
Side by Side Diff: content/common/sandbox_linux.cc

Issue 24055003: add a LinuxSandbox::HasOpenDirectories() sanity check (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 7 years, 3 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <dirent.h>
5 #include <fcntl.h> 6 #include <fcntl.h>
6 #include <sys/resource.h> 7 #include <sys/resource.h>
7 #include <sys/stat.h> 8 #include <sys/stat.h>
8 #include <sys/time.h> 9 #include <sys/time.h>
9 #include <sys/types.h> 10 #include <sys/types.h>
10 11
11 #include <limits> 12 #include <limits>
12 13
13 #include "base/bind.h" 14 #include "base/bind.h"
14 #include "base/bind_helpers.h" 15 #include "base/bind_helpers.h"
15 #include "base/command_line.h" 16 #include "base/command_line.h"
16 #include "base/logging.h" 17 #include "base/logging.h"
17 #include "base/memory/singleton.h" 18 #include "base/memory/singleton.h"
18 #include "base/posix/eintr_wrapper.h" 19 #include "base/posix/eintr_wrapper.h"
20 #include "base/strings/string_number_conversions.h"
19 #include "base/time/time.h" 21 #include "base/time/time.h"
20 #include "content/common/sandbox_linux.h" 22 #include "content/common/sandbox_linux.h"
21 #include "content/common/sandbox_seccomp_bpf_linux.h" 23 #include "content/common/sandbox_seccomp_bpf_linux.h"
22 #include "content/public/common/content_switches.h" 24 #include "content/public/common/content_switches.h"
23 #include "content/public/common/sandbox_linux.h" 25 #include "content/public/common/sandbox_linux.h"
24 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" 26 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
25 27
26 namespace { 28 namespace {
27 29
28 void LogSandboxStarted(const std::string& sandbox_name) { 30 void LogSandboxStarted(const std::string& sandbox_name) {
(...skipping 107 matching lines...) Expand 10 before | Expand all | Expand 10 after
136 if (IsRunningTSAN()) 138 if (IsRunningTSAN())
137 return false; 139 return false;
138 // The GPU process is allowed to call InitializeSandbox() with threads for 140 // The GPU process is allowed to call InitializeSandbox() with threads for
139 // now, because it loads third party libraries. 141 // now, because it loads third party libraries.
140 if (process_type != switches::kGpuProcess) 142 if (process_type != switches::kGpuProcess)
141 CHECK(false) << error_message; 143 CHECK(false) << error_message;
142 LOG(ERROR) << error_message; 144 LOG(ERROR) << error_message;
143 return false; 145 return false;
144 } 146 }
145 147
148 if (linux_sandbox->HasOpenDirectories()) {
149 LOG(ERROR) << "InitializeSandbox() called after unexpected directries "
jln (very slow on Chromium) 2013/10/22 01:10:50 Let's LOG(FATAL).
Mostyn Bramley-Moore 2013/10/23 23:15:19 Done in patchset 2.
150 "have been opened- the setuid sandbox may be at risk, if "
151 "the BPF sandbox is not running.";
152 }
153
146 // Attempt to limit the future size of the address space of the process. 154 // Attempt to limit the future size of the address space of the process.
147 linux_sandbox->LimitAddressSpace(process_type); 155 linux_sandbox->LimitAddressSpace(process_type);
148 156
149 // First, try to enable seccomp-bpf. 157 // First, try to enable seccomp-bpf.
150 seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type); 158 seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type);
151 159
152 return seccomp_bpf_started; 160 return seccomp_bpf_started;
153 } 161 }
154 162
155 int LinuxSandbox::GetStatus() const { 163 int LinuxSandbox::GetStatus() const {
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after
201 } 209 }
202 210
203 // At least "..", "." and the current thread should be present. 211 // At least "..", "." and the current thread should be present.
204 CHECK_LE(3UL, task_stat.st_nlink); 212 CHECK_LE(3UL, task_stat.st_nlink);
205 // Counting threads via /proc/self/task could be racy. For the purpose of 213 // Counting threads via /proc/self/task could be racy. For the purpose of
206 // determining if the current proces is monothreaded it works: if at any 214 // determining if the current proces is monothreaded it works: if at any
207 // time it becomes monothreaded, it'll stay so. 215 // time it becomes monothreaded, it'll stay so.
208 return task_stat.st_nlink == 3; 216 return task_stat.st_nlink == 3;
209 } 217 }
210 218
219 bool LinuxSandbox::HasOpenDirectories() const {
220 short num_dirs = 0;
221
222 DIR* fd_dir = NULL;
jln (very slow on Chromium) 2013/10/22 01:10:50 It's too dangerous and error-prone to make sure th
Mostyn Bramley-Moore 2013/10/23 23:15:19 Done in patchset 2.
223 int fd_fd;
224
225 if (proc_fd_ >= 0) {
226 fd_fd = openat(proc_fd_, "self/fd", O_RDONLY|O_DIRECTORY);
227 }
jln (very slow on Chromium) 2013/10/22 01:10:50 style: else on the same line.
Mostyn Bramley-Moore 2013/10/23 23:15:19 Done.
228 else {
229 fd_fd = open("/proc/self/fd", O_RDONLY|O_DIRECTORY);
230 }
231 fd_dir = fdopendir(fd_fd);
jln (very slow on Chromium) 2013/10/22 01:10:50 Declare fd_dir only here as needed. Add a comment
Mostyn Bramley-Moore 2013/10/23 23:15:19 The OpenDirDeleter code should take care of this.
232 if (!fd_dir) {
jln (very slow on Chromium) 2013/10/22 01:10:50 Add a #if !DEFINED(NDEBUG) ... CHECK(fd_dir) above
Mostyn Bramley-Moore 2013/10/23 23:15:19 I ended up using this in a few places, so I create
233 // We're unable to find the real answer, guess false.
234 return false;
235 }
236
237 struct dirent* e = NULL;
238 struct stat s;
239 while ((e = readdir(fd_dir))) {
jln (very slow on Chromium) 2013/10/22 01:10:50 Please, use readdir_r, I wouldn't want to rely on
Mostyn Bramley-Moore 2013/10/23 23:15:19 Done.
240 if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
241 continue;
242
243 // Skip over the /proc file descriptor.
244 int fd_num;
245 if (proc_fd_ != -1 && base::StringToInt(e->d_name, &fd_num)) {
246 if (fd_num == proc_fd_)
247 continue;
248 }
249
250 if (fstatat(fd_fd, e->d_name, &s, 0) == 0) {
jln (very slow on Chromium) 2013/10/22 01:10:50 This is quote subtle and error prone, so please CH
Mostyn Bramley-Moore 2013/10/23 23:15:19 Done.
251 if (S_ISDIR(s.st_mode)) {
252 num_dirs++;
253 // We had to open /proc/self/fd/ so we really want to check if
jln (very slow on Chromium) 2013/10/22 01:10:50 proc_fd_ and fd_fd should be treated the same, no
Mostyn Bramley-Moore 2013/10/22 19:10:04 Yes, except that we know fd_fd must be valid where
Mostyn Bramley-Moore 2013/10/23 23:15:19 In patchset 2 I replaced this counting logic with
254 // there are more than one directory open (ignoring /proc/).
255 if (num_dirs > 1) {
256 closedir(fd_dir);
257 return true;
258 }
259 }
260 }
261 }
262
263 closedir(fd_dir);
264 return false;
265 }
266
211 bool LinuxSandbox::seccomp_bpf_started() const { 267 bool LinuxSandbox::seccomp_bpf_started() const {
212 return seccomp_bpf_started_; 268 return seccomp_bpf_started_;
213 } 269 }
214 270
215 sandbox::SetuidSandboxClient* 271 sandbox::SetuidSandboxClient*
216 LinuxSandbox::setuid_sandbox_client() const { 272 LinuxSandbox::setuid_sandbox_client() const {
217 return setuid_sandbox_client_.get(); 273 return setuid_sandbox_client_.get();
218 } 274 }
219 275
220 // For seccomp-bpf, we use the SandboxSeccompBpf class. 276 // For seccomp-bpf, we use the SandboxSeccompBpf class.
(...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after
276 void LinuxSandbox::SealSandbox() { 332 void LinuxSandbox::SealSandbox() {
277 if (proc_fd_ >= 0) { 333 if (proc_fd_ >= 0) {
278 int ret = HANDLE_EINTR(close(proc_fd_)); 334 int ret = HANDLE_EINTR(close(proc_fd_));
279 CHECK_EQ(0, ret); 335 CHECK_EQ(0, ret);
280 proc_fd_ = -1; 336 proc_fd_ = -1;
281 } 337 }
282 } 338 }
283 339
284 } // namespace content 340 } // namespace content
285 341
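Review bot: HasOpenDirectories() leaks the descriptor returned by open()/openat() when fdopendir() fails (new lines 231-235): fd_fd is only released through closedir(fd_dir) on the two paths where fd_dir is non-NULL, so on the "guess false" path a successfully opened fd_fd stays open for the life of the process. The early return should release it explicitly, e.g. `if (!fd_dir) { if (fd_fd >= 0) close(fd_fd); return false; }` (using the file's HANDLE_EINTR convention for close() as SealSandbox() does). Separately, the LOG message at new lines 149-151 has typos that will end up in crash reports: "directries" should read "directories" and "opened- the" should read "opened - the". Finally, strcmp() at new line 240 relies on <string.h>/<cstring> arriving transitively, since none of the headers this patch adds provides it; an explicit include next to the new `<dirent.h>` would make the file self-sufficient.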
