sandbox: Extend BrokerPolicy to support file creation

sandbox/linux/syscall_broker/broker_policy.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/syscall_broker/broker_policy.h"
 
 #include <fcntl.h>
 #include <stdint.h>
 #include <string.h>
 
 #include <string>
 #include <vector>
 
 #include "base/logging.h"
 #include "sandbox/linux/syscall_broker/broker_common.h"
 
 namespace sandbox {
 namespace syscall_broker {
 
 namespace {
 
+// Validate a path to be evaulated by this policy.
+// Async signal safe - calls: strlen
+bool ValidatePath(const char* path) {
+  if (!path)
+    return false;
+
+  size_t len = strlen(path);
+  // No empty paths
+  if (len == 0)
+    return false;
+  // Paths must be absolute and not relative
+  if (path[0] != '/')
+    return false;
+  // No trailing / (but "/" is valid)
+  if (len > 1 && path[len - 1] == '/')
+    return false;
+  // No trailing /..
+  if (len >= 3 && path[len - 3] == '/' && path[len - 2] == '.' &&
+      path[len - 1] == '.')
+    return false;
+  // No /../ anywhere
+  for (size_t i = 0; i < len; i++) {
+    if (path[i] == '/' && (len - i) > 3) {
+      if (path[i + 1] == '.' && path[i + 2] == '.' && path[i + 3] == '/') {
+        return false;
+      }
+    }
+  }
+  return true;
+}
+
 // We maintain a list of flags that have been reviewed for "sanity" and that
 // we're ok to allow in the broker.
 // I.e. here is where we wouldn't add O_RESET_FILE_SYSTEM.
-bool IsAllowedOpenFlags(int flags) {
-  // First, check the access mode.
+// Async signal safe - No external calls
+bool CheckFlags(const BrokerPermission& perm, int flags) {
+  // First, check the access mode is valid.
   const int access_mode = flags & O_ACCMODE;
   if (access_mode != O_RDONLY && access_mode != O_WRONLY &&
       access_mode != O_RDWR) {
     return false;
   }
 
-  // We only support a 2-parameters open, so we forbid O_CREAT.
-  if (flags & O_CREAT) {
+  // Check if read is allowed
+  if (!perm.allow_read && (access_mode == O_RDONLY || access_mode == O_RDWR)) {
+    return false;
+  }
+
+  // Check if write is allowed
+  if (!perm.allow_write && (access_mode == O_WRONLY || access_mode == O_RDWR)) {
+    return false;
+  }
+
+  // Check if file creation is allowed.
+  if (!perm.allow_create && (flags & O_CREAT)) {
+    return false;
+  }
+
+  // If O_CREAT is present, ensure O_EXCL
+  if ((flags & O_CREAT) && !(flags & O_EXCL)) {
+    return false;
+  }
+
+  // If this file is to be unlinked, ensure its created.
+  if (perm.unlink && !(flags & O_CREAT)) {
     return false;
   }
 
   // Some flags affect the behavior of the current process. We don't support
   // them and don't allow them for now.
-  if (flags & kCurrentProcessOpenFlagsMask)
+  if (flags & kCurrentProcessOpenFlagsMask) {
     return false;
+  }
 
   // Now check that all the flags are known to us.
   const int creation_and_status_flags = flags & ~O_ACCMODE;
 
   const int known_flags = O_APPEND | O_ASYNC | O_CLOEXEC | O_CREAT | O_DIRECT |
                           O_DIRECTORY | O_EXCL | O_LARGEFILE | O_NOATIME |
                           O_NOCTTY | O_NOFOLLOW | O_NONBLOCK | O_NDELAY |
                           O_SYNC | O_TRUNC;
 
   const int unknown_flags = ~known_flags;
   const bool has_unknown_flags = creation_and_status_flags & unknown_flags;
   return !has_unknown_flags;
 }
 
-// Needs to be async signal safe if |file_to_open| is NULL.
-// TODO(jln): assert signal safety.
-bool GetFileNameInWhitelist(const std::vector<std::string>& allowed_file_names,
-                            const char* requested_filename,
-                            const char** file_to_open) {
-  if (file_to_open && *file_to_open) {
-    // Make sure that callers never pass a non-empty string. In case callers
-    // wrongly forget to check the return value and look at the string
-    // instead, this could catch bugs.
-    RAW_LOG(FATAL, "*file_to_open should be NULL");
+// Sets the filename.
+// Async signal safe if file_to_open == NULL
+void SetFileName(const BrokerPermission& perm,
+                 const char* requested_filename,
+                 const char** file_to_open) {
+  if (file_to_open) {
+    if (perm.recursive)
+      *file_to_open = requested_filename;
+    else
+      *file_to_open = perm.path.c_str();
+  }
+}
+
+bool ValidatePermission(const BrokerPermission& perm) {
+  // Don't allow unlinking on creation without create permission
+  if (perm.unlink && !perm.allow_create)
     return false;
-  }
-
-  // Look for |requested_filename| in |allowed_file_names|.
-  // We don't use ::find() because it takes a std::string and
-  // the conversion allocates memory.
-  for (const auto& allowed_file_name : allowed_file_names) {
-    if (strcmp(requested_filename, allowed_file_name.c_str()) == 0) {
-      if (file_to_open)
-        *file_to_open = allowed_file_name.c_str();
-      return true;
-    }
-  }
-  return false;
+  // Recursive paths must have a trailing slash
+  if (perm.recursive && perm.path.back() != '/')
+    return false;
+  // Whitelisted paths must be absolute.
+  if (perm.path.front() != '/')
+    return false;
+  return true;
 }
 
 }  // namespace
 
 BrokerPolicy::BrokerPolicy(int denied_errno,
-                           const std::vector<std::string>& allowed_r_files,
-                           const std::vector<std::string>& allowed_w_files)
+                           const std::vector<BrokerPermission>& permissions)
     : denied_errno_(denied_errno),
-      allowed_r_files_(allowed_r_files),
-      allowed_w_files_(allowed_w_files) {
+      permissions_(permissions),
+      num_of_permissions_(permissions.size()) {
+  // The spec guarantees vectors store their elements contiguously
+  // so set up a pointer to array of element so it can be used
+  // in async signal safe code instead of vector operations.
+  permissions_array_ = &permissions_[0];
+  for (size_t i = 0; i < num_of_permissions_; i++) {
+    if (!ValidatePermission(permissions_array_[i])) {
+      // TODO: DIE HERE
+      // SANDBOX_DIE("Failed to Validate Broker permissions");
+    }
+  }
 }
 
 BrokerPolicy::~BrokerPolicy() {
 }
 
 // Check if calling access() should be allowed on |requested_filename| with
 // mode |requested_mode|.
 // Note: access() being a system call to check permissions, this can get a bit
 // confusing. We're checking if calling access() should even be allowed with
 // the same policy we would use for open().
 // If |file_to_access| is not NULL, we will return the matching pointer from
 // the whitelist. For paranoia a caller should then use |file_to_access|. See
 // GetFileNameIfAllowedToOpen() for more explanation.
 // return true if calling access() on this file should be allowed, false
 // otherwise.
 // Async signal safe if and only if |file_to_access| is NULL.
 bool BrokerPolicy::GetFileNameIfAllowedToAccess(
     const char* requested_filename,
     int requested_mode,
     const char** file_to_access) const {
+  if (file_to_access && *file_to_access) {
+    // Make sure that callers never pass a non-empty string. In case callers
+    // wrongly forget to check the return value and look at the string
+    // instead, this could catch bugs.
+    RAW_LOG(FATAL, "*file_to_access should be NULL");
+    return false;
+  }
+  if (!ValidatePath(requested_filename))
+    return false;
+
   // First, check if |requested_mode| is existence, ability to read or ability
   // to write. We do not support X_OK.
   if (requested_mode != F_OK && requested_mode & ~(R_OK | W_OK)) {
     return false;
   }
-  switch (requested_mode) {
-    case F_OK:
-      // We allow to check for file existence if we can either read or write.
-      return GetFileNameInWhitelist(
-                 allowed_r_files_, requested_filename, file_to_access) ||
-             GetFileNameInWhitelist(
-                 allowed_w_files_, requested_filename, file_to_access);
-    case R_OK:
-      return GetFileNameInWhitelist(
-          allowed_r_files_, requested_filename, file_to_access);
-    case W_OK:
-      return GetFileNameInWhitelist(
-          allowed_w_files_, requested_filename, file_to_access);
-    case R_OK | W_OK: {
-      bool allowed_for_read_and_write =
-          GetFileNameInWhitelist(allowed_r_files_, requested_filename, NULL) &&
-          GetFileNameInWhitelist(
-              allowed_w_files_, requested_filename, file_to_access);
-      return allowed_for_read_and_write;
+
+  for (size_t i = 0; i < num_of_permissions_; i++) {
+    const char* path = permissions_array_[i].path.c_str();
+    if ((permissions_array_[i].recursive &&
+         strncmp(requested_filename, path, strlen(path)) == 0) ||
+        strcmp(requested_filename, path) == 0) {
+      switch (requested_mode) {
+        case F_OK:
+          if (permissions_array_[i].allow_read ||
+              permissions_array_[i].allow_write) {
+            SetFileName(permissions_array_[i], requested_filename,
+                        file_to_access);
+            return true;
+          }
+          break;
+        case R_OK:
+          if (permissions_array_[i].allow_read) {
+            SetFileName(permissions_array_[i], requested_filename,
+                        file_to_access);
+            return true;
+          }
+          break;
+        case W_OK:
+          if (permissions_array_[i].allow_write) {
+            SetFileName(permissions_array_[i], requested_filename,
+                        file_to_access);
+            return true;
+          }
+          break;
+        case R_OK | W_OK:
+          if (permissions_array_[i].allow_read &&
+              permissions_array_[i].allow_write) {
+            SetFileName(permissions_array_[i], requested_filename,
+                        file_to_access);
+            return true;
+          }
+          break;
+        default:
+          return false;
+      }
+      return false;
     }
-    default:
-      return false;
   }
+  return false;
 }
 
 // Check if |requested_filename| can be opened with flags |requested_flags|.
 // If |file_to_open| is not NULL, we will return the matching pointer from the
 // whitelist. For paranoia, a caller should then use |file_to_open| rather
 // than |requested_filename|, so that it never attempts to open an
 // attacker-controlled file name, even if an attacker managed to fool the
 // string comparison mechanism.
 // Return true if opening should be allowed, false otherwise.
 // Async signal safe if and only if |file_to_open| is NULL.
 bool BrokerPolicy::GetFileNameIfAllowedToOpen(const char* requested_filename,
                                               int requested_flags,
-                                              const char** file_to_open) const {
-  if (!IsAllowedOpenFlags(requested_flags)) {
+                                              const char** file_to_open,
+                                              bool* unlink_after_open) const {
+  if (file_to_open && *file_to_open) {
+    // Make sure that callers never pass a non-empty string. In case callers
+    // wrongly forget to check the return value and look at the string
+    // instead, this could catch bugs.
+    RAW_LOG(FATAL, "*file_to_open should be NULL");
     return false;
   }
-  switch (requested_flags & O_ACCMODE) {
-    case O_RDONLY:
-      return GetFileNameInWhitelist(
-          allowed_r_files_, requested_filename, file_to_open);
-    case O_WRONLY:
-      return GetFileNameInWhitelist(
-          allowed_w_files_, requested_filename, file_to_open);
-    case O_RDWR: {
-      bool allowed_for_read_and_write =
-          GetFileNameInWhitelist(allowed_r_files_, requested_filename, NULL) &&
-          GetFileNameInWhitelist(
-              allowed_w_files_, requested_filename, file_to_open);
-      return allowed_for_read_and_write;
+  if (!ValidatePath(requested_filename))
+    return false;
+  for (size_t i = 0; i < num_of_permissions_; i++) {
+    const char* path = permissions_array_[i].path.c_str();
+    if ((permissions_array_[i].recursive &&
+         strncmp(requested_filename, path, strlen(path)) == 0) ||
+        strcmp(requested_filename, path) == 0) {
+      if (CheckFlags(permissions_array_[i], requested_flags)) {
+        SetFileName(permissions_array_[i], requested_filename, file_to_open);
+        if (unlink_after_open)
+          *unlink_after_open = permissions_array_[i].unlink;
+        return true;
+      } else {
+        return false;
+      }
     }
-    default:
-      return false;
   }
+  return false;
 }
 
 }  // namespace syscall_broker
 
 }  // namespace sandbox