Chromium Code Reviews Chromium Code Reviews
Issue 196793023:
Add seccomp sandbox for non-SFI NaCl (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // A mini-zygote specifically for Native Client. | 5 // A mini-zygote specifically for Native Client. |
| 6 | 6 |
| 7 #include "components/nacl/loader/nacl_helper_linux.h" | 7 #include "components/nacl/loader/nacl_helper_linux.h" |
| 8 | 8 |
| 9 #include <errno.h> | 9 #include <errno.h> |
| 10 #include <fcntl.h> | 10 #include <fcntl.h> |
| (...skipping 29 matching lines...) Expand all Loading... | |
| 40 | 40 |
| 41 struct NaClLoaderSystemInfo { | 41 struct NaClLoaderSystemInfo { |
| 42 size_t prereserved_sandbox_size; | 42 size_t prereserved_sandbox_size; |
| 43 long number_of_cores; | 43 long number_of_cores; |
| 44 }; | 44 }; |
| 45 | 45 |
| 46 // The child must mimic the behavior of zygote_main_linux.cc on the child | 46 // The child must mimic the behavior of zygote_main_linux.cc on the child |
| 47 // side of the fork. See zygote_main_linux.cc:HandleForkRequest from | 47 // side of the fork. See zygote_main_linux.cc:HandleForkRequest from |
| 48 // if (!child) { | 48 // if (!child) { |
| 49 void BecomeNaClLoader(const std::vector<int>& child_fds, | 49 void BecomeNaClLoader(const std::vector<int>& child_fds, |
| 50 const NaClLoaderSystemInfo& system_info) { | 50 const NaClLoaderSystemInfo& system_info, |
| 51 bool uses_nonsfi) { | |
| 51 VLOG(1) << "NaCl loader: setting up IPC descriptor"; | 52 VLOG(1) << "NaCl loader: setting up IPC descriptor"; |
| 52 // don't need zygote FD any more | 53 // don't need zygote FD any more |
|
jln (very slow on Chromium)
2014/03/20 00:54:53
We need to refactor a bunch of this logic, but in
hamaji
2014/03/24 15:56:37
Done. However, this essentially disables --no-sand
| |
| 53 if (IGNORE_EINTR(close(kNaClZygoteDescriptor)) != 0) | 54 if (IGNORE_EINTR(close(kNaClZygoteDescriptor)) != 0) |
| 54 LOG(ERROR) << "close(kNaClZygoteDescriptor) failed."; | 55 LOG(ERROR) << "close(kNaClZygoteDescriptor) failed."; |
| 55 bool sandbox_initialized = InitializeBPFSandbox(); | 56 bool sandbox_initialized = false; |
|
jln (very slow on Chromium)
2014/03/20 00:54:53
rename to bpf_sandbox_initialized.
hamaji
2014/03/24 15:56:37
Done.
| |
| 57 if (uses_nonsfi) | |
| 58 sandbox_initialized = InitializeBPFSandboxForNonSfi(); | |
| 59 else | |
| 60 sandbox_initialized = InitializeBPFSandbox(); | |
| 56 if (!sandbox_initialized) { | 61 if (!sandbox_initialized) { |
| 57 LOG(ERROR) << "Could not initialize NaCl's second " | 62 LOG(ERROR) << "Could not initialize NaCl's second " |
| 58 << "layer sandbox (seccomp-bpf)."; | 63 << "layer sandbox (seccomp-bpf)."; |
| 64 // We really depend on seccomp sandbox for non-SFI mode. We do not | |
| 65 // run any program without seccomp sandbox. | |
| 66 if (uses_nonsfi) | |
| 67 _exit(1); | |
| 59 } | 68 } |
| 60 base::GlobalDescriptors::GetInstance()->Set( | 69 base::GlobalDescriptors::GetInstance()->Set( |
| 61 kPrimaryIPCChannel, | 70 kPrimaryIPCChannel, |
| 62 child_fds[content::ZygoteForkDelegate::kBrowserFDIndex]); | 71 child_fds[content::ZygoteForkDelegate::kBrowserFDIndex]); |
| 63 | 72 |
| 64 base::MessageLoopForIO main_message_loop; | 73 base::MessageLoopForIO main_message_loop; |
| 65 NaClListener listener; | 74 NaClListener listener; |
| 66 listener.set_prereserved_sandbox_size(system_info.prereserved_sandbox_size); | 75 listener.set_prereserved_sandbox_size(system_info.prereserved_sandbox_size); |
| 67 listener.set_number_of_cores(system_info.number_of_cores); | 76 listener.set_number_of_cores(system_info.number_of_cores); |
| 68 listener.Listen(); | 77 listener.Listen(); |
| 69 _exit(0); | 78 _exit(0); |
| 70 } | 79 } |
| 71 | 80 |
| 72 // Start the NaCl loader in a child created by the NaCl loader Zygote. | 81 // Start the NaCl loader in a child created by the NaCl loader Zygote. |
| 73 void ChildNaClLoaderInit(const std::vector<int>& child_fds, | 82 void ChildNaClLoaderInit(const std::vector<int>& child_fds, |
| 74 const NaClLoaderSystemInfo& system_info) { | 83 const NaClLoaderSystemInfo& system_info, |
| 84 bool uses_nonsfi) { | |
| 75 const int parent_fd = child_fds[content::ZygoteForkDelegate::kParentFDIndex]; | 85 const int parent_fd = child_fds[content::ZygoteForkDelegate::kParentFDIndex]; |
| 76 const int dummy_fd = child_fds[content::ZygoteForkDelegate::kDummyFDIndex]; | 86 const int dummy_fd = child_fds[content::ZygoteForkDelegate::kDummyFDIndex]; |
| 77 bool validack = false; | 87 bool validack = false; |
| 78 const size_t kMaxReadSize = 1024; | 88 const size_t kMaxReadSize = 1024; |
| 79 char buffer[kMaxReadSize]; | 89 char buffer[kMaxReadSize]; |
| 80 // Wait until the parent process has discovered our PID. We | 90 // Wait until the parent process has discovered our PID. We |
| 81 // should not fork any child processes (which the seccomp | 91 // should not fork any child processes (which the seccomp |
| 82 // sandbox does) until then, because that can interfere with the | 92 // sandbox does) until then, because that can interfere with the |
| 83 // parent's discovery of our PID. | 93 // parent's discovery of our PID. |
| 84 const int nread = HANDLE_EINTR(read(parent_fd, buffer, kMaxReadSize)); | 94 const int nread = HANDLE_EINTR(read(parent_fd, buffer, kMaxReadSize)); |
| (...skipping 11 matching lines...) Expand all Loading... | |
| 96 switches::kProcessChannelID, | 106 switches::kProcessChannelID, |
| 97 std::string(&buffer[len], nread - len)); | 107 std::string(&buffer[len], nread - len)); |
| 98 validack = true; | 108 validack = true; |
| 99 } | 109 } |
| 100 } | 110 } |
| 101 if (IGNORE_EINTR(close(dummy_fd)) != 0) | 111 if (IGNORE_EINTR(close(dummy_fd)) != 0) |
| 102 LOG(ERROR) << "close(dummy_fd) failed"; | 112 LOG(ERROR) << "close(dummy_fd) failed"; |
| 103 if (IGNORE_EINTR(close(parent_fd)) != 0) | 113 if (IGNORE_EINTR(close(parent_fd)) != 0) |
| 104 LOG(ERROR) << "close(parent_fd) failed"; | 114 LOG(ERROR) << "close(parent_fd) failed"; |
| 105 if (validack) { | 115 if (validack) { |
| 106 BecomeNaClLoader(child_fds, system_info); | 116 BecomeNaClLoader(child_fds, system_info, uses_nonsfi); |
| 107 } else { | 117 } else { |
| 108 LOG(ERROR) << "Failed to synch with zygote"; | 118 LOG(ERROR) << "Failed to synch with zygote"; |
| 109 } | 119 } |
| 110 _exit(1); | 120 _exit(1); |
| 111 } | 121 } |
| 112 | 122 |
| 113 // Handle a fork request from the Zygote. | 123 // Handle a fork request from the Zygote. |
| 114 // Some of this code was lifted from | 124 // Some of this code was lifted from |
| 115 // content/browser/zygote_main_linux.cc:ForkWithRealPid() | 125 // content/browser/zygote_main_linux.cc:ForkWithRealPid() |
| 116 bool HandleForkRequest(const std::vector<int>& child_fds, | 126 bool HandleForkRequest(const std::vector<int>& child_fds, |
| 117 const NaClLoaderSystemInfo& system_info, | 127 const NaClLoaderSystemInfo& system_info, |
| 128 PickleIterator* input_iter, | |
| 118 Pickle* output_pickle) { | 129 Pickle* output_pickle) { |
| 130 bool uses_nonsfi; | |
| 131 if (!input_iter->ReadBool(&uses_nonsfi)) { | |
| 132 LOG(ERROR) << "Could not read uses_nonsfi status"; | |
| 133 return false; | |
| 134 } | |
| 135 | |
| 119 if (content::ZygoteForkDelegate::kNumPassedFDs != child_fds.size()) { | 136 if (content::ZygoteForkDelegate::kNumPassedFDs != child_fds.size()) { |
| 120 LOG(ERROR) << "nacl_helper: unexpected number of fds, got " | 137 LOG(ERROR) << "nacl_helper: unexpected number of fds, got " |
| 121 << child_fds.size(); | 138 << child_fds.size(); |
| 122 return false; | 139 return false; |
| 123 } | 140 } |
| 124 | 141 |
| 125 VLOG(1) << "nacl_helper: forking"; | 142 VLOG(1) << "nacl_helper: forking"; |
| 126 pid_t child_pid = fork(); | 143 pid_t child_pid = fork(); |
| 127 if (child_pid < 0) { | 144 if (child_pid < 0) { |
| 128 PLOG(ERROR) << "*** fork() failed."; | 145 PLOG(ERROR) << "*** fork() failed."; |
| 129 } | 146 } |
| 130 | 147 |
| 131 if (child_pid == 0) { | 148 if (child_pid == 0) { |
| 132 ChildNaClLoaderInit(child_fds, system_info); | 149 ChildNaClLoaderInit(child_fds, system_info, uses_nonsfi); |
| 133 NOTREACHED(); | 150 NOTREACHED(); |
| 134 } | 151 } |
| 135 | 152 |
| 136 // I am the parent. | 153 // I am the parent. |
| 137 // First, close the dummy_fd so the sandbox won't find me when | 154 // First, close the dummy_fd so the sandbox won't find me when |
| 138 // looking for the child's pid in /proc. Also close other fds. | 155 // looking for the child's pid in /proc. Also close other fds. |
| 139 for (size_t i = 0; i < child_fds.size(); i++) { | 156 for (size_t i = 0; i < child_fds.size(); i++) { |
| 140 if (IGNORE_EINTR(close(child_fds[i])) != 0) | 157 if (IGNORE_EINTR(close(child_fds[i])) != 0) |
| 141 LOG(ERROR) << "close(child_fds[i]) failed"; | 158 LOG(ERROR) << "close(child_fds[i]) failed"; |
| 142 } | 159 } |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 194 int command_type, | 211 int command_type, |
| 195 const std::vector<int>& attached_fds, | 212 const std::vector<int>& attached_fds, |
| 196 const NaClLoaderSystemInfo& system_info, | 213 const NaClLoaderSystemInfo& system_info, |
| 197 PickleIterator* input_iter) { | 214 PickleIterator* input_iter) { |
| 198 Pickle write_pickle; | 215 Pickle write_pickle; |
| 199 bool have_to_reply = false; | 216 bool have_to_reply = false; |
| 200 // Commands must write anything to send back to |write_pickle|. | 217 // Commands must write anything to send back to |write_pickle|. |
| 201 switch (command_type) { | 218 switch (command_type) { |
| 202 case nacl::kNaClForkRequest: | 219 case nacl::kNaClForkRequest: |
| 203 have_to_reply = HandleForkRequest(attached_fds, system_info, | 220 have_to_reply = HandleForkRequest(attached_fds, system_info, |
| 221 input_iter, | |
| 204 &write_pickle); | 222 &write_pickle); |
| 205 break; | 223 break; |
| 206 case nacl::kNaClGetTerminationStatusRequest: | 224 case nacl::kNaClGetTerminationStatusRequest: |
| 207 have_to_reply = | 225 have_to_reply = |
| 208 HandleGetTerminationStatusRequest(input_iter, &write_pickle); | 226 HandleGetTerminationStatusRequest(input_iter, &write_pickle); |
| 209 break; | 227 break; |
| 210 default: | 228 default: |
| 211 LOG(ERROR) << "Unsupported command from Zygote"; | 229 LOG(ERROR) << "Unsupported command from Zygote"; |
| 212 return false; | 230 return false; |
| 213 } | 231 } |
| (...skipping 167 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 381 // Now handle requests from the Zygote. | 399 // Now handle requests from the Zygote. |
| 382 while (true) { | 400 while (true) { |
| 383 bool request_handled = HandleZygoteRequest(kNaClZygoteDescriptor, | 401 bool request_handled = HandleZygoteRequest(kNaClZygoteDescriptor, |
| 384 system_info); | 402 system_info); |
| 385 // Do not turn this into a CHECK() without thinking about robustness | 403 // Do not turn this into a CHECK() without thinking about robustness |
| 386 // against malicious IPC requests. | 404 // against malicious IPC requests. |
| 387 DCHECK(request_handled); | 405 DCHECK(request_handled); |
| 388 } | 406 } |
| 389 NOTREACHED(); | 407 NOTREACHED(); |
| 390 } | 408 } |
| OLD | NEW |
