add a LinuxSandbox::HasOpenDirectories() sanity check

content/common/sandbox_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include <dirent.h>
 #include <fcntl.h>
 #include <sys/resource.h>
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/types.h>
 
 #include <limits>
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/command_line.h"
 #include "base/logging.h"
 #include "base/memory/singleton.h"
 #include "base/posix/eintr_wrapper.h"
+#include "base/strings/string_number_conversions.h"
 #include "base/time/time.h"
 #include "content/common/sandbox_linux.h"
 #include "content/common/sandbox_seccomp_bpf_linux.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/sandbox_linux.h"
 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
 
 namespace {
 
 void LogSandboxStarted(const std::string& sandbox_name) {
@@ skipping 24 matching lines @@
 }
 
 bool IsRunningTSAN() {
 #if defined(THREAD_SANITIZER)
   return true;
 #else
   return false;
 #endif
 }
 
+struct DIRDeleter {
+  void operator()(DIR* d) {
+    CHECK(closedir(d) == 0);

[jln (very slow on Chromium), 2013/11/02 00:10:56]

You can even use PCHECK().

[Mostyn Bramley-Moore, 2013/11/02 07:30:07]

Done.

+  }
+};
+
 }  // namespace
 
 namespace content {
 
 LinuxSandbox::LinuxSandbox()
     : proc_fd_(-1),
       seccomp_bpf_started_(false),
       pre_initialized_(false),
+      sealed_(false),
       seccomp_bpf_supported_(false),
       setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) {
   if (setuid_sandbox_client_ == NULL) {
     LOG(FATAL) << "Failed to instantiate the setuid sandbox client.";
   }
 }
 
 LinuxSandbox::~LinuxSandbox() {
 }
 
 LinuxSandbox* LinuxSandbox::GetInstance() {
   LinuxSandbox* instance = Singleton<LinuxSandbox>::get();
   CHECK(instance);
   return instance;
 }
 
 #if defined(ADDRESS_SANITIZER) && defined(OS_LINUX)
 // ASan API call to notify the tool the sandbox is going to be turned on.
 extern "C" void __sanitizer_sandbox_on_notify(void *reserved);
 #endif
 
 void LinuxSandbox::PreinitializeSandbox() {
   CHECK(!pre_initialized_);
+  CHECK(!sealed_);
   seccomp_bpf_supported_ = false;
 #if defined(ADDRESS_SANITIZER) && defined(OS_LINUX)
   // ASan needs to open some resources before the sandbox is enabled.
   // This should not fork, not launch threads, not open a directory.
   __sanitizer_sandbox_on_notify(/*reserved*/NULL);
 #endif
 
 #if !defined(NDEBUG)
   // Open proc_fd_ only in Debug mode so that forgetting to close it doesn't
   // produce a sandbox escape in Release mode.
   proc_fd_ = open("/proc", O_DIRECTORY | O_RDONLY);
   CHECK_GE(proc_fd_, 0);
 #endif  // !defined(NDEBUG)
   // We "pre-warm" the code that detects supports for seccomp BPF.
   if (SandboxSeccompBpf::IsSeccompBpfDesired()) {
     if (!SandboxSeccompBpf::SupportsSandbox()) {
       VLOG(1) << "Lacking support for seccomp-bpf sandbox.";
     } else {
       seccomp_bpf_supported_ = true;
     }
   }
   pre_initialized_ = true;
 }
 
 bool LinuxSandbox::InitializeSandbox() {
   bool seccomp_bpf_started = false;
   LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
+  CHECK(!linux_sandbox->sealed_);
   // We need to make absolutely sure that our sandbox is "sealed" before
   // InitializeSandbox does exit.
   base::ScopedClosureRunner sandbox_sealer(
       base::Bind(&LinuxSandbox::SealSandbox, base::Unretained(linux_sandbox)));
   const std::string process_type =
       CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
           switches::kProcessType);
 
   // No matter what, it's always an error to call InitializeSandbox() after
   // threads have been created.
   if (!linux_sandbox->IsSingleThreaded()) {
     std::string error_message = "InitializeSandbox() called with multiple "
                                 "threads in process " + process_type;
     // TSAN starts a helper thread. So we don't start the sandbox and don't
     // even report an error about it.
     if (IsRunningTSAN())
       return false;
     // The GPU process is allowed to call InitializeSandbox() with threads for
     // now, because it loads third party libraries.
     if (process_type != switches::kGpuProcess)
       CHECK(false) << error_message;
     LOG(ERROR) << error_message;
     return false;
   }
 
+  if (linux_sandbox->HasOpenDirectories()) {
+    LOG(FATAL) << "InitializeSandbox() called after unexpected directories "
+                  "have been opened- the setuid sandbox may be at risk, if "

[jln (very slow on Chromium), 2013/11/02 00:10:56]

I would drop the detail about the BPF sandbox and just say something simple like
"This breaks the security of the setuid sandbox".

[Mostyn Bramley-Moore, 2013/11/02 07:30:07]

Done.

+                  "the BPF sandbox is not running.";
+  }
+
   // Attempt to limit the future size of the address space of the process.
   linux_sandbox->LimitAddressSpace(process_type);
 
   // First, try to enable seccomp-bpf.
   seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type);
 
   return seccomp_bpf_started;
 }
 
 int LinuxSandbox::GetStatus() const {
@@ skipping 45 matching lines @@
   }
 
   // At least "..", "." and the current thread should be present.
   CHECK_LE(3UL, task_stat.st_nlink);
   // Counting threads via /proc/self/task could be racy. For the purpose of
   // determining if the current proces is monothreaded it works: if at any
   // time it becomes monothreaded, it'll stay so.
   return task_stat.st_nlink == 3;
 }
 
+bool LinuxSandbox::HasOpenDirectories() {
+  CHECK(!sealed_);
+
+  int proc_self_fd = -1;
+  if (proc_fd_ >= 0) {
+    proc_self_fd = openat(proc_fd_, "self/fd", O_DIRECTORY | O_RDONLY);
+  } else {
+    proc_self_fd = openat(AT_FDCWD, "/proc/self/fd", O_DIRECTORY | O_RDONLY);
+    if ((proc_self_fd < 0) && errno == ENOENT) {
+      // Guess false.
+      return false;
+    }
+  }
+  CHECK_GE(proc_self_fd, 0);
+
+  // Ownership of proc_self_fd is transferred here, it must not be closed
+  // or modified afterwards except via dir.
+  scoped_ptr<DIR, DIRDeleter> dir(fdopendir(proc_self_fd));
+  CHECK(dir);
+
+  struct dirent e;
+  struct dirent* de;
+  while (!readdir_r(dir.get(), &e, &de) && de) {
+    if (strcmp(e.d_name, ".") == 0 || strcmp(e.d_name, "..") == 0)
+      continue;
+
+    int fd_num;
+    CHECK(base::StringToInt(e.d_name, &fd_num));
+    if (fd_num == proc_fd_ || fd_num == proc_self_fd) {
+      continue;
+    }
+
+    struct stat s;
+    // It's OK to use proc_self_fd here, fstatat won't modify it.
+    CHECK(fstatat(proc_self_fd, e.d_name, &s, 0) == 0);
+    if (S_ISDIR(s.st_mode)) {
+      return true;
+    }
+  }
+
+  // No open unmanaged directories found. \o/
+  return false;
+}
+
 bool LinuxSandbox::seccomp_bpf_started() const {
   return seccomp_bpf_started_;
 }
 
 sandbox::SetuidSandboxClient*
     LinuxSandbox::setuid_sandbox_client() const {
   return setuid_sandbox_client_.get();
 }
 
 // For seccomp-bpf, we use the SandboxSeccompBpf class.
@@ skipping 54 matching lines @@
   return false;
 #endif  // !defined(ADDRESS_SANITIZER)
 }
 
 void LinuxSandbox::SealSandbox() {
   if (proc_fd_ >= 0) {
     int ret = HANDLE_EINTR(close(proc_fd_));
     CHECK_EQ(0, ret);
     proc_fd_ = -1;
   }
+  sealed_ = true;
 }
 
 }  // namespace content