Linux Sandbox: split the GPU policies to their own file.

content/common/sandbox_linux.cc

-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <dirent.h>
-#include <fcntl.h>
-#include <sys/resource.h>
-#include <sys/stat.h>
-#include <sys/time.h>
-#include <sys/types.h>
-
-#include <limits>
-
-#include "base/bind.h"
-#include "base/callback_helpers.h"
-#include "base/command_line.h"
-#include "base/logging.h"
-#include "base/memory/singleton.h"
-#include "base/posix/eintr_wrapper.h"
-#include "base/strings/string_number_conversions.h"
-#include "base/time/time.h"
-#include "content/common/sandbox_linux.h"
-#include "content/common/sandbox_seccomp_bpf_linux.h"
-#include "content/public/common/content_switches.h"
-#include "content/public/common/sandbox_linux.h"
-#include "sandbox/linux/services/credentials.h"
-#include "sandbox/linux/suid/client/setuid_sandbox_client.h"
-
-namespace {
-
-void LogSandboxStarted(const std::string& sandbox_name) {
-  const CommandLine& command_line = *CommandLine::ForCurrentProcess();
-  const std::string process_type =
-      command_line.GetSwitchValueASCII(switches::kProcessType);
-  const std::string activated_sandbox =
-      "Activated " + sandbox_name + " sandbox for process type: " +
-      process_type + ".";
-#if defined(OS_CHROMEOS)
-  LOG(WARNING) << activated_sandbox;
-#else
-  VLOG(1) << activated_sandbox;
-#endif
-}
-
-bool AddResourceLimit(int resource, rlim_t limit) {
-  struct rlimit old_rlimit;
-  if (getrlimit(resource, &old_rlimit))
-    return false;
-  // Make sure we don't raise the existing limit.
-  const struct rlimit new_rlimit = {
-      std::min(old_rlimit.rlim_cur, limit),
-      std::min(old_rlimit.rlim_max, limit)
-      };
-  int rc = setrlimit(resource, &new_rlimit);
-  return rc == 0;
-}
-
-bool IsRunningTSAN() {
-#if defined(THREAD_SANITIZER)
-  return true;
-#else
-  return false;
-#endif
-}
-
-}  // namespace
-
-namespace content {
-
-LinuxSandbox::LinuxSandbox()
-    : proc_fd_(-1),
-      seccomp_bpf_started_(false),
-      pre_initialized_(false),
-      seccomp_bpf_supported_(false),
-      setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) {
-  if (setuid_sandbox_client_ == NULL) {
-    LOG(FATAL) << "Failed to instantiate the setuid sandbox client.";
-  }
-}
-
-LinuxSandbox::~LinuxSandbox() {
-}
-
-LinuxSandbox* LinuxSandbox::GetInstance() {
-  LinuxSandbox* instance = Singleton<LinuxSandbox>::get();
-  CHECK(instance);
-  return instance;
-}
-
-#if defined(ADDRESS_SANITIZER) && defined(OS_LINUX)
-// ASan API call to notify the tool the sandbox is going to be turned on.
-extern "C" void __sanitizer_sandbox_on_notify(void *reserved);
-#endif
-
-void LinuxSandbox::PreinitializeSandbox() {
-  CHECK(!pre_initialized_);
-  seccomp_bpf_supported_ = false;
-#if defined(ADDRESS_SANITIZER) && defined(OS_LINUX)
-  // ASan needs to open some resources before the sandbox is enabled.
-  // This should not fork, not launch threads, not open a directory.
-  __sanitizer_sandbox_on_notify(/*reserved*/NULL);
-#endif
-
-#if !defined(NDEBUG)
-  // Open proc_fd_ only in Debug mode so that forgetting to close it doesn't
-  // produce a sandbox escape in Release mode.
-  proc_fd_ = open("/proc", O_DIRECTORY | O_RDONLY);
-  CHECK_GE(proc_fd_, 0);
-#endif  // !defined(NDEBUG)
-  // We "pre-warm" the code that detects supports for seccomp BPF.
-  if (SandboxSeccompBPF::IsSeccompBPFDesired()) {
-    if (!SandboxSeccompBPF::SupportsSandbox()) {
-      VLOG(1) << "Lacking support for seccomp-bpf sandbox.";
-    } else {
-      seccomp_bpf_supported_ = true;
-    }
-  }
-  pre_initialized_ = true;
-}
-
-bool LinuxSandbox::InitializeSandbox() {
-  bool seccomp_bpf_started = false;
-  LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
-  // We need to make absolutely sure that our sandbox is "sealed" before
-  // InitializeSandbox does exit.
-  base::ScopedClosureRunner sandbox_sealer(
-      base::Bind(&LinuxSandbox::SealSandbox, base::Unretained(linux_sandbox)));
-  const std::string process_type =
-      CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
-          switches::kProcessType);
-
-  // No matter what, it's always an error to call InitializeSandbox() after
-  // threads have been created.
-  if (!linux_sandbox->IsSingleThreaded()) {
-    std::string error_message = "InitializeSandbox() called with multiple "
-                                "threads in process " + process_type;
-    // TSAN starts a helper thread. So we don't start the sandbox and don't
-    // even report an error about it.
-    if (IsRunningTSAN())
-      return false;
-    // The GPU process is allowed to call InitializeSandbox() with threads for
-    // now, because it loads third party libraries.
-    if (process_type != switches::kGpuProcess)
-      CHECK(false) << error_message;
-    LOG(ERROR) << error_message;
-    return false;
-  }
-
-  DCHECK(!linux_sandbox->HasOpenDirectories()) <<
-      "InitializeSandbox() called after unexpected directories have been " <<
-      "opened. This breaks the security of the setuid sandbox.";
-
-  // Attempt to limit the future size of the address space of the process.
-  linux_sandbox->LimitAddressSpace(process_type);
-
-  // First, try to enable seccomp-bpf.
-  seccomp_bpf_started = linux_sandbox->StartSeccompBPF(process_type);
-
-  return seccomp_bpf_started;
-}
-
-int LinuxSandbox::GetStatus() const {
-  CHECK(pre_initialized_);
-  int sandbox_flags = 0;
-  if (setuid_sandbox_client_->IsSandboxed()) {
-    sandbox_flags |= kSandboxLinuxSUID;
-    if (setuid_sandbox_client_->IsInNewPIDNamespace())
-      sandbox_flags |= kSandboxLinuxPIDNS;
-    if (setuid_sandbox_client_->IsInNewNETNamespace())
-      sandbox_flags |= kSandboxLinuxNetNS;
-  }
-
-  if (seccomp_bpf_supported() &&
-      SandboxSeccompBPF::ShouldEnableSeccompBPF(switches::kRendererProcess)) {
-    // We report whether the sandbox will be activated when renderers go
-    // through sandbox initialization.
-    sandbox_flags |= kSandboxLinuxSeccompBPF;
-  }
-
-  return sandbox_flags;
-}
-
-// Threads are counted via /proc/self/task. This is a little hairy because of
-// PID namespaces and existing sandboxes, so "self" must really be used instead
-// of using the pid.
-bool LinuxSandbox::IsSingleThreaded() const {
-  struct stat task_stat;
-  int fstat_ret;
-  if (proc_fd_ >= 0) {
-    // If a handle to /proc is available, use it. This allows to bypass file
-    // system restrictions.
-    fstat_ret = fstatat(proc_fd_, "self/task/", &task_stat, 0);
-  } else {
-    // Otherwise, make an attempt to access the file system directly.
-    fstat_ret = fstatat(AT_FDCWD, "/proc/self/task/", &task_stat, 0);
-  }
-  // In Debug mode, it's mandatory to be able to count threads to catch bugs.
-#if !defined(NDEBUG)
-  // Using DCHECK here would be incorrect. DCHECK can be enabled in non
-  // official release mode.
-  CHECK_EQ(0, fstat_ret) << "Could not count threads, the sandbox was not "
-                         << "pre-initialized properly.";
-#endif  // !defined(NDEBUG)
-  if (fstat_ret) {
-    // Pretend to be monothreaded if it can't be determined (for instance the
-    // setuid sandbox is already engaged but no proc_fd_ is available).
-    return true;
-  }
-
-  // At least "..", "." and the current thread should be present.
-  CHECK_LE(3UL, task_stat.st_nlink);
-  // Counting threads via /proc/self/task could be racy. For the purpose of
-  // determining if the current proces is monothreaded it works: if at any
-  // time it becomes monothreaded, it'll stay so.
-  return task_stat.st_nlink == 3;
-}
-
-bool LinuxSandbox::seccomp_bpf_started() const {
-  return seccomp_bpf_started_;
-}
-
-sandbox::SetuidSandboxClient*
-    LinuxSandbox::setuid_sandbox_client() const {
-  return setuid_sandbox_client_.get();
-}
-
-// For seccomp-bpf, we use the SandboxSeccompBPF class.
-bool LinuxSandbox::StartSeccompBPF(const std::string& process_type) {
-  CHECK(!seccomp_bpf_started_);
-  if (!pre_initialized_)
-    PreinitializeSandbox();
-  if (seccomp_bpf_supported())
-    seccomp_bpf_started_ = SandboxSeccompBPF::StartSandbox(process_type);
-
-  if (seccomp_bpf_started_)
-    LogSandboxStarted("seccomp-bpf");
-
-  return seccomp_bpf_started_;
-}
-
-bool LinuxSandbox::seccomp_bpf_supported() const {
-  CHECK(pre_initialized_);
-  return seccomp_bpf_supported_;
-}
-
-bool LinuxSandbox::LimitAddressSpace(const std::string& process_type) {
-  (void) process_type;
-#if !defined(ADDRESS_SANITIZER)
-  CommandLine* command_line = CommandLine::ForCurrentProcess();
-  if (command_line->HasSwitch(switches::kNoSandbox)) {
-    return false;
-  }
-
-  // Limit the address space to 4GB.
-  // This is in the hope of making some kernel exploits more complex and less
-  // reliable. It also limits sprays a little on 64-bit.
-  rlim_t address_space_limit = std::numeric_limits<uint32_t>::max();
-#if defined(__LP64__)
-  // On 64 bits, V8 and possibly others will reserve massive memory ranges and
-  // rely on on-demand paging for allocation.  Unfortunately, even
-  // MADV_DONTNEED ranges  count towards RLIMIT_AS so this is not an option.
-  // See crbug.com/169327 for a discussion.
-  // On the GPU process, irrespective of V8, we can exhaust a 4GB address space
-  // under normal usage, see crbug.com/271119
-  // For now, increase limit to 16GB for renderer and worker and gpu processes
-  // to accomodate.
-  if (process_type == switches::kRendererProcess ||
-      process_type == switches::kWorkerProcess ||
-      process_type == switches::kGpuProcess) {
-    address_space_limit = 1L << 34;
-  }
-#endif  // defined(__LP64__)
-
-  // On all platforms, add a limit to the brk() heap that would prevent
-  // allocations that can't be index by an int.
-  const rlim_t kNewDataSegmentMaxSize = std::numeric_limits<int>::max();
-
-  bool limited_as = AddResourceLimit(RLIMIT_AS, address_space_limit);
-  bool limited_data = AddResourceLimit(RLIMIT_DATA, kNewDataSegmentMaxSize);
-  return limited_as && limited_data;
-#else
-  return false;
-#endif  // !defined(ADDRESS_SANITIZER)
-}
-
-bool LinuxSandbox::HasOpenDirectories() {
-  return sandbox::Credentials().HasOpenDirectory(proc_fd_);
-}
-
-void LinuxSandbox::SealSandbox() {
-  if (proc_fd_ >= 0) {
-    int ret = IGNORE_EINTR(close(proc_fd_));
-    CHECK_EQ(0, ret);
-    proc_fd_ = -1;
-  }
-}
-
-}  // namespace content
-