1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/services/broker_process.h" | 5 #include "sandbox/linux/services/broker_process.h" |
6 | 6 |
7 #include <fcntl.h> | 7 #include <fcntl.h> |
8 #include <sys/socket.h> | 8 #include <sys/socket.h> |
9 #include <sys/stat.h> | 9 #include <sys/stat.h> |
10 #include <sys/types.h> | 10 #include <sys/types.h> |
60 // we're ok to allow in the broker. | 60 // we're ok to allow in the broker. |
61 // I.e. here is where we wouldn't add O_RESET_FILE_SYSTEM. | 61 // I.e. here is where we wouldn't add O_RESET_FILE_SYSTEM. |
62 bool IsAllowedOpenFlags(int flags) { | 62 bool IsAllowedOpenFlags(int flags) { |
63 // First, check the access mode | 63 // First, check the access mode |
64 const int access_mode = flags & O_ACCMODE; | 64 const int access_mode = flags & O_ACCMODE; |
65 if (access_mode != O_RDONLY && access_mode != O_WRONLY && | 65 if (access_mode != O_RDONLY && access_mode != O_WRONLY && |
66 access_mode != O_RDWR) { | 66 access_mode != O_RDWR) { |
67 return false; | 67 return false; |
68 } | 68 } |
69 | 69 |
70 // We only support a 2-parameters open, so we forbid O_CREAT. | |
Markus (顧孟勤)
2013/01/09 05:38:47
We might have to support O_CREAT at some point. Bu
| |
71 if (flags & O_CREAT) { | |
72 return false; | |
73 } | |
74 | |
70 // Some flags affect the behavior of the current process. We don't support | 75 // Some flags affect the behavior of the current process. We don't support |
71 // them and don't allow them for now. | 76 // them and don't allow them for now. |
72 if (flags & ForCurrentProcessFlagsMask()) { | 77 if (flags & ForCurrentProcessFlagsMask()) { |
73 return false; | 78 return false; |
74 } | 79 } |
75 | 80 |
76 // Now check that all the flags are known to us. | 81 // Now check that all the flags are known to us. |
77 const int creation_and_status_flags = flags & ~O_ACCMODE; | 82 const int creation_and_status_flags = flags & ~O_ACCMODE; |
78 | 83 |
79 const int known_flags = | 84 const int known_flags = |
80 O_APPEND | O_ASYNC | O_CLOEXEC | O_CREAT | O_DIRECT | | 85 O_APPEND | O_ASYNC | O_CLOEXEC | O_CREAT | O_DIRECT | |
Markus (顧孟勤)
2013/01/09 05:38:47
I still feel that this code is confusing and hard
| |
81 O_DIRECTORY | O_EXCL | O_LARGEFILE | O_NOATIME | O_NOCTTY | | 86 O_DIRECTORY | O_EXCL | O_LARGEFILE | O_NOATIME | O_NOCTTY | |
82 O_NOFOLLOW | O_NONBLOCK | O_NDELAY | O_SYNC | O_TRUNC; | 87 O_NOFOLLOW | O_NONBLOCK | O_NDELAY | O_SYNC | O_TRUNC; |
83 | 88 |
84 const int unknown_flags = ~known_flags; | 89 const int unknown_flags = ~known_flags; |
85 const bool has_unknown_flags = creation_and_status_flags & unknown_flags; | 90 const bool has_unknown_flags = creation_and_status_flags & unknown_flags; |
86 return !has_unknown_flags; | 91 return !has_unknown_flags; |
87 } | 92 } |
88 | 93 |
89 } // namespace | 94 } // namespace |
90 | 95 |
281 | 286 |
282 const char* file_to_open = NULL; | 287 const char* file_to_open = NULL; |
283 const bool safe_to_open_file = GetFileNameIfAllowedAccess( | 288 const bool safe_to_open_file = GetFileNameIfAllowedAccess( |
284 requested_filename.c_str(), flags, &file_to_open); | 289 requested_filename.c_str(), flags, &file_to_open); |
285 | 290 |
286 if (safe_to_open_file) { | 291 if (safe_to_open_file) { |
287 CHECK(file_to_open); | 292 CHECK(file_to_open); |
288 // O_CLOEXEC doesn't hurt (even though we won't execve()), and this | 293 // O_CLOEXEC doesn't hurt (even though we won't execve()), and this |
289 // property won't be passed to the client. | 294 // property won't be passed to the client. |
290 // We may want to think about O_NONBLOCK as well. | 295 // We may want to think about O_NONBLOCK as well. |
291 int opened_fd = open(file_to_open, flags | O_CLOEXEC); | 296 // We're doing a 2-parameter open, so we don't support O_CREAT. It doesn't |
297 // hurt to always pass a third argument though. | |
298 int opened_fd = open(file_to_open, flags | O_CLOEXEC, 0); | |
292 if (opened_fd < 0) { | 299 if (opened_fd < 0) { |
293 write_pickle.WriteInt(-errno); | 300 write_pickle.WriteInt(-errno); |
294 } else { | 301 } else { |
295 // Success. | 302 // Success. |
296 opened_files.push_back(opened_fd); | 303 opened_files.push_back(opened_fd); |
297 write_pickle.WriteInt(0); | 304 write_pickle.WriteInt(0); |
298 } | 305 } |
299 } else { | 306 } else { |
300 write_pickle.WriteInt(-EPERM); | 307 write_pickle.WriteInt(-EPERM); |
301 } | 308 } |
342 GetFileNameInWhitelist(allowed_w_files_, requested_filename, | 349 GetFileNameInWhitelist(allowed_w_files_, requested_filename, |
343 file_to_open); | 350 file_to_open); |
344 return allowed_for_read_and_write; | 351 return allowed_for_read_and_write; |
345 } | 352 } |
346 default: | 353 default: |
347 return false; | 354 return false; |
348 } | 355 } |
349 } | 356 } |
350 | 357 |
351 } // namespace sandbox. | 358 } // namespace sandbox. |
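Review bot: The comment at new lines 296-297 now contradicts the call it documents: it says "We're doing a 2-parameter open" while the next line passes three arguments, and the actual reason a mode of 0 is safe is that IsAllowedOpenFlags() rejects O_CREAT at new lines 70-73. I would reword it to `// IsAllowedOpenFlags() rejects O_CREAT, so the mode argument is never consumed; pass 0 explicitly rather than leaving it unspecified.` and make that dependency enforceable at the call site with `CHECK(!(flags & O_CREAT));` directly before the open(), so that if the two checks ever drift apart the broker fails closed instead of creating a file with mode 0. The open() appears to be reached only when GetFileNameIfAllowedAccess() returned true; whether that helper routes through IsAllowedOpenFlags() is not visible in this section, and the enclosing function starts and ends outside it.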