Merge 249937 "Linux Sandbox: Stop GPU watchdog in accountable way."

content/common/sandbox_linux/sandbox_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <dirent.h>
 #include <fcntl.h>
 #include <sys/resource.h>
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/types.h>
+#include <unistd.h>
 
 #include <limits>
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/command_line.h"
 #include "base/logging.h"
+#include "base/memory/scoped_ptr.h"
 #include "base/memory/singleton.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/time/time.h"
 #include "build/build_config.h"
 #include "content/common/sandbox_linux/sandbox_linux.h"
 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/sandbox_linux.h"
 #include "sandbox/linux/services/credentials.h"
+#include "sandbox/linux/services/thread_helpers.h"
 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
 
 namespace {
 
+struct FDCloser {
+  inline void operator()(int* fd) const {
+    DCHECK(fd);
+    PCHECK(0 == IGNORE_EINTR(close(*fd)));
+    *fd = -1;
+  }
+};
+
+// Don't use base::ScopedFD since it doesn't CHECK that the file descriptor was
+// closed.
+typedef scoped_ptr<int, FDCloser> SafeScopedFD;
+
 void LogSandboxStarted(const std::string& sandbox_name) {
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
   const std::string process_type =
       command_line.GetSwitchValueASCII(switches::kProcessType);
   const std::string activated_sandbox =
       "Activated " + sandbox_name + " sandbox for process type: " +
       process_type + ".";
 #if defined(OS_CHROMEOS)
   LOG(WARNING) << activated_sandbox;
 #else
@@ skipping 15 matching lines @@
 }
 
 bool IsRunningTSAN() {
 #if defined(THREAD_SANITIZER)
   return true;
 #else
   return false;
 #endif
 }
 
+// Try to open /proc/self/task/ with the help of |proc_fd|. |proc_fd| can be
+// -1. Will return -1 on error and set errno like open(2).
+int OpenProcTaskFd(int proc_fd) {
+  int proc_self_task = -1;
+  if (proc_fd >= 0) {
+    // If a handle to /proc is available, use it. This allows to bypass file
+    // system restrictions.
+    proc_self_task = openat(proc_fd, "self/task/", O_RDONLY | O_DIRECTORY);
+  } else {
+    // Otherwise, make an attempt to access the file system directly.
+    proc_self_task = open("/proc/self/task/", O_RDONLY | O_DIRECTORY);
+  }
+  return proc_self_task;
+}
+
 }  // namespace
 
 namespace content {
 
 LinuxSandbox::LinuxSandbox()
     : proc_fd_(-1),
       seccomp_bpf_started_(false),
       sandbox_status_flags_(kSandboxLinuxInvalid),
       pre_initialized_(false),
       seccomp_bpf_supported_(false),
@@ skipping 41 matching lines @@
     }
   }
   pre_initialized_ = true;
 }
 
 bool LinuxSandbox::InitializeSandbox() {
   LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
   return linux_sandbox->InitializeSandboxImpl();
 }
 
+void LinuxSandbox::StopThread(base::Thread* thread) {
+  LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
+  linux_sandbox->StopThreadImpl(thread);
+}
+
 int LinuxSandbox::GetStatus() {
   CHECK(pre_initialized_);
   if (kSandboxLinuxInvalid == sandbox_status_flags_) {
     // Initialize sandbox_status_flags_.
     sandbox_status_flags_ = 0;
     if (setuid_sandbox_client_->IsSandboxed()) {
       sandbox_status_flags_ |= kSandboxLinuxSUID;
       if (setuid_sandbox_client_->IsInNewPIDNamespace())
         sandbox_status_flags_ |= kSandboxLinuxPIDNS;
       if (setuid_sandbox_client_->IsInNewNETNamespace())
         sandbox_status_flags_ |= kSandboxLinuxNetNS;
     }
 
     // We report whether the sandbox will be activated when renderers, workers
     // and PPAPI plugins go through sandbox initialization.
     if (seccomp_bpf_supported() &&
         SandboxSeccompBPF::ShouldEnableSeccompBPF(switches::kRendererProcess)) {
       sandbox_status_flags_ |= kSandboxLinuxSeccompBPF;
     }
   }
 
   return sandbox_status_flags_;
 }
 
 // Threads are counted via /proc/self/task. This is a little hairy because of
 // PID namespaces and existing sandboxes, so "self" must really be used instead
 // of using the pid.
 bool LinuxSandbox::IsSingleThreaded() const {
-  struct stat task_stat;
-  int fstat_ret;
-  if (proc_fd_ >= 0) {
-    // If a handle to /proc is available, use it. This allows to bypass file
-    // system restrictions.
-    fstat_ret = fstatat(proc_fd_, "self/task/", &task_stat, 0);
-  } else {
-    // Otherwise, make an attempt to access the file system directly.
-    fstat_ret = fstatat(AT_FDCWD, "/proc/self/task/", &task_stat, 0);
-  }
-  // In Debug mode, it's mandatory to be able to count threads to catch bugs.
+  bool is_single_threaded = false;
+  int proc_self_task = OpenProcTaskFd(proc_fd_);
+
+// In Debug mode, it's mandatory to be able to count threads to catch bugs.
 #if !defined(NDEBUG)
-  // Using DCHECK here would be incorrect. DCHECK can be enabled in non
-  // official release mode.
-  CHECK_EQ(0, fstat_ret) << "Could not count threads, the sandbox was not "
-                         << "pre-initialized properly.";
+  // Using CHECK here since we want to check all the cases where
+  // !defined(NDEBUG)
+  // gets built.
+  CHECK_LE(0, proc_self_task) << "Could not count threads, the sandbox was not "
+                              << "pre-initialized properly.";
 #endif  // !defined(NDEBUG)
-  if (fstat_ret) {
+
+  if (proc_self_task < 0) {
     // Pretend to be monothreaded if it can't be determined (for instance the
     // setuid sandbox is already engaged but no proc_fd_ is available).
-    return true;
+    is_single_threaded = true;
+  } else {
+    SafeScopedFD task_closer(&proc_self_task);
+    is_single_threaded =
+        sandbox::ThreadHelpers::IsSingleThreaded(proc_self_task);
   }
 
-  // At least "..", "." and the current thread should be present.
-  CHECK_LE(3UL, task_stat.st_nlink);
-  // Counting threads via /proc/self/task could be racy. For the purpose of
-  // determining if the current proces is monothreaded it works: if at any
-  // time it becomes monothreaded, it'll stay so.
-  return task_stat.st_nlink == 3;
+  return is_single_threaded;
 }
 
 bool LinuxSandbox::seccomp_bpf_started() const {
   return seccomp_bpf_started_;
 }
 
 sandbox::SetuidSandboxClient*
     LinuxSandbox::setuid_sandbox_client() const {
   return setuid_sandbox_client_.get();
 }
@@ skipping 55 matching lines @@
 
   // Attempt to limit the future size of the address space of the process.
   LimitAddressSpace(process_type);
 
   // Try to enable seccomp-bpf.
   bool seccomp_bpf_started = StartSeccompBPF(process_type);
 
   return seccomp_bpf_started;
 }
 
+void LinuxSandbox::StopThreadImpl(base::Thread* thread) {
+  DCHECK(thread);
+  StopThreadAndEnsureNotCounted(thread);
+}
 
 bool LinuxSandbox::seccomp_bpf_supported() const {
   CHECK(pre_initialized_);
   return seccomp_bpf_supported_;
 }
 
 bool LinuxSandbox::LimitAddressSpace(const std::string& process_type) {
   (void) process_type;
 #if !defined(ADDRESS_SANITIZER)
   CommandLine* command_line = CommandLine::ForCurrentProcess();
@@ skipping 26 matching lines @@
   const rlim_t kNewDataSegmentMaxSize = std::numeric_limits<int>::max();
 
   bool limited_as = AddResourceLimit(RLIMIT_AS, address_space_limit);
   bool limited_data = AddResourceLimit(RLIMIT_DATA, kNewDataSegmentMaxSize);
   return limited_as && limited_data;
 #else
   return false;
 #endif  // !defined(ADDRESS_SANITIZER)
 }
 
-bool LinuxSandbox::HasOpenDirectories() {
+bool LinuxSandbox::HasOpenDirectories() const {
   return sandbox::Credentials().HasOpenDirectory(proc_fd_);
 }
 
 void LinuxSandbox::SealSandbox() {
   if (proc_fd_ >= 0) {
     int ret = IGNORE_EINTR(close(proc_fd_));
     CHECK_EQ(0, ret);
     proc_fd_ = -1;
   }
 }
 
 void LinuxSandbox::CheckForBrokenPromises(const std::string& process_type) {
   // Make sure that any promise made with GetStatus() wasn't broken.
   bool promised_seccomp_bpf_would_start = false;
   if (process_type == switches::kRendererProcess ||
       process_type == switches::kWorkerProcess ||
       process_type == switches::kPpapiPluginProcess) {
     promised_seccomp_bpf_would_start =
         (sandbox_status_flags_ != kSandboxLinuxInvalid) &&
         (GetStatus() & kSandboxLinuxSeccompBPF);
   }
   if (promised_seccomp_bpf_would_start) {
     CHECK(seccomp_bpf_started_);
   }
 }
 
+void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread* thread) const {
+  DCHECK(thread);
+  int proc_self_task = OpenProcTaskFd(proc_fd_);
+  PCHECK(proc_self_task >= 0);
+  SafeScopedFD task_closer(&proc_self_task);
+  CHECK(
+      sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_self_task, thread));
+}
+
 }  // namespace content