Linux sandbox: change API to start the sandbox

sandbox/linux/seccomp-bpf/sandbox_bpf.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 
 // Some headers on Android are missing cdefs: crbug.com/172337.
 // (We can't use OS_ANDROID here since build_config.h is not included).
 #if defined(ANDROID)
 #include <sys/cdefs.h>
@@ skipping 24 matching lines @@
 #include "sandbox/linux/seccomp-bpf/codegen.h"
 #include "sandbox/linux/seccomp-bpf/die.h"
 #include "sandbox/linux/seccomp-bpf/errorcode.h"
 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
 #include "sandbox/linux/seccomp-bpf/trap.h"
 #include "sandbox/linux/seccomp-bpf/verifier.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 #include "sandbox/linux/services/syscall_wrappers.h"
+#include "sandbox/linux/services/thread_helpers.h"
 
 using sandbox::bpf_dsl::Allow;
 using sandbox::bpf_dsl::Error;
 using sandbox::bpf_dsl::ResultExpr;
 
 namespace sandbox {
 
 namespace {
 
 const int kExpectedExitCode = 100;
@@ skipping 60 matching lines @@
 void TryVsyscallProcess(void) {
   time_t current_time;
   // time() is implemented as a vsyscall. With an older glibc, with
   // vsyscall=emulate and some versions of the seccomp BPF patch
   // we may get SIGKILL-ed. Detect this!
   if (time(&current_time) != static_cast<time_t>(-1)) {
     sys_exit_group(kExpectedExitCode);
   }
 }
 
-bool IsSingleThreaded(int proc_fd) {
-  if (proc_fd < 0) {
-    // Cannot determine whether program is single-threaded. Hope for
-    // the best...
-    return true;
-  }
-
-  struct stat sb;
-  int task = -1;
-  if ((task = openat(proc_fd, "self/task", O_RDONLY | O_DIRECTORY)) < 0 ||
-      fstat(task, &sb) != 0 || sb.st_nlink != 3 || IGNORE_EINTR(close(task))) {
-    if (task >= 0) {
-      if (IGNORE_EINTR(close(task))) {
-      }
-    }
-    return false;
-  }
-  return true;
+bool IsSingleThreaded(int proc_task_fd) {
+  return ThreadHelpers::IsSingleThreaded(proc_task_fd);
 }
 
 }  // namespace
 
 SandboxBPF::SandboxBPF()
-    : quiet_(false), proc_fd_(-1), sandbox_has_started_(false), policy_() {
+    : quiet_(false), proc_task_fd_(-1), sandbox_has_started_(false), policy_() {
 }
 
 SandboxBPF::~SandboxBPF() {
+  if (proc_task_fd_ != -1)
+    IGNORE_EINTR(close(proc_task_fd_));
 }
 
 bool SandboxBPF::IsValidSyscallNumber(int sysnum) {
   return SyscallSet::IsValid(sysnum);
 }
 
 bool SandboxBPF::RunFunctionInPolicy(void (*code_in_sandbox)(),
                                      scoped_ptr<bpf_dsl::Policy> policy) {
   // Block all signals before forking a child process. This prevents an
   // attacker from manipulating our test by sending us an unexpected signal.
   sigset_t old_mask, new_mask;
   if (sigfillset(&new_mask) || sigprocmask(SIG_BLOCK, &new_mask, &old_mask)) {
     SANDBOX_DIE("sigprocmask() failed");
   }
   int fds[2];
   if (pipe2(fds, O_NONBLOCK | O_CLOEXEC)) {
     SANDBOX_DIE("pipe() failed");
   }
 
   if (fds[0] <= 2 || fds[1] <= 2) {
     SANDBOX_DIE("Process started without standard file descriptors");
   }
 
   // This code is using fork() and should only ever run single-threaded.
   // Most of the code below is "async-signal-safe" and only minor changes
   // would be needed to support threads.
-  DCHECK(IsSingleThreaded(proc_fd_));
+  DCHECK(IsSingleThreaded(proc_task_fd_));
   pid_t pid = fork();
   if (pid < 0) {
     // Die if we cannot fork(). We would probably fail a little later
     // anyway, as the machine is likely very close to running out of
     // memory.
     // But what we don't want to do is return "false", as a crafty
     // attacker might cause fork() to fail at will and could trick us
     // into running without a sandbox.
     sigprocmask(SIG_SETMASK, &old_mask, NULL);  // OK, if it fails
     SANDBOX_DIE("fork() failed unexpectedly");
@@ skipping 86 matching lines @@
 }
 
 bool SandboxBPF::KernelSupportSeccompBPF() {
   return RunFunctionInPolicy(ProbeProcess,
                              scoped_ptr<bpf_dsl::Policy>(new ProbePolicy())) &&
          RunFunctionInPolicy(TryVsyscallProcess,
                              scoped_ptr<bpf_dsl::Policy>(new AllowAllPolicy()));
 }
 
 // static
-SandboxBPF::SandboxStatus SandboxBPF::SupportsSeccompSandbox(int proc_fd) {
-  // It the sandbox is currently active, we clearly must have support for
-  // sandboxing.
-  if (status_ == STATUS_ENABLED) {
-    return status_;
-  }
-
-  // Even if the sandbox was previously available, something might have
-  // changed in our run-time environment. Check one more time.
-  if (status_ == STATUS_AVAILABLE) {
-    if (!IsSingleThreaded(proc_fd)) {
-      status_ = STATUS_UNAVAILABLE;
-    }
-    return status_;
-  }
-
-  if (status_ == STATUS_UNAVAILABLE && IsSingleThreaded(proc_fd)) {
-    // All state transitions resulting in STATUS_UNAVAILABLE are immediately
-    // preceded by STATUS_AVAILABLE. Furthermore, these transitions all
-    // happen, if and only if they are triggered by the process being multi-
-    // threaded.
-    // In other words, if a single-threaded process is currently in the
-    // STATUS_UNAVAILABLE state, it is safe to assume that sandboxing is
-    // actually available.
-    status_ = STATUS_AVAILABLE;
+SandboxBPF::SandboxStatus SandboxBPF::SupportsSeccompSandbox() {
+  if (status_ != STATUS_UNKNOWN) {
     return status_;
   }
 
   // If we have not previously checked for availability of the sandbox or if
   // we otherwise don't believe to have a good cached value, we have to
   // perform a thorough check now.
-  if (status_ == STATUS_UNKNOWN) {
-    // We create our own private copy of a "Sandbox" object. This ensures that
-    // the object does not have any policies configured, that might interfere
-    // with the tests done by "KernelSupportSeccompBPF()".
-    SandboxBPF sandbox;
 
-    // By setting "quiet_ = true" we suppress messages for expected and benign
-    // failures (e.g. if the current kernel lacks support for BPF filters).
-    sandbox.quiet_ = true;
-    sandbox.set_proc_fd(proc_fd);
-    status_ = sandbox.KernelSupportSeccompBPF() ? STATUS_AVAILABLE
-                                                : STATUS_UNSUPPORTED;
+  // We create our own private copy of a "Sandbox" object. This ensures that
+  // the object does not have any policies configured, that might interfere
+  // with the tests done by "KernelSupportSeccompBPF()".
+  SandboxBPF sandbox;
 
-    // As we are performing our tests from a child process, the run-time
-    // environment that is visible to the sandbox is always guaranteed to be
-    // single-threaded. Let's check here whether the caller is single-
-    // threaded. Otherwise, we mark the sandbox as temporarily unavailable.
-    if (status_ == STATUS_AVAILABLE && !IsSingleThreaded(proc_fd)) {
-      status_ = STATUS_UNAVAILABLE;
-    }
-  }
+  // By setting "quiet_ = true" we suppress messages for expected and benign
+  // failures (e.g. if the current kernel lacks support for BPF filters).
+  // TODO(jln): use kernel API to check for seccomp support now that things
+  // have stabilized.
+  sandbox.quiet_ = true;
+  status_ =
+      sandbox.KernelSupportSeccompBPF() ? STATUS_AVAILABLE : STATUS_UNSUPPORTED;
+
   return status_;
 }
 
 // static
 SandboxBPF::SandboxStatus
 SandboxBPF::SupportsSeccompThreadFilterSynchronization() {
   // Applying NO_NEW_PRIVS, a BPF filter, and synchronizing the filter across
   // the thread group are all handled atomically by this syscall.
   const int rv = syscall(
       __NR_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, NULL);
 
   if (rv == -1 && errno == EFAULT) {
     return STATUS_AVAILABLE;
   } else {
     // TODO(jln): turn these into DCHECK after 417888 is considered fixed.
     CHECK_EQ(-1, rv);
     CHECK(ENOSYS == errno || EINVAL == errno);
     return STATUS_UNSUPPORTED;
   }
 }
 
-void SandboxBPF::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; }
+void SandboxBPF::set_proc_task_fd(int proc_task_fd) {
+  proc_task_fd_ = proc_task_fd;
+}
 
 bool SandboxBPF::StartSandbox(SandboxThreadState thread_state) {
   CHECK(thread_state == PROCESS_SINGLE_THREADED ||
         thread_state == PROCESS_MULTI_THREADED);
 
   if (status_ == STATUS_UNSUPPORTED || status_ == STATUS_UNAVAILABLE) {
     SANDBOX_DIE(
         "Trying to start sandbox, even though it is known to be "
         "unavailable");
     return false;
   } else if (sandbox_has_started_) {
     SANDBOX_DIE(
         "Cannot repeatedly start sandbox. Create a separate Sandbox "
         "object instead.");
     return false;
   }
-  if (proc_fd_ < 0) {
-    proc_fd_ = open("/proc", O_RDONLY | O_DIRECTORY);
-  }
-  if (proc_fd_ < 0) {
-    // For now, continue in degraded mode, if we can't access /proc.
-    // In the future, we might want to tighten this requirement.
-  }
 
   bool supports_tsync =
       SupportsSeccompThreadFilterSynchronization() == STATUS_AVAILABLE;
 
   if (thread_state == PROCESS_SINGLE_THREADED) {
-    if (!IsSingleThreaded(proc_fd_)) {
+    if (!IsSingleThreaded(proc_task_fd_)) {
       SANDBOX_DIE("Cannot start sandbox; process is already multi-threaded");
       return false;
     }
   } else if (thread_state == PROCESS_MULTI_THREADED) {
-    if (IsSingleThreaded(proc_fd_)) {
+    if (IsSingleThreaded(proc_task_fd_)) {
       SANDBOX_DIE("Cannot start sandbox; "
                   "process may be single-threaded when reported as not");
       return false;
     }
     if (!supports_tsync) {
       SANDBOX_DIE("Cannot start sandbox; kernel does not support synchronizing "
                   "filters for a threadgroup");
       return false;
     }
   }
 
   // We no longer need access to any files in /proc. We want to do this
   // before installing the filters, just in case that our policy denies
   // close().
-  if (proc_fd_ >= 0) {
-    if (IGNORE_EINTR(close(proc_fd_))) {
+  if (proc_task_fd_ >= 0) {
+    if (IGNORE_EINTR(close(proc_task_fd_))) {
       SANDBOX_DIE("Failed to close file descriptor for /proc");
       return false;
     }
-    proc_fd_ = -1;
+    proc_task_fd_ = -1;
   }
 
   // Install the filters.
   InstallFilter(supports_tsync || thread_state == PROCESS_MULTI_THREADED);
 
   // We are now inside the sandbox.
   status_ = STATUS_ENABLED;
 
   return true;
 }
@@ skipping 92 matching lines @@
                        static_cast<intptr_t>(args.args[1]),
                        static_cast<intptr_t>(args.args[2]),
                        static_cast<intptr_t>(args.args[3]),
                        static_cast<intptr_t>(args.args[4]),
                        static_cast<intptr_t>(args.args[5]));
 }
 
 SandboxBPF::SandboxStatus SandboxBPF::status_ = STATUS_UNKNOWN;
 
 }  // namespace sandbox