OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" | 5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <fcntl.h> | 8 #include <fcntl.h> |
9 #include <sys/prctl.h> | |
9 #include <sys/stat.h> | 10 #include <sys/stat.h> |
10 #include <sys/types.h> | 11 #include <sys/types.h> |
11 #include <unistd.h> | 12 #include <unistd.h> |
12 | 13 |
13 #include "base/basictypes.h" | 14 #include "base/basictypes.h" |
14 #include "base/callback.h" | 15 #include "base/callback.h" |
15 #include "base/command_line.h" | 16 #include "base/command_line.h" |
16 #include "base/compiler_specific.h" | 17 #include "base/compiler_specific.h" |
17 #include "base/files/scoped_file.h" | 18 #include "base/files/scoped_file.h" |
18 #include "base/logging.h" | 19 #include "base/logging.h" |
19 #include "base/memory/scoped_ptr.h" | 20 #include "base/memory/scoped_ptr.h" |
20 #include "base/posix/eintr_wrapper.h" | 21 #include "base/posix/eintr_wrapper.h" |
21 #include "build/build_config.h" | 22 #include "build/build_config.h" |
22 #include "components/nacl/common/nacl_switches.h" | 23 #include "components/nacl/common/nacl_switches.h" |
23 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h" | 24 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h" |
24 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h" | 25 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h" |
26 #include "content/public/common/content_switches.h" | |
25 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 27 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
28 #include "sandbox/linux/services/credentials.h" | |
29 #include "sandbox/linux/services/namespace_sandbox.h" | |
26 #include "sandbox/linux/services/proc_util.h" | 30 #include "sandbox/linux/services/proc_util.h" |
27 #include "sandbox/linux/services/thread_helpers.h" | 31 #include "sandbox/linux/services/thread_helpers.h" |
28 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" | 32 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" |
29 | 33 |
30 namespace nacl { | 34 namespace nacl { |
31 | 35 |
32 namespace { | 36 namespace { |
33 | 37 |
34 // This is a poor man's check on whether we are sandboxed. | 38 // This is a poor man's check on whether we are sandboxed. |
35 bool IsSandboxed() { | 39 bool IsSandboxed() { |
36 int proc_fd = open("/proc/self/exe", O_RDONLY); | 40 int proc_fd = open("/proc/self/exe", O_RDONLY); |
37 if (proc_fd >= 0) { | 41 if (proc_fd >= 0) { |
38 PCHECK(0 == IGNORE_EINTR(close(proc_fd))); | 42 PCHECK(0 == IGNORE_EINTR(close(proc_fd))); |
39 return false; | 43 return false; |
40 } | 44 } |
41 return true; | 45 return true; |
42 } | 46 } |
43 | 47 |
44 // Open a new file descriptor to /proc/self/task/ by using | 48 // Open a new file descriptor to /proc/self/task/ by using |
45 // |proc_fd|. | 49 // |proc_fd|. |
46 base::ScopedFD GetProcSelfTask(int proc_fd) { | 50 base::ScopedFD GetProcSelfTask(int proc_fd) { |
47 base::ScopedFD proc_self_task(HANDLE_EINTR( | 51 base::ScopedFD proc_self_task(HANDLE_EINTR( |
48 openat(proc_fd, "self/task/", O_RDONLY | O_DIRECTORY | O_CLOEXEC))); | 52 openat(proc_fd, "self/task/", O_RDONLY | O_DIRECTORY | O_CLOEXEC))); |
49 PCHECK(proc_self_task.is_valid()); | 53 PCHECK(proc_self_task.is_valid()); |
50 return proc_self_task.Pass(); | 54 return proc_self_task.Pass(); |
51 } | 55 } |
52 | 56 |
57 bool MaybeSetProcessNonDumpable() { | |
jln (very slow on Chromium)
2015/02/06 00:37:29
Good catch. Let's split it into its own CL if you
rickyz (no longer on Chrome)
2015/02/06 01:53:18
Split this out into https://codereview.chromium.or
| |
58 const base::CommandLine& command_line = | |
59 *base::CommandLine::ForCurrentProcess(); | |
60 if (command_line.HasSwitch(switches::kAllowSandboxDebugging)) { | |
61 return true; | |
62 } | |
63 | |
64 if (prctl(PR_SET_DUMPABLE, 0) != 0) { | |
65 PLOG(ERROR) << "Failed to set non-dumpable flag"; | |
66 return false; | |
67 } | |
68 | |
69 return prctl(PR_GET_DUMPABLE) == 0; | |
70 } | |
71 | |
53 } // namespace | 72 } // namespace |
54 | 73 |
55 NaClSandbox::NaClSandbox() | 74 NaClSandbox::NaClSandbox() |
56 : layer_one_enabled_(false), | 75 : layer_one_enabled_(false), |
57 layer_one_sealed_(false), | 76 layer_one_sealed_(false), |
58 layer_two_enabled_(false), | 77 layer_two_enabled_(false), |
59 layer_two_is_nonsfi_(false), | 78 layer_two_is_nonsfi_(false), |
60 proc_fd_(-1), | 79 proc_fd_(-1), |
61 setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) { | 80 setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) { |
62 proc_fd_.reset( | 81 proc_fd_.reset( |
(...skipping 21 matching lines...) Expand all Loading... | |
84 | 103 |
85 if (setuid_sandbox_client_->IsSuidSandboxChild()) { | 104 if (setuid_sandbox_client_->IsSuidSandboxChild()) { |
86 setuid_sandbox_client_->CloseDummyFile(); | 105 setuid_sandbox_client_->CloseDummyFile(); |
87 | 106 |
88 // Make sure that no directory file descriptor is open, as it would bypass | 107 // Make sure that no directory file descriptor is open, as it would bypass |
89 // the setuid sandbox model. | 108 // the setuid sandbox model. |
90 CHECK(!HasOpenDirectory()); | 109 CHECK(!HasOpenDirectory()); |
91 | 110 |
92 // Get sandboxed. | 111 // Get sandboxed. |
93 CHECK(setuid_sandbox_client_->ChrootMe()); | 112 CHECK(setuid_sandbox_client_->ChrootMe()); |
113 CHECK(MaybeSetProcessNonDumpable()); | |
114 CHECK(IsSandboxed()); | |
115 layer_one_enabled_ = true; | |
116 } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) { | |
117 CHECK(sandbox::Credentials::MoveToNewUserNS()); | |
118 CHECK(sandbox::Credentials::DropFileSystemAccess()); | |
119 CHECK(sandbox::Credentials::DropAllCapabilities()); | |
120 | |
121 // This needs to happen after moving to a new user NS, since doing so | |
122 // involves writing the UID/GID map. | |
123 CHECK(MaybeSetProcessNonDumpable()); | |
94 CHECK(IsSandboxed()); | 124 CHECK(IsSandboxed()); |
95 layer_one_enabled_ = true; | 125 layer_one_enabled_ = true; |
96 } | 126 } |
97 } | 127 } |
98 | 128 |
99 void NaClSandbox::CheckForExpectedNumberOfOpenFds() { | 129 void NaClSandbox::CheckForExpectedNumberOfOpenFds() { |
100 if (setuid_sandbox_client_->IsSuidSandboxChild()) { | 130 if (setuid_sandbox_client_->IsSuidSandboxChild()) { |
101 // We expect to have the following FDs open: | 131 // We expect to have the following FDs open: |
102 // 1-3) stdin, stdout, stderr. | 132 // 1-3) stdin, stdout, stderr. |
103 // 4) The /dev/urandom FD used by base::GetUrandomFD(). | 133 // 4) The /dev/urandom FD used by base::GetUrandomFD(). |
104 // 5) A dummy pipe FD used to overwrite kSandboxIPCChannel. | 134 // 5) A dummy pipe FD used to overwrite kSandboxIPCChannel. |
105 // 6) The socket created by the SUID sandbox helper, used by ChrootMe(). | 135 // 6) The socket created by the SUID sandbox helper, used by ChrootMe(). |
106 // After ChrootMe(), this is no longer connected to anything. | 136 // After ChrootMe(), this is no longer connected to anything. |
107 // (Only present when running under the SUID sandbox.) | 137 // (Only present when running under the SUID sandbox.) |
108 // 7) The socket for the Chrome IPC channel that's connected to the | 138 // 7) The socket for the Chrome IPC channel that's connected to the |
109 // browser process, kPrimaryIPCChannel. | 139 // browser process, kPrimaryIPCChannel. |
110 // | 140 // |
111 // This sanity check ensures that dynamically loaded libraries don't | 141 // This sanity check ensures that dynamically loaded libraries don't |
112 // leave any FDs open before we enable the sandbox. | 142 // leave any FDs open before we enable the sandbox. |
113 CHECK_EQ(7, sandbox::ProcUtil::CountOpenFds(proc_fd_.get())); | 143 CHECK_EQ(7, sandbox::ProcUtil::CountOpenFds(proc_fd_.get())); |
144 } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) { | |
145 // Same as above, except minus the SUID sandbox helper FD. | |
146 CHECK_EQ(6, sandbox::ProcUtil::CountOpenFds(proc_fd_.get())); | |
jln (very slow on Chromium)
2015/02/06 00:37:29
Maybe symbolize that count and -1/+1 it?
rickyz (no longer on Chrome)
2015/02/06 01:53:18
Done.
| |
114 } | 147 } |
115 } | 148 } |
116 | 149 |
117 void NaClSandbox::InitializeLayerTwoSandbox(bool uses_nonsfi_mode) { | 150 void NaClSandbox::InitializeLayerTwoSandbox(bool uses_nonsfi_mode) { |
118 // seccomp-bpf only applies to the current thread, so it's critical to only | 151 // seccomp-bpf only applies to the current thread, so it's critical to only |
119 // have a single thread running here. | 152 // have a single thread running here. |
120 DCHECK(!layer_one_sealed_); | 153 DCHECK(!layer_one_sealed_); |
121 CHECK(IsSingleThreaded()); | 154 CHECK(IsSingleThreaded()); |
122 CheckForExpectedNumberOfOpenFds(); | 155 CheckForExpectedNumberOfOpenFds(); |
123 | 156 |
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
166 static const char kNoBpfMsg[] = | 199 static const char kNoBpfMsg[] = |
167 "The seccomp-bpf sandbox is not engaged for NaCl:"; | 200 "The seccomp-bpf sandbox is not engaged for NaCl:"; |
168 if (can_be_no_sandbox) | 201 if (can_be_no_sandbox) |
169 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg; | 202 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg; |
170 else | 203 else |
171 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg; | 204 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg; |
172 } | 205 } |
173 } | 206 } |
174 | 207 |
175 } // namespace nacl | 208 } // namespace nacl |
OLD | NEW |