Reland: Introduce sys_sigprocmask and sys_sigaction. (patchset #4 id:80001 of https://codereview.ch…

sandbox/linux/services/syscall_wrappers.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/services/syscall_wrappers.h"
 
 #include <pthread.h>
 #include <sched.h>
 #include <setjmp.h>
 #include <sys/resource.h>
 #include <sys/syscall.h>
 #include <sys/time.h>
 #include <sys/types.h>
 #include <unistd.h>
+#include <cstring>
 
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/third_party/valgrind/valgrind.h"
 #include "build/build_config.h"
 #include "sandbox/linux/system_headers/capability.h"
+#include "sandbox/linux/system_headers/linux_signal.h"
 #include "sandbox/linux/system_headers/linux_syscalls.h"
 
 namespace sandbox {
 
 pid_t sys_getpid(void) {
   return syscall(__NR_getpid);
 }
 
 pid_t sys_gettid(void) {
   return syscall(__NR_gettid);
@@ skipping 99 matching lines @@
 }
 
 int sys_chroot(const char* path) {
   return syscall(__NR_chroot, path);
 }
 
 int sys_unshare(int flags) {
   return syscall(__NR_unshare, flags);
 }
 
+int sys_sigprocmask(int how, const sigset_t* set, decltype(nullptr) oldset) {
+  // In some toolchain (in particular Android and PNaCl toolchain),
+  // sigset_t is 32 bits, but Linux ABI requires 64 bits.
+  uint64_t linux_value = 0;
+  std::memcpy(&linux_value, set, std::min(sizeof(sigset_t), sizeof(uint64_t)));
+  return syscall(__NR_rt_sigprocmask, how, &linux_value, nullptr,
+                 sizeof(linux_value));
+}
+
+#if defined(MEMORY_SANITIZER)

[hidehiko, 2015/04/23 15:59:56]

Note: I'll add (|| !defined(OS_NACL_NONSFI)) in a later CL to this condition
(i.e., with PNaCl toolchain we need to use direct system call).
This is because:
- The signal ABIs provided by PNaCl toolchian is incompatible with Linux's. So,
we always need to use direct syscall. In other words, sigaction() in libc should
not be called while the program runs.
- It is for nacl_helper in Non-SFI mode, so practically the problem described
below does not happen.
- In addition, we need to revive the MSAN unpoisonize in Trap::SigSysAction,
because the callback will not be wrapped as MSAN does.

[mdempsky, 2015/04/23 19:39:36]

Is it an option to just add a

  #if defined(OS_NACL_NONSFI)
  #error MSAN and non-SFI are incompatible
  #endif

check in here?  Or do we require the ability to compile the non-SFI code with
MSAN?

[hidehiko, 2015/04/24 17:38:38]

I think we can use ifdef as you said here. Please let me check it in the later
CL.

[mdempsky, 2015/04/24 18:03:02]

Sure.

+// If MEMORY_SANITIZER is enabled, it is necessary to call sigaction() here,
+// rather than the direct syscall (sys_sigaction() defined by ourselves).
+// It is because, if MEMORY_SANITIZER is enabled, sigaction is wrapped, and
+// |act->sa_handler| is injected in order to unpoisonize the memory passed via
+// callback's arguments. Please see msan_interceptors.cc for more details.
+// So, if the direct syscall is used, as MEMORY_SANITIZER does not know about
+// it, sigaction() invocation in other places would be broken (in more precise,
+// returned |oldact| would have a broken |sa_handler| callback).
+// Practically, it would break NaCl's signal handler installation.
+// cf) native_client/src/trusted/service_runtime/linux/nacl_signal.c.
+int sys_sigaction(int signum,
+                  const struct sigaction* act,
+                  struct sigaction* oldact) {
+  return sigaction(signum, act, oldact);
+}
+#else
+// struct sigaction is different ABI from the Linux's.
+struct KernelSigAction {
+  void (*kernel_handler)(int);
+  uint32_t sa_flags;
+  void (*sa_restorer)(void);
+  uint64_t sa_mask;
+};
+
+// On X86_64 arch, it is necessary to set sa_restorer always.
+#if defined(ARCH_CPU_X86_64)
+#if !defined(SA_RESTORER)
+#define SA_RESTORER 0x04000000
+#endif
+
+// rt_sigreturn is a special system call that interacts with the user land
+// stack. Thus, here prologue must not be created, which implies syscall()
+// does not work properly, too. Note that rt_sigreturn will never return.
+static __attribute__((naked)) void sys_rt_sigreturn() {

[mdempsky, 2015/04/23 19:39:36]

Hm, the GCC manual says "This attribute is available on the ARM, AVR, MCORE,
MSP430, NDS32, RL78, RX and SPU ports."  But I don't see any reason it shouldn't
work on x86-64 too.

[hidehiko, 2015/04/24 17:38:38]

Good catch! GCC does not support naked, but clang does.
Fixed GCC build by falling back to libc's sigaction(), as there seems no simple
way to define naked function with GCC (or need huge inline asm code).

+  // Just invoke rt_sigreturn system call.
+  asm volatile ("syscall\n"
+                :: "a"(__NR_rt_sigreturn));
+}
+#endif
+
+int sys_sigaction(int signum,
+                  const struct sigaction* act,
+                  struct sigaction* oldact) {
+  KernelSigAction kernel_act = {};
+  if (act) {
+    kernel_act.kernel_handler = act->sa_handler;
+    std::memcpy(&kernel_act.sa_mask, &act->sa_mask,
+                std::min(sizeof(kernel_act.sa_mask), sizeof(act->sa_mask)));
+    kernel_act.sa_flags = act->sa_flags;
+
+#if defined(ARCH_CPU_X86_64)
+    if (!(kernel_act.sa_flags & SA_RESTORER)) {
+      kernel_act.sa_flags |= SA_RESTORER;
+      kernel_act.sa_restorer = sys_rt_sigreturn;
+    }
+#endif
+  }
+
+  KernelSigAction kernel_oldact = {};
+  int result = syscall(__NR_rt_sigaction, signum, act ? &kernel_act : nullptr,
+                       oldact ? &kernel_oldact : nullptr, sizeof(uint64_t));
+  if (result == 0 && oldact) {
+    oldact->sa_handler = kernel_oldact.kernel_handler;
+    sigemptyset(&oldact->sa_mask);
+    std::memcpy(&oldact->sa_mask, &kernel_oldact.sa_mask,
+                std::min(sizeof(kernel_act.sa_mask), sizeof(act->sa_mask)));
+    oldact->sa_flags = kernel_oldact.sa_flags;
+  }
+  return result;
+}
+
+#endif  // defined(MEMORY_SANITIZER)
+
 }  // namespace sandbox