OLD | NEW |
(Empty) | |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "sandbox/linux/services/broker_process.h" |
| 6 |
| 7 #include <fcntl.h> |
| 8 #include <sys/socket.h> |
| 9 #include <sys/stat.h> |
| 10 #include <sys/types.h> |
| 11 #include <unistd.h> |
| 12 |
| 13 #include <algorithm> |
| 14 #include <string> |
| 15 #include <vector> |
| 16 |
| 17 #include "base/basictypes.h" |
| 18 #include "base/logging.h" |
| 19 #include "base/pickle.h" |
| 20 #include "base/posix/eintr_wrapper.h" |
| 21 #include "base/posix/unix_domain_socket.h" |
| 22 |
| 23 namespace { |
| 24 |
| 25 static const int kCommandOpen = 'O'; |
| 26 static const size_t kMaxMessageLength = 4096; |
| 27 |
| 28 // Some flags will need special treatment on the client side and are not |
| 29 // supported for now. |
| 30 int ForCurrentProcessFlagsMask() { |
| 31 return O_CLOEXEC | O_NONBLOCK; |
| 32 } |
| 33 |
| 34 // Check whether |requested_filename| is in |allowed_file_names|. |
| 35 // See GetFileNameIfAllowedAccess() for an explaination of |file_to_open|. |
| 36 // async signal safe if |file_to_open| is NULL. |
| 37 // TODO(jln): assert signal safety. |
| 38 bool GetFileNameInWhitelist(const std::vector<std::string>& allowed_file_names, |
| 39 const std::string& requested_filename, |
| 40 const char** file_to_open) { |
| 41 if (file_to_open && *file_to_open) { |
| 42 // Make sure that callers never pass a non-empty string. In case callers |
| 43 // wrongly forget to check the return value and look at the string |
| 44 // instead, this could catch bugs. |
| 45 RAW_LOG(FATAL, "*file_to_open should be NULL"); |
| 46 return false; |
| 47 } |
| 48 std::vector<std::string>::const_iterator it; |
| 49 it = std::find(allowed_file_names.begin(), allowed_file_names.end(), |
| 50 requested_filename); |
| 51 if (it < allowed_file_names.end()) { // requested_filename was found? |
| 52 if (file_to_open) |
| 53 *file_to_open = it->c_str(); |
| 54 return true; |
| 55 } |
| 56 return false; |
| 57 } |
| 58 |
| 59 // We maintain a list of flags that have been reviewed for "sanity" and that |
| 60 // we're ok to allow in the broker. |
| 61 // I.e. here is where we wouldn't add O_RESET_FILE_SYSTEM. |
| 62 bool IsAllowedOpenFlags(int flags) { |
| 63 // First, check the access mode |
| 64 const int access_mode = flags & O_ACCMODE; |
| 65 if (access_mode != O_RDONLY && access_mode != O_WRONLY && |
| 66 access_mode != O_RDWR) { |
| 67 return false; |
| 68 } |
| 69 |
| 70 // Some flags affect the behavior of the current process. We don't support |
| 71 // them and don't allow them for now. |
| 72 if (flags & ForCurrentProcessFlagsMask()) { |
| 73 return false; |
| 74 } |
| 75 |
| 76 // Now check that all the flags are known to us. |
| 77 const int creation_and_status_flags = flags & ~O_ACCMODE; |
| 78 |
| 79 const int known_flags = |
| 80 O_APPEND | O_ASYNC | O_CLOEXEC | O_CREAT | O_DIRECT | |
| 81 O_DIRECTORY | O_EXCL | O_LARGEFILE | O_NOATIME | O_NOCTTY | |
| 82 O_NOFOLLOW | O_NONBLOCK | O_NDELAY | O_SYNC | O_TRUNC; |
| 83 |
| 84 const int unknown_flags = ~known_flags; |
| 85 const bool has_unknown_flags = creation_and_status_flags & unknown_flags; |
| 86 return !has_unknown_flags; |
| 87 } |
| 88 |
| 89 } // namespace |
| 90 |
| 91 namespace sandbox { |
| 92 |
| 93 BrokerProcess::BrokerProcess(const std::vector<std::string>& allowed_r_files, |
| 94 const std::vector<std::string>& allowed_w_files, |
| 95 bool fast_check_in_client, |
| 96 bool quiet_failures_for_tests) |
| 97 : initialized_(false), |
| 98 is_child_(false), |
| 99 fast_check_in_client_(fast_check_in_client), |
| 100 quiet_failures_for_tests_(quiet_failures_for_tests), |
| 101 broker_pid_(-1), |
| 102 allowed_r_files_(allowed_r_files), |
| 103 allowed_w_files_(allowed_w_files), |
| 104 ipc_socketpair_(-1) { |
| 105 } |
| 106 |
| 107 BrokerProcess::~BrokerProcess() { |
| 108 if (initialized_ && ipc_socketpair_ != -1) { |
| 109 void (HANDLE_EINTR(close(ipc_socketpair_))); |
| 110 } |
| 111 } |
| 112 |
| 113 bool BrokerProcess::Init(void* sandbox_callback) { |
| 114 CHECK(!initialized_); |
| 115 CHECK_EQ(sandbox_callback, (void*) NULL) << |
| 116 "sandbox_callback is not implemented"; |
| 117 int socket_pair[2]; |
| 118 // Use SOCK_SEQPACKET, because we need to preserve message boundaries |
| 119 // but we also want to be notified (recvmsg should return and not block) |
| 120 // when the connection has been broken (one of the processes died). |
| 121 if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, socket_pair)) { |
| 122 LOG(ERROR) << "Failed to create socketpair"; |
| 123 return false; |
| 124 } |
| 125 |
| 126 int child_pid = fork(); |
| 127 if (child_pid == -1) { |
| 128 (void) HANDLE_EINTR(close(socket_pair[0])); |
| 129 (void) HANDLE_EINTR(close(socket_pair[1])); |
| 130 return false; |
| 131 } |
| 132 if (child_pid) { |
| 133 // We are the parent and we have just forked our broker process. |
| 134 (void) HANDLE_EINTR(close(socket_pair[0])); |
| 135 // We should only be able to write to the IPC channel. We'll always send |
| 136 // a new file descriptor to receive the reply on. |
| 137 shutdown(socket_pair[1], SHUT_RD); |
| 138 ipc_socketpair_ = socket_pair[1]; |
| 139 is_child_ = false; |
| 140 broker_pid_ = child_pid; |
| 141 initialized_ = true; |
| 142 return true; |
| 143 } else { |
| 144 // We are the broker. |
| 145 (void) HANDLE_EINTR(close(socket_pair[1])); |
| 146 // We should only be able to read from this IPC channel. We will send our |
| 147 // replies on a new file descriptor attached to the requests. |
| 148 shutdown(socket_pair[0], SHUT_WR); |
| 149 ipc_socketpair_ = socket_pair[0]; |
| 150 is_child_ = true; |
| 151 // TODO(jln): activate a sandbox here. |
| 152 initialized_ = true; |
| 153 for (;;) { |
| 154 HandleRequest(); |
| 155 } |
| 156 _exit(1); |
| 157 } |
| 158 NOTREACHED(); |
| 159 } |
| 160 |
| 161 // This function needs to be async signal safe. |
| 162 int BrokerProcess::Open(const char* pathname, int flags) const { |
| 163 RAW_CHECK(initialized_); // async signal safe CHECK(). |
| 164 if (!pathname) |
| 165 return -EFAULT; |
| 166 // There is no point in forwarding a request that we know will be denied. |
| 167 // Of course, the real security check needs to be on the other side of the |
| 168 // IPC. |
| 169 if (fast_check_in_client_) { |
| 170 if (!GetFileNameIfAllowedAccess(pathname, flags, NULL)) |
| 171 return -EPERM; |
| 172 } |
| 173 |
| 174 Pickle write_pickle; |
| 175 write_pickle.WriteInt(kCommandOpen); |
| 176 write_pickle.WriteString(pathname); |
| 177 write_pickle.WriteInt(flags); |
| 178 RAW_CHECK(write_pickle.size() <= kMaxMessageLength); |
| 179 |
| 180 int returned_fd = -1; |
| 181 uint8_t reply_buf[kMaxMessageLength]; |
| 182 // Send a request (in write_pickle) as well that will include a new |
| 183 // temporary socketpair (created internally by SendRecvMsg()). |
| 184 // Then read the reply on this new socketpair in reply_buf and put an |
| 185 // eventual attached file descriptor in |returned_fd|. |
| 186 // TODO(jln): this API needs some rewriting and documentation. |
| 187 ssize_t msg_len = UnixDomainSocket::SendRecvMsg(ipc_socketpair_, |
| 188 reply_buf, |
| 189 sizeof(reply_buf), |
| 190 &returned_fd, |
| 191 write_pickle); |
| 192 if (msg_len <= 0) { |
| 193 if (!quiet_failures_for_tests_) |
| 194 RAW_LOG(ERROR, "Could not make request to broker process"); |
| 195 return -ENOMEM; |
| 196 } |
| 197 |
| 198 Pickle read_pickle(reinterpret_cast<char*>(reply_buf), msg_len); |
| 199 PickleIterator iter(read_pickle); |
| 200 int return_value = -1; |
| 201 // Now deserialize the return value and eventually return the file |
| 202 // descriptor. |
| 203 if (read_pickle.ReadInt(&iter, &return_value)) { |
| 204 if (return_value < 0) { |
| 205 RAW_CHECK(returned_fd == -1); |
| 206 return return_value; |
| 207 } else { |
| 208 // We have a real file descriptor to return. |
| 209 RAW_CHECK(returned_fd >= 0); |
| 210 return returned_fd; |
| 211 } |
| 212 } else { |
| 213 RAW_LOG(ERROR, "Could not read pickle"); |
| 214 return -1; |
| 215 } |
| 216 } |
| 217 |
| 218 // Handle a request on the IPC channel ipc_socketpair_. |
| 219 // A request should have a file descriptor attached on which we will reply and |
| 220 // that we will then close. |
| 221 // A request should start with an int that will be used as the command type. |
| 222 bool BrokerProcess::HandleRequest() const { |
| 223 |
| 224 std::vector<int> fds; |
| 225 char buf[kMaxMessageLength]; |
| 226 errno = 0; |
| 227 const ssize_t msg_len = UnixDomainSocket::RecvMsg(ipc_socketpair_, buf, |
| 228 sizeof(buf), &fds); |
| 229 |
| 230 if (msg_len == 0 || (msg_len == -1 && errno == ECONNRESET)) { |
| 231 // EOF from our parent, or our parent died, we should die. |
| 232 _exit(0); |
| 233 } |
| 234 |
| 235 // The parent should send exactly one file descriptor, on which we |
| 236 // will write the reply. |
| 237 if (msg_len < 0 || fds.size() != 1 || fds.at(0) < 0) { |
| 238 PLOG(ERROR) << "Error reading message from the client"; |
| 239 return false; |
| 240 } |
| 241 |
| 242 const int temporary_ipc = fds.at(0); |
| 243 |
| 244 Pickle pickle(buf, msg_len); |
| 245 PickleIterator iter(pickle); |
| 246 int command_type; |
| 247 if (pickle.ReadInt(&iter, &command_type)) { |
| 248 bool r = false; |
| 249 // Go through all the possible IPC messages. |
| 250 switch (command_type) { |
| 251 case kCommandOpen: |
| 252 // We reply on the file descriptor sent to us via the IPC channel. |
| 253 r = HandleOpenRequest(temporary_ipc, pickle, iter); |
| 254 (void) HANDLE_EINTR(close(temporary_ipc)); |
| 255 return r; |
| 256 default: |
| 257 NOTREACHED(); |
| 258 return false; |
| 259 } |
| 260 } |
| 261 |
| 262 LOG(ERROR) << "Error parsing IPC request"; |
| 263 return false; |
| 264 } |
| 265 |
| 266 // Handle an open request contained in |read_pickle| and send the reply |
| 267 // on |reply_ipc|. |
| 268 bool BrokerProcess::HandleOpenRequest(int reply_ipc, |
| 269 const Pickle& read_pickle, |
| 270 PickleIterator iter) const { |
| 271 std::string requested_filename; |
| 272 int flags = 0; |
| 273 if (!read_pickle.ReadString(&iter, &requested_filename) || |
| 274 !read_pickle.ReadInt(&iter, &flags)) { |
| 275 return -1; |
| 276 } |
| 277 |
| 278 Pickle write_pickle; |
| 279 std::vector<int> opened_files; |
| 280 |
| 281 const char* file_to_open = NULL; |
| 282 const bool safe_to_open_file = GetFileNameIfAllowedAccess( |
| 283 requested_filename.c_str(), flags, &file_to_open); |
| 284 |
| 285 if (safe_to_open_file) { |
| 286 CHECK(file_to_open); |
| 287 // O_CLOEXEC doesn't hurt (even though we won't execve()), and this |
| 288 // property won't be passed to the client. |
| 289 // We may want to think about O_NONBLOCK as well. |
| 290 int opened_fd = open(file_to_open, flags | O_CLOEXEC); |
| 291 if (opened_fd < 0) { |
| 292 write_pickle.WriteInt(-errno); |
| 293 } else { |
| 294 // Success. |
| 295 opened_files.push_back(opened_fd); |
| 296 write_pickle.WriteInt(0); |
| 297 } |
| 298 } else { |
| 299 write_pickle.WriteInt(-EPERM); |
| 300 } |
| 301 |
| 302 CHECK_LE(write_pickle.size(), kMaxMessageLength); |
| 303 ssize_t sent = UnixDomainSocket::SendMsg(reply_ipc, write_pickle.data(), |
| 304 write_pickle.size(), opened_files); |
| 305 |
| 306 // Close anything we have opened in this process. |
| 307 for (std::vector<int>::iterator it = opened_files.begin(); |
| 308 it < opened_files.end(); ++it) { |
| 309 (void) HANDLE_EINTR(close(*it)); |
| 310 } |
| 311 |
| 312 if (sent <= 0) { |
| 313 LOG(ERROR) << "Could not send IPC reply"; |
| 314 return false; |
| 315 } |
| 316 return true; |
| 317 } |
| 318 |
| 319 // For paranoia, if |file_to_open| is not NULL, we will return the matching |
| 320 // string from the white list. |
| 321 // Async signal safe only if |file_to_open| is NULL. |
| 322 // Even if an attacker managed to fool the string comparison mechanism, we |
| 323 // would not open an attacker-controlled file name. |
| 324 // Return true if access should be allowed, false otherwise. |
| 325 bool BrokerProcess::GetFileNameIfAllowedAccess(const char* requested_filename, |
| 326 int requested_flags, const char** file_to_open) const { |
| 327 if (!IsAllowedOpenFlags(requested_flags)) { |
| 328 return false; |
| 329 } |
| 330 switch (requested_flags & O_ACCMODE) { |
| 331 case O_RDONLY: |
| 332 return GetFileNameInWhitelist(allowed_r_files_, requested_filename, |
| 333 file_to_open); |
| 334 case O_WRONLY: |
| 335 return GetFileNameInWhitelist(allowed_w_files_, requested_filename, |
| 336 file_to_open); |
| 337 case O_RDWR: |
| 338 { |
| 339 bool allowed_for_read_and_write = |
| 340 GetFileNameInWhitelist(allowed_r_files_, requested_filename, NULL) && |
| 341 GetFileNameInWhitelist(allowed_w_files_, requested_filename, |
| 342 file_to_open); |
| 343 return allowed_for_read_and_write; |
| 344 } |
| 345 default: |
| 346 return false; |
| 347 } |
| 348 } |
| 349 |
| 350 } // namespace sandbox. |
OLD | NEW |