Fix logic for checking chrome-sandbox setuid binary

content/browser/zygote_host/zygote_communication_linux.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/zygote_host/zygote_communication_linux.h"
 
 #include <string.h>
 #include <sys/socket.h>
 
 #include "base/base_switches.h"
 #include "base/command_line.h"
 #include "base/logging.h"
 #include "base/metrics/histogram.h"
 #include "base/metrics/sparse_histogram.h"
 #include "base/path_service.h"
 #include "base/pickle.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/posix/unix_domain_socket_linux.h"
-#include "content/browser/renderer_host/render_sandbox_host_linux.h"
 #include "content/browser/zygote_host/zygote_host_impl_linux.h"
-#include "content/common/child_process_sandbox_support_impl_linux.h"
 #include "content/common/zygote_commands_linux.h"
 #include "content/public/browser/content_browser_client.h"
+#include "content/public/common/content_client.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/result_codes.h"
-#include "sandbox/linux/services/namespace_sandbox.h"
-#include "sandbox/linux/suid/client/setuid_sandbox_host.h"
 #include "ui/display/display_switches.h"
-#include "ui/gfx/switches.h"
 
 namespace content {
 
-namespace {
-
-// Receive a fixed message on fd and return the sender's PID.
-// Returns true if the message received matches the expected message.
-bool ReceiveFixedMessage(int fd,
-                         const char* expect_msg,
-                         size_t expect_len,
-                         base::ProcessId* sender_pid) {
-  char buf[expect_len + 1];
-  std::vector<base::ScopedFD> fds_vec;
-
-  const ssize_t len = base::UnixDomainSocket::RecvMsgWithPid(
-      fd, buf, sizeof(buf), &fds_vec, sender_pid);
-  if (static_cast<size_t>(len) != expect_len)
-    return false;
-  if (memcmp(buf, expect_msg, expect_len) != 0)
-    return false;
-  if (!fds_vec.empty())
-    return false;
-  return true;
-}
-
-}  // namespace
-
 ZygoteCommunication::ZygoteCommunication()
-    : control_fd_(-1),
+    : control_fd_(),
       control_lock_(),
       pid_(),
       list_of_running_zygote_children_(),
       child_tracking_lock_(),
       sandbox_status_(0),
       have_read_sandbox_status_word_(false),
       init_(false) {}
 
 ZygoteCommunication::~ZygoteCommunication() {}
 
 bool ZygoteCommunication::SendMessage(const base::Pickle& data,
                                       const std::vector<int>* fds) {
-  DCHECK_NE(-1, control_fd_);
+  DCHECK(control_fd_.is_valid());
   CHECK(data.size() <= kZygoteMaxMessageLength)
       << "Trying to send too-large message to zygote (sending " << data.size()
       << " bytes, max is " << kZygoteMaxMessageLength << ")";
   CHECK(!fds || fds->size() <= base::UnixDomainSocket::kMaxFileDescriptors)
       << "Trying to send message with too many file descriptors to zygote "
       << "(sending " << fds->size() << ", max is "
       << base::UnixDomainSocket::kMaxFileDescriptors << ")";
 
-  return base::UnixDomainSocket::SendMsg(control_fd_, data.data(), data.size(),
+  return base::UnixDomainSocket::SendMsg(control_fd_.get(), data.data(),
+                                         data.size(),
                                          fds ? *fds : std::vector<int>());
 }
 
 ssize_t ZygoteCommunication::ReadSandboxStatus() {
-  DCHECK_NE(-1, control_fd_);
+  DCHECK(control_fd_.is_valid());
   // At startup we send a kZygoteCommandGetSandboxStatus request to the zygote,
   // but don't wait for the reply. Thus, the first time that we read from the
   // zygote, we get the reply to that request.
   ssize_t bytes_read = HANDLE_EINTR(
-      read(control_fd_, &sandbox_status_, sizeof(sandbox_status_)));
+      read(control_fd_.get(), &sandbox_status_, sizeof(sandbox_status_)));
   if (bytes_read != sizeof(sandbox_status_)) {
     return -1;
   }
   return bytes_read;
 }
 
 ssize_t ZygoteCommunication::ReadReply(void* buf, size_t buf_len) {
-  DCHECK_NE(-1, control_fd_);
+  DCHECK(control_fd_.is_valid());
   if (!have_read_sandbox_status_word_) {
     if (ReadSandboxStatus() == -1) {
       return -1;
     }
     have_read_sandbox_status_word_ = true;
     UMA_HISTOGRAM_SPARSE_SLOWLY("Linux.SandboxStatus", sandbox_status_);
   }
 
-  return HANDLE_EINTR(read(control_fd_, buf, buf_len));
+  return HANDLE_EINTR(read(control_fd_.get(), buf, buf_len));
 }
 
 pid_t ZygoteCommunication::ForkRequest(
     const std::vector<std::string>& argv,
     std::unique_ptr<FileDescriptorInfo> mapping,
     const std::string& process_type) {
   DCHECK(init_);
 
   base::Pickle pickle;
   int raw_socks[2];
@@ skipping 140 matching lines @@
 
 void ZygoteCommunication::Init() {
   CHECK(!init_);
 
   base::FilePath chrome_path;
   CHECK(PathService::Get(base::FILE_EXE, &chrome_path));
   base::CommandLine cmd_line(chrome_path);
 
   cmd_line.AppendSwitchASCII(switches::kProcessType, switches::kZygoteProcess);
 
-  int fds[2];
-  CHECK(socketpair(AF_UNIX, SOCK_SEQPACKET, 0, fds) == 0);
-  CHECK(base::UnixDomainSocket::EnableReceiveProcessId(fds[0]));
-  base::FileHandleMappingVector fds_to_map;
-  fds_to_map.push_back(std::make_pair(fds[1], kZygoteSocketPairFd));
-
-  base::LaunchOptions options;
   const base::CommandLine& browser_command_line =
       *base::CommandLine::ForCurrentProcess();
   if (browser_command_line.HasSwitch(switches::kZygoteCmdPrefix)) {
     cmd_line.PrependWrapper(
         browser_command_line.GetSwitchValueNative(switches::kZygoteCmdPrefix));
   }
   // Append any switches from the browser process that need to be forwarded on
   // to the zygote/renderers.
   // Should this list be obtained from browser_render_process_host.cc?
   static const char* const kForwardSwitches[] = {
       switches::kAllowSandboxDebugging, switches::kAndroidFontsPath,
       switches::kDisableSeccompFilterSandbox,
       switches::kEnableHeapProfiling,
       switches::kEnableLogging,  // Support, e.g., --enable-logging=stderr.
       // Zygote process needs to know what resources to have loaded when it
       // becomes a renderer process.
       switches::kForceDeviceScaleFactor, switches::kLoggingLevel,
       switches::kNoSandbox, switches::kPpapiInProcess,
       switches::kRegisterPepperPlugins, switches::kV, switches::kVModule,
   };
   cmd_line.CopySwitchesFrom(browser_command_line, kForwardSwitches,
                             arraysize(kForwardSwitches));
 
   GetContentClient()->browser()->AppendExtraCommandLineSwitches(&cmd_line, -1);
 
-  const bool using_namespace_sandbox =
-      ZygoteHostImpl::GetInstance()->ShouldUseNamespaceSandbox();
-  // A non empty sandbox_cmd means we want a SUID sandbox.
-  const bool using_suid_sandbox =
-      !ZygoteHostImpl::GetInstance()->SandboxCommand().empty() &&
-      !using_namespace_sandbox;
-
-  // Start up the sandbox host process and get the file descriptor for the
-  // renderers to talk to it.
-  const int sfd = RenderSandboxHostLinux::GetInstance()->GetRendererSocket();
-  fds_to_map.push_back(std::make_pair(sfd, GetSandboxFD()));
-
-  base::ScopedFD dummy_fd;
-  if (using_suid_sandbox) {
-    std::unique_ptr<sandbox::SetuidSandboxHost> sandbox_host(
-        sandbox::SetuidSandboxHost::Create());
-    sandbox_host->PrependWrapper(&cmd_line);
-    sandbox_host->SetupLaunchOptions(&options, &fds_to_map, &dummy_fd);
-    sandbox_host->SetupLaunchEnvironment();
-  }
-
-  options.fds_to_remap = &fds_to_map;
-  base::Process process =
-      using_namespace_sandbox
-          ? sandbox::NamespaceSandbox::LaunchProcess(cmd_line, options)
-          : base::LaunchProcess(cmd_line, options);
-  CHECK(process.IsValid()) << "Failed to launch zygote process";
-
-  dummy_fd.reset();
-
-  if (using_suid_sandbox || using_namespace_sandbox) {
-    // The SUID sandbox will execute the zygote in a new PID namespace, and
-    // the main zygote process will then fork from there.  Watch now our
-    // elaborate dance to find and validate the zygote's PID.
-
-    // First we receive a message from the zygote boot process.
-    base::ProcessId boot_pid;
-    CHECK(ReceiveFixedMessage(fds[0], kZygoteBootMessage,
-                              sizeof(kZygoteBootMessage), &boot_pid));
-
-    // Within the PID namespace, the zygote boot process thinks it's PID 1,
-    // but its real PID can never be 1. This gives us a reliable test that
-    // the kernel is translating the sender's PID to our namespace.
-    CHECK_GT(boot_pid, 1)
-        << "Received invalid process ID for zygote; kernel might be too old? "
-           "See crbug.com/357670 or try using --"
-        << switches::kDisableSetuidSandbox << " to workaround.";
-
-    // Now receive the message that the zygote's ready to go, along with the
-    // main zygote process's ID.
-    CHECK(ReceiveFixedMessage(fds[0], kZygoteHelloMessage,
-                              sizeof(kZygoteHelloMessage), &pid_));
-    CHECK_GT(pid_, 1);
-
-    if (process.Pid() != pid_) {
-      // Reap the sandbox.
-      base::EnsureProcessGetsReaped(process.Pid());
-    }
-  } else {
-    // Not using the SUID sandbox.
-    // Note that ~base::Process() will reset the internal value, but there's no
-    // real "handle" on POSIX so that is safe.
-    pid_ = process.Pid();
-  }
-
-  close(fds[1]);
-  control_fd_ = fds[0];
-
-  ZygoteHostImpl::GetInstance()->AddZygotePid(pid_);
+  pid_ = ZygoteHostImpl::GetInstance()->LaunchZygote(&cmd_line, &control_fd_);
 
   base::Pickle pickle;
   pickle.WriteInt(kZygoteCommandGetSandboxStatus);
   if (!SendMessage(pickle, NULL))
     LOG(FATAL) << "Cannot communicate with zygote";
 
   init_ = true;
 }
 
 base::TerminationStatus ZygoteCommunication::GetTerminationStatus(
@@ skipping 51 matching lines @@
   }
   if (ReadSandboxStatus() == -1) {
     return 0;
   }
   have_read_sandbox_status_word_ = true;
   UMA_HISTOGRAM_SPARSE_SLOWLY("Linux.SandboxStatus", sandbox_status_);
   return sandbox_status_;
 }
 
 }  // namespace content