OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_ | 5 #ifndef CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_ |
6 #define CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_ | 6 #define CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_ |
7 | 7 |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
(...skipping 11 matching lines...) Expand all Loading... | |
22 template <typename T> struct DefaultSingletonTraits; | 22 template <typename T> struct DefaultSingletonTraits; |
23 namespace base { | 23 namespace base { |
24 class Thread; | 24 class Thread; |
25 } | 25 } |
26 namespace sandbox { class SetuidSandboxClient; } | 26 namespace sandbox { class SetuidSandboxClient; } |
27 | 27 |
28 namespace content { | 28 namespace content { |
29 | 29 |
30 // A singleton class to represent and change our sandboxing state for the | 30 // A singleton class to represent and change our sandboxing state for the |
31 // three main Linux sandboxes. | 31 // three main Linux sandboxes. |
32 // The sandboxing model allows using two layers of sandboxing. The first layer | |
33 // can be implement either with unprivileged namespaces or with the setuid | |
rickyz (no longer on Chrome)
2015/02/11 22:59:56
nit: implemented
jln (very slow on Chromium)
2015/02/11 23:13:06
Done.
| |
34 // sandbox. This class provides a way to engage the namespace sandbox, but does | |
35 // not deal with the legacy setuid sandbox directly. | |
36 // The second layer is mainly based on seccomp-bpf and is engaged with | |
37 // InitializeSandbox(). InitializeSandbox() is also responsible for "sealing" | |
38 // the first layer of sandboxing. That is, InitializeSandbox must always be | |
39 // called to have any meaningful sandboxing at all. | |
32 class LinuxSandbox { | 40 class LinuxSandbox { |
33 public: | 41 public: |
34 // This is a list of sandbox IPC methods which the renderer may send to the | 42 // This is a list of sandbox IPC methods which the renderer may send to the |
35 // sandbox host. See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC | 43 // sandbox host. See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC |
36 // This isn't the full list, values < 32 are reserved for methods called from | 44 // This isn't the full list, values < 32 are reserved for methods called from |
37 // Skia. | 45 // Skia. |
38 enum LinuxSandboxIPCMethods { | 46 enum LinuxSandboxIPCMethods { |
39 METHOD_GET_FALLBACK_FONT_FOR_CHAR = 32, | 47 METHOD_GET_FALLBACK_FONT_FOR_CHAR = 32, |
40 METHOD_LOCALTIME = 33, | 48 METHOD_LOCALTIME = 33, |
41 DEPRECATED_METHOD_GET_CHILD_WITH_INODE = 34, | 49 DEPRECATED_METHOD_GET_CHILD_WITH_INODE = 34, |
42 METHOD_GET_STYLE_FOR_STRIKE = 35, | 50 METHOD_GET_STYLE_FOR_STRIKE = 35, |
43 METHOD_MAKE_SHARED_MEMORY_SEGMENT = 36, | 51 METHOD_MAKE_SHARED_MEMORY_SEGMENT = 36, |
44 METHOD_MATCH_WITH_FALLBACK = 37, | 52 METHOD_MATCH_WITH_FALLBACK = 37, |
45 }; | 53 }; |
46 | 54 |
47 // Get our singleton instance. | 55 // Get our singleton instance. |
48 static LinuxSandbox* GetInstance(); | 56 static LinuxSandbox* GetInstance(); |
49 | 57 |
50 // Do some initialization that can only be done before any of the sandboxes | 58 // Do some initialization that can only be done before any of the sandboxes |
51 // are enabled. If using the setuid sandbox, this should be called manually | 59 // are enabled. If using the setuid sandbox, this should be called manually |
52 // before the setuid sandbox is engaged. | 60 // before the setuid sandbox is engaged. |
53 // Security: When this runs, it is imperative that either InitializeSandbox() | 61 // Security: When this runs, it is imperative that either InitializeSandbox() |
54 // runs as well or that all file descriptors returned in | 62 // runs as well or that all file descriptors returned in |
55 // GetFileDescriptorsToClose() get closed. | 63 // GetFileDescriptorsToClose() get closed. |
56 // Otherwise file descriptors that bypass the security of the setuid sandbox | 64 // Otherwise file descriptors that bypass the security of the setuid sandbox |
57 // would be kept open. One must be particularly careful if a process performs | 65 // would be kept open. One must be particularly careful if a process performs |
58 // a fork(). | 66 // a fork(). |
59 void PreinitializeSandbox(); | 67 void PreinitializeSandbox(); |
60 | 68 |
69 // Check that the current process is the init process of a new PID | |
70 // namespace and then proceed to drop access to the file system by using | |
71 // a new unprivileged namespace. This is a layer-1 sandbox. | |
72 // This requires "sealing" the sandbox later to be effective by calling | |
rickyz (no longer on Chrome)
2015/02/11 22:59:56
Maybe: In order for this sandbox to be effective,
jln (very slow on Chromium)
2015/02/11 23:13:06
Done.
| |
73 // InitializeSandbox(). | |
74 void EngageNamespaceSandbox(); | |
75 | |
61 // Return a list of file descriptors to close if PreinitializeSandbox() ran | 76 // Return a list of file descriptors to close if PreinitializeSandbox() ran |
62 // but InitializeSandbox() won't. Avoid using. | 77 // but InitializeSandbox() won't. Avoid using. |
63 // TODO(jln): get rid of this hack. | 78 // TODO(jln): get rid of this hack. |
64 std::vector<int> GetFileDescriptorsToClose(); | 79 std::vector<int> GetFileDescriptorsToClose(); |
65 | 80 |
66 // Initialize the sandbox with the given pre-built configuration. Currently | 81 // Seal the layer-1 sandbox and initialize the layer-2 sandbox with the given |
67 // seccomp-bpf and address space limitations (the setuid sandbox works | 82 // pre-built configuration. |
68 // differently and is set-up in the Zygote). This will instantiate the | 83 // Currently seccomp-bpf and address space limitations (the setuid sandbox |
rickyz (no longer on Chrome)
2015/02/11 22:59:56
I'm a little confused by this comment and also can
jln (very slow on Chromium)
2015/02/11 23:13:06
Ooch, this comment was a mess. Hopefully it's bett
| |
84 // works differently and is set-up in the Zygote). This will instantiate the | |
69 // LinuxSandbox singleton if it doesn't already exist. | 85 // LinuxSandbox singleton if it doesn't already exist. |
70 // This function should only be called without any thread running. | 86 // This function should only be called without any thread running. |
71 static bool InitializeSandbox(); | 87 static bool InitializeSandbox(); |
72 | 88 |
73 // Stop |thread| in a way that can be trusted by the sandbox. | 89 // Stop |thread| in a way that can be trusted by the sandbox. |
74 static void StopThread(base::Thread* thread); | 90 static void StopThread(base::Thread* thread); |
75 | 91 |
76 // Returns the status of the renderer, worker and ppapi sandbox. Can only | 92 // Returns the status of the renderer, worker and ppapi sandbox. Can only |
77 // be queried after going through PreinitializeSandbox(). This is a bitmask | 93 // be queried after going through PreinitializeSandbox(). This is a bitmask |
78 // and uses the constants defined in "enum LinuxSandboxStatus". Since the | 94 // and uses the constants defined in "enum LinuxSandboxStatus". Since the |
(...skipping 72 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
151 #if defined(ANY_OF_AMTLU_SANITIZER) | 167 #if defined(ANY_OF_AMTLU_SANITIZER) |
152 scoped_ptr<__sanitizer_sandbox_arguments> sanitizer_args_; | 168 scoped_ptr<__sanitizer_sandbox_arguments> sanitizer_args_; |
153 #endif | 169 #endif |
154 | 170 |
155 DISALLOW_COPY_AND_ASSIGN(LinuxSandbox); | 171 DISALLOW_COPY_AND_ASSIGN(LinuxSandbox); |
156 }; | 172 }; |
157 | 173 |
158 } // namespace content | 174 } // namespace content |
159 | 175 |
160 #endif // CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_ | 176 #endif // CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_ |
OLD | NEW |