sandbox/linux/services/credentials.cc - Issue 276443003: NaCl: Add sanity check for number of open FDs at startup

Side by Side Diff: sandbox/linux/services/credentials.cc

Issue 276443003: NaCl: Add sanity check for number of open FDs at startup (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 6 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "sandbox/linux/services/credentials.h"	5 #include "sandbox/linux/services/credentials.h"

6	6

7 #include <dirent.h>	7 #include <dirent.h>

8 #include <errno.h>	8 #include <errno.h>

9 #include <fcntl.h>	9 #include <fcntl.h>

10 #include <signal.h>	10 #include <signal.h>

(...skipping 155 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
166 } // namespace.	166 } // namespace.

167	167

168 namespace sandbox {	168 namespace sandbox {

169	169

170 Credentials::Credentials() {	170 Credentials::Credentials() {

171 }	171 }

172	172

173 Credentials::~Credentials() {	173 Credentials::~Credentials() {

174 }	174 }

175	175

	176 int Credentials::CountOpenFds(int proc_fd) {
	jln (very slow on Chromium) 2014/05/07 23:08:24 You could please add a unit test? Nothing fancy r You could please add a unit test? Nothing fancy required. sandboxing tests are guaranteed monothreaded, so counting fds, creating a pipe and asserting count + 2 is fine. Mark Seaborn 2014/05/09 22:02:31 Done. Show quoted text On 2014/05/07 23:08:24, jln wrote: > You could please add a unit test? > > Nothing fancy required. sandboxing tests are guaranteed monothreaded, so > counting fds, creating a pipe and asserting count + 2 is fine. Done.
	177 int proc_self_fd = openat(proc_fd, "self/fd", O_DIRECTORY \| O_RDONLY);
	jln (very slow on Chromium) 2014/05/07 23:08:24 Could you DCHECK_LE(0, proc_fd); ? Or feel free t Could you DCHECK_LE(0, proc_fd); ? Or feel free to mimic the API offered by HasOpenDirectory() and allow -1 for ease of use outside of sandboxing. Mark Seaborn 2014/05/09 22:02:31 Done. Show quoted text On 2014/05/07 23:08:24, jln wrote: > Could you DCHECK_LE(0, proc_fd); ? Done. Show quoted text > Or feel free to mimic the API offered by HasOpenDirectory() and allow -1 for > ease of use outside of sandboxing. I had started doing that before I sent the change for review, but I didn't want the error handling path (which does "If not available, guess false"), and I realised I didn't need to allow -1 anyway.
	178 PCHECK(0 <= proc_self_fd);

	179

	180 // Ownership of proc_self_fd is transferred here, it must not be closed

	181 // or modified afterwards except via dir.

	182 ScopedDIR dir(fdopendir(proc_self_fd));

	183 CHECK(dir);

	184

	185 int count = 0;

	186 struct dirent e;

	187 struct dirent* de;

	188 while (!readdir_r(dir.get(), &e, &de) && de) {

	189 if (strcmp(e.d_name, ".") == 0 \|\| strcmp(e.d_name, "..") == 0) {

	190 continue;

	191 }

	192

	193 int fd_num;

	194 CHECK(base::StringToInt(e.d_name, &fd_num));

	195 if (fd_num == proc_fd \|\| fd_num == proc_self_fd) {

	196 continue;

	197 }

	198

	199 ++count;

	200 }

	201 return count;

	202 }

	203

176 bool Credentials::HasOpenDirectory(int proc_fd) {	204 bool Credentials::HasOpenDirectory(int proc_fd) {

177 int proc_self_fd = -1;	205 int proc_self_fd = -1;

178 if (proc_fd >= 0) {	206 if (proc_fd >= 0) {

179 proc_self_fd = openat(proc_fd, "self/fd", O_DIRECTORY \| O_RDONLY);	207 proc_self_fd = openat(proc_fd, "self/fd", O_DIRECTORY \| O_RDONLY);

180 } else {	208 } else {

181 proc_self_fd = openat(AT_FDCWD, "/proc/self/fd", O_DIRECTORY \| O_RDONLY);	209 proc_self_fd = openat(AT_FDCWD, "/proc/self/fd", O_DIRECTORY \| O_RDONLY);

182 if (proc_self_fd < 0) {	210 if (proc_self_fd < 0) {

183 // If this process has been chrooted (eg into /proc/self/fdinfo) then	211 // If this process has been chrooted (eg into /proc/self/fdinfo) then

184 // the new root dir will not have directory listing permissions for us	212 // the new root dir will not have directory listing permissions for us

185 // (hence EACCES). And if we do have this permission, then /proc won't	213 // (hence EACCES). And if we do have this permission, then /proc won't

(...skipping 123 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
309 }	337 }

310	338

311 bool Credentials::DropFileSystemAccess() {	339 bool Credentials::DropFileSystemAccess() {

312 // Chrooting to a safe empty dir will only be safe if no directory file	340 // Chrooting to a safe empty dir will only be safe if no directory file

313 // descriptor is available to the process.	341 // descriptor is available to the process.

314 DCHECK(!HasOpenDirectory(-1));	342 DCHECK(!HasOpenDirectory(-1));

315 return ChrootToSafeEmptyDir();	343 return ChrootToSafeEmptyDir();

316 }	344 }

317	345

318 } // namespace sandbox.	346 } // namespace sandbox.

OLD	NEW

« components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc ('K') | « sandbox/linux/services/credentials.h ('k') | no next file » | no next file with comments »