Share the zygote's fopen overrides with nacl_helper.

content/zygote/zygote_libc_override_linux.cc

+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <dlfcn.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <sys/stat.h>
+
+#include "base/eintr_wrapper.h"
+#include "base/logging.h"
+#include "base/rand_util.h"
+
+// Note: this file is used by the zygote and nacl_helper.
+
+namespace content {
+
+// With SELinux we can carve out a precise sandbox, so we don't have to play
+// with intercepting libc calls.
+#if !defined(CHROMIUM_SELINUX)
+
+bool g_am_zygote_or_renderer = false;
+
+// TODO(sergeyu): Currently this code doesn't work properly under ASAN
+// - it crashes content_unittests. Make sure it works properly and
+// enable it here. http://crbug.com/123263
+#if !defined(ADDRESS_SANITIZER)
+
+static const char kUrandomDevPath[] = "/dev/urandom";
+
+// Sandbox interception of libc calls.
+//
+// Because we are running in a sandbox certain libc calls will fail (localtime
+// being the motivating example - it needs to read /etc/localtime). We need to

[Sergey Ulanov, 2012/07/10 22:42:04]

this comment is about localtime(), so it should be kept in zygote_main_linux.cc

[Nick Bray (chromium), 2012/07/11 00:06:11]

Done.

+// intercept these calls and proxy them to the browser. However, these calls
+// may come from us or from our libraries. In some cases we can't just change
+// our code.
+//
+// It's for these cases that we have the following setup:
+//
+// We define global functions for those functions which we wish to override.
+// Since we will be first in the dynamic resolution order, the dynamic linker
+// will point callers to our versions of these functions. However, we have the
+// same binary for both the browser and the renderers, which means that our
+// overrides will apply in the browser too.
+//
+// The global |g_am_zygote_or_renderer| is true iff we are in a zygote or
+// renderer process. It's set in ZygoteMain and inherited by the renderers when
+// they fork. (This means that it'll be incorrect for global constructor
+// functions and before ZygoteMain is called - beware).
+//
+// Our replacement functions can check this global and either proxy
+// the call to the browser over the sandbox IPC
+// (http://code.google.com/p/chromium/wiki/LinuxSandboxIPC) or they can use
+// dlsym with RTLD_NEXT to resolve the symbol, ignoring any symbols in the
+// current module.
+//
+// Other avenues:
+//
+// Our first attempt involved some assembly to patch the GOT of the current
+// module. This worked, but was platform specific and doesn't catch the case
+// where a library makes a call rather than current module.
+//
+// We also considered patching the function in place, but this would again by
+// platform specific and the above technique seems to work well enough.
+
+typedef FILE* (*FopenFunction)(const char* path, const char* mode);
+typedef int (*XstatFunction)(int version, const char *path, struct stat *buf);
+typedef int (*Xstat64Function)(int version, const char *path,
+                               struct stat64 *buf);
+
+static pthread_once_t g_libc_file_io_funcs_guard = PTHREAD_ONCE_INIT;
+static FopenFunction g_libc_fopen;
+static FopenFunction g_libc_fopen64;
+static XstatFunction g_libc_xstat;
+static Xstat64Function g_libc_xstat64;
+
+static void InitLibcFileIOFunctions() {
+  g_libc_fopen = reinterpret_cast<FopenFunction>(
+      dlsym(RTLD_NEXT, "fopen"));
+  g_libc_fopen64 = reinterpret_cast<FopenFunction>(
+      dlsym(RTLD_NEXT, "fopen64"));
+
+  if (!g_libc_fopen) {
+    LOG(FATAL) << "Failed to get fopen() from libc.";
+  } else if (!g_libc_fopen64) {
+#if !defined(OS_OPENBSD) && !defined(OS_FREEBSD)
+    LOG(WARNING) << "Failed to get fopen64() from libc. Using fopen() instead.";
+#endif  // !defined(OS_OPENBSD) && !defined(OS_FREEBSD)
+    g_libc_fopen64 = g_libc_fopen;
+  }
+
+  // TODO(sergeyu): This works only on systems with glibc. Fix it to
+  // work properly on other systems if necessary.
+  g_libc_xstat = reinterpret_cast<XstatFunction>(
+      dlsym(RTLD_NEXT, "__xstat"));
+  g_libc_xstat64 = reinterpret_cast<Xstat64Function>(
+      dlsym(RTLD_NEXT, "__xstat64"));
+
+  if (!g_libc_xstat) {
+    LOG(FATAL) << "Failed to get __xstat() from libc.";
+  }
+  if (!g_libc_xstat64) {
+    LOG(WARNING) << "Failed to get __xstat64() from libc.";
+  }
+}
+
+// fopen() and fopen64() are intercepted here so that NSS can open
+// /dev/urandom to seed its random number generator. NSS is used by
+// remoting in the sendbox.
+
+// fopen() call may be redirected to fopen64() in stdio.h using
+// __REDIRECT(), which sets asm name for fopen() to "fopen64". This
+// means that we cannot override fopen() directly here. Instead the
+// the code below defines fopen_override() function with asm name
+// "fopen", so that all references to fopen() will resolve to this
+// function.
+__attribute__ ((__visibility__("default")))
+FILE* fopen_override(const char* path, const char* mode)  __asm__ ("fopen");
+
+__attribute__ ((__visibility__("default")))
+FILE* fopen_override(const char* path, const char* mode) {
+  if (g_am_zygote_or_renderer && strcmp(path, kUrandomDevPath) == 0) {
+    int fd = HANDLE_EINTR(dup(base::GetUrandomFD()));
+    if (fd < 0) {
+      PLOG(ERROR) << "dup() failed.";
+      return NULL;
+    }
+    return fdopen(fd, mode);
+  } else {
+    CHECK_EQ(0, pthread_once(&g_libc_file_io_funcs_guard,
+                             InitLibcFileIOFunctions));
+    return g_libc_fopen(path, mode);
+  }
+}
+
+__attribute__ ((__visibility__("default")))
+FILE* fopen64(const char* path, const char* mode) {
+  if (g_am_zygote_or_renderer && strcmp(path, kUrandomDevPath) == 0) {
+    int fd = HANDLE_EINTR(dup(base::GetUrandomFD()));
+    if (fd < 0) {
+      PLOG(ERROR) << "dup() failed.";
+      return NULL;
+    }
+    return fdopen(fd, mode);
+  } else {
+    CHECK_EQ(0, pthread_once(&g_libc_file_io_funcs_guard,
+                             InitLibcFileIOFunctions));
+    return g_libc_fopen64(path, mode);
+  }
+}
+
+// stat() is subject to the same problem as fopen(), so we have to use
+// the same trick to override it.
+__attribute__ ((__visibility__("default")))
+int xstat_override(int version,
+                   const char *path,
+                   struct stat *buf)  __asm__ ("__xstat");
+
+__attribute__ ((__visibility__("default")))
+int xstat_override(int version, const char *path, struct stat *buf) {
+  if (g_am_zygote_or_renderer && strcmp(path, kUrandomDevPath) == 0) {
+    int result = __fxstat(version, base::GetUrandomFD(), buf);
+    return result;
+  } else {
+    CHECK_EQ(0, pthread_once(&g_libc_file_io_funcs_guard,
+                             InitLibcFileIOFunctions));
+    return g_libc_xstat(version, path, buf);
+  }
+}
+
+__attribute__ ((__visibility__("default")))
+int xstat64_override(int version,
+                     const char *path,
+                     struct stat64 *buf)  __asm__ ("__xstat64");
+
+__attribute__ ((__visibility__("default")))
+int xstat64_override(int version, const char *path, struct stat64 *buf) {
+  if (g_am_zygote_or_renderer && strcmp(path, kUrandomDevPath) == 0) {
+    int result = __fxstat64(version, base::GetUrandomFD(), buf);
+    return result;
+  } else {
+    CHECK_EQ(0, pthread_once(&g_libc_file_io_funcs_guard,
+                             InitLibcFileIOFunctions));
+    CHECK(g_libc_xstat64);
+    return g_libc_xstat64(version, path, buf);
+  }
+}
+
+#endif  // !ADDRESS_SANITIZER
+
+#endif  // !CHROMIUM_SELINUX
+
+}  // namespace content