| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/syscall_broker/broker_policy.h" | 5 #include "sandbox/linux/syscall_broker/broker_policy.h" |
| 6 | 6 |
| 7 #include <fcntl.h> | 7 #include <fcntl.h> |
| 8 #include <stdint.h> | 8 #include <stdint.h> |
| 9 #include <string.h> | 9 #include <string.h> |
| 10 | 10 |
| 11 #include <string> | 11 #include <string> |
| 12 #include <vector> | 12 #include <vector> |
| 13 | 13 |
| 14 #include "base/logging.h" | 14 #include "base/logging.h" |
| 15 #include "sandbox/linux/syscall_broker/broker_common.h" | 15 #include "sandbox/linux/syscall_broker/broker_common.h" |
| 16 | 16 |
| 17 namespace sandbox { | 17 namespace sandbox { |
| 18 namespace syscall_broker { | 18 namespace syscall_broker { |
| 19 | 19 |
| 20 namespace { | 20 BrokerPolicy::BrokerPolicy(int denied_errno, |
| 21 | 21 const std::vector<BrokerFilePermission>& permissions) |
| 22 // We maintain a list of flags that have been reviewed for "sanity" and that | 22 : denied_errno_(denied_errno), |
| 23 // we're ok to allow in the broker. | 23 permissions_(permissions), |
| 24 // I.e. here is where we wouldn't add O_RESET_FILE_SYSTEM. | 24 num_of_permissions_(permissions.size()) { |
| 25 bool IsAllowedOpenFlags(int flags) { | 25 // The spec guarantees vectors store their elements contiguously |
| 26 // First, check the access mode. | 26 // so set up a pointer to array of element so it can be used |
| 27 const int access_mode = flags & O_ACCMODE; | 27 // in async signal safe code instead of vector operations. |
| 28 if (access_mode != O_RDONLY && access_mode != O_WRONLY && | 28 if (num_of_permissions_ > 0) { |
| 29 access_mode != O_RDWR) { | 29 permissions_array_ = &permissions_[0]; |
| 30 return false; | 30 } else { |
| 31 permissions_array_ = NULL; |
| 31 } | 32 } |
| 32 | |
| 33 // We only support a 2-parameters open, so we forbid O_CREAT. | |
| 34 if (flags & O_CREAT) { | |
| 35 return false; | |
| 36 } | |
| 37 | |
| 38 // Some flags affect the behavior of the current process. We don't support | |
| 39 // them and don't allow them for now. | |
| 40 if (flags & kCurrentProcessOpenFlagsMask) | |
| 41 return false; | |
| 42 | |
| 43 // Now check that all the flags are known to us. | |
| 44 const int creation_and_status_flags = flags & ~O_ACCMODE; | |
| 45 | |
| 46 const int known_flags = O_APPEND | O_ASYNC | O_CLOEXEC | O_CREAT | O_DIRECT | | |
| 47 O_DIRECTORY | O_EXCL | O_LARGEFILE | O_NOATIME | | |
| 48 O_NOCTTY | O_NOFOLLOW | O_NONBLOCK | O_NDELAY | | |
| 49 O_SYNC | O_TRUNC; | |
| 50 | |
| 51 const int unknown_flags = ~known_flags; | |
| 52 const bool has_unknown_flags = creation_and_status_flags & unknown_flags; | |
| 53 return !has_unknown_flags; | |
| 54 } | |
| 55 | |
| 56 // Needs to be async signal safe if |file_to_open| is NULL. | |
| 57 // TODO(jln): assert signal safety. | |
| 58 bool GetFileNameInWhitelist(const std::vector<std::string>& allowed_file_names, | |
| 59 const char* requested_filename, | |
| 60 const char** file_to_open) { | |
| 61 if (file_to_open && *file_to_open) { | |
| 62 // Make sure that callers never pass a non-empty string. In case callers | |
| 63 // wrongly forget to check the return value and look at the string | |
| 64 // instead, this could catch bugs. | |
| 65 RAW_LOG(FATAL, "*file_to_open should be NULL"); | |
| 66 return false; | |
| 67 } | |
| 68 | |
| 69 // Look for |requested_filename| in |allowed_file_names|. | |
| 70 // We don't use ::find() because it takes a std::string and | |
| 71 // the conversion allocates memory. | |
| 72 for (const auto& allowed_file_name : allowed_file_names) { | |
| 73 if (strcmp(requested_filename, allowed_file_name.c_str()) == 0) { | |
| 74 if (file_to_open) | |
| 75 *file_to_open = allowed_file_name.c_str(); | |
| 76 return true; | |
| 77 } | |
| 78 } | |
| 79 return false; | |
| 80 } | |
| 81 | |
| 82 } // namespace | |
| 83 | |
| 84 BrokerPolicy::BrokerPolicy(int denied_errno, | |
| 85 const std::vector<std::string>& allowed_r_files, | |
| 86 const std::vector<std::string>& allowed_w_files) | |
| 87 : denied_errno_(denied_errno), | |
| 88 allowed_r_files_(allowed_r_files), | |
| 89 allowed_w_files_(allowed_w_files) { | |
| 90 } | 33 } |
| 91 | 34 |
| 92 BrokerPolicy::~BrokerPolicy() { | 35 BrokerPolicy::~BrokerPolicy() { |
| 93 } | 36 } |
| 94 | 37 |
| 95 // Check if calling access() should be allowed on |requested_filename| with | 38 // Check if calling access() should be allowed on |requested_filename| with |
| 96 // mode |requested_mode|. | 39 // mode |requested_mode|. |
| 97 // Note: access() being a system call to check permissions, this can get a bit | 40 // Note: access() being a system call to check permissions, this can get a bit |
| 98 // confusing. We're checking if calling access() should even be allowed with | 41 // confusing. We're checking if calling access() should even be allowed with |
| 99 // the same policy we would use for open(). | 42 // the same policy we would use for open(). |
| 100 // If |file_to_access| is not NULL, we will return the matching pointer from | 43 // If |file_to_access| is not NULL, we will return the matching pointer from |
| 101 // the whitelist. For paranoia a caller should then use |file_to_access|. See | 44 // the whitelist. For paranoia a caller should then use |file_to_access|. See |
| 102 // GetFileNameIfAllowedToOpen() for more explanation. | 45 // GetFileNameIfAllowedToOpen() for more explanation. |
| 103 // return true if calling access() on this file should be allowed, false | 46 // return true if calling access() on this file should be allowed, false |
| 104 // otherwise. | 47 // otherwise. |
| 105 // Async signal safe if and only if |file_to_access| is NULL. | 48 // Async signal safe if and only if |file_to_access| is NULL. |
| 106 bool BrokerPolicy::GetFileNameIfAllowedToAccess( | 49 bool BrokerPolicy::GetFileNameIfAllowedToAccess( |
| 107 const char* requested_filename, | 50 const char* requested_filename, |
| 108 int requested_mode, | 51 int requested_mode, |
| 109 const char** file_to_access) const { | 52 const char** file_to_access) const { |
| 110 // First, check if |requested_mode| is existence, ability to read or ability | 53 if (file_to_access && *file_to_access) { |
| 111 // to write. We do not support X_OK. | 54 // Make sure that callers never pass a non-empty string. In case callers |
| 112 if (requested_mode != F_OK && requested_mode & ~(R_OK | W_OK)) { | 55 // wrongly forget to check the return value and look at the string |
| 56 // instead, this could catch bugs. |
| 57 RAW_LOG(FATAL, "*file_to_access should be NULL"); |
| 113 return false; | 58 return false; |
| 114 } | 59 } |
| 115 switch (requested_mode) { | 60 for (size_t i = 0; i < num_of_permissions_; i++) { |
| 116 case F_OK: | 61 if (permissions_array_[i].CheckAccess(requested_filename, requested_mode, |
| 117 // We allow to check for file existence if we can either read or write. | 62 file_to_access)) { |
| 118 return GetFileNameInWhitelist( | 63 return true; |
| 119 allowed_r_files_, requested_filename, file_to_access) || | |
| 120 GetFileNameInWhitelist( | |
| 121 allowed_w_files_, requested_filename, file_to_access); | |
| 122 case R_OK: | |
| 123 return GetFileNameInWhitelist( | |
| 124 allowed_r_files_, requested_filename, file_to_access); | |
| 125 case W_OK: | |
| 126 return GetFileNameInWhitelist( | |
| 127 allowed_w_files_, requested_filename, file_to_access); | |
| 128 case R_OK | W_OK: { | |
| 129 bool allowed_for_read_and_write = | |
| 130 GetFileNameInWhitelist(allowed_r_files_, requested_filename, NULL) && | |
| 131 GetFileNameInWhitelist( | |
| 132 allowed_w_files_, requested_filename, file_to_access); | |
| 133 return allowed_for_read_and_write; | |
| 134 } | 64 } |
| 135 default: | |
| 136 return false; | |
| 137 } | 65 } |
| 66 return false; |
| 138 } | 67 } |
| 139 | 68 |
| 140 // Check if |requested_filename| can be opened with flags |requested_flags|. | 69 // Check if |requested_filename| can be opened with flags |requested_flags|. |
| 141 // If |file_to_open| is not NULL, we will return the matching pointer from the | 70 // If |file_to_open| is not NULL, we will return the matching pointer from the |
| 142 // whitelist. For paranoia, a caller should then use |file_to_open| rather | 71 // whitelist. For paranoia, a caller should then use |file_to_open| rather |
| 143 // than |requested_filename|, so that it never attempts to open an | 72 // than |requested_filename|, so that it never attempts to open an |
| 144 // attacker-controlled file name, even if an attacker managed to fool the | 73 // attacker-controlled file name, even if an attacker managed to fool the |
| 145 // string comparison mechanism. | 74 // string comparison mechanism. |
| 146 // Return true if opening should be allowed, false otherwise. | 75 // Return true if opening should be allowed, false otherwise. |
| 147 // Async signal safe if and only if |file_to_open| is NULL. | 76 // Async signal safe if and only if |file_to_open| is NULL. |
| 148 bool BrokerPolicy::GetFileNameIfAllowedToOpen(const char* requested_filename, | 77 bool BrokerPolicy::GetFileNameIfAllowedToOpen(const char* requested_filename, |
| 149 int requested_flags, | 78 int requested_flags, |
| 150 const char** file_to_open) const { | 79 const char** file_to_open, |
| 151 if (!IsAllowedOpenFlags(requested_flags)) { | 80 bool* unlink_after_open) const { |
| 81 if (file_to_open && *file_to_open) { |
| 82 // Make sure that callers never pass a non-empty string. In case callers |
| 83 // wrongly forget to check the return value and look at the string |
| 84 // instead, this could catch bugs. |
| 85 RAW_LOG(FATAL, "*file_to_open should be NULL"); |
| 152 return false; | 86 return false; |
| 153 } | 87 } |
| 154 switch (requested_flags & O_ACCMODE) { | 88 for (size_t i = 0; i < num_of_permissions_; i++) { |
| 155 case O_RDONLY: | 89 if (permissions_array_[i].CheckOpen(requested_filename, requested_flags, |
| 156 return GetFileNameInWhitelist( | 90 file_to_open, unlink_after_open)) { |
| 157 allowed_r_files_, requested_filename, file_to_open); | 91 return true; |
| 158 case O_WRONLY: | |
| 159 return GetFileNameInWhitelist( | |
| 160 allowed_w_files_, requested_filename, file_to_open); | |
| 161 case O_RDWR: { | |
| 162 bool allowed_for_read_and_write = | |
| 163 GetFileNameInWhitelist(allowed_r_files_, requested_filename, NULL) && | |
| 164 GetFileNameInWhitelist( | |
| 165 allowed_w_files_, requested_filename, file_to_open); | |
| 166 return allowed_for_read_and_write; | |
| 167 } | 92 } |
| 168 default: | |
| 169 return false; | |
| 170 } | 93 } |
| 94 return false; |
| 171 } | 95 } |
| 172 | 96 |
| 173 } // namespace syscall_broker | 97 } // namespace syscall_broker |
| 174 | 98 |
| 175 } // namespace sandbox | 99 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 761903003:
Update from https://crrev.com/306655 (Closed)
Base URL: git@github.com:domokit/mojo.git@master