Linux sandbox: plumb timezone calls through the sandbox

chrome/browser/zygote_main_linux.cc

 // Copyright (c) 2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <unistd.h>
 #include <sys/epoll.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/signal.h>
 #include <sys/prctl.h>
 #include <sys/wait.h>
 
 #include "base/command_line.h"
 #include "base/eintr_wrapper.h"
 #include "base/global_descriptors_posix.h"
 #include "base/pickle.h"
 #include "base/rand_util.h"
 #include "base/unix_domain_socket_posix.h"
 
 #include "chrome/browser/zygote_host_linux.h"
 #include "chrome/common/chrome_descriptors.h"
 #include "chrome/common/main_function_params.h"
 #include "chrome/common/process_watcher.h"
+#include "chrome/common/sandbox_methods_linux.h"
 
 #include "skia/ext/SkFontHost_fontconfig_control.h"
 
 // http://code.google.com/p/chromium/wiki/LinuxZygote
 
+static const int kMagicSandboxIPCDescriptor = 5;
+
 // This is the object which implements the zygote. The ZygoteMain function,
 // which is called from ChromeMain, at the the bottom and simple constructs one
 // of these objects and runs it.
 class Zygote {
  public:
   bool ProcessRequests() {
     // A SOCK_SEQPACKET socket is installed in fd 3. We get commands from the
     // browser on it.
     // A SOCK_DGRAM is installed in fd 4. This is the sandbox IPC channel.
     // See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC
@@ skipping 150 matching lines @@
 
    error:
     LOG(WARNING) << "Error parsing fork request from browser";
     for (std::vector<int>::const_iterator
          i = fds.begin(); i != fds.end(); ++i)
       close(*i);
     return false;
   }
 };
 
+// Patched dynamic symbol wrapper functions...
+namespace sandbox_wrapper {
+
+void do_localtime(time_t input, struct tm* output) {
+  Pickle request;
+  request.WriteInt(LinuxSandbox::METHOD_LOCALTIME);
+  request.WriteString(
+      std::string(reinterpret_cast<char*>(&input), sizeof(input)));
+
+  uint8_t reply_buf[512];

[Evan Martin, 2009/07/20 18:57:25]

sizeof(struct tm) here?

+  const ssize_t r = base::SendRecvMsg(
+      kMagicSandboxIPCDescriptor, reply_buf, sizeof(reply_buf), NULL, request);
+  if (r == -1) {
+    memset(output, 0, sizeof(struct tm));
+    return;
+  }
+
+  Pickle reply(reinterpret_cast<char*>(reply_buf), r);
+  void* iter = NULL;
+  std::string result;
+  if (!reply.ReadString(&iter, &result) ||
+      result.size() != sizeof(struct tm)) {
+    memset(output, 0, sizeof(struct tm));
+    return;
+  }
+
+  memcpy(output, result.data(), sizeof(struct tm));
+}
+
+struct tm* localtime(const time_t* timep) {
+  static struct tm time_struct;
+  do_localtime(*timep, &time_struct);
+  return &time_struct;
+}
+
+struct tm* localtime_r(const time_t* timep, struct tm* result) {
+  do_localtime(*timep, result);
+  return result;
+}
+
+}  // namespace sandbox_wrapper
+
+/* On IA-32, function calls which need to be resolved by the dynamic linker are
+ * directed to the producure linking table (PLT). Each PLT entry contains code
+ * which jumps (indirectly) via the global offset table (GOT):
+ *   Dump of assembler code for function f@plt:
+ *   0x0804830c <f@plt+0>:   jmp    *0x804a004  # GOT indirect jump
+ *   0x08048312 <f@plt+6>:   push   $0x8
+ *   0x08048317 <f@plt+11>:  jmp    0x80482ec <_init+48>
+ *
+ * At the beginning of a process's lifetime, the GOT entry jumps back to
+ * <f@plt+6> end then enters the dynamic linker. Once the symbol has been
+ * resolved, the GOT entry is patched so that future calls go directly to the
+ * resolved function.
+ *
+ * This macro finds the PLT entry for a given symbol, |symbol|, and reads the
+ * GOT entry address from the first instruction. It then patches that address
+ * with the address of a replacement function, |replacement|.
+ */
+#define PATCH_GLOBAL_OFFSET_TABLE(symbol, replacement) \
+       /* First, get the current instruction pointer since the PLT address */ \
+       /* is IP relative */ \
+  asm ("call 0f\n" \
+       "0: pop %%ecx\n" \
+       /* Move the IP relative address of the PLT entry into EAX */ \
+       "mov $" #symbol "@plt,%%eax\n" \
+       /* Add EAX to ECX to get an absolute entry */ \
+       "add %%eax,%%ecx\n" \
+       /* The value in ECX was relative to the add instruction, however, */ \
+       /* the IP value was that of the pop. The pop and mov take 6 */ \
+       /* bytes, so adding 6 gets us the correct address for the PLT. The */ \
+       /* first instruction at the PLT is FF 25 <abs address>, so we skip 2 */ \
+       /* bytes to get to the address. 6 + 2 = 8: */ \
+       "movl 8(%%ecx),%%ecx\n" \
+       /* Now ECX contains the address of the GOT entry, we poke our */ \
+       /* replacement function in there: */ \
+       "movl %0,(%%ecx)\n" \
+       :  /* no output */ \
+       :  "r" (replacement) \
+       : "memory", "%eax", "%ecx");
+
 static bool MaybeEnterChroot() {
   const char* const sandbox_fd_string = getenv("SBX_D");
   if (sandbox_fd_string) {
     // The SUID sandbox sets this environment variable to a file descriptor
     // over which we can signal that we have completed our startup and can be
     // chrooted.
 
     char* endptr;
     const long fd_long = strtol(sandbox_fd_string, &endptr, 10);
     if (!*sandbox_fd_string || *endptr || fd_long < 0 || fd_long > INT_MAX)
       return false;
     const int fd = fd_long;
 
     // Before entering the sandbox, "prime" any systems that need to open
     // files and cache the results or the descriptors.
     base::RandUint64();
 
+    PATCH_GLOBAL_OFFSET_TABLE(localtime, sandbox_wrapper::localtime);
+    PATCH_GLOBAL_OFFSET_TABLE(localtime_r, sandbox_wrapper::localtime_r);
+
     static const char kChrootMe = 'C';
     static const char kChrootMeSuccess = 'O';
 
     if (HANDLE_EINTR(write(fd, &kChrootMe, 1)) != 1) {
       LOG(ERROR) << "Failed to write to chroot pipe: " << errno;
       return false;
     }
 
     // We need to reap the chroot helper process in any event:
     wait(NULL);
 
     char reply;
     if (HANDLE_EINTR(read(fd, &reply, 1)) != 1) {
       LOG(ERROR) << "Failed to read from chroot pipe: " << errno;
       return false;
     }
 
     if (reply != kChrootMeSuccess) {
       LOG(ERROR) << "Error code reply from chroot helper";
       return false;
     }
 
-    static const int kMagicSandboxIPCDescriptor = 5;
     SkiaFontConfigUseIPCImplementation(kMagicSandboxIPCDescriptor);
 
     // Previously, we required that the binary be non-readable. This causes the
     // kernel to mark the process as non-dumpable at startup. The thinking was
     // that, although we were putting the renderers into a PID namespace (with
     // the SUID sandbox), they would nonetheless be in the /same/ PID
     // namespace. So they could ptrace each other unless they were non-dumpable.
     //
     // If the binary was readable, then there would be a window between process
     // startup and the point where we set the non-dumpable flag in which a
@@ skipping 17 matching lines @@
 bool ZygoteMain(const MainFunctionParams& params) {
   if (!MaybeEnterChroot()) {
     LOG(FATAL) << "Failed to enter sandbox. Fail safe abort. (errno: "
                << errno << ")";
     return false;
   }
 
   Zygote zygote;
   return zygote.ProcessRequests();
 }