New NaCl zygote implementation 2

content/browser/zygote_main_linux.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/zygote_host_linux.h"
 
 #include <dlfcn.h>
 #include <fcntl.h>
 #include <pthread.h>
 #include <sys/socket.h>
@@ skipping 19 matching lines @@
 #include "content/common/chrome_descriptors.h"
 #include "content/common/content_switches.h"
 #include "content/common/font_config_ipc_linux.h"
 #include "content/common/main_function_params.h"
 #include "content/common/pepper_plugin_registry.h"
 #include "content/common/process_watcher.h"
 #include "content/common/result_codes.h"
 #include "content/common/sandbox_methods_linux.h"
 #include "content/common/set_process_title.h"
 #include "content/common/unix_domain_socket_posix.h"
+#include "content/common/zygote_fork_delegate_linux.h"
 #include "seccompsandbox/sandbox.h"
 #include "skia/ext/SkFontHost_fontconfig_control.h"
 #include "unicode/timezone.h"
+#include "ipc/ipc_switches.h"
 
 #if defined(OS_LINUX)
 #include <sys/epoll.h>
 #include <sys/prctl.h>
 #include <sys/signal.h>
 #else
 #include <signal.h>
 #endif
 
 #if defined(CHROMIUM_SELINUX)
@@ skipping 32 matching lines @@
   freecon(security_context);
 
   if (r) {
     LOG(FATAL) << "dynamic transition to type '" << type << "' failed. "
                   "(this binary has been built with SELinux support, but maybe "
                   "the policies haven't been loaded into the kernel?)";
   }
 }
 #endif  // CHROMIUM_SELINUX
 
+// Search through string vector args for a string of the form
+// --swtch=value. Return the string if found, else return the
+// empty string.

[Evan Martin, 2011/06/27 18:49:32]

I'm a little concerned that this is incorrect for a command line like:
  google-chrome -- http://foo.com/--swtch=1234/blah

How much should I worry?  It would be nice to reuse our existing
command-line-parsing code for this sort of thing.

Or perhaps it would make more sense to just explicitly include the needed info
in the initial pickle that we IPC, even if it's redundant with the args that
we're sending.

I'd be ok with just marking this TODO() if you don't think it's
security-sensitive.

[Brad Chen, 2011/06/27 22:06:25]

I never liked this code this much anyway. Realizing it's not throw away I've
modified HandleForkRequest (same file) to avoid using it. Hopefully you'll agree
this is better.

On 2011/06/27 18:49:32, Evan Martin wrote:

+static std::string ExtractArg(std::vector<std::string>& args,
+                              const std::string& swtch) {
+  const std::string key = "--" + swtch + "=";
+  int len = key.length();
+  for (size_t i = 0; i < args.size(); i++) {
+    if (key.compare(0, len, args[i], 0, len) == 0) {
+      return args[i];
+    }
+  }
+  return "";
+}
+
 // This is the object which implements the zygote. The ZygoteMain function,
 // which is called from ChromeMain, simply constructs one of these objects and
 // runs it.
 class Zygote {
  public:
-  explicit Zygote(int sandbox_flags)
-      : sandbox_flags_(sandbox_flags) {
+  explicit Zygote(int sandbox_flags, ZygoteForkDelegate* helper)
+    : sandbox_flags_(sandbox_flags),
+      helper_(helper) {
   }
 
   bool ProcessRequests() {
     // A SOCK_SEQPACKET socket is installed in fd 3. We get commands from the
     // browser on it.
     // A SOCK_DGRAM is installed in fd 5. This is the sandbox IPC channel.
     // See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC
 
     // We need to accept SIGCHLD, even though our handler is a no-op because
     // otherwise we cannot wait on children. (According to POSIX 2001.)
@@ skipping 46 matching lines @@
 
     Pickle pickle(buf, len);
     void* iter = NULL;
 
     int kind;
     if (pickle.ReadInt(&iter, &kind)) {
       switch (kind) {
         case ZygoteHost::kCmdFork:
           // This function call can return multiple times, once per fork().
           return HandleForkRequest(fd, pickle, iter, fds);
+
         case ZygoteHost::kCmdReap:
           if (!fds.empty())
             break;
           HandleReapRequest(fd, pickle, iter);
           return false;
         case ZygoteHost::kCmdGetTerminationStatus:
           if (!fds.empty())
             break;
           HandleGetTerminationStatus(fd, pickle, iter);
           return false;
@@ skipping 62 matching lines @@
     ssize_t written =
         HANDLE_EINTR(write(fd, write_pickle.data(), write_pickle.size()));
     if (written != static_cast<ssize_t>(write_pickle.size()))
       PLOG(ERROR) << "write";
   }
 
   // This is equivalent to fork(), except that, when using the SUID
   // sandbox, it returns the real PID of the child process as it
   // appears outside the sandbox, rather than returning the PID inside
   // the sandbox.
-  int ForkWithRealPid() {
-    if (!g_suid_sandbox_active)
+  int ForkWithRealPid(const std::string process_type, std::vector<int>& fds,

[Evan Martin, 2011/06/27 18:49:32]

These should be const std::string&

[Brad Chen, 2011/06/27 22:06:25]

Done.

+                      const std::string channel_switch) {
+    const bool use_helper = (helper_ && helper_->CanHelp(process_type));
+    if (!(use_helper || g_suid_sandbox_active)) {
       return fork();
+    }
 
     int dummy_fd;
     ino_t dummy_inode;
     int pipe_fds[2] = { -1, -1 };
     base::ProcessId pid = 0;
 
     dummy_fd = socket(PF_UNIX, SOCK_DGRAM, 0);
     if (dummy_fd < 0) {
       LOG(ERROR) << "Failed to create dummy FD";
       goto error;
     }
     if (!base::FileDescriptorGetInode(&dummy_inode, dummy_fd)) {
       LOG(ERROR) << "Failed to get inode for dummy FD";
       goto error;
     }
     if (pipe(pipe_fds) != 0) {
       LOG(ERROR) << "Failed to create pipe";
       goto error;
     }
 
-    pid = fork();
+    if (use_helper) {
+      fds.push_back(dummy_fd);
+      fds.push_back(pipe_fds[0]);
+      pid = helper_->Fork(fds);
+    } else {
+      pid = fork();
+    }
     if (pid < 0) {
       goto error;
     } else if (pid == 0) {
       // In the child process.
       close(pipe_fds[1]);
       char buffer[1];
       // Wait until the parent process has discovered our PID.  We
       // should not fork any child processes (which the seccomp
       // sandbox does) until then, because that can interfere with the
       // parent's discovery of our PID.
       if (HANDLE_EINTR(read(pipe_fds[0], buffer, 1)) != 1 ||
           buffer[0] != 'x') {
         LOG(FATAL) << "Failed to synchronise with parent zygote process";
       }
       close(pipe_fds[0]);
       close(dummy_fd);
       return 0;
     } else {
       // In the parent process.
       close(dummy_fd);
       dummy_fd = -1;
       close(pipe_fds[0]);
       pipe_fds[0] = -1;
-      uint8_t reply_buf[512];
-      Pickle request;
-      request.WriteInt(LinuxSandbox::METHOD_GET_CHILD_WITH_INODE);
-      request.WriteUInt64(dummy_inode);
+      base::ProcessId real_pid;
+      if (g_suid_sandbox_active) {
+        uint8_t reply_buf[512];
+        Pickle request;
+        request.WriteInt(LinuxSandbox::METHOD_GET_CHILD_WITH_INODE);
+        request.WriteUInt64(dummy_inode);
 
-      const ssize_t r = UnixDomainSocket::SendRecvMsg(
-          kMagicSandboxIPCDescriptor, reply_buf, sizeof(reply_buf), NULL,
-          request);
-      if (r == -1) {
-        LOG(ERROR) << "Failed to get child process's real PID";
-        goto error;
+        const ssize_t r = UnixDomainSocket::SendRecvMsg(
+            kMagicSandboxIPCDescriptor, reply_buf, sizeof(reply_buf), NULL,
+            request);
+        if (r == -1) {
+          LOG(ERROR) << "Failed to get child process's real PID";
+          goto error;
+        }
+
+        Pickle reply(reinterpret_cast<char*>(reply_buf), r);
+        void* iter2 = NULL;

[Evan Martin, 2011/06/27 18:49:32]

Why "iter2" and not just "iter"?

[Brad Chen, 2011/06/27 22:06:25]

An irrelevant artifact; fixed.

On 2011/06/27 18:49:32, Evan Martin wrote:

+        if (!reply.ReadInt(&iter2, &real_pid))
+          goto error;
+        if (real_pid <= 0) {
+          // METHOD_GET_CHILD_WITH_INODE failed. Did the child die already?
+          LOG(ERROR) << "METHOD_GET_CHILD_WITH_INODE failed";
+          goto error;
+        }
+        real_pids_to_sandbox_pids[real_pid] = pid;
       }
-
-      base::ProcessId real_pid;
-      Pickle reply(reinterpret_cast<char*>(reply_buf), r);
-      void* iter2 = NULL;
-      if (!reply.ReadInt(&iter2, &real_pid))
-        goto error;
-      if (real_pid <= 0) {
-        // METHOD_GET_CHILD_WITH_INODE failed. Did the child die already?
-        LOG(ERROR) << "METHOD_GET_CHILD_WITH_INODE failed";
-        goto error;
-      }
-      real_pids_to_sandbox_pids[real_pid] = pid;
-      if (HANDLE_EINTR(write(pipe_fds[1], "x", 1)) != 1) {
-        LOG(ERROR) << "Failed to synchronise with child process";
-        goto error;
+      if (use_helper) {
+        real_pid = pid;
+        if (!helper_->AckChild(pipe_fds[1], channel_switch)) {
+          LOG(ERROR) << "Failed to synchronise with NaCl child process";
+          goto error;
+        }
+      } else {
+        if (HANDLE_EINTR(write(pipe_fds[1], "x", 1)) != 1) {
+          LOG(ERROR) << "Failed to synchronise with child process";
+          goto error;
+        }
       }
       close(pipe_fds[1]);
       return real_pid;
     }
 
    error:
     if (pid > 0) {
       if (waitpid(pid, NULL, WNOHANG) == -1)
         LOG(ERROR) << "Failed to wait for process";
     }
     if (dummy_fd >= 0)
       close(dummy_fd);
     if (pipe_fds[0] >= 0)
       close(pipe_fds[0]);
     if (pipe_fds[1] >= 0)
       close(pipe_fds[1]);
     return -1;
   }
 
   // Handle a 'fork' request from the browser: this means that the browser
   // wishes to start a new renderer.
-  bool HandleForkRequest(int fd, const Pickle& pickle, void* iter,
-                         std::vector<int>& fds) {
+  bool HandleForkRequest(int fd, const Pickle& pickle,
+                         void* iter, std::vector<int>& fds) {
     std::vector<std::string> args;
     int argc, numfds;
     base::GlobalDescriptors::Mapping mapping;
     base::ProcessId child;
+    std::string process_type;
+
+    if (!pickle.ReadString(&iter, &process_type))
+      goto error;
 
     if (!pickle.ReadInt(&iter, &argc))
       goto error;
 
     for (int i = 0; i < argc; ++i) {
       std::string arg;
       if (!pickle.ReadString(&iter, &arg))
         goto error;
       args.push_back(arg);
     }
 
     if (!pickle.ReadInt(&iter, &numfds))
       goto error;
     if (numfds != static_cast<int>(fds.size()))
       goto error;
 
     for (int i = 0; i < numfds; ++i) {
       base::GlobalDescriptors::Key key;
       if (!pickle.ReadUInt32(&iter, &key))
         goto error;
       mapping.push_back(std::make_pair(key, fds[i]));
     }
 
     mapping.push_back(std::make_pair(
         static_cast<uint32_t>(kSandboxIPCChannel), kMagicSandboxIPCDescriptor));
 
-    child = ForkWithRealPid();
+    child = ForkWithRealPid(process_type, fds,
+                            ExtractArg(args, switches::kProcessChannelID));
 
     if (!child) {
 #if defined(SECCOMP_SANDBOX)
       // Try to open /proc/self/maps as the seccomp sandbox needs access to it
       if (g_proc_fd >= 0) {
         int proc_self_maps = openat(g_proc_fd, "self/maps", O_RDONLY);
         if (proc_self_maps >= 0) {
           SeccompSandboxSetProcSelfMaps(proc_self_maps);
         }
         close(g_proc_fd);
@@ skipping 52 matching lines @@
     return false;
   }
 
   // In the SUID sandbox, we try to use a new PID namespace. Thus the PIDs
   // fork() returns are not the real PIDs, so we need to map the Real PIDS
   // into the sandbox PID namespace.
   typedef base::hash_map<base::ProcessHandle, base::ProcessHandle> ProcessMap;
   ProcessMap real_pids_to_sandbox_pids;
 
   const int sandbox_flags_;
+  ZygoteForkDelegate* helper_;
 };
 
 // With SELinux we can carve out a precise sandbox, so we don't have to play
 // with intercepting libc calls.
 #if !defined(CHROMIUM_SELINUX)
 
 static void ProxyLocaltimeCallToBrowser(time_t input, struct tm* output,
                                         char* timezone_out,
                                         size_t timezone_out_len) {
   Pickle request;
@@ skipping 238 matching lines @@
 #else  // CHROMIUM_SELINUX
 
 static bool EnterSandbox() {
   PreSandboxInit();
   SkiaFontConfigUseIPCImplementation(kMagicSandboxIPCDescriptor);
   return true;
 }
 
 #endif  // CHROMIUM_SELINUX
 
-bool ZygoteMain(const MainFunctionParams& params) {
+bool ZygoteMain(const MainFunctionParams& params,
+                ZygoteForkDelegate* forkdelegate) {
 #if !defined(CHROMIUM_SELINUX)
   g_am_zygote_or_renderer = true;
 #endif
 
 #if defined(SECCOMP_SANDBOX)
   // The seccomp sandbox needs access to files in /proc, which might be denied
   // after one of the other sandboxes have been started. So, obtain a suitable
   // file handle in advance.
   if (CommandLine::ForCurrentProcess()->HasSwitch(
           switches::kEnableSeccompSandbox)) {
     g_proc_fd = open("/proc", O_DIRECTORY | O_RDONLY);
     if (g_proc_fd < 0) {
       LOG(ERROR) << "WARNING! Cannot access \"/proc\". Disabling seccomp "
                     "sandboxing.";
     }
   }
 #endif  // SECCOMP_SANDBOX
 
+  VLOG(1) << "initializing fork delegate";
+  forkdelegate->Init(getenv("SBX_D") != NULL, // g_suid_sandbox_active,
+                     kBrowserDescriptor, kMagicSandboxIPCDescriptor);
+
   // Turn on the SELinux or SUID sandbox
   if (!EnterSandbox()) {
     LOG(FATAL) << "Failed to enter sandbox. Fail safe abort. (errno: "
                << errno << ")";
     return false;
   }
 
   int sandbox_flags = 0;
   if (getenv("SBX_D"))
     sandbox_flags |= ZygoteHost::kSandboxSUID;
@@ skipping 16 matching lines @@
       LOG(ERROR) << "WARNING! This machine lacks support needed for the "
                     "Seccomp sandbox. Running renderers with Seccomp "
                     "sandboxing disabled.";
     } else {
       VLOG(1) << "Enabling experimental Seccomp sandbox.";
       sandbox_flags |= ZygoteHost::kSandboxSeccomp;
     }
   }
 #endif  // SECCOMP_SANDBOX
 
-  Zygote zygote(sandbox_flags);
+  Zygote zygote(sandbox_flags, forkdelegate);
   // This function call can return multiple times, once per fork().
   return zygote.ProcessRequests();
 }