Chromium Code Reviews Chromium Code Reviews
Issue 24055003:
add a LinuxSandbox::HasOpenDirectories() sanity check (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <dirent.h> | |
| 5 #include <fcntl.h> | 6 #include <fcntl.h> |
| 6 #include <sys/resource.h> | 7 #include <sys/resource.h> |
| 7 #include <sys/stat.h> | 8 #include <sys/stat.h> |
| 8 #include <sys/time.h> | 9 #include <sys/time.h> |
| 9 #include <sys/types.h> | 10 #include <sys/types.h> |
| 10 | 11 |
| 11 #include <limits> | 12 #include <limits> |
| 12 | 13 |
| 13 #include "base/bind.h" | 14 #include "base/bind.h" |
| 14 #include "base/callback_helpers.h" | 15 #include "base/callback_helpers.h" |
| 15 #include "base/command_line.h" | 16 #include "base/command_line.h" |
| 16 #include "base/logging.h" | 17 #include "base/logging.h" |
| 17 #include "base/memory/singleton.h" | 18 #include "base/memory/singleton.h" |
| 18 #include "base/posix/eintr_wrapper.h" | 19 #include "base/posix/eintr_wrapper.h" |
| 20 #include "base/strings/string_number_conversions.h" | |
| 19 #include "base/time/time.h" | 21 #include "base/time/time.h" |
| 20 #include "content/common/sandbox_linux.h" | 22 #include "content/common/sandbox_linux.h" |
| 21 #include "content/common/sandbox_seccomp_bpf_linux.h" | 23 #include "content/common/sandbox_seccomp_bpf_linux.h" |
| 22 #include "content/public/common/content_switches.h" | 24 #include "content/public/common/content_switches.h" |
| 23 #include "content/public/common/sandbox_linux.h" | 25 #include "content/public/common/sandbox_linux.h" |
| 24 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" | 26 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" |
| 25 | 27 |
| 26 namespace { | 28 namespace { |
| 27 | 29 |
| 28 void LogSandboxStarted(const std::string& sandbox_name) { | 30 void LogSandboxStarted(const std::string& sandbox_name) { |
| (...skipping 24 matching lines...) Expand all Loading... | |
| 53 } | 55 } |
| 54 | 56 |
| 55 bool IsRunningTSAN() { | 57 bool IsRunningTSAN() { |
| 56 #if defined(THREAD_SANITIZER) | 58 #if defined(THREAD_SANITIZER) |
| 57 return true; | 59 return true; |
| 58 #else | 60 #else |
| 59 return false; | 61 return false; |
| 60 #endif | 62 #endif |
| 61 } | 63 } |
| 62 | 64 |
| 65 struct DIRDeleter { | |
| 66 void operator()(DIR *d) { | |
| 67 CHECK(closedir(d) == 0); | |
| 68 } | |
| 69 }; | |
| 70 | |
| 63 } // namespace | 71 } // namespace |
| 64 | 72 |
| 65 namespace content { | 73 namespace content { |
| 66 | 74 |
| 67 LinuxSandbox::LinuxSandbox() | 75 LinuxSandbox::LinuxSandbox() |
| 68 : proc_fd_(-1), | 76 : proc_fd_(-1), |
| 69 seccomp_bpf_started_(false), | 77 seccomp_bpf_started_(false), |
| 70 pre_initialized_(false), | 78 pre_initialized_(false), |
| 79 sealed_(false), | |
| 71 seccomp_bpf_supported_(false), | 80 seccomp_bpf_supported_(false), |
| 72 setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) { | 81 setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) { |
| 73 if (setuid_sandbox_client_ == NULL) { | 82 if (setuid_sandbox_client_ == NULL) { |
| 74 LOG(FATAL) << "Failed to instantiate the setuid sandbox client."; | 83 LOG(FATAL) << "Failed to instantiate the setuid sandbox client."; |
| 75 } | 84 } |
| 76 } | 85 } |
| 77 | 86 |
| 78 LinuxSandbox::~LinuxSandbox() { | 87 LinuxSandbox::~LinuxSandbox() { |
| 79 } | 88 } |
| 80 | 89 |
| 81 LinuxSandbox* LinuxSandbox::GetInstance() { | 90 LinuxSandbox* LinuxSandbox::GetInstance() { |
| 82 LinuxSandbox* instance = Singleton<LinuxSandbox>::get(); | 91 LinuxSandbox* instance = Singleton<LinuxSandbox>::get(); |
| 83 CHECK(instance); | 92 CHECK(instance); |
| 84 return instance; | 93 return instance; |
| 85 } | 94 } |
| 86 | 95 |
| 87 #if defined(ADDRESS_SANITIZER) && defined(OS_LINUX) | 96 #if defined(ADDRESS_SANITIZER) && defined(OS_LINUX) |
| 88 // ASan API call to notify the tool the sandbox is going to be turned on. | 97 // ASan API call to notify the tool the sandbox is going to be turned on. |
| 89 extern "C" void __sanitizer_sandbox_on_notify(void *reserved); | 98 extern "C" void __sanitizer_sandbox_on_notify(void *reserved); |
| 90 #endif | 99 #endif |
| 91 | 100 |
| 92 void LinuxSandbox::PreinitializeSandbox() { | 101 void LinuxSandbox::PreinitializeSandbox() { |
| 93 CHECK(!pre_initialized_); | 102 CHECK(!pre_initialized_); |
| 103 CHECK(!sealed_); | |
| 94 seccomp_bpf_supported_ = false; | 104 seccomp_bpf_supported_ = false; |
| 95 #if defined(ADDRESS_SANITIZER) && defined(OS_LINUX) | 105 #if defined(ADDRESS_SANITIZER) && defined(OS_LINUX) |
| 96 // ASan needs to open some resources before the sandbox is enabled. | 106 // ASan needs to open some resources before the sandbox is enabled. |
| 97 // This should not fork, not launch threads, not open a directory. | 107 // This should not fork, not launch threads, not open a directory. |
| 98 __sanitizer_sandbox_on_notify(/*reserved*/NULL); | 108 __sanitizer_sandbox_on_notify(/*reserved*/NULL); |
| 99 #endif | 109 #endif |
| 100 | 110 |
| 101 #if !defined(NDEBUG) | 111 OpenProc(); |
| 102 // Open proc_fd_ only in Debug mode so that forgetting to close it doesn't | 112 |
| 103 // produce a sandbox escape in Release mode. | |
| 104 proc_fd_ = open("/proc", O_DIRECTORY | O_RDONLY); | |
| 105 CHECK_GE(proc_fd_, 0); | |
| 106 #endif // !defined(NDEBUG) | |
| 107 // We "pre-warm" the code that detects supports for seccomp BPF. | 113 // We "pre-warm" the code that detects supports for seccomp BPF. |
| 108 if (SandboxSeccompBpf::IsSeccompBpfDesired()) { | 114 if (SandboxSeccompBpf::IsSeccompBpfDesired()) { |
| 109 if (!SandboxSeccompBpf::SupportsSandbox()) { | 115 if (!SandboxSeccompBpf::SupportsSandbox()) { |
| 110 VLOG(1) << "Lacking support for seccomp-bpf sandbox."; | 116 VLOG(1) << "Lacking support for seccomp-bpf sandbox."; |
| 111 } else { | 117 } else { |
| 112 seccomp_bpf_supported_ = true; | 118 seccomp_bpf_supported_ = true; |
| 113 } | 119 } |
| 114 } | 120 } |
| 115 pre_initialized_ = true; | 121 pre_initialized_ = true; |
| 116 } | 122 } |
| 117 | 123 |
| 118 bool LinuxSandbox::InitializeSandbox() { | 124 bool LinuxSandbox::InitializeSandbox() { |
| 119 bool seccomp_bpf_started = false; | 125 bool seccomp_bpf_started = false; |
| 120 LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance(); | 126 LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance(); |
| 127 CHECK(!linux_sandbox->sealed_); | |
| 121 // We need to make absolutely sure that our sandbox is "sealed" before | 128 // We need to make absolutely sure that our sandbox is "sealed" before |
| 122 // InitializeSandbox does exit. | 129 // InitializeSandbox does exit. |
| 123 base::ScopedClosureRunner sandbox_sealer( | 130 base::ScopedClosureRunner sandbox_sealer( |
| 124 base::Bind(&LinuxSandbox::SealSandbox, base::Unretained(linux_sandbox))); | 131 base::Bind(&LinuxSandbox::SealSandbox, base::Unretained(linux_sandbox))); |
| 125 const std::string process_type = | 132 const std::string process_type = |
| 126 CommandLine::ForCurrentProcess()->GetSwitchValueASCII( | 133 CommandLine::ForCurrentProcess()->GetSwitchValueASCII( |
| 127 switches::kProcessType); | 134 switches::kProcessType); |
| 128 | 135 |
| 129 // No matter what, it's always an error to call InitializeSandbox() after | 136 // No matter what, it's always an error to call InitializeSandbox() after |
| 130 // threads have been created. | 137 // threads have been created. |
| 131 if (!linux_sandbox->IsSingleThreaded()) { | 138 if (!linux_sandbox->IsSingleThreaded()) { |
| 132 std::string error_message = "InitializeSandbox() called with multiple " | 139 std::string error_message = "InitializeSandbox() called with multiple " |
| 133 "threads in process " + process_type; | 140 "threads in process " + process_type; |
| 134 // TSAN starts a helper thread. So we don't start the sandbox and don't | 141 // TSAN starts a helper thread. So we don't start the sandbox and don't |
| 135 // even report an error about it. | 142 // even report an error about it. |
| 136 if (IsRunningTSAN()) | 143 if (IsRunningTSAN()) |
| 137 return false; | 144 return false; |
| 138 // The GPU process is allowed to call InitializeSandbox() with threads for | 145 // The GPU process is allowed to call InitializeSandbox() with threads for |
| 139 // now, because it loads third party libraries. | 146 // now, because it loads third party libraries. |
| 140 if (process_type != switches::kGpuProcess) | 147 if (process_type != switches::kGpuProcess) |
| 141 CHECK(false) << error_message; | 148 CHECK(false) << error_message; |
| 142 LOG(ERROR) << error_message; | 149 LOG(ERROR) << error_message; |
| 143 return false; | 150 return false; |
| 144 } | 151 } |
| 145 | 152 |
| 153 if (linux_sandbox->HasOpenDirectories()) { | |
| 154 LOG(FATAL) << "InitializeSandbox() called after unexpected directories " | |
| 155 "have been opened- the setuid sandbox may be at risk, if " | |
| 156 "the BPF sandbox is not running."; | |
| 157 } | |
| 158 | |
| 146 // Attempt to limit the future size of the address space of the process. | 159 // Attempt to limit the future size of the address space of the process. |
| 147 linux_sandbox->LimitAddressSpace(process_type); | 160 linux_sandbox->LimitAddressSpace(process_type); |
| 148 | 161 |
| 149 // First, try to enable seccomp-bpf. | 162 // First, try to enable seccomp-bpf. |
| 150 seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type); | 163 seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type); |
| 151 | 164 |
| 152 return seccomp_bpf_started; | 165 return seccomp_bpf_started; |
| 153 } | 166 } |
| 154 | 167 |
| 155 int LinuxSandbox::GetStatus() const { | 168 int LinuxSandbox::GetStatus() const { |
| (...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 201 } | 214 } |
| 202 | 215 |
| 203 // At least "..", "." and the current thread should be present. | 216 // At least "..", "." and the current thread should be present. |
| 204 CHECK_LE(3UL, task_stat.st_nlink); | 217 CHECK_LE(3UL, task_stat.st_nlink); |
| 205 // Counting threads via /proc/self/task could be racy. For the purpose of | 218 // Counting threads via /proc/self/task could be racy. For the purpose of |
| 206 // determining if the current proces is monothreaded it works: if at any | 219 // determining if the current proces is monothreaded it works: if at any |
| 207 // time it becomes monothreaded, it'll stay so. | 220 // time it becomes monothreaded, it'll stay so. |
| 208 return task_stat.st_nlink == 3; | 221 return task_stat.st_nlink == 3; |
| 209 } | 222 } |
| 210 | 223 |
| 224 bool LinuxSandbox::OpenProc() { | |
|
jln (very slow on Chromium)
2013/11/01 18:55:37
Please, remove this.
Mostyn Bramley-Moore
2013/11/01 22:22:40
Done.
| |
| 225 CHECK(!sealed_); | |
| 226 #if !defined(NDEBUG) | |
| 227 if (proc_fd_ == -1) { | |
| 228 // Open proc_fd_ only in Debug mode so that forgetting to close it doesn't | |
| 229 // produce a sandbox escape in Release mode. | |
| 230 proc_fd_ = open("/proc", O_DIRECTORY | O_RDONLY); | |
| 231 CHECK_GE(proc_fd_, 0); | |
| 232 } | |
| 233 return true; | |
| 234 #else | |
| 235 return false; | |
| 236 #endif // !defined(NDEBUG) | |
| 237 } | |
| 238 | |
| 239 bool LinuxSandbox::HasOpenDirectories() { | |
| 240 CHECK(!sealed_); | |
| 241 if (!OpenProc()) { | |
|
jln (very slow on Chromium)
2013/11/01 18:55:37
You don't need to do the OpenProc() thing, it adds
Mostyn Bramley-Moore
2013/11/01 22:22:40
Done- I assume you mean errno == ENOENT ?
| |
| 242 // We must not be in debug mode, so guess false; | |
| 243 return false; | |
| 244 } | |
| 245 | |
| 246 int proc_self_fd = openat(proc_fd_, "self/fd", O_RDONLY|O_DIRECTORY); | |
| 247 CHECK(proc_self_fd != -1); | |
| 248 | |
| 249 // Ownership of proc_self_fd is transferred here, it must not be closed | |
| 250 // or modified afterwards except via dir. | |
| 251 DIR *dir = fdopendir(proc_self_fd); | |
|
jln (very slow on Chromium)
2013/11/01 18:55:37
Style: I don't like it but the style is T* ptr, no
Mostyn Bramley-Moore
2013/11/01 22:22:40
Done.
| |
| 252 CHECK(dir); | |
| 253 scoped_ptr<DIR, DIRDeleter> dir_fd(dir); | |
|
jln (very slow on Chromium)
2013/11/01 18:55:37
Just have directly:
scoped_ptr<DIR, DIRDeleter> d
Mostyn Bramley-Moore
2013/11/01 22:22:40
Done.
| |
| 254 | |
| 255 struct dirent e, *de; | |
|
jln (very slow on Chromium)
2013/11/01 18:55:37
Style: on two different lines
Unfortunately the st
Mostyn Bramley-Moore
2013/11/01 22:22:40
Done.
| |
| 256 while (!readdir_r(dir, &e, &de) && de) { | |
| 257 if (strcmp(e.d_name, ".") == 0 || strcmp(e.d_name, "..") == 0) | |
| 258 continue; | |
| 259 | |
| 260 int fd_num; | |
| 261 CHECK(base::StringToInt(e.d_name, &fd_num)); | |
| 262 if (fd_num == proc_fd_ || fd_num == proc_self_fd) { | |
| 263 continue; | |
| 264 } | |
| 265 | |
| 266 struct stat s; | |
| 267 // It's OK to use proc_self_fd here, fstatat won't modify it. | |
|
jln (very slow on Chromium)
2013/11/01 18:55:37
Maybe it's more readable with dirfd(dir.get()) ? Y
Mostyn Bramley-Moore
2013/11/01 22:22:40
IMO it's more obvious to people reading this code
| |
| 268 CHECK(fstatat(proc_self_fd, e.d_name, &s, 0) == 0); | |
| 269 if (S_ISDIR(s.st_mode)) { | |
| 270 return true; | |
| 271 } | |
| 272 } | |
| 273 | |
| 274 // No open unmanaged directories found. \o/ | |
| 275 return false; | |
| 276 } | |
| 277 | |
| 211 bool LinuxSandbox::seccomp_bpf_started() const { | 278 bool LinuxSandbox::seccomp_bpf_started() const { |
| 212 return seccomp_bpf_started_; | 279 return seccomp_bpf_started_; |
| 213 } | 280 } |
| 214 | 281 |
| 215 sandbox::SetuidSandboxClient* | 282 sandbox::SetuidSandboxClient* |
| 216 LinuxSandbox::setuid_sandbox_client() const { | 283 LinuxSandbox::setuid_sandbox_client() const { |
| 217 return setuid_sandbox_client_.get(); | 284 return setuid_sandbox_client_.get(); |
| 218 } | 285 } |
| 219 | 286 |
| 220 // For seccomp-bpf, we use the SandboxSeccompBpf class. | 287 // For seccomp-bpf, we use the SandboxSeccompBpf class. |
| (...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 275 return false; | 342 return false; |
| 276 #endif // !defined(ADDRESS_SANITIZER) | 343 #endif // !defined(ADDRESS_SANITIZER) |
| 277 } | 344 } |
| 278 | 345 |
| 279 void LinuxSandbox::SealSandbox() { | 346 void LinuxSandbox::SealSandbox() { |
| 280 if (proc_fd_ >= 0) { | 347 if (proc_fd_ >= 0) { |
| 281 int ret = HANDLE_EINTR(close(proc_fd_)); | 348 int ret = HANDLE_EINTR(close(proc_fd_)); |
| 282 CHECK_EQ(0, ret); | 349 CHECK_EQ(0, ret); |
| 283 proc_fd_ = -1; | 350 proc_fd_ = -1; |
| 284 } | 351 } |
| 352 sealed_ = true; | |
| 285 } | 353 } |
| 286 | 354 |
| 287 } // namespace content | 355 } // namespace content |
| 288 | 356 |
| OLD | NEW |
