Linux sandbox: change API to start the sandbox

content/common/sandbox_linux/sandbox_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <dirent.h>
 #include <fcntl.h>
 #include <sys/resource.h>
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/types.h>
 #include <unistd.h>
 
 #include <limits>
+#include <string>
+#include <vector>
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/command_line.h"
 #include "base/debug/stack_trace.h"
 #include "base/files/scoped_file.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/singleton.h"
@@ skipping 59 matching lines @@
 #endif
 }
 
 // Try to open /proc/self/task/ with the help of |proc_fd|. |proc_fd| can be
 // -1. Will return -1 on error and set errno like open(2).
 int OpenProcTaskFd(int proc_fd) {
   int proc_self_task = -1;
   if (proc_fd >= 0) {
     // If a handle to /proc is available, use it. This allows to bypass file
     // system restrictions.
-    proc_self_task = openat(proc_fd, "self/task/", O_RDONLY | O_DIRECTORY);
+    proc_self_task =
+        openat(proc_fd, "self/task/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
   } else {
     // Otherwise, make an attempt to access the file system directly.
-    proc_self_task = open("/proc/self/task/", O_RDONLY | O_DIRECTORY);
+    proc_self_task =
+        open("/proc/self/task/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
   }
   return proc_self_task;
 }
 
 }  // namespace
 
 namespace content {
 
 LinuxSandbox::LinuxSandbox()
     : proc_fd_(-1),
       seccomp_bpf_started_(false),
       sandbox_status_flags_(kSandboxLinuxInvalid),
       pre_initialized_(false),
       seccomp_bpf_supported_(false),
       yama_is_enforcing_(false),
+      initialize_sandbox_ran_(false),
       setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create())
 {
   if (setuid_sandbox_client_ == NULL) {
     LOG(FATAL) << "Failed to instantiate the setuid sandbox client.";
   }
 #if defined(ANY_OF_AMTLU_SANITIZER)
   sanitizer_args_ = make_scoped_ptr(new __sanitizer_sandbox_arguments);
   *sanitizer_args_ = {0};
 #endif
 }
 
 LinuxSandbox::~LinuxSandbox() {
+  if (pre_initialized_) {
+    CHECK(initialize_sandbox_ran_);
+  }
 }
 
 LinuxSandbox* LinuxSandbox::GetInstance() {
   LinuxSandbox* instance = Singleton<LinuxSandbox>::get();
   CHECK(instance);
   return instance;
 }
 
 void LinuxSandbox::PreinitializeSandbox() {
   CHECK(!pre_initialized_);
   seccomp_bpf_supported_ = false;
 #if defined(ANY_OF_AMTLU_SANITIZER)
   // Sanitizers need to open some resources before the sandbox is enabled.
   // This should not fork, not launch threads, not open a directory.
   __sanitizer_sandbox_on_notify(sanitizer_args());
   sanitizer_args_.reset();
 #endif
 
 #if !defined(NDEBUG)
   // The in-process stack dumping needs to open /proc/self/maps and cache
   // its contents before the sandbox is enabled.  It also pre-opens the
   // object files that are already loaded in the process address space.
   base::debug::EnableInProcessStackDumpingForSandbox();
+#endif  // !defined(NDEBUG)
 
-  // Open proc_fd_ only in Debug mode so that forgetting to close it doesn't
-  // produce a sandbox escape in Release mode.
+  // Open proc_fd_. It would break the security of the setuid sandbox if it was
+  // not closed.
+  // If LinuxSandbox::PreinitializeSandbox() runs, InitializeSandbox() must run
+  // as well.
   proc_fd_ = open("/proc", O_DIRECTORY | O_RDONLY | O_CLOEXEC);
   CHECK_GE(proc_fd_, 0);
-#endif  // !defined(NDEBUG)
   // We "pre-warm" the code that detects supports for seccomp BPF.
   if (SandboxSeccompBPF::IsSeccompBPFDesired()) {
     if (!SandboxSeccompBPF::SupportsSandbox()) {
       VLOG(1) << "Lacking support for seccomp-bpf sandbox.";
     } else {
       seccomp_bpf_supported_ = true;
     }
   }
 
   // Yama is a "global", system-level status. We assume it will not regress
   // after startup.
   const int yama_status = Yama::GetStatus();
   yama_is_enforcing_ = (yama_status & Yama::STATUS_PRESENT) &&
                        (yama_status & Yama::STATUS_ENFORCING);
   pre_initialized_ = true;
 }
 
+std::vector<int> LinuxSandbox::GetFileDescriptorsToClose() {
+  return std::vector<int>{proc_fd_};
+}
+
 bool LinuxSandbox::InitializeSandbox() {
   LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
   return linux_sandbox->InitializeSandboxImpl();
 }
 
 void LinuxSandbox::StopThread(base::Thread* thread) {
   LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
   linux_sandbox->StopThreadImpl(thread);
 }
 
@@ skipping 22 matching lines @@
     }
   }
 
   return sandbox_status_flags_;
 }
 
 // Threads are counted via /proc/self/task. This is a little hairy because of
 // PID namespaces and existing sandboxes, so "self" must really be used instead
 // of using the pid.
 bool LinuxSandbox::IsSingleThreaded() const {
-  bool is_single_threaded = false;
   base::ScopedFD proc_self_task(OpenProcTaskFd(proc_fd_));
 
-// In Debug mode, it's mandatory to be able to count threads to catch bugs.
-#if !defined(NDEBUG)
-  // Using CHECK here since we want to check all the cases where
-  // !defined(NDEBUG)
-  // gets built.
   CHECK(proc_self_task.is_valid())
       << "Could not count threads, the sandbox was not "
       << "pre-initialized properly.";
-#endif  // !defined(NDEBUG)
 
-  if (!proc_self_task.is_valid()) {
-    // Pretend to be monothreaded if it can't be determined (for instance the
-    // setuid sandbox is already engaged but no proc_fd_ is available).
-    is_single_threaded = true;
-  } else {
-    is_single_threaded =
-        sandbox::ThreadHelpers::IsSingleThreaded(proc_self_task.get());
-  }
+  const bool is_single_threaded =
+      sandbox::ThreadHelpers::IsSingleThreaded(proc_self_task.get());
 
   return is_single_threaded;
 }
 
 bool LinuxSandbox::seccomp_bpf_started() const {
   return seccomp_bpf_started_;
 }
 
 sandbox::SetuidSandboxClient*
     LinuxSandbox::setuid_sandbox_client() const {
   return setuid_sandbox_client_.get();
 }
 
 // For seccomp-bpf, we use the SandboxSeccompBPF class.
 bool LinuxSandbox::StartSeccompBPF(const std::string& process_type) {
   CHECK(!seccomp_bpf_started_);
   CHECK(pre_initialized_);
-  if (seccomp_bpf_supported())
-    seccomp_bpf_started_ = SandboxSeccompBPF::StartSandbox(process_type);
+  if (seccomp_bpf_supported()) {
+    base::ScopedFD proc_self_task(OpenProcTaskFd(proc_fd_));
+    seccomp_bpf_started_ =
+        SandboxSeccompBPF::StartSandbox(process_type, proc_self_task.Pass());
+  }
 
-  if (seccomp_bpf_started_)
+  if (seccomp_bpf_started_) {
     LogSandboxStarted("seccomp-bpf");
+  }
 
   return seccomp_bpf_started_;
 }
 
 bool LinuxSandbox::InitializeSandboxImpl() {
+  DCHECK(!initialize_sandbox_ran_);
+  initialize_sandbox_ran_ = true;
+
   base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
   const std::string process_type =
       command_line->GetSwitchValueASCII(switches::kProcessType);
 
   // We need to make absolutely sure that our sandbox is "sealed" before
   // returning.
   // Unretained() since the current object is a Singleton.
   base::ScopedClosureRunner sandbox_sealer(
       base::Bind(&LinuxSandbox::SealSandbox, base::Unretained(this)));
   // Make sure that this function enables sandboxes as promised by GetStatus().
@@ skipping 136 matching lines @@
 
 void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread* thread) const {
   DCHECK(thread);
   base::ScopedFD proc_self_task(OpenProcTaskFd(proc_fd_));
   PCHECK(proc_self_task.is_valid());
   CHECK(sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_self_task.get(),
                                                          thread));
 }
 
 }  // namespace content