Redirect fopen("/dev/urandom") so that NSS can properly seed it's RNG.

content/browser/zygote_main_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/zygote_host_impl_linux.h"
 
 #include <dlfcn.h>
 #include <fcntl.h>
 #include <pthread.h>
+#include <stdio.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 
 #include "base/basictypes.h"
 #include "base/command_line.h"
 #include "base/eintr_wrapper.h"
 #include "base/file_path.h"
 #include "base/file_util.h"
 #include "base/global_descriptors_posix.h"
 #include "base/hash_tables.h"
 #include "base/linux_util.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/pickle.h"
 #include "base/process_util.h"
 #include "base/rand_util.h"
+#include "base/rand_util_c.h"
 #include "base/sys_info.h"
 #include "build/build_config.h"
 #include "crypto/nss_util.h"
 #include "content/common/chrome_descriptors.h"
 #include "content/common/font_config_ipc_linux.h"
 #include "content/common/pepper_plugin_registry.h"
 #include "content/common/sandbox_methods_linux.h"
 #include "content/common/seccomp_sandbox.h"
 #include "content/common/set_process_title.h"
 #include "content/common/unix_domain_socket_posix.h"
@@ skipping 19 matching lines @@
 #include <selinux/context.h>
 #endif
 
 // http://code.google.com/p/chromium/wiki/LinuxZygote
 
 static const int kBrowserDescriptor = 3;
 static const int kMagicSandboxIPCDescriptor = 5;
 static const int kZygoteIdDescriptor = 7;
 static bool g_suid_sandbox_active = false;
 
+static char kUrandomDevPath[] = "/dev/urandom";

[agl, 2012/04/10 15:18:13]

const

[Sergey Ulanov, 2012/04/10 17:21:01]

Done.

+
 #if defined(SECCOMP_SANDBOX)
 static int g_proc_fd = -1;
 #endif
 
 #if defined(CHROMIUM_SELINUX)
 static void SELinuxTransitionToTypeOrDie(const char* type) {
   security_context_t security_context;
   if (getcon(&security_context))
     LOG(FATAL) << "Cannot get SELinux context";
 
@@ skipping 548 matching lines @@
 // Our first attempt involved some assembly to patch the GOT of the current
 // module. This worked, but was platform specific and doesn't catch the case
 // where a library makes a call rather than current module.
 //
 // We also considered patching the function in place, but this would again by
 // platform specific and the above technique seems to work well enough.
 
 typedef struct tm* (*LocaltimeFunction)(const time_t* timep);
 typedef struct tm* (*LocaltimeRFunction)(const time_t* timep,
                                          struct tm* result);
+typedef FILE* (*FopenFunction)(const char* path, const char* mode);
 
 static pthread_once_t g_libc_localtime_funcs_guard = PTHREAD_ONCE_INIT;
 static LocaltimeFunction g_libc_localtime;
 static LocaltimeRFunction g_libc_localtime_r;
 
+static pthread_once_t g_libc_fopen_funcs_guard = PTHREAD_ONCE_INIT;
+static FopenFunction g_libc_fopen;
+static FopenFunction g_libc_fopen64;
+
 static void InitLibcLocaltimeFunctions() {
   g_libc_localtime = reinterpret_cast<LocaltimeFunction>(
                          dlsym(RTLD_NEXT, "localtime"));
   g_libc_localtime_r = reinterpret_cast<LocaltimeRFunction>(
                          dlsym(RTLD_NEXT, "localtime_r"));
 
   if (!g_libc_localtime || !g_libc_localtime_r) {
     // http://code.google.com/p/chromium/issues/detail?id=16800
     //
     // Nvidia's libGL.so overrides dlsym for an unknown reason and replaces
@@ skipping 29 matching lines @@
   if (g_am_zygote_or_renderer) {
     ProxyLocaltimeCallToBrowser(*timep, result, NULL, 0);
     return result;
   } else {
     CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
                              InitLibcLocaltimeFunctions));
     return g_libc_localtime_r(timep, result);
   }
 }
 
+static void InitLibcFopenFunctions() {
+  g_libc_fopen = reinterpret_cast<FopenFunction>(
+                         dlsym(RTLD_NEXT, "fopen"));

[agl, 2012/04/10 15:18:13]

nit: indentation here should be four spaces from the start of the previous line
I think. Same a couple of lines down.

[Sergey Ulanov, 2012/04/10 17:21:01]

Done.

+  g_libc_fopen64 = reinterpret_cast<FopenFunction>(
+                         dlsym(RTLD_NEXT, "fopen64"));
+
+  if (!g_libc_fopen || !g_libc_fopen64) {
+    LOG(ERROR) << "Failed to get fopen() from glibc.";
+  }
+}
+
+// fopen() and fopen64() are intercepted here so that NSS can open
+// /dev/urandom to seed it's random number generator. NSS is used by
+// remoting in the sendbox.
+
+// fopen() call may be redirected to fopen64() in stdio.h using
+// __REDIRECT(), which sets asm name for fopen() to "fopen64". This
+// means that we cannot override fopen() directly here. Instead the
+// the code below defines fopen_override() function with asm name
+// "fopen", so that all references to fopen() will resolve to this
+// function.
+__attribute__ ((__visibility__("default")))
+FILE* fopen_override(const char* path, const char* mode)  __asm__ ("fopen");

[agl, 2012/04/10 15:18:13]

nit: blank line between these.

[Sergey Ulanov, 2012/04/10 17:21:01]

Done.

+__attribute__ ((__visibility__("default")))
+FILE* fopen_override(const char* path, const char* mode) {
+  if (g_am_zygote_or_renderer && strcmp(path, kUrandomDevPath) == 0) {
+    int fd = dup(GetUrandomFD());

[agl, 2012/04/10 15:18:13]

needs to be wrapped with HANDLE_EINTR

[Sergey Ulanov, 2012/04/10 17:21:01]

Done.

+    if (fd < 0) {
+      LOG(ERROR) << "dup() failed.";

[agl, 2012/04/10 15:18:13]

PLOG

[Sergey Ulanov, 2012/04/10 17:21:01]

Done.

+      return NULL;
+    }
+    return fdopen(fd, mode);
+  } else {
+    CHECK_EQ(0, pthread_once(&g_libc_fopen_funcs_guard,
+                             InitLibcFopenFunctions));
+    return g_libc_fopen(path, mode);
+  }
+}
+
+__attribute__ ((__visibility__("default")))
+FILE* fopen64(const char* path, const char* mode) {
+  if (g_am_zygote_or_renderer && strcmp(path, kUrandomDevPath) == 0) {
+    int fd = dup(GetUrandomFD());

[agl, 2012/04/10 15:18:13]

needs to be wrapped with HANDLE_EINTR

[Sergey Ulanov, 2012/04/10 17:21:01]

Done.

+    if (fd < 0) {
+      PLOG(ERROR) << "dup() failed.";
+      return NULL;
+    }
+    return fdopen(fd, mode);
+  } else {
+    CHECK_EQ(0, pthread_once(&g_libc_fopen_funcs_guard,
+                             InitLibcFopenFunctions));
+    return g_libc_fopen64(path, mode);
+  }
+}
+
 #endif  // !CHROMIUM_SELINUX
 
 // This function triggers the static and lazy construction of objects that need
 // to be created before imposing the sandbox.
 static void PreSandboxInit() {
   base::RandUint64();
 
   base::SysInfo::MaxSharedMemorySize();
 
   // ICU DateFormat class (used in base/time_format.cc) needs to get the
@@ skipping 174 matching lines @@
       VLOG(1) << "Enabling experimental Seccomp sandbox.";
       sandbox_flags |= ZygoteHostImpl::kSandboxSeccomp;
     }
   }
 #endif  // SECCOMP_SANDBOX
 
   Zygote zygote(sandbox_flags, forkdelegate);
   // This function call can return multiple times, once per fork().
   return zygote.ProcessRequests();
 }