Linux: make current InitializeSandbox() private.

content/common/sandbox_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <fcntl.h>
 #include <sys/resource.h>
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/types.h>
 
 #include <limits>
 
 #include "base/command_line.h"
 #include "base/file_util.h"
 #include "base/logging.h"
 #include "base/memory/singleton.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/time.h"
 #include "content/common/sandbox_linux.h"
 #include "content/common/seccomp_sandbox.h"
 #include "content/common/sandbox_seccomp_bpf_linux.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/sandbox_linux.h"
 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
 
+using content::LinuxSandbox;
+
 namespace {
 
 void LogSandboxStarted(const std::string& sandbox_name) {
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
   const std::string process_type =
       command_line.GetSwitchValueASCII(switches::kProcessType);
   const std::string activated_sandbox =
       "Activated " + sandbox_name + " sandbox for process type: " +
       process_type + ".";
 #if defined(OS_CHROMEOS)
@@ skipping 16 matching lines @@
 #else
   // On by default. Allow turning off with a switch.
   return !command_line->HasSwitch(switches::kDisableSeccompSandbox);
 #endif  // NDEBUG
 #endif  // SECCOMP_SANDBOX
   return false;
 }
 
 // Our "policy" on whether or not to enable seccomp-legacy. Only renderers are
 // supported.
-bool ShouldEnableSeccompLegacy(const std::string& process_type) {
+bool ShouldEnableSeccompLegacy(LinuxSandbox::SandboxConfig sandbox_config) {
   if (IsSeccompLegacyDesired() &&
-      process_type == switches::kRendererProcess) {
+      sandbox_config == LinuxSandbox::SANDBOX_CONFIG_RENDERER) {
     return true;
   } else {
     return false;
   }
 }
 
 bool AddResourceLimit(int resource, rlim_t limit) {
   struct rlimit old_rlimit;
   if (getrlimit(resource, &old_rlimit))
     return false;
@@ skipping 74 matching lines @@
     } else {
       seccomp_bpf_supported_ = true;
     }
   }
   pre_initialized_ = true;
 }
 
 // Once we finally know our process type, we can cleanup proc_fd_
 // or pass it to seccomp-legacy.
 void LinuxSandbox::PreinitializeSandboxFinish(
-    const std::string& process_type) {
+    LinuxSandbox::SandboxConfig sandbox_config) {
   CHECK(pre_initialized_);
   if (proc_fd_ >= 0) {
-    if (ShouldEnableSeccompLegacy(process_type)) {
+    if (ShouldEnableSeccompLegacy(sandbox_config)) {
 #if defined(SECCOMP_SANDBOX)
       SeccompSandboxSetProcFd(proc_fd_);
 #endif
     } else {
       DCHECK_GE(proc_fd_, 0);
       CHECK_EQ(HANDLE_EINTR(close(proc_fd_)), 0);
     }
     proc_fd_ = -1;
   }
 }
 
-void LinuxSandbox::PreinitializeSandbox(const std::string& process_type) {
+void LinuxSandbox::PreinitializeSandbox(
+  LinuxSandbox::SandboxConfig sandbox_config) {
   PreinitializeSandboxBegin();
-  PreinitializeSandboxFinish(process_type);
+  PreinitializeSandboxFinish(sandbox_config);
+}
+
+bool LinuxSandbox::InitializeSandbox(
+    enum LinuxSandbox::SandboxConfig sandbox_config) {
+  bool seccomp_legacy_started = false;
+  bool seccomp_bpf_started = false;
+  LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
+  const std::string process_type =
+      CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
+          switches::kProcessType);
+
+  // No matter what, it's always an error to call InitializeSandbox() after
+  // threads have been created.
+  if (!linux_sandbox->IsSingleThreaded()) {
+    std::string error_message = "InitializeSandbox() called with multiple "
+                                "threads in process " + process_type;
+    // TODO(jln): change this into a CHECK() once we are more comfortable it
+    // does not trigger.
+    LOG(ERROR) << error_message;
+    return false;
+  }
+
+  // Attempt to limit the future size of the address space of the process.
+  linux_sandbox->LimitAddressSpace(sandbox_config);
+
+  // First, try to enable seccomp-bpf.
+  seccomp_bpf_started = linux_sandbox->StartSeccompBpf(sandbox_config);
+
+  // If that fails, try to enable seccomp-legacy.
+  if (!seccomp_bpf_started) {
+    seccomp_legacy_started = linux_sandbox->StartSeccompLegacy(sandbox_config);
+  }
+
+  return seccomp_legacy_started || seccomp_bpf_started;
 }
 
 int LinuxSandbox::GetStatus() const {
   CHECK(pre_initialized_);
   int sandbox_flags = 0;
   if (setuid_sandbox_client_->IsSandboxed()) {
     sandbox_flags |= kSandboxLinuxSUID;
     if (setuid_sandbox_client_->IsInNewPIDNamespace())
       sandbox_flags |= kSandboxLinuxPIDNS;
     if (setuid_sandbox_client_->IsInNewNETNamespace())
       sandbox_flags |= kSandboxLinuxNetNS;
   }
 
-  if (seccomp_bpf_supported() &&
-      SandboxSeccompBpf::ShouldEnableSeccompBpf(switches::kRendererProcess)) {
+  if (seccomp_bpf_supported() && SandboxSeccompBpf::ShouldEnableSeccompBpf(
+      LinuxSandbox::SANDBOX_CONFIG_RENDERER)) {
     // We report whether the sandbox will be activated when renderers go
     // through sandbox initialization.
     sandbox_flags |= kSandboxLinuxSeccompBpf;
   }
 
   // We only try to enable seccomp-legacy when seccomp-bpf is not supported
   // or not enabled.
   if (!(sandbox_flags & kSandboxLinuxSeccompBpf) &&
       seccomp_legacy_supported() &&
-      ShouldEnableSeccompLegacy(switches::kRendererProcess)) {
+      ShouldEnableSeccompLegacy(LinuxSandbox::SANDBOX_CONFIG_RENDERER)) {
     // Same here, what we report is what we will do for the renderer.
     sandbox_flags |= kSandboxLinuxSeccompLegacy;
   }
   return sandbox_flags;
 }
 
 bool LinuxSandbox::IsSingleThreaded() const {
   // TODO(jln): re-implement this properly and use our proc_fd_ if available.
   // Possibly racy, but it's ok because this is more of a debug check to catch
   // new threaded situations arising during development.
@@ skipping 15 matching lines @@
 bool LinuxSandbox::seccomp_bpf_started() const {
   return seccomp_bpf_started_;
 }
 
 sandbox::SetuidSandboxClient*
     LinuxSandbox::setuid_sandbox_client() const {
   return setuid_sandbox_client_.get();
 }
 
 // For seccomp-legacy, we implement the policy inline, here.
-bool LinuxSandbox::StartSeccompLegacy(const std::string& process_type) {
+bool LinuxSandbox::StartSeccompLegacy(
+  LinuxSandbox::SandboxConfig sandbox_config) {
   if (!pre_initialized_)
-    PreinitializeSandbox(process_type);
-  if (seccomp_legacy_supported() && ShouldEnableSeccompLegacy(process_type)) {
+    PreinitializeSandbox(sandbox_config);
+  if (seccomp_legacy_supported() && ShouldEnableSeccompLegacy(sandbox_config)) {
     // SupportsSeccompSandbox() returns a cached result, as we already
     // called it earlier in the PreinitializeSandbox(). Thus, it is OK for us
     // to not pass in a file descriptor for "/proc".
 #if defined(SECCOMP_SANDBOX)
     if (SupportsSeccompSandbox(-1)) {
       StartSeccompSandbox();
       LogSandboxStarted("seccomp-legacy");
       return true;
     }
 #endif
   }
   return false;
 }
 
 // For seccomp-bpf, we use the SandboxSeccompBpf class.
-bool LinuxSandbox::StartSeccompBpf(const std::string& process_type) {
+bool LinuxSandbox::StartSeccompBpf(
+    LinuxSandbox::SandboxConfig sandbox_config) {
   CHECK(!seccomp_bpf_started_);
   if (!pre_initialized_)
-    PreinitializeSandbox(process_type);
+    PreinitializeSandbox(sandbox_config);
   if (seccomp_bpf_supported())
-    seccomp_bpf_started_ = SandboxSeccompBpf::StartSandbox(process_type);
+    seccomp_bpf_started_ = SandboxSeccompBpf::StartSandbox(sandbox_config);
 
   if (seccomp_bpf_started_)
     LogSandboxStarted("seccomp-bpf");
 
   return seccomp_bpf_started_;
 }
 
 bool LinuxSandbox::seccomp_legacy_supported() const {
   CHECK(pre_initialized_);
   return seccomp_legacy_supported_;
 }
 
 bool LinuxSandbox::seccomp_bpf_supported() const {
   CHECK(pre_initialized_);
   return seccomp_bpf_supported_;
 }
 
-bool LinuxSandbox::LimitAddressSpace(const std::string& process_type) {
-  (void) process_type;
+bool LinuxSandbox::LimitAddressSpace(
+    LinuxSandbox::SandboxConfig sandbox_config) {
+  (void) sandbox_config;
 #if !defined(ADDRESS_SANITIZER)
   CommandLine* command_line = CommandLine::ForCurrentProcess();
   if (command_line->HasSwitch(switches::kNoSandbox)) {
     return false;
   }
 
   // Limit the address space to 4GB.
   // This is in the hope of making some kernel exploits more complex and less
   // reliable. It also limits sprays a little on 64-bit.
   rlim_t address_space_limit = std::numeric_limits<uint32_t>::max();
 #if defined(__LP64__)
   // On 64 bits, V8 and possibly others will reserve massive memory ranges and
   // rely on on-demand paging for allocation.  Unfortunately, even
   // MADV_DONTNEED ranges  count towards RLIMIT_AS so this is not an option.
   // See crbug.com/169327 for a discussion.
   // For now, increase limit to 16GB for renderer and worker processes to
   // accomodate.
-  if (process_type == switches::kRendererProcess ||
-      process_type == switches::kWorkerProcess) {
+  if (sandbox_config == LinuxSandbox::SANDBOX_CONFIG_RENDERER ||
+      sandbox_config == LinuxSandbox::SANDBOX_CONFIG_WORKER) {
     address_space_limit = 1L << 34;
   }
 #endif  // defined(__LP64__)
 
   // On all platforms, add a limit to the brk() heap that would prevent
   // allocations that can't be index by an int.
   const rlim_t kNewDataSegmentMaxSize = std::numeric_limits<int>::max();
 
   bool limited_as = AddResourceLimit(RLIMIT_AS, address_space_limit);
   bool limited_data = AddResourceLimit(RLIMIT_DATA, kNewDataSegmentMaxSize);
   return limited_as && limited_data;
 #else
   return false;
 #endif  // !defined(ADDRESS_SANITIZER)
 }
 
 }  // namespace content