path.h"
 #include "base/file_util.h"
 #include "base/global_descriptors_posix.h"
 #include "base/hash_tables.h"
 #include "base/linux_util.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/pickle.h"
 #include "base/process_util.h"
 #include "base/rand_util.h"
+#include "base/rand_util_c.h"
 #include "base/sys_info.h"
 #include "build/build_config.h"
 #include "crypto/nss_util.h"
 #include "content/common/chrome_descriptors.h"
 #include "content/common/font_config_ipc_linux.h"
 #include "content/common/pepper_plugin_registry.h"
 #include "content/common/sandbox_methods_linux.h"
 #include "content/common/seccomp_sandbox.h"
 #include "content/common/set_process_title.h"
 #include "content/common/unix_domain_socket_posix.h"
@@ skipping 587 matching lines @@
 // Our first attempt involved some assembly to patch the GOT of the current
 // module. This worked, but was platform specific and doesn't catch the case
 // where a library makes a call rather than current module.
 //
 // We also considered patching the function in place, but this would again by
 // platform specific and the above technique seems to work well enough.
 
 typedef struct tm* (*LocaltimeFunction)(const time_t* timep);
 typedef struct tm* (*LocaltimeRFunction)(const time_t* timep,
                                          struct tm* result);
+typedef FILE* (*FopenFunction)(const char* path, const char* mode);
 
 static pthread_once_t g_libc_localtime_funcs_guard = PTHREAD_ONCE_INIT;
 static LocaltimeFunction g_libc_localtime;
 static LocaltimeRFunction g_libc_localtime_r;
 
+static pthread_once_t g_libc_fopen_funcs_guard = PTHREAD_ONCE_INIT;
+static FopenFunction g_libc_fopen;
+static FopenFunction g_libc_fopen64;
+
 static void InitLibcLocaltimeFunctions() {
   g_libc_localtime = reinterpret_cast<LocaltimeFunction>(
                          dlsym(RTLD_NEXT, "localtime"));
   g_libc_localtime_r = reinterpret_cast<LocaltimeRFunction>(
                          dlsym(RTLD_NEXT, "localtime_r"));
 
   if (!g_libc_localtime || !g_libc_localtime_r) {
     // http://code.google.com/p/chromium/issues/detail?id=16800
     //
     // Nvidia's libGL.so overrides dlsym for an unknown reason and replaces
@@ skipping 29 matching lines @@
   if (g_am_zygote_or_renderer) {
     ProxyLocaltimeCallToBrowser(*timep, result, NULL, 0);
     return result;
   } else {
     CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
                              InitLibcLocaltimeFunctions));
     return g_libc_localtime_r(timep, result);
   }
 }
 
+static void InitLibcFopenFunctions() {
+  g_libc_fopen = reinterpret_cast<FopenFunction>(
+                         dlsym(RTLD_NEXT, "fopen"));
+  g_libc_fopen64 = reinterpret_cast<FopenFunction>(
+                         dlsym(RTLD_NEXT, "fopen64"));
+
+  if (!g_libc_fopen || !g_libc_fopen64) {
+    LOG(ERROR) << "Failed to get fopen() from glibc.";
+  }
+}
+
+__attribute__ ((__visibility__("default")))
+FILE* fopen(const char* path, const char* mode)  __asm__ ("fopen");
+FILE* fopen(const char* path, const char* mode) {
+  if (g_am_zygote_or_renderer && strcmp(path, "/dev/urandom") == 0) {

[Ben Chan, 2012/04/10 02:17:15]

static const char kDevUrandomFile[] = "/dev/urandom";

strncmp(path, kDevUrandomFile, sizeof(kDevUrandomFile)) == 0

[Sergey Ulanov, 2012/04/10 03:02:53]

How would that be better than strcmp()? It would also match /dev/urandom0, etc.
Is that what we want?

[Ben Chan, 2012/04/10 03:24:41]

strcmp should be fine. But I think it's still good to define kDevUrandomFile[],
probably exposed from URandomFD.

[Sergey Ulanov, 2012/04/10 06:03:38]

Done.

+    int fd = dup(GetUrandomFD());
+    if (fd < 0) {
+      LOG(ERROR) << "dup() failed.";
+      return NULL;
+    }
+    return fdopen(fd, mode);
+  } else {
+    CHECK_EQ(0, pthread_once(&g_libc_fopen_funcs_guard,
+                             InitLibcFopenFunctions));
+    return g_libc_fopen(path, mode);
+  }
+}
+
+__attribute__ ((__visibility__("default")))
+FILE* fopen64(const char* path, const char* mode) {
+  if (g_am_zygote_or_renderer && strcmp(path, "/dev/urandom") == 0) {
+    int fd = dup(GetUrandomFD());
+    if (fd < 0) {
+      PLOG(ERROR) << "dup() failed.";
+      return NULL;
+    }
+     return fdopen(fd, mode);

[Ben Chan, 2012/04/10 02:17:15]

indentation

[Sergey Ulanov, 2012/04/10 03:02:53]

Done.

+  } else {
+    CHECK_EQ(0, pthread_once(&g_libc_fopen_funcs_guard,
+                             InitLibcFopenFunctions));
+    return g_libc_fopen64(path, mode);
+  }
+}
+
 #endif  // !CHROMIUM_SELINUX
 
 // This function triggers the static and lazy construction of objects that need
 // to be created before imposing the sandbox.
 static void PreSandboxInit() {
   base::RandUint64();
 
   base::SysInfo::MaxSharedMemorySize();
 
   // ICU DateFormat class (used in base/time_format.cc) needs to get the
@@ skipping 174 matching lines @@
       VLOG(1) << "Enabling experimental Seccomp sandbox.";
       sandbox_flags |= ZygoteHostImpl::kSandboxSeccomp;
     }
   }
 #endif  // SECCOMP_SANDBOX
 
   Zygote zygote(sandbox_flags, forkdelegate);
   // This function call can return multiple times, once per fork().
   return zygote.ProcessRequests();
 }