Share the zygote's fopen overrides with nacl_helper.

content/zygote/zygote_main_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <dlfcn.h>
 #include <fcntl.h>
 #include <pthread.h>
 #include <stdio.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
@@ skipping 18 matching lines @@
 #include "content/common/font_config_ipc_linux.h"
 #include "content/common/pepper_plugin_registry.h"
 #include "content/common/sandbox_methods_linux.h"
 #include "content/common/seccomp_sandbox.h"
 #include "content/common/zygote_commands_linux.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/main_function_params.h"
 #include "content/public/common/sandbox_linux.h"
 #include "content/public/common/zygote_fork_delegate_linux.h"
 #include "content/zygote/zygote_linux.h"
+#include "sandbox/linux/services/libc_urandom_override.h"
 #include "skia/ext/SkFontHost_fontconfig_control.h"
 #include "unicode/timezone.h"
 
 #if defined(OS_LINUX)
 #include <sys/epoll.h>
 #include <sys/prctl.h>
 #include <sys/signal.h>
 #else
 #include <signal.h>
 #endif
 
 namespace content {
 
 // See http://code.google.com/p/chromium/wiki/LinuxZygote
 
-static const char kUrandomDevPath[] = "/dev/urandom";
-
 // The SUID sandbox sets this environment variable to a file descriptor
 // over which we can signal that we have completed our startup and can be
 // chrooted.
 static const char kSUIDSandboxVar[] = "SBX_D";
 
 // With SELinux we can carve out a precise sandbox, so we don't have to play
 // with intercepting libc calls.
 #if !defined(CHROMIUM_SELINUX)
 
 static void ProxyLocaltimeCallToBrowser(time_t input, struct tm* output,
@@ skipping 68 matching lines @@
 // Our first attempt involved some assembly to patch the GOT of the current
 // module. This worked, but was platform specific and doesn't catch the case
 // where a library makes a call rather than current module.
 //
 // We also considered patching the function in place, but this would again by
 // platform specific and the above technique seems to work well enough.
 
 typedef struct tm* (*LocaltimeFunction)(const time_t* timep);
 typedef struct tm* (*LocaltimeRFunction)(const time_t* timep,
                                          struct tm* result);
-typedef FILE* (*FopenFunction)(const char* path, const char* mode);
-typedef int (*XstatFunction)(int version, const char *path, struct stat *buf);
-typedef int (*Xstat64Function)(int version, const char *path,
-                               struct stat64 *buf);
 
 static pthread_once_t g_libc_localtime_funcs_guard = PTHREAD_ONCE_INIT;
 static LocaltimeFunction g_libc_localtime;
 static LocaltimeFunction g_libc_localtime64;
 static LocaltimeRFunction g_libc_localtime_r;
 static LocaltimeRFunction g_libc_localtime64_r;
 
-// http://crbug.com/123263, see below.
-#if !defined(ADDRESS_SANITIZER)
-static pthread_once_t g_libc_file_io_funcs_guard = PTHREAD_ONCE_INIT;
-static FopenFunction g_libc_fopen;
-static FopenFunction g_libc_fopen64;
-static XstatFunction g_libc_xstat;
-static Xstat64Function g_libc_xstat64;
-#endif
-
 static void InitLibcLocaltimeFunctions() {
   g_libc_localtime = reinterpret_cast<LocaltimeFunction>(
       dlsym(RTLD_NEXT, "localtime"));
   g_libc_localtime64 = reinterpret_cast<LocaltimeFunction>(
       dlsym(RTLD_NEXT, "localtime64"));
   g_libc_localtime_r = reinterpret_cast<LocaltimeRFunction>(
       dlsym(RTLD_NEXT, "localtime_r"));
   g_libc_localtime64_r = reinterpret_cast<LocaltimeRFunction>(
       dlsym(RTLD_NEXT, "localtime64_r"));
 
@@ skipping 85 matching lines @@
   if (g_am_zygote_or_renderer) {
     ProxyLocaltimeCallToBrowser(*timep, result, NULL, 0);
     return result;
   } else {
     CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
                              InitLibcLocaltimeFunctions));
     return g_libc_localtime64_r(timep, result);
   }
 }
 
-// TODO(sergeyu): Currently this code doesn't work properly under ASAN
-// - it crashes content_unittests. Make sure it works properly and
-// enable it here. http://crbug.com/123263
-#if !defined(ADDRESS_SANITIZER)
-
-static void InitLibcFileIOFunctions() {
-  g_libc_fopen = reinterpret_cast<FopenFunction>(
-      dlsym(RTLD_NEXT, "fopen"));
-  g_libc_fopen64 = reinterpret_cast<FopenFunction>(
-      dlsym(RTLD_NEXT, "fopen64"));
-
-  if (!g_libc_fopen) {
-    LOG(FATAL) << "Failed to get fopen() from libc.";
-  } else if (!g_libc_fopen64) {
-#if !defined(OS_OPENBSD) && !defined(OS_FREEBSD)
-    LOG(WARNING) << "Failed to get fopen64() from libc. Using fopen() instead.";
-#endif  // !defined(OS_OPENBSD) && !defined(OS_FREEBSD)
-    g_libc_fopen64 = g_libc_fopen;
-  }
-
-  // TODO(sergeyu): This works only on systems with glibc. Fix it to
-  // work properly on other systems if necessary.
-  g_libc_xstat = reinterpret_cast<XstatFunction>(
-      dlsym(RTLD_NEXT, "__xstat"));
-  g_libc_xstat64 = reinterpret_cast<Xstat64Function>(
-      dlsym(RTLD_NEXT, "__xstat64"));
-
-  if (!g_libc_xstat) {
-    LOG(FATAL) << "Failed to get __xstat() from libc.";
-  }
-  if (!g_libc_xstat64) {
-    LOG(WARNING) << "Failed to get __xstat64() from libc.";
-  }
-}
-
-// fopen() and fopen64() are intercepted here so that NSS can open
-// /dev/urandom to seed its random number generator. NSS is used by
-// remoting in the sendbox.
-
-// fopen() call may be redirected to fopen64() in stdio.h using
-// __REDIRECT(), which sets asm name for fopen() to "fopen64". This
-// means that we cannot override fopen() directly here. Instead the
-// the code below defines fopen_override() function with asm name
-// "fopen", so that all references to fopen() will resolve to this
-// function.
-__attribute__ ((__visibility__("default")))
-FILE* fopen_override(const char* path, const char* mode)  __asm__ ("fopen");
-
-__attribute__ ((__visibility__("default")))
-FILE* fopen_override(const char* path, const char* mode) {
-  if (g_am_zygote_or_renderer && strcmp(path, kUrandomDevPath) == 0) {
-    int fd = HANDLE_EINTR(dup(base::GetUrandomFD()));
-    if (fd < 0) {
-      PLOG(ERROR) << "dup() failed.";
-      return NULL;
-    }
-    return fdopen(fd, mode);
-  } else {
-    CHECK_EQ(0, pthread_once(&g_libc_file_io_funcs_guard,
-                             InitLibcFileIOFunctions));
-    return g_libc_fopen(path, mode);
-  }
-}
-
-__attribute__ ((__visibility__("default")))
-FILE* fopen64(const char* path, const char* mode) {
-  if (g_am_zygote_or_renderer && strcmp(path, kUrandomDevPath) == 0) {
-    int fd = HANDLE_EINTR(dup(base::GetUrandomFD()));
-    if (fd < 0) {
-      PLOG(ERROR) << "dup() failed.";
-      return NULL;
-    }
-    return fdopen(fd, mode);
-  } else {
-    CHECK_EQ(0, pthread_once(&g_libc_file_io_funcs_guard,
-                             InitLibcFileIOFunctions));
-    return g_libc_fopen64(path, mode);
-  }
-}
-
-// stat() is subject to the same problem as fopen(), so we have to use
-// the same trick to override it.
-__attribute__ ((__visibility__("default")))
-int xstat_override(int version,
-                   const char *path,
-                   struct stat *buf)  __asm__ ("__xstat");
-
-__attribute__ ((__visibility__("default")))
-int xstat_override(int version, const char *path, struct stat *buf) {
-  if (g_am_zygote_or_renderer && strcmp(path, kUrandomDevPath) == 0) {
-    int result = __fxstat(version, base::GetUrandomFD(), buf);
-    return result;
-  } else {
-    CHECK_EQ(0, pthread_once(&g_libc_file_io_funcs_guard,
-                             InitLibcFileIOFunctions));
-    return g_libc_xstat(version, path, buf);
-  }
-}
-
-__attribute__ ((__visibility__("default")))
-int xstat64_override(int version,
-                     const char *path,
-                     struct stat64 *buf)  __asm__ ("__xstat64");
-
-__attribute__ ((__visibility__("default")))
-int xstat64_override(int version, const char *path, struct stat64 *buf) {
-  if (g_am_zygote_or_renderer && strcmp(path, kUrandomDevPath) == 0) {
-    int result = __fxstat64(version, base::GetUrandomFD(), buf);
-    return result;
-  } else {
-    CHECK_EQ(0, pthread_once(&g_libc_file_io_funcs_guard,
-                             InitLibcFileIOFunctions));
-    CHECK(g_libc_xstat64);
-    return g_libc_xstat64(version, path, buf);
-  }
-}
-
-#endif  // !ADDRESS_SANITIZER
-
 #endif  // !CHROMIUM_SELINUX
 
 // This function triggers the static and lazy construction of objects that need
 // to be created before imposing the sandbox.
 static void PreSandboxInit() {
   base::RandUint64();
 
   base::SysInfo::MaxSharedMemorySize();
 
   // ICU DateFormat class (used in base/time_format.cc) needs to get the
@@ skipping 217 matching lines @@
       new FontConfigIPC(Zygote::kMagicSandboxIPCDescriptor));
   return true;
 }
 
 #endif  // CHROMIUM_SELINUX
 
 bool ZygoteMain(const MainFunctionParams& params,
                 ZygoteForkDelegate* forkdelegate) {
 #if !defined(CHROMIUM_SELINUX)
   g_am_zygote_or_renderer = true;
+  sandbox::InitLibcUrandomOverrides();
 #endif
 
   int proc_fd_for_seccomp = -1;
 #if defined(SECCOMP_SANDBOX)
   if (SeccompSandboxEnabled()) {
     // The seccomp sandbox needs access to files in /proc, which might be denied
     // after one of the other sandboxes have been started. So, obtain a suitable
     // file handle in advance.
     proc_fd_for_seccomp = open("/proc", O_DIRECTORY | O_RDONLY);
     if (proc_fd_for_seccomp < 0) {
@@ skipping 57 matching lines @@
     }
   }
 #endif  // SECCOMP_SANDBOX
 
   Zygote zygote(sandbox_flags, forkdelegate, proc_fd_for_seccomp);
   // This function call can return multiple times, once per fork().
   return zygote.ProcessRequests();
 }
 
 }  // namespace content