Linux sandbox: move CurrentProcessHasOpenDirectories

sandbox/linux/services/credentials.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/services/credentials.h"
 
+#include <dirent.h>
 #include <errno.h>
+#include <fcntl.h>
 #include <stdio.h>
 #include <sys/capability.h>
+#include <sys/stat.h>
+#include <sys/types.h>
 #include <unistd.h>
 
 #include "base/basictypes.h"
 #include "base/bind.h"
 #include "base/logging.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/template_util.h"
 #include "base/threading/thread.h"
 
 namespace {
@@ skipping 22 matching lines @@
   inline void operator()(FILE* f) const {
     DCHECK(f);
     PCHECK(0 == fclose(f));
   }
 };
 
 // Don't use ScopedFILE in base/file_util.h since it doesn't check fclose().
 // TODO(jln): fix base/.
 typedef scoped_ptr<FILE, FILECloser> ScopedFILE;
 
+struct DIRCloser {
+  void operator()(DIR* d) const {
+    DCHECK(d);
+    PCHECK(0 == closedir(d));
+  }
+};
+
+typedef scoped_ptr<DIR, DIRCloser> ScopedDIR;
+
 COMPILE_ASSERT((base::is_same<uid_t, gid_t>::value), UidAndGidAreSameType);
 // generic_id_t can be used for either uid_t or gid_t.
 typedef uid_t generic_id_t;
 
 // Write a uid or gid mapping from |id| to |id| in |map_file|.
 bool WriteToIdMapFile(const char* map_file, generic_id_t id) {
   ScopedFILE f(fopen(map_file, "w"));
   PCHECK(f);
   const uid_t inside_id = id;
   const uid_t outside_id = id;
@@ skipping 74 matching lines @@
 }  // namespace.
 
 namespace sandbox {
 
 Credentials::Credentials() {
 }
 
 Credentials::~Credentials() {
 }
 
+bool Credentials::HasOpenDirectory(int proc_fd) {
+  int proc_self_fd = -1;
+  if (proc_fd >= 0) {
+    proc_self_fd = openat(proc_fd, "self/fd", O_DIRECTORY | O_RDONLY);
+  } else {
+    proc_self_fd = openat(AT_FDCWD, "/proc/self/fd", O_DIRECTORY | O_RDONLY);
+    if (proc_self_fd < 0) {
+      // If not available, guess false.
+      // TODO(mostynb@opera.com): add a CHECK_EQ(ENOENT, errno); Figure out what
+      // other situations are here. http://crbug.com/314985
+      return false;
+    }
+  }
+  CHECK_GE(proc_self_fd, 0);
+
+  // Ownership of proc_self_fd is transferred here, it must not be closed
+  // or modified afterwards except via dir.
+  ScopedDIR dir(fdopendir(proc_self_fd));
+  CHECK(dir);
+
+  struct dirent e;
+  struct dirent* de;
+  while (!readdir_r(dir.get(), &e, &de) && de) {
+    if (strcmp(e.d_name, ".") == 0 || strcmp(e.d_name, "..") == 0) {
+      continue;
+    }
+
+    int fd_num;
+    CHECK(base::StringToInt(e.d_name, &fd_num));
+    if (fd_num == proc_fd || fd_num == proc_self_fd) {
+      continue;
+    }
+
+    struct stat s;
+    // It's OK to use proc_self_fd here, fstatat won't modify it.
+    CHECK(fstatat(proc_self_fd, e.d_name, &s, 0) == 0);
+    if (S_ISDIR(s.st_mode)) {
+      return true;
+    }
+  }
+
+  // No open unmanaged directories found.
+  return false;
+}
+
 bool Credentials::DropAllCapabilities() {
   ScopedCap cap(cap_init());
   CHECK(cap);
   PCHECK(0 == cap_set_proc(cap.get()));
   // We never let this function fail.
   return true;
 }
 
 bool Credentials::HasAnyCapability() const {
   ScopedCap current_cap(cap_get_proc());
@@ skipping 36 matching lines @@
   DCHECK(GetRESIds(NULL, NULL));
   const char kGidMapFile[] = "/proc/self/gid_map";
   const char kUidMapFile[] = "/proc/self/uid_map";
   CHECK(WriteToIdMapFile(kGidMapFile, gid));
   CHECK(WriteToIdMapFile(kUidMapFile, uid));
   DCHECK(GetRESIds(NULL, NULL));
   return true;
 }
 
 bool Credentials::DropFileSystemAccess() {
+  // Chrooting to a safe empty dir will only be safe if no directory file
+  // descriptor is available to the process.
+  DCHECK(!HasOpenDirectory(-1));
   return ChrootToSafeEmptyDir();
 }
 
 }  // namespace sandbox.