| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" | 5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <sys/prctl.h> | 9 #include <sys/prctl.h> |
| 10 #include <sys/stat.h> | 10 #include <sys/stat.h> |
| (...skipping 12 matching lines...) Expand all Loading... |
| 23 #include "base/posix/eintr_wrapper.h" | 23 #include "base/posix/eintr_wrapper.h" |
| 24 #include "build/build_config.h" | 24 #include "build/build_config.h" |
| 25 #include "components/nacl/common/nacl_switches.h" | 25 #include "components/nacl/common/nacl_switches.h" |
| 26 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h" | 26 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h" |
| 27 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h" | 27 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h" |
| 28 #include "content/public/common/content_switches.h" | 28 #include "content/public/common/content_switches.h" |
| 29 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 29 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 30 #include "sandbox/linux/services/credentials.h" | 30 #include "sandbox/linux/services/credentials.h" |
| 31 #include "sandbox/linux/services/namespace_sandbox.h" | 31 #include "sandbox/linux/services/namespace_sandbox.h" |
| 32 #include "sandbox/linux/services/proc_util.h" | 32 #include "sandbox/linux/services/proc_util.h" |
| 33 #include "sandbox/linux/services/resource_limits.h" | |
| 34 #include "sandbox/linux/services/thread_helpers.h" | 33 #include "sandbox/linux/services/thread_helpers.h" |
| 35 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" | 34 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" |
| 36 | 35 |
| 36 #if !defined(OS_NACL_NONSFI) |
| 37 #include "sandbox/linux/services/resource_limits.h" |
| 38 #endif |
| 39 |
| 37 namespace nacl { | 40 namespace nacl { |
| 38 | 41 |
| 39 namespace { | 42 namespace { |
| 40 | 43 |
| 41 // This is a poor man's check on whether we are sandboxed. | 44 // This is a poor man's check on whether we are sandboxed. |
| 42 bool IsSandboxed() { | 45 bool IsSandboxed() { |
| 43 int proc_fd = open("/proc/self/exe", O_RDONLY); | 46 int proc_fd = open("/proc/self/exe", O_RDONLY); |
| 44 if (proc_fd >= 0) { | 47 if (proc_fd >= 0) { |
| 45 PCHECK(0 == IGNORE_EINTR(close(proc_fd))); | 48 PCHECK(0 == IGNORE_EINTR(close(proc_fd))); |
| 46 return false; | 49 return false; |
| 47 } | 50 } |
| 48 return true; | 51 return true; |
| 49 } | 52 } |
| 50 | 53 |
| 51 bool MaybeSetProcessNonDumpable() { | 54 bool MaybeSetProcessNonDumpable() { |
| 52 const base::CommandLine& command_line = | 55 const base::CommandLine& command_line = |
| 53 *base::CommandLine::ForCurrentProcess(); | 56 *base::CommandLine::ForCurrentProcess(); |
| 54 if (command_line.HasSwitch(switches::kAllowSandboxDebugging)) { | 57 if (command_line.HasSwitch(switches::kAllowSandboxDebugging)) { |
| 55 return true; | 58 return true; |
| 56 } | 59 } |
| 57 | 60 |
| 58 if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) { | 61 if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) { |
| 59 PLOG(ERROR) << "Failed to set non-dumpable flag"; | 62 PLOG(ERROR) << "Failed to set non-dumpable flag"; |
| 60 return false; | 63 return false; |
| 61 } | 64 } |
| 62 | 65 |
| 63 return prctl(PR_GET_DUMPABLE) == 0; | 66 return prctl(PR_GET_DUMPABLE) == 0; |
| 64 } | 67 } |
| 65 | 68 |
| 69 #if !defined(OS_NACL_NONSFI) |
| 70 // Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi. |
| 71 // This function is used only in InitializeLayerTwoSandbox(). |
| 72 // TODO(hidehiko): Enable the sandbox. |
| 66 void RestrictAddressSpaceUsage() { | 73 void RestrictAddressSpaceUsage() { |
| 67 #if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \ | 74 #if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \ |
| 68 defined(THREAD_SANITIZER) | 75 defined(THREAD_SANITIZER) |
| 69 // Sanitizers need to reserve huge chunks of the address space. | 76 // Sanitizers need to reserve huge chunks of the address space. |
| 70 return; | 77 return; |
| 71 #endif | 78 #endif |
| 72 | 79 |
| 73 // Add a limit to the brk() heap that would prevent allocations that can't be | 80 // Add a limit to the brk() heap that would prevent allocations that can't be |
| 74 // indexed by an int. This helps working around typical security bugs. | 81 // indexed by an int. This helps working around typical security bugs. |
| 75 // This could almost certainly be set to zero. GLibc's allocator and others | 82 // This could almost certainly be set to zero. GLibc's allocator and others |
| (...skipping 10 matching lines...) Expand all Loading... |
| 86 // | 93 // |
| 87 // Set the limit to 128 GB and have some margin. | 94 // Set the limit to 128 GB and have some margin. |
| 88 const rlim_t kNewAddressSpaceLimit = 1UL << 37; | 95 const rlim_t kNewAddressSpaceLimit = 1UL << 37; |
| 89 #else | 96 #else |
| 90 // Some architectures such as X86 allow 32 bits processes to switch to 64 | 97 // Some architectures such as X86 allow 32 bits processes to switch to 64 |
| 91 // bits when running under 64 bits kernels. Set a limit in case this happens. | 98 // bits when running under 64 bits kernels. Set a limit in case this happens. |
| 92 const rlim_t kNewAddressSpaceLimit = std::numeric_limits<uint32_t>::max(); | 99 const rlim_t kNewAddressSpaceLimit = std::numeric_limits<uint32_t>::max(); |
| 93 #endif | 100 #endif |
| 94 CHECK(sandbox::ResourceLimits::Lower(RLIMIT_AS, kNewAddressSpaceLimit)); | 101 CHECK(sandbox::ResourceLimits::Lower(RLIMIT_AS, kNewAddressSpaceLimit)); |
| 95 } | 102 } |
| 103 #endif // !OS_NACL_NONSFI |
| 96 | 104 |
| 97 } // namespace | 105 } // namespace |
| 98 | 106 |
| 99 NaClSandbox::NaClSandbox() | 107 NaClSandbox::NaClSandbox() |
| 100 : layer_one_enabled_(false), | 108 : layer_one_enabled_(false), |
| 101 layer_one_sealed_(false), | 109 layer_one_sealed_(false), |
| 102 layer_two_enabled_(false), | 110 layer_two_enabled_(false), |
| 103 layer_two_is_nonsfi_(false), | 111 layer_two_is_nonsfi_(false), |
| 104 proc_fd_(-1), | 112 proc_fd_(-1), |
| 105 setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) { | 113 setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) { |
| (...skipping 24 matching lines...) Expand all Loading... |
| 130 | 138 |
| 131 // Make sure that no directory file descriptor is open, as it would bypass | 139 // Make sure that no directory file descriptor is open, as it would bypass |
| 132 // the setuid sandbox model. | 140 // the setuid sandbox model. |
| 133 CHECK(!HasOpenDirectory()); | 141 CHECK(!HasOpenDirectory()); |
| 134 | 142 |
| 135 // Get sandboxed. | 143 // Get sandboxed. |
| 136 CHECK(setuid_sandbox_client_->ChrootMe()); | 144 CHECK(setuid_sandbox_client_->ChrootMe()); |
| 137 CHECK(MaybeSetProcessNonDumpable()); | 145 CHECK(MaybeSetProcessNonDumpable()); |
| 138 CHECK(IsSandboxed()); | 146 CHECK(IsSandboxed()); |
| 139 layer_one_enabled_ = true; | 147 layer_one_enabled_ = true; |
| 140 } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) { | 148 } |
| 149 // Currently namespace sandbox is not yet supported on nacl_helper_nonsfi. |
| 150 // TODO(hidehiko): Enable the sandbox. |
| 151 #if !defined(OS_NACL_NONSFI) |
| 152 else if (sandbox::NamespaceSandbox::InNewUserNamespace()) { |
| 141 CHECK(sandbox::Credentials::MoveToNewUserNS()); | 153 CHECK(sandbox::Credentials::MoveToNewUserNS()); |
| 142 // This relies on SealLayerOneSandbox() to be called later since this | 154 // This relies on SealLayerOneSandbox() to be called later since this |
| 143 // class is keeping a file descriptor to /proc/. | 155 // class is keeping a file descriptor to /proc/. |
| 144 CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_.get())); | 156 CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_.get())); |
| 145 CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd_.get())); | 157 CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd_.get())); |
| 146 CHECK(IsSandboxed()); | 158 CHECK(IsSandboxed()); |
| 147 layer_one_enabled_ = true; | 159 layer_one_enabled_ = true; |
| 148 } | 160 } |
| 161 #endif // !OS_NACL_NONSFI |
| 149 } | 162 } |
| 150 | 163 |
| 164 #if !defined(OS_NACL_NONSFI) |
| 165 // Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi. |
| 166 // TODO(hidehiko): Enable the sandbox. |
| 167 // Note that CheckForExpectedNumberOfOpenFds() is just referred from |
| 168 // InitializeLayerTwoSandbox(). Enable them together. |
| 151 void NaClSandbox::CheckForExpectedNumberOfOpenFds() { | 169 void NaClSandbox::CheckForExpectedNumberOfOpenFds() { |
| 152 // We expect to have the following FDs open: | 170 // We expect to have the following FDs open: |
| 153 // 1-3) stdin, stdout, stderr. | 171 // 1-3) stdin, stdout, stderr. |
| 154 // 4) The /dev/urandom FD used by base::GetUrandomFD(). | 172 // 4) The /dev/urandom FD used by base::GetUrandomFD(). |
| 155 // 5) A dummy pipe FD used to overwrite kSandboxIPCChannel. | 173 // 5) A dummy pipe FD used to overwrite kSandboxIPCChannel. |
| 156 // 6) The socket for the Chrome IPC channel that's connected to the | 174 // 6) The socket for the Chrome IPC channel that's connected to the |
| 157 // browser process, kPrimaryIPCChannel. | 175 // browser process, kPrimaryIPCChannel. |
| 158 // We also have an fd for /proc (proc_fd_), but CountOpenFds excludes this. | 176 // We also have an fd for /proc (proc_fd_), but CountOpenFds excludes this. |
| 159 // | 177 // |
| 160 // This sanity check ensures that dynamically loaded libraries don't | 178 // This sanity check ensures that dynamically loaded libraries don't |
| (...skipping 20 matching lines...) Expand all Loading... |
| 181 // Pass proc_fd_ ownership to the BPF sandbox, which guarantees it will | 199 // Pass proc_fd_ ownership to the BPF sandbox, which guarantees it will |
| 182 // be closed. There is no point in keeping it around since the BPF policy | 200 // be closed. There is no point in keeping it around since the BPF policy |
| 183 // will prevent its usage. | 201 // will prevent its usage. |
| 184 if (uses_nonsfi_mode) { | 202 if (uses_nonsfi_mode) { |
| 185 layer_two_enabled_ = nacl::nonsfi::InitializeBPFSandbox(proc_fd_.Pass()); | 203 layer_two_enabled_ = nacl::nonsfi::InitializeBPFSandbox(proc_fd_.Pass()); |
| 186 layer_two_is_nonsfi_ = true; | 204 layer_two_is_nonsfi_ = true; |
| 187 } else { | 205 } else { |
| 188 layer_two_enabled_ = nacl::InitializeBPFSandbox(proc_fd_.Pass()); | 206 layer_two_enabled_ = nacl::InitializeBPFSandbox(proc_fd_.Pass()); |
| 189 } | 207 } |
| 190 } | 208 } |
| 209 #endif // OS_NACL_NONSFI |
| 191 | 210 |
| 192 void NaClSandbox::SealLayerOneSandbox() { | 211 void NaClSandbox::SealLayerOneSandbox() { |
| 193 if (proc_fd_.is_valid() && !layer_two_enabled_) { | 212 if (proc_fd_.is_valid() && !layer_two_enabled_) { |
| 194 // If nothing prevents us, check that there is no superfluous directory | 213 // If nothing prevents us, check that there is no superfluous directory |
| 195 // open. | 214 // open. |
| 196 CHECK(!HasOpenDirectory()); | 215 CHECK(!HasOpenDirectory()); |
| 197 } | 216 } |
| 198 proc_fd_.reset(); | 217 proc_fd_.reset(); |
| 199 layer_one_sealed_ = true; | 218 layer_one_sealed_ = true; |
| 200 } | 219 } |
| (...skipping 11 matching lines...) Expand all Loading... |
| 212 | 231 |
| 213 if (!layer_one_enabled_ || !layer_one_sealed_) { | 232 if (!layer_one_enabled_ || !layer_one_sealed_) { |
| 214 static const char kNoSuidMsg[] = | 233 static const char kNoSuidMsg[] = |
| 215 "The SUID sandbox is not engaged for NaCl:"; | 234 "The SUID sandbox is not engaged for NaCl:"; |
| 216 if (can_be_no_sandbox) | 235 if (can_be_no_sandbox) |
| 217 LOG(ERROR) << kNoSuidMsg << kItIsDangerousMsg; | 236 LOG(ERROR) << kNoSuidMsg << kItIsDangerousMsg; |
| 218 else | 237 else |
| 219 LOG(FATAL) << kNoSuidMsg << kItIsNotAllowedMsg; | 238 LOG(FATAL) << kNoSuidMsg << kItIsNotAllowedMsg; |
| 220 } | 239 } |
| 221 | 240 |
| 241 #if !defined(OS_NACL_NONSFI) |
| 242 // Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi. |
| 243 // TODO(hidehiko): Enable the sandbox. |
| 222 if (!layer_two_enabled_) { | 244 if (!layer_two_enabled_) { |
| 223 static const char kNoBpfMsg[] = | 245 static const char kNoBpfMsg[] = |
| 224 "The seccomp-bpf sandbox is not engaged for NaCl:"; | 246 "The seccomp-bpf sandbox is not engaged for NaCl:"; |
| 225 if (can_be_no_sandbox) | 247 if (can_be_no_sandbox) |
| 226 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg; | 248 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg; |
| 227 else | 249 else |
| 228 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg; | 250 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg; |
| 229 } | 251 } |
| 252 #endif |
| 230 } | 253 } |
| 231 | 254 |
| 232 } // namespace nacl | 255 } // namespace nacl |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 888903004:
Non-SFI mode:Suid sandbox. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master