1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <dirent.h> | |
5 #include <fcntl.h> | 6 #include <fcntl.h> |
6 #include <sys/resource.h> | 7 #include <sys/resource.h> |
7 #include <sys/stat.h> | 8 #include <sys/stat.h> |
8 #include <sys/time.h> | 9 #include <sys/time.h> |
9 #include <sys/types.h> | 10 #include <sys/types.h> |
10 | 11 |
11 #include <limits> | 12 #include <limits> |
12 | 13 |
13 #include "base/bind.h" | 14 #include "base/bind.h" |
14 #include "base/bind_helpers.h" | 15 #include "base/bind_helpers.h" |
15 #include "base/command_line.h" | 16 #include "base/command_line.h" |
16 #include "base/logging.h" | 17 #include "base/logging.h" |
17 #include "base/memory/singleton.h" | 18 #include "base/memory/singleton.h" |
18 #include "base/posix/eintr_wrapper.h" | 19 #include "base/posix/eintr_wrapper.h" |
20 #include "base/strings/string_number_conversions.h" | |
19 #include "base/time/time.h" | 21 #include "base/time/time.h" |
20 #include "content/common/sandbox_linux.h" | 22 #include "content/common/sandbox_linux.h" |
21 #include "content/common/sandbox_seccomp_bpf_linux.h" | 23 #include "content/common/sandbox_seccomp_bpf_linux.h" |
22 #include "content/public/common/content_switches.h" | 24 #include "content/public/common/content_switches.h" |
23 #include "content/public/common/sandbox_linux.h" | 25 #include "content/public/common/sandbox_linux.h" |
24 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" | 26 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" |
25 | 27 |
26 namespace { | 28 namespace { |
27 | 29 |
28 void LogSandboxStarted(const std::string& sandbox_name) { | 30 void LogSandboxStarted(const std::string& sandbox_name) { |
136 if (IsRunningTSAN()) | 138 if (IsRunningTSAN()) |
137 return false; | 139 return false; |
138 // The GPU process is allowed to call InitializeSandbox() with threads for | 140 // The GPU process is allowed to call InitializeSandbox() with threads for |
139 // now, because it loads third party libraries. | 141 // now, because it loads third party libraries. |
140 if (process_type != switches::kGpuProcess) | 142 if (process_type != switches::kGpuProcess) |
141 CHECK(false) << error_message; | 143 CHECK(false) << error_message; |
142 LOG(ERROR) << error_message; | 144 LOG(ERROR) << error_message; |
143 return false; | 145 return false; |
144 } | 146 } |
145 | 147 |
148 if (linux_sandbox->HasOpenDirectories()) { | |
149 LOG(ERROR) << "InitializeSandbox() called after unexpected directries " | |
jln (very slow on Chromium)
2013/10/22 01:10:50
Let's LOG(FATAL).
Mostyn Bramley-Moore
2013/10/23 23:15:19
Done in patchset 2.
| |
150 "have been opened- the setuid sandbox may be at risk, if " | |
151 "the BPF sandbox is not running."; | |
152 } | |
153 | |
146 // Attempt to limit the future size of the address space of the process. | 154 // Attempt to limit the future size of the address space of the process. |
147 linux_sandbox->LimitAddressSpace(process_type); | 155 linux_sandbox->LimitAddressSpace(process_type); |
148 | 156 |
149 // First, try to enable seccomp-bpf. | 157 // First, try to enable seccomp-bpf. |
150 seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type); | 158 seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type); |
151 | 159 |
152 return seccomp_bpf_started; | 160 return seccomp_bpf_started; |
153 } | 161 } |
154 | 162 |
155 int LinuxSandbox::GetStatus() const { | 163 int LinuxSandbox::GetStatus() const { |
201 } | 209 } |
202 | 210 |
203 // At least "..", "." and the current thread should be present. | 211 // At least "..", "." and the current thread should be present. |
204 CHECK_LE(3UL, task_stat.st_nlink); | 212 CHECK_LE(3UL, task_stat.st_nlink); |
205 // Counting threads via /proc/self/task could be racy. For the purpose of | 213 // Counting threads via /proc/self/task could be racy. For the purpose of |
206 // determining if the current proces is monothreaded it works: if at any | 214 // determining if the current proces is monothreaded it works: if at any |
207 // time it becomes monothreaded, it'll stay so. | 215 // time it becomes monothreaded, it'll stay so. |
208 return task_stat.st_nlink == 3; | 216 return task_stat.st_nlink == 3; |
209 } | 217 } |
210 | 218 |
219 bool LinuxSandbox::HasOpenDirectories() const { | |
220 short num_dirs = 0; | |
221 | |
222 DIR* fd_dir = NULL; | |
jln (very slow on Chromium)
2013/10/22 01:10:50
It's too dangerous and error-prone to make sure th
Mostyn Bramley-Moore
2013/10/23 23:15:19
Done in patchset 2.
| |
223 int fd_fd; | |
224 | |
225 if (proc_fd_ >= 0) { | |
226 fd_fd = openat(proc_fd_, "self/fd", O_RDONLY|O_DIRECTORY); | |
227 } | |
jln (very slow on Chromium)
2013/10/22 01:10:50
style: else on the same line.
Mostyn Bramley-Moore
2013/10/23 23:15:19
Done.
| |
228 else { | |
229 fd_fd = open("/proc/self/fd", O_RDONLY|O_DIRECTORY); | |
230 } | |
231 fd_dir = fdopendir(fd_fd); | |
jln (very slow on Chromium)
2013/10/22 01:10:50
Declare fd_dir only here as needed. Add a comment
Mostyn Bramley-Moore
2013/10/23 23:15:19
The OpenDirDeleter code should take care of this.
| |
232 if (!fd_dir) { | |
jln (very slow on Chromium)
2013/10/22 01:10:50
Add a #if !DEFINED(NDEBUG) ... CHECK(fd_dir) above
Mostyn Bramley-Moore
2013/10/23 23:15:19
I ended up using this in a few places, so I create
| |
233 // We're unable to find the real answer, guess false. | |
234 return false; | |
235 } | |
236 | |
237 struct dirent* e = NULL; | |
238 struct stat s; | |
239 while ((e = readdir(fd_dir))) { | |
jln (very slow on Chromium)
2013/10/22 01:10:50
Please, use readdir_r, I wouldn't want to rely on
Mostyn Bramley-Moore
2013/10/23 23:15:19
Done.
| |
240 if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) | |
241 continue; | |
242 | |
243 // Skip over the /proc file descriptor. | |
244 int fd_num; | |
245 if (proc_fd_ != -1 && base::StringToInt(e->d_name, &fd_num)) { | |
246 if (fd_num == proc_fd_) | |
247 continue; | |
248 } | |
249 | |
250 if (fstatat(fd_fd, e->d_name, &s, 0) == 0) { | |
jln (very slow on Chromium)
2013/10/22 01:10:50
This is quite subtle and error prone, so please CH
Mostyn Bramley-Moore
2013/10/23 23:15:19
Done.
| |
251 if (S_ISDIR(s.st_mode)) { | |
252 num_dirs++; | |
253 // We had to open /proc/self/fd/ so we really want to check if | |
jln (very slow on Chromium)
2013/10/22 01:10:50
proc_fd_ and fd_fd should be treated the same, no
Mostyn Bramley-Moore
2013/10/22 19:10:04
Yes, except that we know fd_fd must be valid where
Mostyn Bramley-Moore
2013/10/23 23:15:19
In patchset 2 I replaced this counting logic with
| |
254 // there are more than one directory open (ignoring /proc/). | |
255 if (num_dirs > 1) { | |
256 closedir(fd_dir); | |
257 return true; | |
258 } | |
259 } | |
260 } | |
261 } | |
262 | |
263 closedir(fd_dir); | |
264 return false; | |
265 } | |
266 | |
211 bool LinuxSandbox::seccomp_bpf_started() const { | 267 bool LinuxSandbox::seccomp_bpf_started() const { |
212 return seccomp_bpf_started_; | 268 return seccomp_bpf_started_; |
213 } | 269 } |
214 | 270 |
215 sandbox::SetuidSandboxClient* | 271 sandbox::SetuidSandboxClient* |
216 LinuxSandbox::setuid_sandbox_client() const { | 272 LinuxSandbox::setuid_sandbox_client() const { |
217 return setuid_sandbox_client_.get(); | 273 return setuid_sandbox_client_.get(); |
218 } | 274 } |
219 | 275 |
220 // For seccomp-bpf, we use the SandboxSeccompBpf class. | 276 // For seccomp-bpf, we use the SandboxSeccompBpf class. |
276 void LinuxSandbox::SealSandbox() { | 332 void LinuxSandbox::SealSandbox() { |
277 if (proc_fd_ >= 0) { | 333 if (proc_fd_ >= 0) { |
278 int ret = HANDLE_EINTR(close(proc_fd_)); | 334 int ret = HANDLE_EINTR(close(proc_fd_)); |
279 CHECK_EQ(0, ret); | 335 CHECK_EQ(0, ret); |
280 proc_fd_ = -1; | 336 proc_fd_ = -1; |
281 } | 337 } |
282 } | 338 } |
283 | 339 |
284 } // namespace content | 340 } // namespace content |
285 | 341 |
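Review bot: In HasOpenDirectories() the return value of openat()/open() (new lines 226 and 229) is never checked, so a failed open hands -1 to fdopendir() and the function silently takes the "guess false" path, which fails open for a check whose whole purpose is to catch a directory descriptor that would undermine the setuid sandbox. Test the descriptor before using it and at least record the failure: `if (fd_fd < 0) { PLOG(ERROR) << "Could not open /proc/self/fd"; return false; }`. On the path where fdopendir() fails on a valid descriptor, fd_fd is also never closed. Separately, the new strcmp() calls at line 240 rely on a transitive include; add `#include <string.h>` next to the new `<dirent.h>`.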