Create a class for seccomp-bpf sandboxing in content.

content/common/sandbox_seccomp_bpf_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "content/common/seccomp_sandbox.h"
-#include "content/public/common/sandbox_init.h"
-
-#if defined(__i386__) || defined(__x86_64__)
-
-// This is an assert for GYP
-#if !defined(OS_LINUX)
-  #error "Linux specific file compiled on non Linux OS!"
-#endif
-
 #include <asm/unistd.h>
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
 #include <signal.h>
 #include <string.h>
 #include <sys/prctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <ucontext.h>
 #include <unistd.h>
 
 #include <vector>
 
 #include "base/command_line.h"
-#include "base/file_util.h"
 #include "base/logging.h"
-#include "base/time.h"
 #include "content/common/sandbox_linux.h"
+#include "content/common/sandbox_seccomp_bpf_linux.h"
 #include "content/public/common/content_switches.h"
+
+// These are the only architectures supported for now.
+#if defined(__i386__) || defined(__x86_64__)
+#define SECCOMP_BPF_SANDBOX
+#endif
+
+#if defined(SECCOMP_BPF_SANDBOX)
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 
 // These are fairly new and not defined in all headers yet.
 #if defined(__x86_64__)
 
 #ifndef __NR_process_vm_readv
   #define __NR_process_vm_readv 310
 #endif
 
 #ifndef __NR_process_vm_writev
   #define __NR_process_vm_writev 311
 #endif
 
 #elif defined(__i386__)
 
 #ifndef __NR_process_vm_readv
   #define __NR_process_vm_readv 347
 #endif
 
 #ifndef __NR_process_vm_writev
   #define __NR_process_vm_writev 348
 #endif
 
 #endif
 
 namespace {
 
-bool IsSingleThreaded() {
-  // Possibly racy, but it's ok because this is more of a debug check to catch
-  // new threaded situations arising during development.
-  int num_threads =
-    file_util::CountFilesCreatedAfter(FilePath("/proc/self/task"),
-                                      base::Time::UnixEpoch());
-
-  // We pass the test if we don't know ( == 0), because the setuid sandbox
-  // will prevent /proc access in some contexts.
-  return num_threads == 1 || num_threads == 0;
-}
-
 inline bool IsChromeOS() {
 #if defined(OS_CHROMEOS)
   return true;
 #else
   return false;
 #endif
 }
 
 void LogSandboxStarted(const std::string& sandbox_name,
                        const std::string& process_type) {
@@ skipping 350 matching lines @@
           "/usr/lib64/va/drivers/i965_drv_video.so";
       dlopen(kI965DrvVideoPath_64, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
     }
   }
 #endif
 }
 
 // Is the sandbox fully disabled for this process?
 bool ShouldDisableBpfSandbox(const CommandLine& command_line,
                              const std::string& process_type) {
-  if (command_line.HasSwitch(switches::kNoSandbox) ||
-      command_line.HasSwitch(switches::kDisableSeccompFilterSandbox)) {
-    return true;
-  }
-
   if (process_type == switches::kGpuProcess) {
     // The GPU sandbox is disabled by default in ChromeOS, enabled by default on
     // generic Linux.
     // TODO(jorgelo): when we feel comfortable, make this a policy decision
     // instead. (i.e. move this to GetProcessSyscallPolicy) and return an
     // AllowAllPolicy for lack of "--enable-gpu-sandbox".
     bool should_disable;
     if (IsChromeOS()) {
       should_disable = true;
     } else {
@@ skipping 32 matching lines @@
   // This will be our default if we need one.
   return AllowAllPolicy;
 #else
   // On IA32, we only have a small blacklist at the moment.
   (void) process_type;
   return BlacklistPtracePolicy;
 #endif  // __x86_64__
 }
 
 // Initialize the seccomp-bpf sandbox.
-bool InitializeBpfSandbox_x86(const CommandLine& command_line,
-                               const std::string& process_type) {
-  if (ShouldDisableBpfSandbox(command_line, process_type))
-    return false;
-
-  // No matter what, InitializeSandbox() should always be called before threads
-  // are started.
-  // Note: IsSingleThreaded() will be true if /proc is not accessible!
-  if (!IsSingleThreaded()) {
-    std::string error_message = "InitializeSandbox() called with multiple "
-                                "threads in process " + process_type;
-    // TODO(jln): change this into a CHECK() once we are more comfortable it
-    // does not trigger.
-    // On non-DEBUG build, we still log an error
-    LOG(ERROR) << error_message;
-    return false;
-  }
-
-  // TODO(jln): find a way for the Zygote processes under the setuid sandbox to
-  // have a /proc fd and pass it here.
-  // Passing -1 as the /proc fd since we have no special way to have it for
-  // now.
-  if (playground2::Sandbox::supportsSeccompSandbox(-1) !=
-      playground2::Sandbox::STATUS_AVAILABLE) {
-    return false;
-  }
-
+bool StartBpfSandbox_x86(const CommandLine& command_line,
+                         const std::string& process_type) {
   playground2::Sandbox::EvaluateSyscall SyscallPolicy =
       GetProcessSyscallPolicy(command_line, process_type);
 
   // Warms up resources needed by the policy we're about to enable.
   WarmupPolicy(SyscallPolicy);
 
   playground2::Sandbox::setSandboxPolicy(SyscallPolicy, NULL);
   playground2::Sandbox::startSandbox();
 
   return true;
 }
 
-}  // anonymous namespace
+}  // namespace
 
-#endif  // defined(__i386__) || defined(__x86_64__)
+#endif  // SECCOMP_BPF_SANDBOX
 
 namespace content {
 
-void InitializeSandbox() {
-#if defined(__i386__) || defined(__x86_64__)
+// Is seccomp BPF globally enabled?
+bool SandboxSeccompBpf::IsSeccompBpfDesired() {
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
-  const std::string process_type =
-      command_line.GetSwitchValueASCII(switches::kProcessType);
-  bool seccomp_legacy_started = false;
-  bool seccomp_bpf_started = false;
+  if (!command_line.HasSwitch(switches::kNoSandbox) &&
+      !command_line.HasSwitch(switches::kDisableSeccompFilterSandbox)) {
+    return true;
+  } else {
+    return false;
+  }
+}
 
-  // First, try to enable seccomp-legacy.
-  seccomp_legacy_started =
-      LinuxSandbox::GetInstance()->StartSeccompLegacy(process_type);
-  if (seccomp_legacy_started)
-    LogSandboxStarted("seccomp-legacy", process_type);
+bool SandboxSeccompBpf::SupportsSandbox() {
+#if defined(SECCOMP_BPF_SANDBOX)
+  // TODO(jln): pass the saved proc_fd_ from the LinuxSandbox singleton
+  // here.
+  if (playground2::Sandbox::supportsSeccompSandbox(-1) ==
+      playground2::Sandbox::STATUS_AVAILABLE) {
+    return true;
+  }
+#endif
+  return false;
+}
 
-  // Then, try to enable seccomp-bpf.
-  // If seccomp-legacy is enabled, seccomp-bpf initialization will crash
-  // instead of failing gracefully.
-  // TODO(markus): fix this (crbug.com/139872).
-  if (!seccomp_legacy_started) {
-    seccomp_bpf_started =
-        InitializeBpfSandbox_x86(command_line, process_type);
+bool SandboxSeccompBpf::StartSandbox(const std::string& process_type) {
+#if defined(SECCOMP_BPF_SANDBOX)
+  const CommandLine& command_line = *CommandLine::ForCurrentProcess();
+
+  if (IsSeccompBpfDesired() &&  // Global switches policy.
+      // Process-specific policy.
+      !ShouldDisableBpfSandbox(command_line, process_type) &&
+      SupportsSandbox()) {
+    return StartBpfSandbox_x86(command_line, process_type);
   }
-  if (seccomp_bpf_started)
-    LogSandboxStarted("seccomp-bpf", process_type);
 #endif
+  return false;
 }
 
 }  // namespace content