| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" | 5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <sys/prctl.h> | 9 #include <sys/prctl.h> |
| 10 #include <sys/stat.h> | 10 #include <sys/stat.h> |
| 11 #include <sys/types.h> | 11 #include <sys/types.h> |
| 12 #include <unistd.h> | 12 #include <unistd.h> |
| 13 | 13 |
| 14 #include "base/basictypes.h" | 14 #include "base/basictypes.h" |
| 15 #include "base/callback.h" | 15 #include "base/callback.h" |
| 16 #include "base/command_line.h" | 16 #include "base/command_line.h" |
| 17 #include "base/compiler_specific.h" | 17 #include "base/compiler_specific.h" |
| 18 #include "base/files/scoped_file.h" | 18 #include "base/files/scoped_file.h" |
| 19 #include "base/logging.h" | 19 #include "base/logging.h" |
| 20 #include "base/memory/scoped_ptr.h" | 20 #include "base/memory/scoped_ptr.h" |
| 21 #include "base/posix/eintr_wrapper.h" | 21 #include "base/posix/eintr_wrapper.h" |
| 22 #include "build/build_config.h" | 22 #include "build/build_config.h" |
| 23 #include "components/nacl/common/nacl_switches.h" | 23 #include "components/nacl/common/nacl_switches.h" |
| 24 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h" | 24 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h" |
| 25 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h" | 25 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h" |
| 26 #include "content/public/common/content_switches.h" | 26 #include "content/public/common/content_switches.h" |
| 27 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 27 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 28 #include "sandbox/linux/services/credentials.h" |
| 29 #include "sandbox/linux/services/namespace_sandbox.h" |
| 28 #include "sandbox/linux/services/proc_util.h" | 30 #include "sandbox/linux/services/proc_util.h" |
| 29 #include "sandbox/linux/services/thread_helpers.h" | 31 #include "sandbox/linux/services/thread_helpers.h" |
| 30 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" | 32 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" |
| 31 | 33 |
| 32 namespace nacl { | 34 namespace nacl { |
| 33 | 35 |
| 34 namespace { | 36 namespace { |
| 35 | 37 |
| 36 // This is a poor man's check on whether we are sandboxed. | 38 // This is a poor man's check on whether we are sandboxed. |
| 37 bool IsSandboxed() { | 39 bool IsSandboxed() { |
| (...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 104 | 106 |
| 105 // Make sure that no directory file descriptor is open, as it would bypass | 107 // Make sure that no directory file descriptor is open, as it would bypass |
| 106 // the setuid sandbox model. | 108 // the setuid sandbox model. |
| 107 CHECK(!HasOpenDirectory()); | 109 CHECK(!HasOpenDirectory()); |
| 108 | 110 |
| 109 // Get sandboxed. | 111 // Get sandboxed. |
| 110 CHECK(setuid_sandbox_client_->ChrootMe()); | 112 CHECK(setuid_sandbox_client_->ChrootMe()); |
| 111 CHECK(MaybeSetProcessNonDumpable()); | 113 CHECK(MaybeSetProcessNonDumpable()); |
| 112 CHECK(IsSandboxed()); | 114 CHECK(IsSandboxed()); |
| 113 layer_one_enabled_ = true; | 115 layer_one_enabled_ = true; |
| 116 } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) { |
| 117 CHECK(sandbox::Credentials::MoveToNewUserNS()); |
| 118 CHECK(sandbox::Credentials::DropFileSystemAccess()); |
| 119 CHECK(sandbox::Credentials::DropAllCapabilities()); |
| 120 CHECK(IsSandboxed()); |
| 121 layer_one_enabled_ = true; |
| 114 } | 122 } |
| 115 } | 123 } |
| 116 | 124 |
| 117 void NaClSandbox::CheckForExpectedNumberOfOpenFds() { | 125 void NaClSandbox::CheckForExpectedNumberOfOpenFds() { |
| 126 // We expect to have the following FDs open: |
| 127 // 1-3) stdin, stdout, stderr. |
| 128 // 4) The /dev/urandom FD used by base::GetUrandomFD(). |
| 129 // 5) A dummy pipe FD used to overwrite kSandboxIPCChannel. |
| 130 // 6) The socket for the Chrome IPC channel that's connected to the |
| 131 // browser process, kPrimaryIPCChannel. |
| 132 // We also have an fd for /proc (proc_fd_), but CountOpenFds excludes this. |
| 133 // |
| 134 // This sanity check ensures that dynamically loaded libraries don't |
| 135 // leave any FDs open before we enable the sandbox. |
| 136 int expected_num_fds = 6; |
| 118 if (setuid_sandbox_client_->IsSuidSandboxChild()) { | 137 if (setuid_sandbox_client_->IsSuidSandboxChild()) { |
| 119 // We expect to have the following FDs open: | 138 // When using the setuid sandbox, there is one additional socket used for |
| 120 // 1-3) stdin, stdout, stderr. | 139 // ChrootMe(). After ChrootMe(), it is no longer connected to anything. |
| 121 // 4) The /dev/urandom FD used by base::GetUrandomFD(). | 140 ++expected_num_fds; |
| 122 // 5) A dummy pipe FD used to overwrite kSandboxIPCChannel. | |
| 123 // 6) The socket created by the SUID sandbox helper, used by ChrootMe(). | |
| 124 // After ChrootMe(), this is no longer connected to anything. | |
| 125 // (Only present when running under the SUID sandbox.) | |
| 126 // 7) The socket for the Chrome IPC channel that's connected to the | |
| 127 // browser process, kPrimaryIPCChannel. | |
| 128 // | |
| 129 // This sanity check ensures that dynamically loaded libraries don't | |
| 130 // leave any FDs open before we enable the sandbox. | |
| 131 CHECK_EQ(7, sandbox::ProcUtil::CountOpenFds(proc_fd_.get())); | |
| 132 } | 141 } |
| 142 |
| 143 CHECK_EQ(expected_num_fds, sandbox::ProcUtil::CountOpenFds(proc_fd_.get())); |
| 133 } | 144 } |
| 134 | 145 |
| 135 void NaClSandbox::InitializeLayerTwoSandbox(bool uses_nonsfi_mode) { | 146 void NaClSandbox::InitializeLayerTwoSandbox(bool uses_nonsfi_mode) { |
| 136 // seccomp-bpf only applies to the current thread, so it's critical to only | 147 // seccomp-bpf only applies to the current thread, so it's critical to only |
| 137 // have a single thread running here. | 148 // have a single thread running here. |
| 138 DCHECK(!layer_one_sealed_); | 149 DCHECK(!layer_one_sealed_); |
| 139 CHECK(IsSingleThreaded()); | 150 CHECK(IsSingleThreaded()); |
| 140 CheckForExpectedNumberOfOpenFds(); | 151 CheckForExpectedNumberOfOpenFds(); |
| 141 | 152 |
| 142 base::ScopedFD proc_self_task(GetProcSelfTask(proc_fd_.get())); | 153 base::ScopedFD proc_self_task(GetProcSelfTask(proc_fd_.get())); |
| (...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 184 static const char kNoBpfMsg[] = | 195 static const char kNoBpfMsg[] = |
| 185 "The seccomp-bpf sandbox is not engaged for NaCl:"; | 196 "The seccomp-bpf sandbox is not engaged for NaCl:"; |
| 186 if (can_be_no_sandbox) | 197 if (can_be_no_sandbox) |
| 187 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg; | 198 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg; |
| 188 else | 199 else |
| 189 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg; | 200 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg; |
| 190 } | 201 } |
| 191 } | 202 } |
| 192 | 203 |
| 193 } // namespace nacl | 204 } // namespace nacl |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 897723005:
Allow using the namespace sandbox in zygote host. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master