OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <dirent.h> | |
5 #include <fcntl.h> | 6 #include <fcntl.h> |
6 #include <sys/resource.h> | 7 #include <sys/resource.h> |
7 #include <sys/stat.h> | 8 #include <sys/stat.h> |
8 #include <sys/time.h> | 9 #include <sys/time.h> |
9 #include <sys/types.h> | 10 #include <sys/types.h> |
10 | 11 |
11 #include <limits> | 12 #include <limits> |
12 | 13 |
13 #include "base/bind.h" | 14 #include "base/bind.h" |
14 #include "base/callback_helpers.h" | 15 #include "base/callback_helpers.h" |
15 #include "base/command_line.h" | 16 #include "base/command_line.h" |
16 #include "base/logging.h" | 17 #include "base/logging.h" |
17 #include "base/memory/singleton.h" | 18 #include "base/memory/singleton.h" |
18 #include "base/posix/eintr_wrapper.h" | 19 #include "base/posix/eintr_wrapper.h" |
20 #include "base/strings/string_number_conversions.h" | |
19 #include "base/time/time.h" | 21 #include "base/time/time.h" |
20 #include "content/common/sandbox_linux.h" | 22 #include "content/common/sandbox_linux.h" |
21 #include "content/common/sandbox_seccomp_bpf_linux.h" | 23 #include "content/common/sandbox_seccomp_bpf_linux.h" |
22 #include "content/public/common/content_switches.h" | 24 #include "content/public/common/content_switches.h" |
23 #include "content/public/common/sandbox_linux.h" | 25 #include "content/public/common/sandbox_linux.h" |
24 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" | 26 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" |
25 | 27 |
26 namespace { | 28 namespace { |
27 | 29 |
28 void LogSandboxStarted(const std::string& sandbox_name) { | 30 void LogSandboxStarted(const std::string& sandbox_name) { |
(...skipping 24 matching lines...) Expand all Loading... | |
53 } | 55 } |
54 | 56 |
55 bool IsRunningTSAN() { | 57 bool IsRunningTSAN() { |
56 #if defined(THREAD_SANITIZER) | 58 #if defined(THREAD_SANITIZER) |
57 return true; | 59 return true; |
58 #else | 60 #else |
59 return false; | 61 return false; |
60 #endif | 62 #endif |
61 } | 63 } |
62 | 64 |
65 struct DIRDeleter { | |
66 void operator()(DIR *d) { | |
67 CHECK(closedir(d) == 0); | |
68 } | |
69 }; | |
70 | |
63 } // namespace | 71 } // namespace |
64 | 72 |
65 namespace content { | 73 namespace content { |
66 | 74 |
67 LinuxSandbox::LinuxSandbox() | 75 LinuxSandbox::LinuxSandbox() |
68 : proc_fd_(-1), | 76 : proc_fd_(-1), |
69 seccomp_bpf_started_(false), | 77 seccomp_bpf_started_(false), |
70 pre_initialized_(false), | 78 pre_initialized_(false), |
79 sealed_(false), | |
71 seccomp_bpf_supported_(false), | 80 seccomp_bpf_supported_(false), |
72 setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) { | 81 setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) { |
73 if (setuid_sandbox_client_ == NULL) { | 82 if (setuid_sandbox_client_ == NULL) { |
74 LOG(FATAL) << "Failed to instantiate the setuid sandbox client."; | 83 LOG(FATAL) << "Failed to instantiate the setuid sandbox client."; |
75 } | 84 } |
76 } | 85 } |
77 | 86 |
78 LinuxSandbox::~LinuxSandbox() { | 87 LinuxSandbox::~LinuxSandbox() { |
79 } | 88 } |
80 | 89 |
81 LinuxSandbox* LinuxSandbox::GetInstance() { | 90 LinuxSandbox* LinuxSandbox::GetInstance() { |
82 LinuxSandbox* instance = Singleton<LinuxSandbox>::get(); | 91 LinuxSandbox* instance = Singleton<LinuxSandbox>::get(); |
83 CHECK(instance); | 92 CHECK(instance); |
84 return instance; | 93 return instance; |
85 } | 94 } |
86 | 95 |
87 #if defined(ADDRESS_SANITIZER) && defined(OS_LINUX) | 96 #if defined(ADDRESS_SANITIZER) && defined(OS_LINUX) |
88 // ASan API call to notify the tool the sandbox is going to be turned on. | 97 // ASan API call to notify the tool the sandbox is going to be turned on. |
89 extern "C" void __sanitizer_sandbox_on_notify(void *reserved); | 98 extern "C" void __sanitizer_sandbox_on_notify(void *reserved); |
90 #endif | 99 #endif |
91 | 100 |
92 void LinuxSandbox::PreinitializeSandbox() { | 101 void LinuxSandbox::PreinitializeSandbox() { |
93 CHECK(!pre_initialized_); | 102 CHECK(!pre_initialized_); |
103 CHECK(!sealed_); | |
94 seccomp_bpf_supported_ = false; | 104 seccomp_bpf_supported_ = false; |
95 #if defined(ADDRESS_SANITIZER) && defined(OS_LINUX) | 105 #if defined(ADDRESS_SANITIZER) && defined(OS_LINUX) |
96 // ASan needs to open some resources before the sandbox is enabled. | 106 // ASan needs to open some resources before the sandbox is enabled. |
97 // This should not fork, not launch threads, not open a directory. | 107 // This should not fork, not launch threads, not open a directory. |
98 __sanitizer_sandbox_on_notify(/*reserved*/NULL); | 108 __sanitizer_sandbox_on_notify(/*reserved*/NULL); |
99 #endif | 109 #endif |
100 | 110 |
101 #if !defined(NDEBUG) | 111 OpenProc(); |
102 // Open proc_fd_ only in Debug mode so that forgetting to close it doesn't | 112 |
103 // produce a sandbox escape in Release mode. | |
104 proc_fd_ = open("/proc", O_DIRECTORY | O_RDONLY); | |
105 CHECK_GE(proc_fd_, 0); | |
106 #endif // !defined(NDEBUG) | |
107 // We "pre-warm" the code that detects supports for seccomp BPF. | 113 // We "pre-warm" the code that detects supports for seccomp BPF. |
108 if (SandboxSeccompBpf::IsSeccompBpfDesired()) { | 114 if (SandboxSeccompBpf::IsSeccompBpfDesired()) { |
109 if (!SandboxSeccompBpf::SupportsSandbox()) { | 115 if (!SandboxSeccompBpf::SupportsSandbox()) { |
110 VLOG(1) << "Lacking support for seccomp-bpf sandbox."; | 116 VLOG(1) << "Lacking support for seccomp-bpf sandbox."; |
111 } else { | 117 } else { |
112 seccomp_bpf_supported_ = true; | 118 seccomp_bpf_supported_ = true; |
113 } | 119 } |
114 } | 120 } |
115 pre_initialized_ = true; | 121 pre_initialized_ = true; |
116 } | 122 } |
117 | 123 |
118 bool LinuxSandbox::InitializeSandbox() { | 124 bool LinuxSandbox::InitializeSandbox() { |
119 bool seccomp_bpf_started = false; | 125 bool seccomp_bpf_started = false; |
120 LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance(); | 126 LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance(); |
127 CHECK(!linux_sandbox->sealed_); | |
121 // We need to make absolutely sure that our sandbox is "sealed" before | 128 // We need to make absolutely sure that our sandbox is "sealed" before |
122 // InitializeSandbox does exit. | 129 // InitializeSandbox does exit. |
123 base::ScopedClosureRunner sandbox_sealer( | 130 base::ScopedClosureRunner sandbox_sealer( |
124 base::Bind(&LinuxSandbox::SealSandbox, base::Unretained(linux_sandbox))); | 131 base::Bind(&LinuxSandbox::SealSandbox, base::Unretained(linux_sandbox))); |
125 const std::string process_type = | 132 const std::string process_type = |
126 CommandLine::ForCurrentProcess()->GetSwitchValueASCII( | 133 CommandLine::ForCurrentProcess()->GetSwitchValueASCII( |
127 switches::kProcessType); | 134 switches::kProcessType); |
128 | 135 |
129 // No matter what, it's always an error to call InitializeSandbox() after | 136 // No matter what, it's always an error to call InitializeSandbox() after |
130 // threads have been created. | 137 // threads have been created. |
131 if (!linux_sandbox->IsSingleThreaded()) { | 138 if (!linux_sandbox->IsSingleThreaded()) { |
132 std::string error_message = "InitializeSandbox() called with multiple " | 139 std::string error_message = "InitializeSandbox() called with multiple " |
133 "threads in process " + process_type; | 140 "threads in process " + process_type; |
134 // TSAN starts a helper thread. So we don't start the sandbox and don't | 141 // TSAN starts a helper thread. So we don't start the sandbox and don't |
135 // even report an error about it. | 142 // even report an error about it. |
136 if (IsRunningTSAN()) | 143 if (IsRunningTSAN()) |
137 return false; | 144 return false; |
138 // The GPU process is allowed to call InitializeSandbox() with threads for | 145 // The GPU process is allowed to call InitializeSandbox() with threads for |
139 // now, because it loads third party libraries. | 146 // now, because it loads third party libraries. |
140 if (process_type != switches::kGpuProcess) | 147 if (process_type != switches::kGpuProcess) |
141 CHECK(false) << error_message; | 148 CHECK(false) << error_message; |
142 LOG(ERROR) << error_message; | 149 LOG(ERROR) << error_message; |
143 return false; | 150 return false; |
144 } | 151 } |
145 | 152 |
153 if (linux_sandbox->HasOpenDirectories()) { | |
154 LOG(FATAL) << "InitializeSandbox() called after unexpected directories " | |
155 "have been opened- the setuid sandbox may be at risk, if " | |
156 "the BPF sandbox is not running."; | |
157 } | |
158 | |
146 // Attempt to limit the future size of the address space of the process. | 159 // Attempt to limit the future size of the address space of the process. |
147 linux_sandbox->LimitAddressSpace(process_type); | 160 linux_sandbox->LimitAddressSpace(process_type); |
148 | 161 |
149 // First, try to enable seccomp-bpf. | 162 // First, try to enable seccomp-bpf. |
150 seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type); | 163 seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type); |
151 | 164 |
152 return seccomp_bpf_started; | 165 return seccomp_bpf_started; |
153 } | 166 } |
154 | 167 |
155 int LinuxSandbox::GetStatus() const { | 168 int LinuxSandbox::GetStatus() const { |
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
201 } | 214 } |
202 | 215 |
203 // At least "..", "." and the current thread should be present. | 216 // At least "..", "." and the current thread should be present. |
204 CHECK_LE(3UL, task_stat.st_nlink); | 217 CHECK_LE(3UL, task_stat.st_nlink); |
205 // Counting threads via /proc/self/task could be racy. For the purpose of | 218 // Counting threads via /proc/self/task could be racy. For the purpose of |
206 // determining if the current proces is monothreaded it works: if at any | 219 // determining if the current proces is monothreaded it works: if at any |
207 // time it becomes monothreaded, it'll stay so. | 220 // time it becomes monothreaded, it'll stay so. |
208 return task_stat.st_nlink == 3; | 221 return task_stat.st_nlink == 3; |
209 } | 222 } |
210 | 223 |
224 bool LinuxSandbox::OpenProc() { | |
jln (very slow on Chromium)
2013/11/01 18:55:37
Please, remove this.
Mostyn Bramley-Moore
2013/11/01 22:22:40
Done.
| |
225 CHECK(!sealed_); | |
226 #if !defined(NDEBUG) | |
227 if (proc_fd_ == -1) { | |
228 // Open proc_fd_ only in Debug mode so that forgetting to close it doesn't | |
229 // produce a sandbox escape in Release mode. | |
230 proc_fd_ = open("/proc", O_DIRECTORY | O_RDONLY); | |
231 CHECK_GE(proc_fd_, 0); | |
232 } | |
233 return true; | |
234 #else | |
235 return false; | |
236 #endif // !defined(NDEBUG) | |
237 } | |
238 | |
239 bool LinuxSandbox::HasOpenDirectories() { | |
240 CHECK(!sealed_); | |
241 if (!OpenProc()) { | |
jln (very slow on Chromium)
2013/11/01 18:55:37
You don't need to do the OpenProc() thing, it adds
Mostyn Bramley-Moore
2013/11/01 22:22:40
Done- I assume you mean errno == ENOENT ?
| |
242 // We must not be in debug mode, so guess false; | |
243 return false; | |
244 } | |
245 | |
246 int proc_self_fd = openat(proc_fd_, "self/fd", O_RDONLY|O_DIRECTORY); | |
247 CHECK(proc_self_fd != -1); | |
248 | |
249 // Ownership of proc_self_fd is transferred here, it must not be closed | |
250 // or modified afterwards except via dir. | |
251 DIR *dir = fdopendir(proc_self_fd); | |
jln (very slow on Chromium)
2013/11/01 18:55:37
Style: I don't like it but the style is T* ptr, no
Mostyn Bramley-Moore
2013/11/01 22:22:40
Done.
| |
252 CHECK(dir); | |
253 scoped_ptr<DIR, DIRDeleter> dir_fd(dir); | |
jln (very slow on Chromium)
2013/11/01 18:55:37
Just have directly:
scoped_ptr<DIR, DIRDeleter> d
Mostyn Bramley-Moore
2013/11/01 22:22:40
Done.
| |
254 | |
255 struct dirent e, *de; | |
jln (very slow on Chromium)
2013/11/01 18:55:37
Style: on two different lines
Unfortunately the st
Mostyn Bramley-Moore
2013/11/01 22:22:40
Done.
| |
256 while (!readdir_r(dir, &e, &de) && de) { | |
257 if (strcmp(e.d_name, ".") == 0 || strcmp(e.d_name, "..") == 0) | |
258 continue; | |
259 | |
260 int fd_num; | |
261 CHECK(base::StringToInt(e.d_name, &fd_num)); | |
262 if (fd_num == proc_fd_ || fd_num == proc_self_fd) { | |
263 continue; | |
264 } | |
265 | |
266 struct stat s; | |
267 // It's OK to use proc_self_fd here, fstatat won't modify it. | |
jln (very slow on Chromium)
2013/11/01 18:55:37
Maybe it's more readable with dirfd(dir.get()) ? Y
Mostyn Bramley-Moore
2013/11/01 22:22:40
IMO it's more obvious to people reading this code
| |
268 CHECK(fstatat(proc_self_fd, e.d_name, &s, 0) == 0); | |
269 if (S_ISDIR(s.st_mode)) { | |
270 return true; | |
271 } | |
272 } | |
273 | |
274 // No open unmanaged directories found. \o/ | |
275 return false; | |
276 } | |
277 | |
211 bool LinuxSandbox::seccomp_bpf_started() const { | 278 bool LinuxSandbox::seccomp_bpf_started() const { |
212 return seccomp_bpf_started_; | 279 return seccomp_bpf_started_; |
213 } | 280 } |
214 | 281 |
215 sandbox::SetuidSandboxClient* | 282 sandbox::SetuidSandboxClient* |
216 LinuxSandbox::setuid_sandbox_client() const { | 283 LinuxSandbox::setuid_sandbox_client() const { |
217 return setuid_sandbox_client_.get(); | 284 return setuid_sandbox_client_.get(); |
218 } | 285 } |
219 | 286 |
220 // For seccomp-bpf, we use the SandboxSeccompBpf class. | 287 // For seccomp-bpf, we use the SandboxSeccompBpf class. |
(...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
275 return false; | 342 return false; |
276 #endif // !defined(ADDRESS_SANITIZER) | 343 #endif // !defined(ADDRESS_SANITIZER) |
277 } | 344 } |
278 | 345 |
279 void LinuxSandbox::SealSandbox() { | 346 void LinuxSandbox::SealSandbox() { |
280 if (proc_fd_ >= 0) { | 347 if (proc_fd_ >= 0) { |
281 int ret = HANDLE_EINTR(close(proc_fd_)); | 348 int ret = HANDLE_EINTR(close(proc_fd_)); |
282 CHECK_EQ(0, ret); | 349 CHECK_EQ(0, ret); |
283 proc_fd_ = -1; | 350 proc_fd_ = -1; |
284 } | 351 } |
352 sealed_ = true; | |
285 } | 353 } |
286 | 354 |
287 } // namespace content | 355 } // namespace content |
288 | 356 |
OLD | NEW |