Namespace sandbox: add important security checks

content/zygote/zygote_main_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/zygote/zygote_main.h"
 
 #include <dlfcn.h>
 #include <fcntl.h>
 #include <pthread.h>
 #include <signal.h>
@@ skipping 13 matching lines @@
 #include "base/pickle.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/posix/unix_domain_socket_linux.h"
 #include "base/rand_util.h"
 #include "base/strings/safe_sprintf.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/sys_info.h"
 #include "build/build_config.h"
 #include "content/common/child_process_sandbox_support_impl_linux.h"
 #include "content/common/font_config_ipc_linux.h"
+#include "content/common/sandbox_linux/sandbox_debug_handling_linux.h"
 #include "content/common/sandbox_linux/sandbox_linux.h"
 #include "content/common/zygote_commands_linux.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/main_function_params.h"
 #include "content/public/common/sandbox_linux.h"
 #include "content/public/common/zygote_fork_delegate_linux.h"
 #include "content/zygote/zygote_linux.h"
 #include "crypto/nss_util.h"
 #include "sandbox/linux/services/credentials.h"

[rickyz (no longer on Chrome), 2015/02/11 22:59:56]

Can we get rid of this include in this case?

[jln (very slow on Chromium), 2015/02/11 23:13:06]

Done.

 #include "sandbox/linux/services/init_process_reaper.h"
 #include "sandbox/linux/services/libc_urandom_override.h"
 #include "sandbox/linux/services/namespace_sandbox.h"
 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
 #include "third_party/icu/source/i18n/unicode/timezone.h"
 #include "third_party/skia/include/ports/SkFontConfigInterface.h"
 
 #if defined(OS_LINUX)
 #include <sys/prctl.h>
 #endif
@@ skipping 12 matching lines @@
 #endif
 
 #if defined(ADDRESS_SANITIZER)
 #include <sanitizer/asan_interface.h>
 #endif
 
 namespace content {
 
 namespace {
 
-void DoChrootSignalHandler(int) {
-  const int old_errno = errno;
-  const char kFirstMessage[] = "Chroot signal handler called.\n";
-  ignore_result(write(STDERR_FILENO, kFirstMessage, sizeof(kFirstMessage) - 1));
-
-  const int chroot_ret = chroot("/");
-
-  char kSecondMessage[100];
-  const ssize_t printed =
-      base::strings::SafeSPrintf(kSecondMessage,
-                                 "chroot() returned %d. Errno is %d.\n",
-                                 chroot_ret,
-                                 errno);
-  if (printed > 0 && printed < static_cast<ssize_t>(sizeof(kSecondMessage))) {
-    ignore_result(write(STDERR_FILENO, kSecondMessage, printed));
-  }
-  errno = old_errno;
-}
-
-// This is a quick hack to allow testing sandbox crash reports in production
-// binaries.
-// This installs a signal handler for SIGUSR2 that performs a chroot().
-// In most of our BPF policies, it is a "watched" system call which will
-// trigger a SIGSYS signal whose handler will crash.
-// This has been added during the investigation of https://crbug.com/415842.
-void InstallSandboxCrashTestHandler() {
-  struct sigaction act = {};
-  act.sa_handler = DoChrootSignalHandler;
-  CHECK_EQ(0, sigemptyset(&act.sa_mask));
-  act.sa_flags = 0;
-
-  PCHECK(0 == sigaction(SIGUSR2, &act, NULL));
-}
-
 void CloseFds(const std::vector<int>& fds) {
   for (const auto& it : fds) {
     PCHECK(0 == IGNORE_EINTR(close(it)));
   }
 }
 
 }  // namespace
 
 // See http://code.google.com/p/chromium/wiki/LinuxZygote
 
@@ skipping 275 matching lines @@
   // newly created process.
   const bool init_created =
       sandbox::CreateInitProcessReaper(post_fork_parent_callback);
   if (!init_created) {
     LOG(ERROR) << "Error creating an init process to reap zombies";
     return false;
   }
   return true;
 }
 
-static bool MaybeSetProcessNonDumpable() {
-  const base::CommandLine& command_line =
-      *base::CommandLine::ForCurrentProcess();
-  if (command_line.HasSwitch(switches::kAllowSandboxDebugging)) {
-    // If sandbox debugging is allowed, install a handler for sandbox-related
-    // crash testing.
-    InstallSandboxCrashTestHandler();
-    return true;
-  }
-
-  if (prctl(PR_SET_DUMPABLE, 0) != 0) {
-    PLOG(ERROR) << "Failed to set non-dumpable flag";
-    return false;
-  }
-
-  return prctl(PR_GET_DUMPABLE) == 0;
-}
-
 // Enter the setuid sandbox. This requires the current process to have been
 // created through the setuid sandbox.
 static bool EnterSuidSandbox(sandbox::SetuidSandboxClient* setuid_sandbox,
                              base::Closure* post_fork_parent_callback) {
   DCHECK(setuid_sandbox);
   DCHECK(setuid_sandbox->IsSuidSandboxChild());
 
   // Use the SUID sandbox.  This still allows the seccomp sandbox to
   // be enabled by the process later.
 
@@ skipping 14 matching lines @@
            "is not the init process. Please, make sure the SUID "
            "binary is up to date.";
   }
 
   if (getpid() == 1) {
     // The setuid sandbox has created a new PID namespace and we need
     // to assume the role of init.
     CHECK(CreateInitProcessReaper(post_fork_parent_callback));
   }
 
-  CHECK(MaybeSetProcessNonDumpable());
+  CHECK(SandboxDebugHandling::SetDumpableStatusAndHandlers());
   return true;
 }
 
-static void EnterNamespaceSandbox(base::Closure* post_fork_parent_callback) {
-  pid_t pid = getpid();
-  if (sandbox::NamespaceSandbox::InNewPidNamespace()) {
-    CHECK_EQ(1, pid);
-  }
+static void EnterNamespaceSandbox(LinuxSandbox* linux_sandbox,
+                                  base::Closure* post_fork_parent_callback) {
+  linux_sandbox->EngageNamespaceSandbox();
 
-  CHECK(sandbox::Credentials::MoveToNewUserNS());
-  CHECK(sandbox::Credentials::DropFileSystemAccess());
-  CHECK(sandbox::Credentials::DropAllCapabilities());
-
-  // This needs to happen after moving to a new user NS, since doing so involves
-  // writing the UID/GID map.
-  CHECK(MaybeSetProcessNonDumpable());
-
-  if (pid == 1) {
+  if (getpid() == 1) {
     CHECK(CreateInitProcessReaper(post_fork_parent_callback));
   }
 }
 
 #if defined(ADDRESS_SANITIZER)
 const size_t kSanitizerMaxMessageLength = 1 * 1024 * 1024;
 
 // A helper process which collects code coverage data from the renderers over a
 // socket and dumps it to a file. See http://crbug.com/336212 for discussion.
 static void SanitizerCoverageHelper(int socket_fd, int file_fd) {
@@ skipping 58 matching lines @@
 #if !defined(THREAD_SANITIZER)
   DCHECK(linux_sandbox->IsSingleThreaded());
 #endif
 
   sandbox::SetuidSandboxClient* setuid_sandbox =
       linux_sandbox->setuid_sandbox_client();
   if (setuid_sandbox->IsSuidSandboxChild()) {
     CHECK(EnterSuidSandbox(setuid_sandbox, post_fork_parent_callback))
         << "Failed to enter setuid sandbox";
   } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) {
-    EnterNamespaceSandbox(post_fork_parent_callback);
+    EnterNamespaceSandbox(linux_sandbox, post_fork_parent_callback);
   } else {
     CHECK(!using_layer1_sandbox);
   }
 }
 
 bool ZygoteMain(const MainFunctionParams& params,
                 ScopedVector<ZygoteForkDelegate> fork_delegates) {
   g_am_zygote_or_renderer = true;
   sandbox::InitLibcUrandomOverrides();
 
@@ skipping 86 matching lines @@
   bool setuid_sandbox_engaged = sandbox_flags & kSandboxLinuxSUID;
   CHECK_EQ(using_setuid_sandbox, setuid_sandbox_engaged);
 
   Zygote zygote(sandbox_flags, fork_delegates.Pass(), extra_children,
                 extra_fds);
   // This function call can return multiple times, once per fork().
   return zygote.ProcessRequests();
 }
 
 }  // namespace content