Add seccomp sandbox for non-SFI NaCl

components/nacl/loader/nacl_helper_linux.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // A mini-zygote specifically for Native Client.
 
 #include "components/nacl/loader/nacl_helper_linux.h"
 
 #include <errno.h>
 #include <fcntl.h>
@@ skipping 25 matching lines @@
 #include "ipc/ipc_switches.h"
 #include "sandbox/linux/services/libc_urandom_override.h"
 
 namespace {
 
 struct NaClLoaderSystemInfo {
   size_t prereserved_sandbox_size;
   long number_of_cores;
 };
 
+// This is a poor man's check on whether we are sandboxed.
+bool IsSandboxed() {
+  int proc_fd = open("/proc/self/exe", O_RDONLY);
+  if (proc_fd >= 0) {
+    close(proc_fd);
+    return false;
+  }
+  return true;
+}
+
+void InitializeSandbox(bool uses_nonsfi) {
+  const bool setuid_sandbox_enabled = IsSandboxed();
+  if (uses_nonsfi) {
+    CHECK(setuid_sandbox_enabled)
+        << "SUID sandbox is mandatory for non-SFI NaCl";
+  }
+  // don't need zygote FD any more
+  if (IGNORE_EINTR(close(kNaClZygoteDescriptor)) != 0)
+    LOG(ERROR) << "close(kNaClZygoteDescriptor) failed.";
+  bool bpf_sandbox_initialized = false;
+  if (uses_nonsfi)
+    bpf_sandbox_initialized = InitializeBPFSandboxForNonSfi();
+  else
+    bpf_sandbox_initialized = InitializeBPFSandbox();
+  if (!bpf_sandbox_initialized) {
+    LOG(ERROR) << "Could not initialize NaCl's second "
+               << "layer sandbox (seccomp-bpf).";
+    // We really depend on seccomp sandbox for non-SFI mode. We do not
+    // run any program without seccomp sandbox.
+    if (uses_nonsfi)
+      _exit(1);
+  }
+}
+
 // The child must mimic the behavior of zygote_main_linux.cc on the child
 // side of the fork. See zygote_main_linux.cc:HandleForkRequest from
 //   if (!child) {
 void BecomeNaClLoader(const std::vector<int>& child_fds,
-                      const NaClLoaderSystemInfo& system_info) {
+                      const NaClLoaderSystemInfo& system_info,
+                      bool uses_nonsfi) {
   VLOG(1) << "NaCl loader: setting up IPC descriptor";
-  // don't need zygote FD any more
-  if (IGNORE_EINTR(close(kNaClZygoteDescriptor)) != 0)
-    LOG(ERROR) << "close(kNaClZygoteDescriptor) failed.";
-  bool sandbox_initialized = InitializeBPFSandbox();
-  if (!sandbox_initialized) {
-    LOG(ERROR) << "Could not initialize NaCl's second "
-      << "layer sandbox (seccomp-bpf).";
-  }
+  InitializeSandbox(uses_nonsfi);
   base::GlobalDescriptors::GetInstance()->Set(
       kPrimaryIPCChannel,
       child_fds[content::ZygoteForkDelegate::kBrowserFDIndex]);
 
   base::MessageLoopForIO main_message_loop;
   NaClListener listener;

[Mark Seaborn, 2014/03/28 01:38:25]

This could become "listener(uses_nonsfi_mode)" (see other comment).

[hamaji, 2014/03/28 12:06:10]

Done, but I added set_uses_nonsfi_mode for consistency with the following two
fields.

   listener.set_prereserved_sandbox_size(system_info.prereserved_sandbox_size);
   listener.set_number_of_cores(system_info.number_of_cores);
   listener.Listen();
   _exit(0);
 }
 
 // Start the NaCl loader in a child created by the NaCl loader Zygote.
 void ChildNaClLoaderInit(const std::vector<int>& child_fds,
-                         const NaClLoaderSystemInfo& system_info) {
+                         const NaClLoaderSystemInfo& system_info,
+                         bool uses_nonsfi) {
   const int parent_fd = child_fds[content::ZygoteForkDelegate::kParentFDIndex];
   const int dummy_fd = child_fds[content::ZygoteForkDelegate::kDummyFDIndex];
   bool validack = false;
   const size_t kMaxReadSize = 1024;
   char buffer[kMaxReadSize];
   // Wait until the parent process has discovered our PID.  We
   // should not fork any child processes (which the seccomp
   // sandbox does) until then, because that can interfere with the
   // parent's discovery of our PID.
   const int nread = HANDLE_EINTR(read(parent_fd, buffer, kMaxReadSize));
@@ skipping 11 matching lines @@
           switches::kProcessChannelID,
           std::string(&buffer[len], nread - len));
       validack = true;
     }
   }
   if (IGNORE_EINTR(close(dummy_fd)) != 0)
     LOG(ERROR) << "close(dummy_fd) failed";
   if (IGNORE_EINTR(close(parent_fd)) != 0)
     LOG(ERROR) << "close(parent_fd) failed";
   if (validack) {
-    BecomeNaClLoader(child_fds, system_info);
+    BecomeNaClLoader(child_fds, system_info, uses_nonsfi);
   } else {
     LOG(ERROR) << "Failed to synch with zygote";
   }
   _exit(1);
 }
 
 // Handle a fork request from the Zygote.
 // Some of this code was lifted from
 // content/browser/zygote_main_linux.cc:ForkWithRealPid()
 bool HandleForkRequest(const std::vector<int>& child_fds,
                        const NaClLoaderSystemInfo& system_info,
+                       PickleIterator* input_iter,
                        Pickle* output_pickle) {
+  bool uses_nonsfi;
+  if (!input_iter->ReadBool(&uses_nonsfi)) {
+    LOG(ERROR) << "Could not read uses_nonsfi status";
+    return false;
+  }
+
   if (content::ZygoteForkDelegate::kNumPassedFDs != child_fds.size()) {
     LOG(ERROR) << "nacl_helper: unexpected number of fds, got "
         << child_fds.size();
     return false;
   }
 
   VLOG(1) << "nacl_helper: forking";
   pid_t child_pid = fork();
   if (child_pid < 0) {
     PLOG(ERROR) << "*** fork() failed.";
   }
 
   if (child_pid == 0) {
-    ChildNaClLoaderInit(child_fds, system_info);
+    ChildNaClLoaderInit(child_fds, system_info, uses_nonsfi);
     NOTREACHED();
   }
 
   // I am the parent.
   // First, close the dummy_fd so the sandbox won't find me when
   // looking for the child's pid in /proc. Also close other fds.
   for (size_t i = 0; i < child_fds.size(); i++) {
     if (IGNORE_EINTR(close(child_fds[i])) != 0)
       LOG(ERROR) << "close(child_fds[i]) failed";
   }
@@ skipping 26 matching lines @@
   base::TerminationStatus status;
   if (known_dead)
     status = base::GetKnownDeadTerminationStatus(child_to_wait, &exit_code);
   else
     status = base::GetTerminationStatus(child_to_wait, &exit_code);
   output_pickle->WriteInt(static_cast<int>(status));
   output_pickle->WriteInt(exit_code);
   return true;
 }
 
-// This is a poor man's check on whether we are sandboxed.
-bool IsSandboxed() {
-  int proc_fd = open("/proc/self/exe", O_RDONLY);
-  if (proc_fd >= 0) {
-    close(proc_fd);
-    return false;
-  }
-  return true;
-}
-
 // Honor a command |command_type|. Eventual command parameters are
 // available in |input_iter| and eventual file descriptors attached to
 // the command are in |attached_fds|.
 // Reply to the command on |reply_fds|.
 bool HonorRequestAndReply(int reply_fd,
                           int command_type,
                           const std::vector<int>& attached_fds,
                           const NaClLoaderSystemInfo& system_info,
                           PickleIterator* input_iter) {
   Pickle write_pickle;
   bool have_to_reply = false;
   // Commands must write anything to send back to |write_pickle|.
   switch (command_type) {
     case nacl::kNaClForkRequest:
       have_to_reply = HandleForkRequest(attached_fds, system_info,
+                                        input_iter,
                                         &write_pickle);
       break;
     case nacl::kNaClGetTerminationStatusRequest:
       have_to_reply =
           HandleGetTerminationStatusRequest(input_iter, &write_pickle);
       break;
     default:
       LOG(ERROR) << "Unsupported command from Zygote";
       return false;
   }
@@ skipping 167 matching lines @@
   // Now handle requests from the Zygote.
   while (true) {
     bool request_handled = HandleZygoteRequest(kNaClZygoteDescriptor,
                                                system_info);
     // Do not turn this into a CHECK() without thinking about robustness
     // against malicious IPC requests.
     DCHECK(request_handled);
   }
   NOTREACHED();
 }