Linux Sandbox: add resource limits to NaCl

components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/prctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
 
+#include <limits>
+
 #include "base/basictypes.h"
 #include "base/callback.h"
 #include "base/command_line.h"
 #include "base/compiler_specific.h"
 #include "base/files/scoped_file.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/posix/eintr_wrapper.h"
 #include "build/build_config.h"
 #include "components/nacl/common/nacl_switches.h"
 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h"
 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h"
 #include "content/public/common/content_switches.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/services/credentials.h"
 #include "sandbox/linux/services/namespace_sandbox.h"
 #include "sandbox/linux/services/proc_util.h"
+#include "sandbox/linux/services/resource_limits.h"
 #include "sandbox/linux/services/thread_helpers.h"
 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
 
 namespace nacl {
 
 namespace {
 
 // This is a poor man's check on whether we are sandboxed.
 bool IsSandboxed() {
   int proc_fd = open("/proc/self/exe", O_RDONLY);
@@ skipping 21 matching lines @@
   }
 
   if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
     PLOG(ERROR) << "Failed to set non-dumpable flag";
     return false;
   }
 
   return prctl(PR_GET_DUMPABLE) == 0;
 }
 
+void RestrictAddressSpaceUsage() {
+#if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \
+    defined(THREAD_SANITIZER)
+  // Sanitizers need to reserve huge chunks of the address space.
+  return;
+#endif
+
+  // Add a limit to the brk() heap that would prevent allocations that can't be

[Mark Seaborn, 2015/02/13 17:11:54]

This probably has no benefit, because glibc will fall back to mmap() when brk()
allocations start failing.  You could perhaps add a comment along the lines of
"what the hell, might as well do this just in case it helps". :-)

[jln (very slow on Chromium), 2015/02/13 18:00:05]

Does NaCl always uses glibc malloc and not tcmalloc?

In tcmalloc I tuned that a while back and it was different between 32 bits and
64 bits and Release and Debug.

Done in any case!

+  // indexed by an int. This helps working around typical security bugs.
+  const rlim_t kNewDataSegmentMaxSize = std::numeric_limits<int>::max();
+  CHECK(sandbox::ResourceLimits::Lower(RLIMIT_DATA, kNewDataSegmentMaxSize));
+
+#if defined(ARCH_CPU_64_BITS)
+  // 128 GB.

[Mark Seaborn, 2015/02/13 17:11:54]

Can you add some explanation of how we picked this, using my explanation from
the issue, please?  i.e. Mention the 88GB minimum for x86-64 NaCl.

[jln (very slow on Chromium), 2015/02/13 18:00:05]

Done.

+  const rlim_t kNewAddressSpaceLimit = 1UL << 37;
+#else
+  const rlim_t kNewAddressSpaceLimit = std::numeric_limits<uint32_t>::max();

[Mark Seaborn, 2015/02/13 17:11:54]

Well, this is no limit at all. :-)  You might as well leave out the call in this
case and save a few bytes of code size.

[jln (very slow on Chromium), 2015/02/13 18:00:05]

This is true because we're enabling this as part of the "layer-2" sandbox (with
seccomp).

But if we didn't have seccomp, this is definitely useful on IA32 if running
under a 64 bits kernel. I'll keep itn as it's nice to not have to rely on
seccomp and have some security in depth.

I added a comment.

[Mark Seaborn, 2015/02/13 18:33:41]

Ah, good point.  I didn't think of that.

+#endif
+  CHECK(sandbox::ResourceLimits::Lower(RLIMIT_AS, kNewAddressSpaceLimit));
+}
+
 }  // namespace
 
 NaClSandbox::NaClSandbox()
     : layer_one_enabled_(false),
       layer_one_sealed_(false),
       layer_two_enabled_(false),
       layer_two_is_nonsfi_(false),
       proc_fd_(-1),
       setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) {
   proc_fd_.reset(
@@ skipping 64 matching lines @@
   CHECK_EQ(expected_num_fds, sandbox::ProcUtil::CountOpenFds(proc_fd_.get()));
 }
 
 void NaClSandbox::InitializeLayerTwoSandbox(bool uses_nonsfi_mode) {
   // seccomp-bpf only applies to the current thread, so it's critical to only
   // have a single thread running here.
   DCHECK(!layer_one_sealed_);
   CHECK(IsSingleThreaded());
   CheckForExpectedNumberOfOpenFds();
 
+  RestrictAddressSpaceUsage();
+
   base::ScopedFD proc_self_task(GetProcSelfTask(proc_fd_.get()));
 
   if (uses_nonsfi_mode) {
     layer_two_enabled_ =
         nacl::nonsfi::InitializeBPFSandbox(proc_self_task.Pass());
     layer_two_is_nonsfi_ = true;
   } else {
     layer_two_enabled_ = nacl::InitializeBPFSandbox(proc_self_task.Pass());
   }
 }
@@ skipping 32 matching lines @@
     static const char kNoBpfMsg[] =
         "The seccomp-bpf sandbox is not engaged for NaCl:";
     if (can_be_no_sandbox)
       LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg;
     else
       LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg;
   }
 }
 
 }  // namespace nacl