New NaCl zygote implementation 2

content/browser/zygote_main_linux.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <dlfcn.h>
 #include <fcntl.h>
 #include <pthread.h>
 #include <sys/epoll.h>
 #include <sys/prctl.h>
 #include <sys/signal.h>
@@ skipping 20 matching lines @@
 #include "base/memory/scoped_ptr.h"
 #include "base/path_service.h"
 #include "base/pickle.h"
 #include "base/process_util.h"
 #include "base/rand_util.h"
 #include "base/sys_info.h"
 #include "build/build_config.h"
 #include "crypto/nss_util.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/chrome_switches.h"
+#include "chrome/common/nacl_helper_linux.h"
 #include "content/common/chrome_descriptors.h"
 #include "content/common/font_config_ipc_linux.h"
 #include "content/common/main_function_params.h"
 #include "content/common/pepper_plugin_registry.h"
 #include "content/common/process_watcher.h"
 #include "content/common/result_codes.h"
 #include "content/common/sandbox_methods_linux.h"
 #include "content/common/set_process_title.h"
 #include "content/common/unix_domain_socket_posix.h"
 #include "media/base/media.h"
@@ skipping 10 matching lines @@
 
 // http://code.google.com/p/chromium/wiki/LinuxZygote
 
 static const int kBrowserDescriptor = 3;
 static const int kMagicSandboxIPCDescriptor = 5;
 static const int kZygoteIdDescriptor = 7;
 static bool g_suid_sandbox_active = false;
 #if defined(SECCOMP_SANDBOX)
 // |g_proc_fd| is used only by the seccomp sandbox.
 static int g_proc_fd = -1;
+static int g_nacl_helper_fd = -1;
+static base::ProcessId g_naclpid = -1;
 #endif
 
 #if defined(CHROMIUM_SELINUX)
 static void SELinuxTransitionToTypeOrDie(const char* type) {
   security_context_t security_context;
   if (getcon(&security_context))
     LOG(FATAL) << "Cannot get SELinux context";
 
   context_t context = context_new(security_context);
   context_type_set(context, type);
@@ skipping 73 matching lines @@
       return false;
     }
 
     Pickle pickle(buf, len);
     void* iter = NULL;
 
     int kind;
     if (pickle.ReadInt(&iter, &kind)) {
       switch (kind) {
         case ZygoteHost::kCmdFork:
+        case ZygoteHost::kCmdNaClFork:
           // This function call can return multiple times, once per fork().
-          return HandleForkRequest(fd, pickle, iter, fds);
+          return HandleForkRequest(fd, pickle, iter, fds,
+                                   kind == ZygoteHost::kCmdNaClFork);
         case ZygoteHost::kCmdReap:
           if (!fds.empty())
             break;
           HandleReapRequest(fd, pickle, iter);
           return false;
         case ZygoteHost::kCmdGetTerminationStatus:
           if (!fds.empty())
             break;
           HandleGetTerminationStatus(fd, pickle, iter);
           return false;
@@ skipping 58 matching lines @@
 
     Pickle write_pickle;
     write_pickle.WriteInt(static_cast<int>(status));
     write_pickle.WriteInt(exit_code);
     ssize_t written =
         HANDLE_EINTR(write(fd, write_pickle.data(), write_pickle.size()));
     if (written != static_cast<ssize_t>(write_pickle.size()))
       PLOG(ERROR) << "write";
   }
 
+  base::ProcessId ForkNaClLauncher(std::vector<int>& fds) {
+    base::ProcessId naclchild;
+    VLOG(1) << "ForkNaClLauncher";
+
+    if (g_suid_sandbox_active) {
+      DCHECK(fds.size() == kNaClParentFDIndex + 1);
+    } else {
+      DCHECK(fds.size() == kNaClSandboxFDIndex + 1);
+    }
+    if (!UnixDomainSocket::SendMsg(g_nacl_helper_fd, kNaClForkRequest,
+                                   sizeof(kNaClForkRequest), fds)) {
+      perror("ForkNaClLauncher: send failed");
+      return -1;
+    }
+    if (read(g_nacl_helper_fd, &naclchild, sizeof(naclchild))
+        != sizeof(naclchild)) {
+      perror("ForkNaClLauncher: read failed");

[Mark Seaborn, 2011/06/15 16:09:04]

You're calling perror() even if read() didn't return an error (e.g. if it
returned less than sizeof(naclchild)), which is wrong.

[Brad Chen, 2011/06/15 18:47:47]

Done.

+      return -1;

[Mark Seaborn, 2011/06/15 16:09:04]

If the read() fails, don't you need to abandon the connection?  Any future reads
will be unsynchronised so could return garbage.

[Brad Chen, 2011/06/15 18:47:47]

Let's talk face-to-face about what makes sense in terms of error recovery code
here.
On 2011/06/15 16:09:04, Mark Seaborn wrote:

+    }
+    VLOG(1) << "nacl_child is " << naclchild;
+    return naclchild;
+  }
+
   // This is equivalent to fork(), except that, when using the SUID
   // sandbox, it returns the real PID of the child process as it
   // appears outside the sandbox, rather than returning the PID inside
   // the sandbox.
-  int ForkWithRealPid() {
-    if (!g_suid_sandbox_active)
-      return fork();
+  int ForkWithRealPid(const bool naclfork, std::vector<int>& fds) {
+    // If we didn't start a nacl helper, don't use it to fork.
+    // TODO(bradchen): remove this once nacl helper is debugged
+    bool isnaclfork = naclfork && (g_naclpid != -1);
+
+    if (!g_suid_sandbox_active) {
+      VLOG(1) << "suid sandbox NOT active";
+      VLOG(1) << "fds.size() is " << fds.size();
+      if (isnaclfork) {
+        return ForkNaClLauncher(fds);
+      } else {
+        return fork();
+      }
+    }
 
     int dummy_fd;
     ino_t dummy_inode;
     int pipe_fds[2] = { -1, -1 };
     base::ProcessId pid = 0;
 
     dummy_fd = socket(PF_UNIX, SOCK_DGRAM, 0);
     if (dummy_fd < 0) {
       LOG(ERROR) << "Failed to create dummy FD";
       goto error;
     }
     if (!base::FileDescriptorGetInode(&dummy_inode, dummy_fd)) {
       LOG(ERROR) << "Failed to get inode for dummy FD";
       goto error;
     }
     if (pipe(pipe_fds) != 0) {
       LOG(ERROR) << "Failed to create pipe";
       goto error;
     }
 
-    pid = fork();
+    if (isnaclfork) {
+      fds.push_back(dummy_fd);
+      fds.push_back(pipe_fds[0]);
+      pid = ForkNaClLauncher(fds);
+    } else {
+      pid = fork();
+    }
     if (pid < 0) {
       goto error;
     } else if (pid == 0) {
       // In the child process.
       close(pipe_fds[1]);
       char buffer[1];
       // Wait until the parent process has discovered our PID.  We
       // should not fork any child processes (which the seccomp
       // sandbox does) until then, because that can interfere with the
       // parent's discovery of our PID.
@@ skipping 52 matching lines @@
     if (pipe_fds[0] >= 0)
       close(pipe_fds[0]);
     if (pipe_fds[1] >= 0)
       close(pipe_fds[1]);
     return -1;
   }
 
   // Handle a 'fork' request from the browser: this means that the browser
   // wishes to start a new renderer.
   bool HandleForkRequest(int fd, const Pickle& pickle, void* iter,
-                         std::vector<int>& fds) {
+                         std::vector<int>& fds, const bool isnaclfork) {
     std::vector<std::string> args;
     int argc, numfds;
     base::GlobalDescriptors::Mapping mapping;
     base::ProcessId child;
 
     if (!pickle.ReadInt(&iter, &argc))
       goto error;
 
     for (int i = 0; i < argc; ++i) {
       std::string arg;
@@ skipping 10 matching lines @@
     for (int i = 0; i < numfds; ++i) {
       base::GlobalDescriptors::Key key;
       if (!pickle.ReadUInt32(&iter, &key))
         goto error;
       mapping.push_back(std::make_pair(key, fds[i]));
     }
 
     mapping.push_back(std::make_pair(
         static_cast<uint32_t>(kSandboxIPCChannel), kMagicSandboxIPCDescriptor));
 
-    child = ForkWithRealPid();
+    if (isnaclfork) {
+      fds.push_back(kMagicSandboxIPCDescriptor);
+    }
+    child = ForkWithRealPid(isnaclfork, fds);
 
     if (!child) {
 #if defined(SECCOMP_SANDBOX)
       // Try to open /proc/self/maps as the seccomp sandbox needs access to it
       if (g_proc_fd >= 0) {
         int proc_self_maps = openat(g_proc_fd, "self/maps", O_RDONLY);
         if (proc_self_maps >= 0) {
           SeccompSandboxSetProcSelfMaps(proc_self_maps);
         }
         close(g_proc_fd);
@@ skipping 54 matching lines @@
 
   // In the SUID sandbox, we try to use a new PID namespace. Thus the PIDs
   // fork() returns are not the real PIDs, so we need to map the Real PIDS
   // into the sandbox PID namespace.
   typedef base::hash_map<base::ProcessHandle, base::ProcessHandle> ProcessMap;
   ProcessMap real_pids_to_sandbox_pids;
 
   const int sandbox_flags_;
 };
 
+static void LaunchNaClHelper() {
+  VLOG(1) << "LaunchNaClHelper";
+  int fds[2];
+
+  // Confirm a couple hard-wired assumptions.
+  // The NaCl constants are from chrome/nacl/nacl_linux_helper.h
+  DCHECK(kNaClZygoteDescriptor == kBrowserDescriptor);
+  DCHECK(kNaClSandboxDescriptor == kMagicSandboxIPCDescriptor);
+
+  CHECK(socketpair(PF_UNIX, SOCK_SEQPACKET, 0, fds) == 0);
+  base::file_handle_mapping_vector fds_to_map;
+  fds_to_map.push_back(std::make_pair(fds[1], 3));
+
+  const char* nacl_zygote_exe = getenv("NACL_NEW_ZYGOTE");
+  g_naclpid = -1;
+  if (NULL != nacl_zygote_exe) {
+    CommandLine::StringVector argv = CommandLine::ForCurrentProcess()->argv();
+    argv[0] = nacl_zygote_exe;
+    base::LaunchAppWithClone(argv, fds_to_map, false, &g_naclpid,

[Mark Seaborn, 2011/06/15 16:09:04]

If this takes fds_to_map, and you're passing CLONE_FS, won't this mess up the
FDs in the calling process?  Surely the LaunchApp function will try to close all
FDs except those in fds_to_map.

[Brad Chen, 2011/06/15 18:47:47]

This code works, which suggests I might not be messing up FDs in the calling
process. We might talk more about this if you'd like.

On 2011/06/15 16:09:04, Mark Seaborn wrote:

+                             CLONE_FS | SIGCHLD);
+  }
+  close(fds[1]);
+  if (g_naclpid > 0) {
+    const int kExpectedLength = sizeof(kNaClHelperMagic);
+    char buf[kExpectedLength];
+
+    VLOG(1) << "NaCl Launcher PID is " << g_naclpid;
+    int nread = read(fds[0], buf, sizeof(buf));

[Mark Seaborn, 2011/06/15 16:09:04]

Please add a comment saying why you are waiting for a message here.  i.e. We
need to wait for execve() to have been called before turning on (chrooting) the
SUID sandbox.

[Brad Chen, 2011/06/15 18:47:47]

Done.

+    DCHECK(nread == kExpectedLength) << "Incorrect NaCl helper magic length";
+    DCHECK(0 == strcmp(buf, kNaClHelperMagic)) << "Incorrect nacl helper magic";

[Mark Seaborn, 2011/06/15 16:09:04]

memcmp(), surely?  The buffer is not null-terminated.

[Brad Chen, 2011/06/15 18:47:47]

Done.

+    // all is well
+    g_nacl_helper_fd = fds[0];
+    return;
+  }
+  // TODO(bradchen): Make this LOG(ERROR) when the NaCl helper
+  // becomes the default.
+  VLOG(1) << "Could not launch NaCl helper";
+  g_naclpid = -1;
+  g_nacl_helper_fd = -1;
+  close(fds[0]);
+
+  return;

[Mark Seaborn, 2011/06/15 16:09:04]

Not needed.

[Brad Chen, 2011/06/15 18:47:47]

Done.

+}
+
 // With SELinux we can carve out a precise sandbox, so we don't have to play
 // with intercepting libc calls.
 #if !defined(CHROMIUM_SELINUX)
 
 static void ProxyLocaltimeCallToBrowser(time_t input, struct tm* output,
                                         char* timezone_out,
                                         size_t timezone_out_len) {
   Pickle request;
   request.WriteInt(LinuxSandbox::METHOD_LOCALTIME);
   request.WriteString(
@@ skipping 261 matching lines @@
   if (CommandLine::ForCurrentProcess()->HasSwitch(
           switches::kEnableSeccompSandbox)) {
     g_proc_fd = open("/proc", O_DIRECTORY | O_RDONLY);
     if (g_proc_fd < 0) {
       LOG(ERROR) << "WARNING! Cannot access \"/proc\". Disabling seccomp "
                     "sandboxing.";
     }
   }
 #endif  // SECCOMP_SANDBOX
 
+  // launch Native Client helper before entering the sandbox
+  LaunchNaClHelper();
+
   // Turn on the SELinux or SUID sandbox
   if (!EnterSandbox()) {
     LOG(FATAL) << "Failed to enter sandbox. Fail safe abort. (errno: "
                << errno << ")";
     return false;
   }
 
   int sandbox_flags = 0;
   if (getenv("SBX_D"))
     sandbox_flags |= ZygoteHost::kSandboxSUID;
@@ skipping 20 matching lines @@
       VLOG(1) << "Enabling experimental Seccomp sandbox.";
       sandbox_flags |= ZygoteHost::kSandboxSeccomp;
     }
   }
 #endif  // SECCOMP_SANDBOX
 
   Zygote zygote(sandbox_flags);
   // This function call can return multiple times, once per fork().
   return zygote.ProcessRequests();
 }