NaCl Linux: create NaClSandbox class

components/nacl/loader/nacl_helper_linux.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // A mini-zygote specifically for Native Client.
 
 #include "components/nacl/loader/nacl_helper_linux.h"
 
 #include <errno.h>
 #include <fcntl.h>
@@ skipping 14 matching lines @@
 #include "base/memory/scoped_ptr.h"
 #include "base/message_loop/message_loop.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/posix/global_descriptors.h"
 #include "base/posix/unix_domain_socket_linux.h"
 #include "base/process/kill.h"
 #include "base/process/process_handle.h"
 #include "base/rand_util.h"
 #include "components/nacl/common/nacl_switches.h"
 #include "components/nacl/loader/nacl_listener.h"
-#include "components/nacl/loader/nacl_sandbox_linux.h"
-#include "components/nacl/loader/nonsfi/nonsfi_sandbox.h"
+#include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h"
 #include "content/public/common/content_descriptors.h"
 #include "content/public/common/zygote_fork_delegate_linux.h"
 #include "crypto/nss_util.h"
 #include "ipc/ipc_descriptors.h"
 #include "ipc/ipc_switches.h"
-#include "sandbox/linux/services/credentials.h"
 #include "sandbox/linux/services/libc_urandom_override.h"
-#include "sandbox/linux/services/thread_helpers.h"
-#include "sandbox/linux/suid/client/setuid_sandbox_client.h"
 
 namespace {
 
 struct NaClLoaderSystemInfo {
   size_t prereserved_sandbox_size;
   long number_of_cores;
 };
 
-// This is a poor man's check on whether we are sandboxed.
-bool IsSandboxed() {
-  int proc_fd = open("/proc/self/exe", O_RDONLY);
-  if (proc_fd >= 0) {
-    close(proc_fd);
-    return false;
-  }
-  return true;
-}
-
-void InitializeLayerOneSandbox() {
-  // Check that IsSandboxed() works. We should not be sandboxed at this point.
-  CHECK(!IsSandboxed()) << "Unexpectedly sandboxed!";
-  scoped_ptr<sandbox::SetuidSandboxClient>
-      setuid_sandbox_client(sandbox::SetuidSandboxClient::Create());
-  PCHECK(0 == IGNORE_EINTR(close(
-                  setuid_sandbox_client->GetUniqueToChildFileDescriptor())));
-  const bool suid_sandbox_child = setuid_sandbox_client->IsSuidSandboxChild();
-  const bool is_init_process = 1 == getpid();
-  CHECK_EQ(is_init_process, suid_sandbox_child);
-
-  if (suid_sandbox_child) {
-    // Make sure that no directory file descriptor is open, as it would bypass
-    // the setuid sandbox model.
-    sandbox::Credentials credentials;
-    CHECK(!credentials.HasOpenDirectory(-1));
-
-    // Get sandboxed.
-    CHECK(setuid_sandbox_client->ChrootMe());
-    CHECK(IsSandboxed());
-  }
-}
-
-void InitializeLayerTwoSandbox(bool uses_nonsfi_mode) {
-  if (uses_nonsfi_mode) {
-    const bool can_be_no_sandbox = CommandLine::ForCurrentProcess()->HasSwitch(
-        switches::kNaClDangerousNoSandboxNonSfi);
-    const bool setuid_sandbox_enabled = IsSandboxed();
-    if (!setuid_sandbox_enabled) {
-      if (can_be_no_sandbox)
-        LOG(ERROR) << "DANGEROUS: Running non-SFI NaCl without SUID sandbox!";
-      else
-        LOG(FATAL) << "SUID sandbox is mandatory for non-SFI NaCl";
-    }
-    const bool bpf_sandbox_initialized = nacl::nonsfi::InitializeBPFSandbox();
-    if (!bpf_sandbox_initialized) {
-      if (can_be_no_sandbox) {
-        LOG(ERROR)
-            << "DANGEROUS: Running non-SFI NaCl without seccomp-bpf sandbox!";
-      } else {
-        LOG(FATAL) << "Could not initialize NaCl's second "
-                   << "layer sandbox (seccomp-bpf) for non-SFI mode.";
-      }
-    }
-  } else {
-    const bool bpf_sandbox_initialized = InitializeBPFSandbox();
-    if (!bpf_sandbox_initialized) {
-      LOG(ERROR) << "Could not initialize NaCl's second "
-                 << "layer sandbox (seccomp-bpf) for SFI mode.";
-    }
-  }
-}
-
 // Replace |file_descriptor| with the reading end of a closed pipe.
 void ReplaceFDWithDummy(int file_descriptor) {
   // Make sure that file_descriptor is an open descriptor.
   PCHECK(-1 != fcntl(file_descriptor, F_GETFD, 0));
   int pipefd[2];
   PCHECK(0 == pipe(pipefd));
   PCHECK(-1 != dup2(pipefd[0], file_descriptor));
   PCHECK(0 == IGNORE_EINTR(close(pipefd[0])));
   PCHECK(0 == IGNORE_EINTR(close(pipefd[1])));
 }
 
 // The child must mimic the behavior of zygote_main_linux.cc on the child
 // side of the fork. See zygote_main_linux.cc:HandleForkRequest from
 //   if (!child) {
 void BecomeNaClLoader(const std::vector<int>& child_fds,
                       const NaClLoaderSystemInfo& system_info,
-                      bool uses_nonsfi_mode) {
+                      bool uses_nonsfi_mode,
+                      nacl::NaClSandbox* nacl_sandbox) {
+  DCHECK(nacl_sandbox);
   VLOG(1) << "NaCl loader: setting up IPC descriptor";
   // Close or shutdown IPC channels that we don't need anymore.
   PCHECK(0 == IGNORE_EINTR(close(kNaClZygoteDescriptor)));
   // In Non-SFI mode, it's important to close any non-expected IPC channels.
   if (uses_nonsfi_mode) {
     // The low-level kSandboxIPCChannel is used by renderers and NaCl for
     // various operations. See the LinuxSandbox::METHOD_* methods. NaCl uses
     // LinuxSandbox::METHOD_MAKE_SHARED_MEMORY_SEGMENT in SFI mode, so this
     // should only be closed in Non-SFI mode.
     // This file descriptor is insidiously used by a number of APIs. Closing it
     // could lead to difficult to debug issues. Instead of closing it, replace
     // it with a dummy.
     const int sandbox_ipc_channel =
         base::GlobalDescriptors::kBaseDescriptor + kSandboxIPCChannel;
 
     ReplaceFDWithDummy(sandbox_ipc_channel);
   }
 
-  InitializeLayerTwoSandbox(uses_nonsfi_mode);
+  // Finish layer-1 sandbox initialization and initialize the layer-2 sandbox.
+  CHECK(!nacl_sandbox->HasOpenDirectory());
+  nacl_sandbox->InitializeLayerTwoSandbox(uses_nonsfi_mode);
+  nacl_sandbox->SealLayerOneSandbox();
+  nacl_sandbox->CheckSandboxingStateWithPolicy();
+
   base::GlobalDescriptors::GetInstance()->Set(
       kPrimaryIPCChannel,
       child_fds[content::ZygoteForkDelegate::kBrowserFDIndex]);
 
   base::MessageLoopForIO main_message_loop;
   NaClListener listener;
   listener.set_uses_nonsfi_mode(uses_nonsfi_mode);
   listener.set_prereserved_sandbox_size(system_info.prereserved_sandbox_size);
   listener.set_number_of_cores(system_info.number_of_cores);
   listener.Listen();
   _exit(0);
 }
 
 // Start the NaCl loader in a child created by the NaCl loader Zygote.
 void ChildNaClLoaderInit(const std::vector<int>& child_fds,
                          const NaClLoaderSystemInfo& system_info,
                          bool uses_nonsfi_mode,
+                         nacl::NaClSandbox* nacl_sandbox,
                          const std::string& channel_id) {
   const int parent_fd = child_fds[content::ZygoteForkDelegate::kParentFDIndex];
   const int dummy_fd = child_fds[content::ZygoteForkDelegate::kDummyFDIndex];
 
   bool validack = false;
   base::ProcessId real_pid;
   // Wait until the parent process has discovered our PID.  We
   // should not fork any child processes (which the seccomp
   // sandbox does) until then, because that can interfere with the
   // parent's discovery of our PID.
@@ skipping 12 matching lines @@
     if (nread < 0)
       perror("read");
     LOG(ERROR) << "read returned " << nread;
   }
 
   if (IGNORE_EINTR(close(dummy_fd)) != 0)
     LOG(ERROR) << "close(dummy_fd) failed";
   if (IGNORE_EINTR(close(parent_fd)) != 0)
     LOG(ERROR) << "close(parent_fd) failed";
   if (validack) {
-    BecomeNaClLoader(child_fds, system_info, uses_nonsfi_mode);
+    BecomeNaClLoader(child_fds, system_info, uses_nonsfi_mode, nacl_sandbox);
   } else {
     LOG(ERROR) << "Failed to synch with zygote";
   }
   _exit(1);
 }
 
 // Handle a fork request from the Zygote.
 // Some of this code was lifted from
 // content/browser/zygote_main_linux.cc:ForkWithRealPid()
 bool HandleForkRequest(const std::vector<int>& child_fds,
                        const NaClLoaderSystemInfo& system_info,
+                       nacl::NaClSandbox* nacl_sandbox,
                        PickleIterator* input_iter,
                        Pickle* output_pickle) {
   bool uses_nonsfi_mode;
   if (!input_iter->ReadBool(&uses_nonsfi_mode)) {
     LOG(ERROR) << "Could not read uses_nonsfi_mode status";
     return false;
   }
 
   std::string channel_id;
   if (!input_iter->ReadString(&channel_id)) {
     LOG(ERROR) << "Could not read channel_id string";
     return false;
   }
 
   if (content::ZygoteForkDelegate::kNumPassedFDs != child_fds.size()) {
     LOG(ERROR) << "nacl_helper: unexpected number of fds, got "
         << child_fds.size();
     return false;
   }
 
   VLOG(1) << "nacl_helper: forking";
   pid_t child_pid = fork();
   if (child_pid < 0) {
     PLOG(ERROR) << "*** fork() failed.";
   }
 
   if (child_pid == 0) {
-    ChildNaClLoaderInit(child_fds, system_info, uses_nonsfi_mode, channel_id);
+    ChildNaClLoaderInit(
+        child_fds, system_info, uses_nonsfi_mode, nacl_sandbox, channel_id);
     NOTREACHED();
   }
 
   // I am the parent.
   // First, close the dummy_fd so the sandbox won't find me when
   // looking for the child's pid in /proc. Also close other fds.
   for (size_t i = 0; i < child_fds.size(); i++) {
     if (IGNORE_EINTR(close(child_fds[i])) != 0)
       LOG(ERROR) << "close(child_fds[i]) failed";
   }
@@ skipping 34 matching lines @@
 }
 
 // Honor a command |command_type|. Eventual command parameters are
 // available in |input_iter| and eventual file descriptors attached to
 // the command are in |attached_fds|.
 // Reply to the command on |reply_fds|.
 bool HonorRequestAndReply(int reply_fd,
                           int command_type,
                           const std::vector<int>& attached_fds,
                           const NaClLoaderSystemInfo& system_info,
+                          nacl::NaClSandbox* nacl_sandbox,
                           PickleIterator* input_iter) {
   Pickle write_pickle;
   bool have_to_reply = false;
   // Commands must write anything to send back to |write_pickle|.
   switch (command_type) {
     case nacl::kNaClForkRequest:
-      have_to_reply = HandleForkRequest(attached_fds, system_info,
-                                        input_iter, &write_pickle);
+      have_to_reply = HandleForkRequest(
+          attached_fds, system_info, nacl_sandbox, input_iter, &write_pickle);
       break;
     case nacl::kNaClGetTerminationStatusRequest:
       have_to_reply =
           HandleGetTerminationStatusRequest(input_iter, &write_pickle);
       break;
     default:
       LOG(ERROR) << "Unsupported command from Zygote";
       return false;
   }
   if (!have_to_reply)
     return false;
   const std::vector<int> empty;  // We never send file descriptors back.
   if (!UnixDomainSocket::SendMsg(reply_fd, write_pickle.data(),
                                  write_pickle.size(), empty)) {
     LOG(ERROR) << "*** send() to zygote failed";
     return false;
   }
   return true;
 }
 
 // Read a request from the Zygote from |zygote_ipc_fd| and handle it.
 // Die on EOF from |zygote_ipc_fd|.
 bool HandleZygoteRequest(int zygote_ipc_fd,
-                         const NaClLoaderSystemInfo& system_info) {
+                         const NaClLoaderSystemInfo& system_info,
+                         nacl::NaClSandbox* nacl_sandbox) {
   std::vector<int> fds;
   char buf[kNaClMaxIPCMessageLength];
   const ssize_t msglen = UnixDomainSocket::RecvMsg(zygote_ipc_fd,
       &buf, sizeof(buf), &fds);
   // If the Zygote has started handling requests, we should be sandboxed via
   // the setuid sandbox.
-  if (!IsSandboxed()) {
+  if (!nacl_sandbox->layer_one_enabled()) {
     LOG(ERROR) << "NaCl helper process running without a sandbox!\n"
       << "Most likely you need to configure your SUID sandbox "
       << "correctly";
   }
   if (msglen == 0 || (msglen == -1 && errno == ECONNRESET)) {
     // EOF from the browser. Goodbye!
     _exit(0);
   }
   if (msglen < 0) {
     PLOG(ERROR) << "nacl_helper: receive from zygote failed";
     return false;
   }
 
   Pickle read_pickle(buf, msglen);
   PickleIterator read_iter(read_pickle);
   int command_type;
   if (!read_iter.ReadInt(&command_type)) {
     LOG(ERROR) << "Unable to read command from Zygote";
     return false;
   }
-  return HonorRequestAndReply(zygote_ipc_fd, command_type, fds, system_info,
-                              &read_iter);
+  return HonorRequestAndReply(
+      zygote_ipc_fd, command_type, fds, system_info, nacl_sandbox, &read_iter);
 }
 
 static const char kNaClHelperReservedAtZero[] = "reserved_at_zero";
 static const char kNaClHelperRDebug[] = "r_debug";
 
 // Since we were started by nacl_helper_bootstrap rather than in the
 // usual way, the debugger cannot figure out where our executable
 // or the dynamic linker or the shared libraries are in memory,
 // so it won't find any symbols.  But we can fake it out to find us.
 //
@@ skipping 96 matching lines @@
   // NSS is needed to perform hashing for validation caching.
   crypto::LoadNSSLibraries();
 #endif
   const NaClLoaderSystemInfo system_info = {
     CheckReservedAtZero(),
     sysconf(_SC_NPROCESSORS_ONLN)
   };
 
   CheckRDebug(argv[0]);
 
+  scoped_ptr<nacl::NaClSandbox> nacl_sandbox(new nacl::NaClSandbox);
   // Make sure that the early initialization did not start any spurious
   // threads.
 #if !defined(THREAD_SANITIZER)
-  CHECK(sandbox::ThreadHelpers::IsSingleThreaded(-1));
+  CHECK(nacl_sandbox->IsSingleThreaded());
 #endif
 
-  InitializeLayerOneSandbox();
+  const bool is_init_process = 1 == getpid();
+  nacl_sandbox->InitializeLayerOneSandbox();
+  CHECK_EQ(is_init_process, nacl_sandbox->layer_one_enabled());
 
   const std::vector<int> empty;
   // Send the zygote a message to let it know we are ready to help
   if (!UnixDomainSocket::SendMsg(kNaClZygoteDescriptor,
                                  kNaClHelperStartupAck,
                                  sizeof(kNaClHelperStartupAck), empty)) {
     LOG(ERROR) << "*** send() to zygote failed";
   }
 
   // Now handle requests from the Zygote.
   while (true) {
-    bool request_handled = HandleZygoteRequest(kNaClZygoteDescriptor,
-                                               system_info);
+    bool request_handled = HandleZygoteRequest(
+        kNaClZygoteDescriptor, system_info, nacl_sandbox.get());
     // Do not turn this into a CHECK() without thinking about robustness
     // against malicious IPC requests.
     DCHECK(request_handled);
   }
   NOTREACHED();
 }