Ensure seccomp-bpf cannot be silently disabled for non-SFI NaCl

components/nacl/loader/nacl_helper_linux.cc

Index: components/nacl/loader/nacl_helper_linux.cc
diff --git a/components/nacl/loader/nacl_helper_linux.cc b/components/nacl/loader/nacl_helper_linux.cc
index 26578c02de1a9ee59081bff9b858e305c092458b..0f00c4bebeba5affee18b74c9bbdd39a223e2134 100644
--- a/components/nacl/loader/nacl_helper_linux.cc
+++ b/components/nacl/loader/nacl_helper_linux.cc
@@ -28,6 +28,7 @@
 #include "base/posix/unix_domain_socket_linux.h"
 #include "base/process/kill.h"
 #include "base/rand_util.h"
+#include "components/nacl/common/nacl_switches.h"
 #include "components/nacl/loader/nacl_listener.h"
 #include "components/nacl/loader/nacl_sandbox_linux.h"
 #include "content/public/common/zygote_fork_delegate_linux.h"
@@ -43,21 +44,49 @@ struct NaClLoaderSystemInfo {
   long number_of_cores;
 };
 
+// This is a poor man's check on whether we are sandboxed.
+bool IsSandboxed() {
+  int proc_fd = open("/proc/self/exe", O_RDONLY);
+  if (proc_fd >= 0) {
+    close(proc_fd);
+    return false;
+  }
+  return true;
+}
+
+void InitializeSandbox(bool uses_nonsfi_mode) {
+  if (uses_nonsfi_mode) {
+    const bool setuid_sandbox_enabled = IsSandboxed();
+    CHECK(setuid_sandbox_enabled)
+        << "SUID sandbox is mandatory for non-SFI NaCl";
+    // TODO(hamaji): Add a strict seccomp sandbox for non-SFI NaCl.
+    // https://code.google.com/p/chromium/issues/detail?id=359285
+    bool bpf_sandbox_initialized = InitializeBPFSandbox();
+    CHECK(bpf_sandbox_initialized)
+        << "Could not initialize NaCl's second "
+        << "layer sandbox (seccomp-bpf) for non-SFI mode.";
+  } else {
+    bool bpf_sandbox_initialized = InitializeBPFSandbox();
+    if (!bpf_sandbox_initialized) {
+      LOG(ERROR) << "Could not initialize NaCl's second "
+                 << "layer sandbox (seccomp-bpf) for SFI mode.";
+    }
+  }
+}
+
 // The child must mimic the behavior of zygote_main_linux.cc on the child
 // side of the fork. See zygote_main_linux.cc:HandleForkRequest from
 //   if (!child) {
 void BecomeNaClLoader(const std::vector<int>& child_fds,
                       const NaClLoaderSystemInfo& system_info,
-                      bool uses_nonsfi_mode) {
+                      bool uses_nonsfi_mode,
+                      bool no_sandbox) {
   VLOG(1) << "NaCl loader: setting up IPC descriptor";
   // don't need zygote FD any more
   if (IGNORE_EINTR(close(kNaClZygoteDescriptor)) != 0)
     LOG(ERROR) << "close(kNaClZygoteDescriptor) failed.";
-  bool sandbox_initialized = InitializeBPFSandbox();
-  if (!sandbox_initialized) {
-    LOG(ERROR) << "Could not initialize NaCl's second "
-      << "layer sandbox (seccomp-bpf).";
-  }
+  if (!no_sandbox)
+    InitializeSandbox(uses_nonsfi_mode);
   base::GlobalDescriptors::GetInstance()->Set(
       kPrimaryIPCChannel,
       child_fds[content::ZygoteForkDelegate::kBrowserFDIndex]);
@@ -75,6 +104,24 @@ void BecomeNaClLoader(const std::vector<int>& child_fds,
 void ChildNaClLoaderInit(const std::vector<int>& child_fds,
                          const NaClLoaderSystemInfo& system_info,
                          bool uses_nonsfi_mode) {
+  bool no_sandbox = false;
+  if (uses_nonsfi_mode) {
+    CommandLine* cmd_line = CommandLine::ForCurrentProcess();
+    no_sandbox = cmd_line->HasSwitch(switches::kNaClDangerousNoSandboxNonSfi);

[jln (very slow on Chromium), 2014/04/07 23:38:10]

Does this really work? How does this get forwarded to nacl_loader? Typically
you'd need to whitelist it in the Zygote.

[hamaji, 2014/04/08 04:38:30]

No, I forgot to merge two commits. Now the flag should be transferred
appropriately (browser => zygote => nacl_helper).

+    if (no_sandbox)
+      LOG(ERROR) << "DANGEROUS: Running non-SFI NaCl without sandbox!";
+    // We reset command line flags for non-SFI mode not to let flags
+    // for SFI mode accidentally changes the behavior of non-SFI mode.
+    // Particularly, non-SFI NaCl should disregard
+    // --disable-seccomp-filter-sandbox. This flag is considered safe
+    // for SFI NaCl as seccomp sandbox is its secondary syscall
+    // sandbox. However, non-SFI NaCl should initialize seccomp unless
+    // more scary flag (i.e., --nacl-dangerous-no-sandbox-nonsfi) is
+    // specified.
+    cmd_line->Reset();
+    CHECK(cmd_line->Init(0, NULL));

[jln (very slow on Chromium), 2014/04/07 23:38:10]

Instead of doing this, simply relax the CHECK() line 65 for this specific
condition.

[hamaji, 2014/04/08 04:38:30]

Done.

+  }
+
   const int parent_fd = child_fds[content::ZygoteForkDelegate::kParentFDIndex];
   const int dummy_fd = child_fds[content::ZygoteForkDelegate::kDummyFDIndex];
   bool validack = false;
@@ -106,7 +153,7 @@ void ChildNaClLoaderInit(const std::vector<int>& child_fds,
   if (IGNORE_EINTR(close(parent_fd)) != 0)
     LOG(ERROR) << "close(parent_fd) failed";
   if (validack) {
-    BecomeNaClLoader(child_fds, system_info, uses_nonsfi_mode);
+    BecomeNaClLoader(child_fds, system_info, uses_nonsfi_mode, no_sandbox);
   } else {
     LOG(ERROR) << "Failed to synch with zygote";
   }
@@ -186,16 +233,6 @@ bool HandleGetTerminationStatusRequest(PickleIterator* input_iter,
   return true;
 }
 
-// This is a poor man's check on whether we are sandboxed.
-bool IsSandboxed() {
-  int proc_fd = open("/proc/self/exe", O_RDONLY);
-  if (proc_fd >= 0) {
-    close(proc_fd);
-    return false;
-  }
-  return true;
-}
-
 // Honor a command |command_type|. Eventual command parameters are
 // available in |input_iter| and eventual file descriptors attached to
 // the command are in |attached_fds|.