Chromium Code Reviews Chromium Code Reviews
Issue 938223004:
Linux sandbox: better APIs with /proc/ arguments (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <dirent.h> | 5 #include <dirent.h> |
| 6 #include <fcntl.h> | 6 #include <fcntl.h> |
| 7 #include <sys/resource.h> | 7 #include <sys/resource.h> |
| 8 #include <sys/stat.h> | 8 #include <sys/stat.h> |
| 9 #include <sys/time.h> | 9 #include <sys/time.h> |
| 10 #include <sys/types.h> | 10 #include <sys/types.h> |
| (...skipping 58 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 69 } | 69 } |
| 70 | 70 |
| 71 bool IsRunningTSAN() { | 71 bool IsRunningTSAN() { |
| 72 #if defined(THREAD_SANITIZER) | 72 #if defined(THREAD_SANITIZER) |
| 73 return true; | 73 return true; |
| 74 #else | 74 #else |
| 75 return false; | 75 return false; |
| 76 #endif | 76 #endif |
| 77 } | 77 } |
| 78 | 78 |
| 79 // Try to open /proc/self/task/ with the help of |proc_fd|. |proc_fd| can be | 79 // Get a file descriptor to /proc. Either duplicate |proc_fd| or try to open |
| 80 // -1. Will return -1 on error and set errno like open(2). | 80 // it by using the filesystem directly. |
| 81 // TODO(jln): get rid of this ugly interface. | 81 // TODO(jln): get rid of this ugly interface. |
|
jln (very slow on Chromium)
2015/02/24 01:45:38
This will be cleaned-up when refactoring how we st
| |
| 82 int OpenProcTaskFd(int proc_fd) { | 82 base::ScopedFD OpenProc(int proc_fd) { |
| 83 int proc_self_task = -1; | 83 int ret_proc_fd = -1; |
| 84 if (proc_fd >= 0) { | 84 if (proc_fd >= 0) { |
| 85 // If a handle to /proc is available, use it. This allows to bypass file | 85 // If a handle to /proc is available, use it. This allows to bypass file |
| 86 // system restrictions. | 86 // system restrictions. |
| 87 proc_self_task = HANDLE_EINTR( | 87 ret_proc_fd = |
| 88 openat(proc_fd, "self/task/", O_RDONLY | O_DIRECTORY | O_CLOEXEC)); | 88 HANDLE_EINTR(openat(proc_fd, ".", O_RDONLY | O_DIRECTORY | O_CLOEXEC)); |
| 89 } else { | 89 } else { |
| 90 // Otherwise, make an attempt to access the file system directly. | 90 // Otherwise, make an attempt to access the file system directly. |
| 91 proc_self_task = HANDLE_EINTR(openat(AT_FDCWD, "/proc/self/task/", | 91 ret_proc_fd = HANDLE_EINTR( |
| 92 O_RDONLY | O_DIRECTORY | O_CLOEXEC)); | 92 openat(AT_FDCWD, "/proc/", O_RDONLY | O_DIRECTORY | O_CLOEXEC)); |
| 93 } | 93 } |
| 94 return proc_self_task; | 94 DCHECK_LE(0, ret_proc_fd); |
| 95 return base::ScopedFD(ret_proc_fd); | |
| 95 } | 96 } |
| 96 | 97 |
| 97 } // namespace | 98 } // namespace |
| 98 | 99 |
| 99 namespace content { | 100 namespace content { |
| 100 | 101 |
| 101 LinuxSandbox::LinuxSandbox() | 102 LinuxSandbox::LinuxSandbox() |
| 102 : proc_fd_(-1), | 103 : proc_fd_(-1), |
| 103 seccomp_bpf_started_(false), | 104 seccomp_bpf_started_(false), |
| 104 sandbox_status_flags_(kSandboxLinuxInvalid), | 105 sandbox_status_flags_(kSandboxLinuxInvalid), |
| (...skipping 71 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 176 void LinuxSandbox::EngageNamespaceSandbox() { | 177 void LinuxSandbox::EngageNamespaceSandbox() { |
| 177 CHECK(pre_initialized_); | 178 CHECK(pre_initialized_); |
| 178 // Check being in a new PID namespace created by the namespace sandbox and | 179 // Check being in a new PID namespace created by the namespace sandbox and |
| 179 // being the init process. | 180 // being the init process. |
| 180 CHECK(sandbox::NamespaceSandbox::InNewPidNamespace()); | 181 CHECK(sandbox::NamespaceSandbox::InNewPidNamespace()); |
| 181 const pid_t pid = getpid(); | 182 const pid_t pid = getpid(); |
| 182 CHECK_EQ(1, pid); | 183 CHECK_EQ(1, pid); |
| 183 | 184 |
| 184 CHECK(sandbox::Credentials::MoveToNewUserNS()); | 185 CHECK(sandbox::Credentials::MoveToNewUserNS()); |
| 185 // Note: this requires SealSandbox() to be called later in this process to be | 186 // Note: this requires SealSandbox() to be called later in this process to be |
| 186 // safe, as this class is keeping a file descriptor to /proc. | 187 // safe, as this class is keeping a file descriptor to /proc/. |
| 187 CHECK(!HasOpenDirectories()); | 188 CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_)); |
| 188 CHECK(sandbox::Credentials::DropFileSystemAccess()); | 189 CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd_)); |
| 189 CHECK(IsSingleThreaded()); | |
| 190 CHECK(sandbox::Credentials::DropAllCapabilities()); | |
| 191 | 190 |
| 192 // This needs to happen after moving to a new user NS, since doing so involves | 191 // This needs to happen after moving to a new user NS, since doing so involves |
| 193 // writing the UID/GID map. | 192 // writing the UID/GID map. |
| 194 CHECK(SandboxDebugHandling::SetDumpableStatusAndHandlers()); | 193 CHECK(SandboxDebugHandling::SetDumpableStatusAndHandlers()); |
| 195 } | 194 } |
| 196 | 195 |
| 197 std::vector<int> LinuxSandbox::GetFileDescriptorsToClose() { | 196 std::vector<int> LinuxSandbox::GetFileDescriptorsToClose() { |
| 198 std::vector<int> fds; | 197 std::vector<int> fds; |
| 199 if (proc_fd_ >= 0) { | 198 if (proc_fd_ >= 0) { |
| 200 fds.push_back(proc_fd_); | 199 fds.push_back(proc_fd_); |
| (...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 250 } | 249 } |
| 251 } | 250 } |
| 252 | 251 |
| 253 return sandbox_status_flags_; | 252 return sandbox_status_flags_; |
| 254 } | 253 } |
| 255 | 254 |
| 256 // Threads are counted via /proc/self/task. This is a little hairy because of | 255 // Threads are counted via /proc/self/task. This is a little hairy because of |
| 257 // PID namespaces and existing sandboxes, so "self" must really be used instead | 256 // PID namespaces and existing sandboxes, so "self" must really be used instead |
| 258 // of using the pid. | 257 // of using the pid. |
| 259 bool LinuxSandbox::IsSingleThreaded() const { | 258 bool LinuxSandbox::IsSingleThreaded() const { |
| 260 base::ScopedFD proc_self_task(OpenProcTaskFd(proc_fd_)); | 259 base::ScopedFD proc_fd(OpenProc(proc_fd_)); |
| 261 | 260 |
| 262 CHECK(proc_self_task.is_valid()) | 261 CHECK(proc_fd.is_valid()) << "Could not count threads, the sandbox was not " |
| 263 << "Could not count threads, the sandbox was not " | 262 << "pre-initialized properly."; |
| 264 << "pre-initialized properly."; | |
| 265 | 263 |
| 266 const bool is_single_threaded = | 264 const bool is_single_threaded = |
| 267 sandbox::ThreadHelpers::IsSingleThreaded(proc_self_task.get()); | 265 sandbox::ThreadHelpers::IsSingleThreaded(proc_fd.get()); |
| 268 | 266 |
| 269 return is_single_threaded; | 267 return is_single_threaded; |
| 270 } | 268 } |
| 271 | 269 |
| 272 bool LinuxSandbox::seccomp_bpf_started() const { | 270 bool LinuxSandbox::seccomp_bpf_started() const { |
| 273 return seccomp_bpf_started_; | 271 return seccomp_bpf_started_; |
| 274 } | 272 } |
| 275 | 273 |
| 276 sandbox::SetuidSandboxClient* | 274 sandbox::SetuidSandboxClient* |
| 277 LinuxSandbox::setuid_sandbox_client() const { | 275 LinuxSandbox::setuid_sandbox_client() const { |
| 278 return setuid_sandbox_client_.get(); | 276 return setuid_sandbox_client_.get(); |
| 279 } | 277 } |
| 280 | 278 |
| 281 // For seccomp-bpf, we use the SandboxSeccompBPF class. | 279 // For seccomp-bpf, we use the SandboxSeccompBPF class. |
| 282 bool LinuxSandbox::StartSeccompBPF(const std::string& process_type) { | 280 bool LinuxSandbox::StartSeccompBPF(const std::string& process_type) { |
| 283 CHECK(!seccomp_bpf_started_); | 281 CHECK(!seccomp_bpf_started_); |
| 284 CHECK(pre_initialized_); | 282 CHECK(pre_initialized_); |
| 285 if (seccomp_bpf_supported()) { | 283 if (seccomp_bpf_supported()) { |
| 286 base::ScopedFD proc_self_task(OpenProcTaskFd(proc_fd_)); | |
| 287 seccomp_bpf_started_ = | 284 seccomp_bpf_started_ = |
| 288 SandboxSeccompBPF::StartSandbox(process_type, proc_self_task.Pass()); | 285 SandboxSeccompBPF::StartSandbox(process_type, OpenProc(proc_fd_)); |
| 289 } | 286 } |
| 290 | 287 |
| 291 if (seccomp_bpf_started_) { | 288 if (seccomp_bpf_started_) { |
| 292 LogSandboxStarted("seccomp-bpf"); | 289 LogSandboxStarted("seccomp-bpf"); |
| 293 } | 290 } |
| 294 | 291 |
| 295 return seccomp_bpf_started_; | 292 return seccomp_bpf_started_; |
| 296 } | 293 } |
| 297 | 294 |
| 298 bool LinuxSandbox::InitializeSandboxImpl() { | 295 bool LinuxSandbox::InitializeSandboxImpl() { |
| (...skipping 146 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 445 (sandbox_status_flags_ != kSandboxLinuxInvalid) && | 442 (sandbox_status_flags_ != kSandboxLinuxInvalid) && |
| 446 (GetStatus() & kSandboxLinuxSeccompBPF); | 443 (GetStatus() & kSandboxLinuxSeccompBPF); |
| 447 } | 444 } |
| 448 if (promised_seccomp_bpf_would_start) { | 445 if (promised_seccomp_bpf_would_start) { |
| 449 CHECK(seccomp_bpf_started_); | 446 CHECK(seccomp_bpf_started_); |
| 450 } | 447 } |
| 451 } | 448 } |
| 452 | 449 |
| 453 void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread* thread) const { | 450 void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread* thread) const { |
| 454 DCHECK(thread); | 451 DCHECK(thread); |
| 455 base::ScopedFD proc_self_task(OpenProcTaskFd(proc_fd_)); | 452 base::ScopedFD proc_fd(OpenProc(proc_fd_)); |
| 456 PCHECK(proc_self_task.is_valid()); | 453 PCHECK(proc_fd.is_valid()); |
| 457 CHECK(sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_self_task.get(), | 454 CHECK( |
| 458 thread)); | 455 sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_fd.get(), thread)); |
| 459 } | 456 } |
| 460 | 457 |
| 461 } // namespace content | 458 } // namespace content |
| OLD | NEW |
