OLD | NEW |
---|---|
1 // Copyright (c) 2009 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2009 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <unistd.h> | 5 #include <unistd.h> |
6 #include <sys/epoll.h> | 6 #include <sys/epoll.h> |
7 #include <sys/types.h> | 7 #include <sys/types.h> |
8 #include <sys/socket.h> | 8 #include <sys/socket.h> |
9 #include <sys/signal.h> | 9 #include <sys/signal.h> |
10 #include <sys/prctl.h> | 10 #include <sys/prctl.h> |
11 #include <sys/wait.h> | 11 #include <sys/wait.h> |
12 | 12 |
13 #include "base/command_line.h" | 13 #include "base/command_line.h" |
14 #include "base/eintr_wrapper.h" | 14 #include "base/eintr_wrapper.h" |
15 #include "base/global_descriptors_posix.h" | 15 #include "base/global_descriptors_posix.h" |
16 #include "base/pickle.h" | 16 #include "base/pickle.h" |
17 #include "base/rand_util.h" | 17 #include "base/rand_util.h" |
18 #include "base/unix_domain_socket_posix.h" | 18 #include "base/unix_domain_socket_posix.h" |
19 | 19 |
20 #include "chrome/browser/zygote_host_linux.h" | 20 #include "chrome/browser/zygote_host_linux.h" |
21 #include "chrome/common/chrome_descriptors.h" | 21 #include "chrome/common/chrome_descriptors.h" |
22 #include "chrome/common/main_function_params.h" | 22 #include "chrome/common/main_function_params.h" |
23 #include "chrome/common/process_watcher.h" | 23 #include "chrome/common/process_watcher.h" |
24 #include "chrome/common/sandbox_methods_linux.h" | |
24 | 25 |
25 #include "skia/ext/SkFontHost_fontconfig_control.h" | 26 #include "skia/ext/SkFontHost_fontconfig_control.h" |
26 | 27 |
27 // http://code.google.com/p/chromium/wiki/LinuxZygote | 28 // http://code.google.com/p/chromium/wiki/LinuxZygote |
28 | 29 |
30 static const int kMagicSandboxIPCDescriptor = 5; | |
31 | |
29 // This is the object which implements the zygote. The ZygoteMain function, | 32 // This is the object which implements the zygote. The ZygoteMain function, |
30 // which is called from ChromeMain, at the the bottom and simple constructs one | 33 // which is called from ChromeMain, at the the bottom and simple constructs one |
31 // of these objects and runs it. | 34 // of these objects and runs it. |
32 class Zygote { | 35 class Zygote { |
33 public: | 36 public: |
34 bool ProcessRequests() { | 37 bool ProcessRequests() { |
35 // A SOCK_SEQPACKET socket is installed in fd 3. We get commands from the | 38 // A SOCK_SEQPACKET socket is installed in fd 3. We get commands from the |
36 // browser on it. | 39 // browser on it. |
37 // A SOCK_DGRAM is installed in fd 4. This is the sandbox IPC channel. | 40 // A SOCK_DGRAM is installed in fd 4. This is the sandbox IPC channel. |
38 // See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC | 41 // See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC |
(...skipping 150 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
189 | 192 |
190 error: | 193 error: |
191 LOG(WARNING) << "Error parsing fork request from browser"; | 194 LOG(WARNING) << "Error parsing fork request from browser"; |
192 for (std::vector<int>::const_iterator | 195 for (std::vector<int>::const_iterator |
193 i = fds.begin(); i != fds.end(); ++i) | 196 i = fds.begin(); i != fds.end(); ++i) |
194 close(*i); | 197 close(*i); |
195 return false; | 198 return false; |
196 } | 199 } |
197 }; | 200 }; |
198 | 201 |
202 // Patched dynamic symbol wrapper functions... | |
203 namespace sandbox_wrapper { | |
204 | |
205 void do_localtime(time_t input, struct tm* output) { | |
206 Pickle request; | |
207 request.WriteInt(LinuxSandbox::METHOD_LOCALTIME); | |
208 request.WriteString( | |
209 std::string(reinterpret_cast<char*>(&input), sizeof(input))); | |
210 | |
211 uint8_t reply_buf[512]; | |
Evan Martin
2009/07/20 18:57:25
sizeof(struct tm) here?
| |
212 const ssize_t r = base::SendRecvMsg( | |
213 kMagicSandboxIPCDescriptor, reply_buf, sizeof(reply_buf), NULL, request); | |
214 if (r == -1) { | |
215 memset(output, 0, sizeof(struct tm)); | |
216 return; | |
217 } | |
218 | |
219 Pickle reply(reinterpret_cast<char*>(reply_buf), r); | |
220 void* iter = NULL; | |
221 std::string result; | |
222 if (!reply.ReadString(&iter, &result) || | |
223 result.size() != sizeof(struct tm)) { | |
224 memset(output, 0, sizeof(struct tm)); | |
225 return; | |
226 } | |
227 | |
228 memcpy(output, result.data(), sizeof(struct tm)); | |
229 } | |
230 | |
231 struct tm* localtime(const time_t* timep) { | |
232 static struct tm time_struct; | |
233 do_localtime(*timep, &time_struct); | |
234 return &time_struct; | |
235 } | |
236 | |
237 struct tm* localtime_r(const time_t* timep, struct tm* result) { | |
238 do_localtime(*timep, result); | |
239 return result; | |
240 } | |
241 | |
242 } // namespace sandbox_wrapper | |
243 | |
244 /* On IA-32, function calls which need to be resolved by the dynamic linker are | |
245 * directed to the producure linking table (PLT). Each PLT entry contains code | |
246 * which jumps (indirectly) via the global offset table (GOT): | |
247 * Dump of assembler code for function f@plt: | |
248 * 0x0804830c <f@plt+0>: jmp *0x804a004 # GOT indirect jump | |
249 * 0x08048312 <f@plt+6>: push $0x8 | |
250 * 0x08048317 <f@plt+11>: jmp 0x80482ec <_init+48> | |
251 * | |
252 * At the beginning of a process's lifetime, the GOT entry jumps back to | |
253 * <f@plt+6> end then enters the dynamic linker. Once the symbol has been | |
254 * resolved, the GOT entry is patched so that future calls go directly to the | |
255 * resolved function. | |
256 * | |
257 * This macro finds the PLT entry for a given symbol, |symbol|, and reads the | |
258 * GOT entry address from the first instruction. It then patches that address | |
259 * with the address of a replacement function, |replacement|. | |
260 */ | |
261 #define PATCH_GLOBAL_OFFSET_TABLE(symbol, replacement) \ | |
262 /* First, get the current instruction pointer since the PLT address */ \ | |
263 /* is IP relative */ \ | |
264 asm ("call 0f\n" \ | |
265 "0: pop %%ecx\n" \ | |
266 /* Move the IP relative address of the PLT entry into EAX */ \ | |
267 "mov $" #symbol "@plt,%%eax\n" \ | |
268 /* Add EAX to ECX to get an absolute entry */ \ | |
269 "add %%eax,%%ecx\n" \ | |
270 /* The value in ECX was relative to the add instruction, however, */ \ | |
271 /* the IP value was that of the pop. The pop and mov take 6 */ \ | |
272 /* bytes, so adding 6 gets us the correct address for the PLT. The */ \ | |
273 /* first instruction at the PLT is FF 25 <abs address>, so we skip 2 */ \ | |
274 /* bytes to get to the address. 6 + 2 = 8: */ \ | |
275 "movl 8(%%ecx),%%ecx\n" \ | |
276 /* Now ECX contains the address of the GOT entry, we poke our */ \ | |
277 /* replacement function in there: */ \ | |
278 "movl %0,(%%ecx)\n" \ | |
279 : /* no output */ \ | |
280 : "r" (replacement) \ | |
281 : "memory", "%eax", "%ecx"); | |
282 | |
199 static bool MaybeEnterChroot() { | 283 static bool MaybeEnterChroot() { |
200 const char* const sandbox_fd_string = getenv("SBX_D"); | 284 const char* const sandbox_fd_string = getenv("SBX_D"); |
201 if (sandbox_fd_string) { | 285 if (sandbox_fd_string) { |
202 // The SUID sandbox sets this environment variable to a file descriptor | 286 // The SUID sandbox sets this environment variable to a file descriptor |
203 // over which we can signal that we have completed our startup and can be | 287 // over which we can signal that we have completed our startup and can be |
204 // chrooted. | 288 // chrooted. |
205 | 289 |
206 char* endptr; | 290 char* endptr; |
207 const long fd_long = strtol(sandbox_fd_string, &endptr, 10); | 291 const long fd_long = strtol(sandbox_fd_string, &endptr, 10); |
208 if (!*sandbox_fd_string || *endptr || fd_long < 0 || fd_long > INT_MAX) | 292 if (!*sandbox_fd_string || *endptr || fd_long < 0 || fd_long > INT_MAX) |
209 return false; | 293 return false; |
210 const int fd = fd_long; | 294 const int fd = fd_long; |
211 | 295 |
212 // Before entering the sandbox, "prime" any systems that need to open | 296 // Before entering the sandbox, "prime" any systems that need to open |
213 // files and cache the results or the descriptors. | 297 // files and cache the results or the descriptors. |
214 base::RandUint64(); | 298 base::RandUint64(); |
215 | 299 |
300 PATCH_GLOBAL_OFFSET_TABLE(localtime, sandbox_wrapper::localtime); | |
301 PATCH_GLOBAL_OFFSET_TABLE(localtime_r, sandbox_wrapper::localtime_r); | |
302 | |
216 static const char kChrootMe = 'C'; | 303 static const char kChrootMe = 'C'; |
217 static const char kChrootMeSuccess = 'O'; | 304 static const char kChrootMeSuccess = 'O'; |
218 | 305 |
219 if (HANDLE_EINTR(write(fd, &kChrootMe, 1)) != 1) { | 306 if (HANDLE_EINTR(write(fd, &kChrootMe, 1)) != 1) { |
220 LOG(ERROR) << "Failed to write to chroot pipe: " << errno; | 307 LOG(ERROR) << "Failed to write to chroot pipe: " << errno; |
221 return false; | 308 return false; |
222 } | 309 } |
223 | 310 |
224 // We need to reap the chroot helper process in any event: | 311 // We need to reap the chroot helper process in any event: |
225 wait(NULL); | 312 wait(NULL); |
226 | 313 |
227 char reply; | 314 char reply; |
228 if (HANDLE_EINTR(read(fd, &reply, 1)) != 1) { | 315 if (HANDLE_EINTR(read(fd, &reply, 1)) != 1) { |
229 LOG(ERROR) << "Failed to read from chroot pipe: " << errno; | 316 LOG(ERROR) << "Failed to read from chroot pipe: " << errno; |
230 return false; | 317 return false; |
231 } | 318 } |
232 | 319 |
233 if (reply != kChrootMeSuccess) { | 320 if (reply != kChrootMeSuccess) { |
234 LOG(ERROR) << "Error code reply from chroot helper"; | 321 LOG(ERROR) << "Error code reply from chroot helper"; |
235 return false; | 322 return false; |
236 } | 323 } |
237 | 324 |
238 static const int kMagicSandboxIPCDescriptor = 5; | |
239 SkiaFontConfigUseIPCImplementation(kMagicSandboxIPCDescriptor); | 325 SkiaFontConfigUseIPCImplementation(kMagicSandboxIPCDescriptor); |
240 | 326 |
241 // Previously, we required that the binary be non-readable. This causes the | 327 // Previously, we required that the binary be non-readable. This causes the |
242 // kernel to mark the process as non-dumpable at startup. The thinking was | 328 // kernel to mark the process as non-dumpable at startup. The thinking was |
243 // that, although we were putting the renderers into a PID namespace (with | 329 // that, although we were putting the renderers into a PID namespace (with |
244 // the SUID sandbox), they would nonetheless be in the /same/ PID | 330 // the SUID sandbox), they would nonetheless be in the /same/ PID |
245 // namespace. So they could ptrace each other unless they were non-dumpable. | 331 // namespace. So they could ptrace each other unless they were non-dumpable. |
246 // | 332 // |
247 // If the binary was readable, then there would be a window between process | 333 // If the binary was readable, then there would be a window between process |
248 // startup and the point where we set the non-dumpable flag in which a | 334 // startup and the point where we set the non-dumpable flag in which a |
(...skipping 17 matching lines...) Expand all Loading... | |
266 bool ZygoteMain(const MainFunctionParams& params) { | 352 bool ZygoteMain(const MainFunctionParams& params) { |
267 if (!MaybeEnterChroot()) { | 353 if (!MaybeEnterChroot()) { |
268 LOG(FATAL) << "Failed to enter sandbox. Fail safe abort. (errno: " | 354 LOG(FATAL) << "Failed to enter sandbox. Fail safe abort. (errno: " |
269 << errno << ")"; | 355 << errno << ")"; |
270 return false; | 356 return false; |
271 } | 357 } |
272 | 358 |
273 Zygote zygote; | 359 Zygote zygote; |
274 return zygote.ProcessRequests(); | 360 return zygote.ProcessRequests(); |
275 } | 361 } |
OLD | NEW |