Share the zygote's fopen overrides with nacl_helper.

content/zygote/zygote_main_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <dlfcn.h>
 #include <fcntl.h>
 #include <pthread.h>
 #include <stdio.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
@@ skipping 17 matching lines @@
 #include "crypto/nss_util.h"
 #include "content/common/font_config_ipc_linux.h"
 #include "content/common/pepper_plugin_registry.h"
 #include "content/common/sandbox_methods_linux.h"
 #include "content/common/seccomp_sandbox.h"
 #include "content/common/zygote_commands_linux.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/main_function_params.h"
 #include "content/public/common/sandbox_linux.h"
 #include "content/public/common/zygote_fork_delegate_linux.h"
+#include "content/zygote/zygote_libc_override_linux.h"
 #include "content/zygote/zygote_linux.h"
 #include "skia/ext/SkFontHost_fontconfig_control.h"
 #include "unicode/timezone.h"
 
 #if defined(OS_LINUX)
 #include <sys/epoll.h>
 #include <sys/prctl.h>
 #include <sys/signal.h>
 #else
 #include <signal.h>
 #endif
 
 namespace content {
 
 // See http://code.google.com/p/chromium/wiki/LinuxZygote
 
-static const char kUrandomDevPath[] = "/dev/urandom";
-
 // The SUID sandbox sets this environment variable to a file descriptor
 // over which we can signal that we have completed our startup and can be
 // chrooted.
 static const char kSUIDSandboxVar[] = "SBX_D";
 
 // With SELinux we can carve out a precise sandbox, so we don't have to play
 // with intercepting libc calls.
 #if !defined(CHROMIUM_SELINUX)
 
 static void ProxyLocaltimeCallToBrowser(time_t input, struct tm* output,
@@ skipping 27 matching lines @@
   if (timezone_out_len) {
     const size_t copy_len = std::min(timezone_out_len - 1, timezone.size());
     memcpy(timezone_out, timezone.data(), copy_len);
     timezone_out[copy_len] = 0;
     output->tm_zone = timezone_out;
   } else {
     output->tm_zone = NULL;
   }
 }
 
-static bool g_am_zygote_or_renderer = false;
-
 // Sandbox interception of libc calls.
 //
-// Because we are running in a sandbox certain libc calls will fail (localtime
-// being the motivating example - it needs to read /etc/localtime). We need to
-// intercept these calls and proxy them to the browser. However, these calls
-// may come from us or from our libraries. In some cases we can't just change
-// our code.
-//
-// It's for these cases that we have the following setup:
-//
-// We define global functions for those functions which we wish to override.
-// Since we will be first in the dynamic resolution order, the dynamic linker
-// will point callers to our versions of these functions. However, we have the
-// same binary for both the browser and the renderers, which means that our
-// overrides will apply in the browser too.
-//
-// The global |g_am_zygote_or_renderer| is true iff we are in a zygote or
-// renderer process. It's set in ZygoteMain and inherited by the renderers when
-// they fork. (This means that it'll be incorrect for global constructor
-// functions and before ZygoteMain is called - beware).
-//
-// Our replacement functions can check this global and either proxy
-// the call to the browser over the sandbox IPC
-// (http://code.google.com/p/chromium/wiki/LinuxSandboxIPC) or they can use
-// dlsym with RTLD_NEXT to resolve the symbol, ignoring any symbols in the
-// current module.
-//
-// Other avenues:
-//
-// Our first attempt involved some assembly to patch the GOT of the current
-// module. This worked, but was platform specific and doesn't catch the case
-// where a library makes a call rather than current module.
-//
-// We also considered patching the function in place, but this would again by
-// platform specific and the above technique seems to work well enough.
+// See zygote_libc_override_linux.cc for more details.  Interception of
+// localtime is implemented here because it is not shared with nacl_helper.
 
 typedef struct tm* (*LocaltimeFunction)(const time_t* timep);
 typedef struct tm* (*LocaltimeRFunction)(const time_t* timep,
                                          struct tm* result);
-typedef FILE* (*FopenFunction)(const char* path, const char* mode);
-typedef int (*XstatFunction)(int version, const char *path, struct stat *buf);
-typedef int (*Xstat64Function)(int version, const char *path,
-                               struct stat64 *buf);
 
 static pthread_once_t g_libc_localtime_funcs_guard = PTHREAD_ONCE_INIT;
 static LocaltimeFunction g_libc_localtime;
 static LocaltimeFunction g_libc_localtime64;
 static LocaltimeRFunction g_libc_localtime_r;
 static LocaltimeRFunction g_libc_localtime64_r;
 
-// http://crbug.com/123263, see below.
-#if !defined(ADDRESS_SANITIZER)
-static pthread_once_t g_libc_file_io_funcs_guard = PTHREAD_ONCE_INIT;
-static FopenFunction g_libc_fopen;
-static FopenFunction g_libc_fopen64;
-static XstatFunction g_libc_xstat;
-static Xstat64Function g_libc_xstat64;
-#endif
-
 static void InitLibcLocaltimeFunctions() {
   g_libc_localtime = reinterpret_cast<LocaltimeFunction>(
       dlsym(RTLD_NEXT, "localtime"));
   g_libc_localtime64 = reinterpret_cast<LocaltimeFunction>(
       dlsym(RTLD_NEXT, "localtime64"));
   g_libc_localtime_r = reinterpret_cast<LocaltimeRFunction>(
       dlsym(RTLD_NEXT, "localtime_r"));
   g_libc_localtime64_r = reinterpret_cast<LocaltimeRFunction>(
       dlsym(RTLD_NEXT, "localtime64_r"));
 
@@ skipping 85 matching lines @@
   if (g_am_zygote_or_renderer) {
     ProxyLocaltimeCallToBrowser(*timep, result, NULL, 0);
     return result;
   } else {
     CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
                              InitLibcLocaltimeFunctions));
     return g_libc_localtime64_r(timep, result);
   }
 }
 
-// TODO(sergeyu): Currently this code doesn't work properly under ASAN
-// - it crashes content_unittests. Make sure it works properly and
-// enable it here. http://crbug.com/123263
-#if !defined(ADDRESS_SANITIZER)
-
-static void InitLibcFileIOFunctions() {
-  g_libc_fopen = reinterpret_cast<FopenFunction>(
-      dlsym(RTLD_NEXT, "fopen"));
-  g_libc_fopen64 = reinterpret_cast<FopenFunction>(
-      dlsym(RTLD_NEXT, "fopen64"));
-
-  if (!g_libc_fopen) {
-    LOG(FATAL) << "Failed to get fopen() from libc.";
-  } else if (!g_libc_fopen64) {
-#if !defined(OS_OPENBSD) && !defined(OS_FREEBSD)
-    LOG(WARNING) << "Failed to get fopen64() from libc. Using fopen() instead.";
-#endif  // !defined(OS_OPENBSD) && !defined(OS_FREEBSD)
-    g_libc_fopen64 = g_libc_fopen;
-  }
-
-  // TODO(sergeyu): This works only on systems with glibc. Fix it to
-  // work properly on other systems if necessary.
-  g_libc_xstat = reinterpret_cast<XstatFunction>(
-      dlsym(RTLD_NEXT, "__xstat"));
-  g_libc_xstat64 = reinterpret_cast<Xstat64Function>(
-      dlsym(RTLD_NEXT, "__xstat64"));
-
-  if (!g_libc_xstat) {
-    LOG(FATAL) << "Failed to get __xstat() from libc.";
-  }
-  if (!g_libc_xstat64) {
-    LOG(WARNING) << "Failed to get __xstat64() from libc.";
-  }
-}
-
-// fopen() and fopen64() are intercepted here so that NSS can open
-// /dev/urandom to seed its random number generator. NSS is used by
-// remoting in the sendbox.
-
-// fopen() call may be redirected to fopen64() in stdio.h using
-// __REDIRECT(), which sets asm name for fopen() to "fopen64". This
-// means that we cannot override fopen() directly here. Instead the
-// the code below defines fopen_override() function with asm name
-// "fopen", so that all references to fopen() will resolve to this
-// function.
-__attribute__ ((__visibility__("default")))
-FILE* fopen_override(const char* path, const char* mode)  __asm__ ("fopen");
-
-__attribute__ ((__visibility__("default")))
-FILE* fopen_override(const char* path, const char* mode) {
-  if (g_am_zygote_or_renderer && strcmp(path, kUrandomDevPath) == 0) {
-    int fd = HANDLE_EINTR(dup(base::GetUrandomFD()));
-    if (fd < 0) {
-      PLOG(ERROR) << "dup() failed.";
-      return NULL;
-    }
-    return fdopen(fd, mode);
-  } else {
-    CHECK_EQ(0, pthread_once(&g_libc_file_io_funcs_guard,
-                             InitLibcFileIOFunctions));
-    return g_libc_fopen(path, mode);
-  }
-}
-
-__attribute__ ((__visibility__("default")))
-FILE* fopen64(const char* path, const char* mode) {
-  if (g_am_zygote_or_renderer && strcmp(path, kUrandomDevPath) == 0) {
-    int fd = HANDLE_EINTR(dup(base::GetUrandomFD()));
-    if (fd < 0) {
-      PLOG(ERROR) << "dup() failed.";
-      return NULL;
-    }
-    return fdopen(fd, mode);
-  } else {
-    CHECK_EQ(0, pthread_once(&g_libc_file_io_funcs_guard,
-                             InitLibcFileIOFunctions));
-    return g_libc_fopen64(path, mode);
-  }
-}
-
-// stat() is subject to the same problem as fopen(), so we have to use
-// the same trick to override it.
-__attribute__ ((__visibility__("default")))
-int xstat_override(int version,
-                   const char *path,
-                   struct stat *buf)  __asm__ ("__xstat");
-
-__attribute__ ((__visibility__("default")))
-int xstat_override(int version, const char *path, struct stat *buf) {
-  if (g_am_zygote_or_renderer && strcmp(path, kUrandomDevPath) == 0) {
-    int result = __fxstat(version, base::GetUrandomFD(), buf);
-    return result;
-  } else {
-    CHECK_EQ(0, pthread_once(&g_libc_file_io_funcs_guard,
-                             InitLibcFileIOFunctions));
-    return g_libc_xstat(version, path, buf);
-  }
-}
-
-__attribute__ ((__visibility__("default")))
-int xstat64_override(int version,
-                     const char *path,
-                     struct stat64 *buf)  __asm__ ("__xstat64");
-
-__attribute__ ((__visibility__("default")))
-int xstat64_override(int version, const char *path, struct stat64 *buf) {
-  if (g_am_zygote_or_renderer && strcmp(path, kUrandomDevPath) == 0) {
-    int result = __fxstat64(version, base::GetUrandomFD(), buf);
-    return result;
-  } else {
-    CHECK_EQ(0, pthread_once(&g_libc_file_io_funcs_guard,
-                             InitLibcFileIOFunctions));
-    CHECK(g_libc_xstat64);
-    return g_libc_xstat64(version, path, buf);
-  }
-}
-
-#endif  // !ADDRESS_SANITIZER
-
 #endif  // !CHROMIUM_SELINUX
 
 // This function triggers the static and lazy construction of objects that need
 // to be created before imposing the sandbox.
 static void PreSandboxInit() {
   base::RandUint64();
 
   base::SysInfo::MaxSharedMemorySize();
 
   // ICU DateFormat class (used in base/time_format.cc) needs to get the
@@ skipping 294 matching lines @@
     }
   }
 #endif  // SECCOMP_SANDBOX
 
   Zygote zygote(sandbox_flags, forkdelegate, proc_fd_for_seccomp);
   // This function call can return multiple times, once per fork().
   return zygote.ProcessRequests();
 }
 
 }  // namespace content