| OLD | NEW |
|---|
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox_impl.h" | 5 #include "sandbox_impl.h" |
| 6 | 6 |
| 7 #include "library.h" | 7 #include "library.h" |
| 8 #include "syscall_entrypoint.h" | 8 #include "syscall_entrypoint.h" |
| 9 #include "system_call_table.h" | 9 #include "system_call_table.h" |
| 10 | 10 |
| 11 namespace playground { | 11 namespace playground { |
| 12 | 12 |
| 13 // Global variables | 13 // Global variables |
| 14 int Sandbox::proc_self_ = -1; | 14 int Sandbox::proc_ = -1; |
| 15 int Sandbox::proc_self_maps_ = -1; | 15 int Sandbox::proc_self_maps_ = -1; |
| 16 enum Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN; | 16 enum Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN; |
| 17 int Sandbox::pid_; | 17 int Sandbox::pid_; |
| 18 int Sandbox::processFdPub_; | 18 int Sandbox::processFdPub_; |
| 19 int Sandbox::cloneFdPub_ | 19 int Sandbox::cloneFdPub_ |
| 20 // This is necessary to locate the symbol from assembly code on | 20 // This is necessary to locate the symbol from assembly code on |
| 21 // x86-64 (with %rip-relative addressing) in order for this to work | 21 // x86-64 (with %rip-relative addressing) in order for this to work |
| 22 // in relocatable code (a .so or a PIE). On i386 this is not | 22 // in relocatable code (a .so or a PIE). On i386 this is not |
| 23 // necessary but it does not hurt. | 23 // necessary but it does not hurt. |
| 24 __attribute__((visibility("internal"))); | 24 __attribute__((visibility("internal"))); |
| (...skipping 162 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 187 !sendFd(processFd, proc_self_maps, -1, NULL, 0)) { | 187 !sendFd(processFd, proc_self_maps, -1, NULL, 0)) { |
| 188 failure: | 188 failure: |
| 189 die("Cannot access /proc/self/maps"); | 189 die("Cannot access /proc/self/maps"); |
| 190 } | 190 } |
| 191 int dummy; | 191 int dummy; |
| 192 if (read(sys, processFd, &dummy, sizeof(dummy)) != sizeof(dummy)) { | 192 if (read(sys, processFd, &dummy, sizeof(dummy)) != sizeof(dummy)) { |
| 193 goto failure; | 193 goto failure; |
| 194 } | 194 } |
| 195 } | 195 } |
| 196 | 196 |
| 197 int Sandbox::supportsSeccompSandbox(int proc_self) { | 197 int Sandbox::supportsSeccompSandbox(int proc) { |
| 198 if (status_ != STATUS_UNKNOWN) { | 198 if (status_ != STATUS_UNKNOWN) { |
| 199 return status_ != STATUS_UNSUPPORTED; | 199 return status_ != STATUS_UNSUPPORTED; |
| 200 } | 200 } |
| 201 int fds[2]; | 201 int fds[2]; |
| 202 SysCalls sys; | 202 SysCalls sys; |
| 203 if (sys.pipe(fds)) { | 203 if (sys.pipe(fds)) { |
| 204 status_ = STATUS_UNSUPPORTED; | 204 status_ = STATUS_UNSUPPORTED; |
| 205 return 0; | 205 return 0; |
| 206 } | 206 } |
| 207 pid_t pid; | 207 pid_t pid; |
| 208 switch ((pid = sys.fork())) { | 208 switch ((pid = sys.fork())) { |
| 209 case -1: | 209 case -1: |
| 210 status_ = STATUS_UNSUPPORTED; | 210 status_ = STATUS_UNSUPPORTED; |
| 211 return 0; | 211 return 0; |
| 212 case 0: { | 212 case 0: { |
| 213 int devnull = sys.open("/dev/null", O_RDWR, 0); | 213 int devnull = sys.open("/dev/null", O_RDWR, 0); |
| 214 if (devnull >= 0) { | 214 if (devnull >= 0) { |
| 215 sys.dup2(devnull, 0); | 215 sys.dup2(devnull, 0); |
| 216 sys.dup2(devnull, 1); | 216 sys.dup2(devnull, 1); |
| 217 sys.dup2(devnull, 2); | 217 sys.dup2(devnull, 2); |
| 218 sys.close(devnull); | 218 sys.close(devnull); |
| 219 } | 219 } |
| 220 if (proc_self >= 0) { | 220 if (proc >= 0) { |
| 221 setProcSelf(sys.dup(proc_self)); | 221 setProcFd(sys.dup(proc)); |
| 222 } | 222 } |
| 223 startSandbox(); | 223 startSandbox(); |
| 224 write(sys, fds[1], "", 1); | 224 write(sys, fds[1], "", 1); |
| 225 | 225 |
| 226 // Try to tell the trusted thread to shut down the entire process in an | 226 // Try to tell the trusted thread to shut down the entire process in an |
| 227 // orderly fashion | 227 // orderly fashion |
| 228 defaultSystemCallHandler(__NR_exit_group, 0, 0, 0, 0, 0, 0); | 228 defaultSystemCallHandler(__NR_exit_group, 0, 0, 0, 0, 0, 0); |
| 229 | 229 |
| 230 // If that did not work (e.g. because the kernel does not know about the | 230 // If that did not work (e.g. because the kernel does not know about the |
| 231 // exit_group() system call), make a direct _exit() system call instead. | 231 // exit_group() system call), make a direct _exit() system call instead. |
| (...skipping 12 matching lines...) Expand all Loading... |
| 244 } else { | 244 } else { |
| 245 status_ = STATUS_AVAILABLE; | 245 status_ = STATUS_AVAILABLE; |
| 246 } | 246 } |
| 247 int rc; | 247 int rc; |
| 248 (void)NOINTR_SYS(sys.waitpid(pid, &rc, 0)); | 248 (void)NOINTR_SYS(sys.waitpid(pid, &rc, 0)); |
| 249 (void)NOINTR_SYS(sys.close(fds[0])); | 249 (void)NOINTR_SYS(sys.close(fds[0])); |
| 250 return status_ != STATUS_UNSUPPORTED; | 250 return status_ != STATUS_UNSUPPORTED; |
| 251 } | 251 } |
| 252 } | 252 } |
| 253 | 253 |
| 254 void Sandbox::setProcSelf(int proc_self) { | 254 void Sandbox::setProcFd(int proc) { |
| 255 proc_self_ = proc_self; | 255 proc_ = proc; |
| 256 } | 256 } |
| 257 | 257 |
| 258 void Sandbox::startSandbox() { | 258 void Sandbox::startSandbox() { |
| 259 if (status_ == STATUS_UNSUPPORTED) { | 259 if (status_ == STATUS_UNSUPPORTED) { |
| 260 die("The seccomp sandbox is not supported on this computer"); | 260 die("The seccomp sandbox is not supported on this computer"); |
| 261 } else if (status_ == STATUS_ENABLED) { | 261 } else if (status_ == STATUS_ENABLED) { |
| 262 return; | 262 return; |
| 263 } | 263 } |
| 264 | 264 |
| 265 SysCalls sys; | 265 SysCalls sys; |
| 266 if (proc_self_ >= 0) { | 266 if (proc_ >= 0) { |
| 267 proc_self_maps_ = sys.openat(proc_self_, "maps", O_RDONLY, 0); | 267 proc_self_maps_ = sys.openat(proc_, "self/maps", O_RDONLY, 0); |
| 268 if (NOINTR_SYS(sys.close(proc_self_))) { | 268 if (NOINTR_SYS(sys.close(proc_))) { |
| 269 die("Failed to close proc_self_"); | 269 die("Failed to close file descriptor pointing to /proc"); |
| 270 } | 270 } |
| 271 proc_self_ = -1; | 271 proc_ = -1; |
| 272 } | 272 } |
| 273 if (proc_self_maps_ < 0) { | 273 if (proc_self_maps_ < 0) { |
| 274 proc_self_maps_ = sys.open("/proc/self/maps", O_RDONLY, 0); | 274 proc_self_maps_ = sys.open("/proc/self/maps", O_RDONLY, 0); |
| 275 if (proc_self_maps_ < 0) { | 275 if (proc_self_maps_ < 0) { |
| 276 die("Cannot access \"/proc/self/maps\""); | 276 die("Cannot access \"/proc/self/maps\""); |
| 277 } | 277 } |
| 278 } | 278 } |
| 279 | 279 |
| 280 // The pid is unchanged for the entire program, so we can retrieve it once | 280 // The pid is unchanged for the entire program, so we can retrieve it once |
| 281 // and store it in a global variable. | 281 // and store it in a global variable. |
| (...skipping 104 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 386 } entrypoint; | 386 } entrypoint; |
| 387 *entrypoint.get_syscall_entrypoint() = syscallEntryPointNoFrame; | 387 *entrypoint.get_syscall_entrypoint() = syscallEntryPointNoFrame; |
| 388 | 388 |
| 389 // We can no longer check for sandboxing support at this point, but we also | 389 // We can no longer check for sandboxing support at this point, but we also |
| 390 // know for a fact that it is available (as we just turned it on). So update | 390 // know for a fact that it is available (as we just turned it on). So update |
| 391 // the status to reflect this information. | 391 // the status to reflect this information. |
| 392 status_ = STATUS_ENABLED; | 392 status_ = STATUS_ENABLED; |
| 393 } | 393 } |
| 394 | 394 |
| 395 } // namespace | 395 } // namespace |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10389201:
Change the sandbox API to require passing in a copy of /proc instead of (Closed)
Base URL: http://seccompsandbox.googlecode.com/svn/trunk/