| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/syscall_broker/broker_host.h" | 5 #include "sandbox/linux/syscall_broker/broker_host.h" |
| 6 | 6 |
| 7 #include <fcntl.h> | 7 #include <fcntl.h> |
| 8 #include <sys/socket.h> | 8 #include <sys/socket.h> |
| 9 #include <sys/stat.h> | 9 #include <sys/stat.h> |
| 10 #include <sys/syscall.h> | 10 #include <sys/syscall.h> |
| 31 namespace { | 31 namespace { |
| 32 | 32 |
| 33 bool IsRunningOnValgrind() { | 33 bool IsRunningOnValgrind() { |
| 34 return RUNNING_ON_VALGRIND; | 34 return RUNNING_ON_VALGRIND; |
| 35 } | 35 } |
| 36 | 36 |
| 37 // A little open(2) wrapper to handle some oddities for us. In the general case | 37 // A little open(2) wrapper to handle some oddities for us. In the general case |
| 38 // make a direct system call since we want to keep in control of the broker | 38 // make a direct system call since we want to keep in control of the broker |
| 39 // process' system calls profile to be able to loosely sandbox it. | 39 // process' system calls profile to be able to loosely sandbox it. |
| 40 int sys_open(const char* pathname, int flags) { | 40 int sys_open(const char* pathname, int flags) { |
| 41 // Always pass a defined |mode| in case flags mistakenly contains O_CREAT. | 41 // Hardcode mode to rw------- when creating files. |
| 42 const int mode = 0; | 42 int mode; |
| 43 if (flags & O_CREAT) | |
| 44 mode = 0600; | |
| 45 else | |
| 46 mode = 0; | |
| 43 if (IsRunningOnValgrind()) { | 47 if (IsRunningOnValgrind()) { |
| 44 // Valgrind does not support AT_FDCWD, just use libc's open() in this case. | 48 // Valgrind does not support AT_FDCWD, just use libc's open() in this case. |
| 45 return open(pathname, flags, mode); | 49 return open(pathname, flags, mode); |
| 46 } else { | 50 } else { |
| 47 return syscall(__NR_openat, AT_FDCWD, pathname, flags, mode); | 51 return syscall(__NR_openat, AT_FDCWD, pathname, flags, mode); |
| 48 } | 52 } |
| 49 } | 53 } |
| 50 | 54 |
| 51 // Open |requested_filename| with |flags| if allowed by our policy. | 55 // Open |requested_filename| with |flags| if allowed by our policy. |
| 52 // Write the syscall return value (-errno) to |write_pickle| and append | 56 // Write the syscall return value (-errno) to |write_pickle| and append |
| 53 // a file descriptor to |opened_files| if relevant. | 57 // a file descriptor to |opened_files| if relevant. |
| 54 void OpenFileForIPC(const BrokerPolicy& policy, | 58 void OpenFileForIPC(const BrokerPolicy& policy, |
| 55 const std::string& requested_filename, | 59 const std::string& requested_filename, |
| 56 int flags, | 60 int flags, |
| 57 Pickle* write_pickle, | 61 Pickle* write_pickle, |
| 58 std::vector<int>* opened_files) { | 62 std::vector<int>* opened_files) { |
| 59 DCHECK(write_pickle); | 63 DCHECK(write_pickle); |
| 60 DCHECK(opened_files); | 64 DCHECK(opened_files); |
| 61 const char* file_to_open = NULL; | 65 const char* file_to_open = NULL; |
| 66 bool unlink_after_open = false; | |
| 62 const bool safe_to_open_file = policy.GetFileNameIfAllowedToOpen( | 67 const bool safe_to_open_file = policy.GetFileNameIfAllowedToOpen( |
| 63 requested_filename.c_str(), flags, &file_to_open); | 68 requested_filename.c_str(), flags, &file_to_open, &unlink_after_open); |
|
Jorge Lucangeli Obes
2014/11/14 18:48:07
When do you think we're gonna need this? I thought
leecam
2014/11/18 21:40:54
We do allow unlink but we don't have an IPC for the
| 64 | 69 |
| 65 if (safe_to_open_file) { | 70 if (safe_to_open_file) { |
| 66 CHECK(file_to_open); | 71 CHECK(file_to_open); |
| 67 int opened_fd = sys_open(file_to_open, flags); | 72 int opened_fd = sys_open(file_to_open, flags); |
| 68 if (opened_fd < 0) { | 73 if (opened_fd < 0) { |
| 69 write_pickle->WriteInt(-errno); | 74 write_pickle->WriteInt(-errno); |
| 70 } else { | 75 } else { |
| 71 // Success. | 76 // Success. |
| 77 if (unlink_after_open) { | |
| 78 unlink(file_to_open); | |
| 79 } | |
| 72 opened_files->push_back(opened_fd); | 80 opened_files->push_back(opened_fd); |
| 73 write_pickle->WriteInt(0); | 81 write_pickle->WriteInt(0); |
| 74 } | 82 } |
| 75 } else { | 83 } else { |
| 76 write_pickle->WriteInt(-policy.denied_errno()); | 84 write_pickle->WriteInt(-policy.denied_errno()); |
| 77 } | 85 } |
| 78 } | 86 } |
| 79 | 87 |
| 80 // Perform access(2) on |requested_filename| with mode |mode| if allowed by our | 88 // Perform access(2) on |requested_filename| with mode |mode| if allowed by our |
| 81 // policy. Write the syscall return value (-errno) to |write_pickle|. | 89 // policy. Write the syscall return value (-errno) to |write_pickle|. |
| 216 NOTREACHED(); | 224 NOTREACHED(); |
| 217 } | 225 } |
| 218 | 226 |
| 219 LOG(ERROR) << "Error parsing IPC request"; | 227 LOG(ERROR) << "Error parsing IPC request"; |
| 220 return RequestStatus::FAILURE; | 228 return RequestStatus::FAILURE; |
| 221 } | 229 } |
| 222 | 230 |
| 223 } // namespace syscall_broker | 231 } // namespace syscall_broker |
| 224 | 232 |
| 225 } // namespace sandbox | 233 } // namespace sandbox |
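Review bot: The `unlink(file_to_open)` added in OpenFileForIPC's success branch (new line 78) discards its return value, so when the unlink fails the caller is still told the open succeeded with unlink-after-open semantics while the file remains on disk; at minimum `PLOG(ERROR) << "unlink failed for " << file_to_open;` or a `DPCHECK(unlink(file_to_open) == 0)` would make that visible. The unlink is also by pathname rather than tied to the descriptor just opened, so by the time it runs the path may name a different file than the one that was opened; that is inherent to a path-based unlink and the policy deciding which paths get the flag, but a short comment saying so would help the next reader. Separately, the comment above sys_open explains that it avoids libc to keep the broker's syscall profile under control, whereas the new `unlink()` call goes through libc, so it is worth confirming that is intentional for the broker's sandbox policy. The new comment at line 41, `// Hardcode mode to rw------- when creating files.`, could state the fallback too, e.g. `// Pass mode 0600 when O_CREAT is set; otherwise mode is ignored and passed as 0.`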