Linux sandbox: better APIs with /proc/ arguments

content/common/sandbox_linux/sandbox_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <dirent.h>
 #include <fcntl.h>
 #include <sys/resource.h>
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/types.h>
@@ skipping 58 matching lines @@
 }
 
 bool IsRunningTSAN() {
 #if defined(THREAD_SANITIZER)
   return true;
 #else
   return false;
 #endif
 }
 
-// Try to open /proc/self/task/ with the help of |proc_fd|. |proc_fd| can be
-// -1. Will return -1 on error and set errno like open(2).
+// Get a file descriptor to /proc. Either duplicate |proc_fd| or try to open
+// it by using the filesystem directly.
 // TODO(jln): get rid of this ugly interface.
-int OpenProcTaskFd(int proc_fd) {
-  int proc_self_task = -1;
+base::ScopedFD OpenProc(int proc_fd) {
+  int ret_proc_fd = -1;
   if (proc_fd >= 0) {
     // If a handle to /proc is available, use it. This allows to bypass file
     // system restrictions.
-    proc_self_task = HANDLE_EINTR(
-        openat(proc_fd, "self/task/", O_RDONLY | O_DIRECTORY | O_CLOEXEC));
+    ret_proc_fd =
+        HANDLE_EINTR(openat(proc_fd, ".", O_RDONLY | O_DIRECTORY | O_CLOEXEC));
   } else {
     // Otherwise, make an attempt to access the file system directly.
-    proc_self_task = HANDLE_EINTR(openat(AT_FDCWD, "/proc/self/task/",
-                                         O_RDONLY | O_DIRECTORY | O_CLOEXEC));
+    ret_proc_fd = HANDLE_EINTR(
+        openat(AT_FDCWD, "/proc/", O_RDONLY | O_DIRECTORY | O_CLOEXEC));
   }
-  return proc_self_task;
+  DCHECK_LE(0, ret_proc_fd);
+  return base::ScopedFD(ret_proc_fd);
 }
 
 }  // namespace
 
 namespace content {
 
 LinuxSandbox::LinuxSandbox()
     : proc_fd_(-1),
       seccomp_bpf_started_(false),
       sandbox_status_flags_(kSandboxLinuxInvalid),
@@ skipping 71 matching lines @@
 void LinuxSandbox::EngageNamespaceSandbox() {
   CHECK(pre_initialized_);
   // Check being in a new PID namespace created by the namespace sandbox and
   // being the init process.
   CHECK(sandbox::NamespaceSandbox::InNewPidNamespace());
   const pid_t pid = getpid();
   CHECK_EQ(1, pid);
 
   CHECK(sandbox::Credentials::MoveToNewUserNS());
   // Note: this requires SealSandbox() to be called later in this process to be
-  // safe, as this class is keeping a file descriptor to /proc.
-  CHECK(!HasOpenDirectories());
-  CHECK(sandbox::Credentials::DropFileSystemAccess());
-  CHECK(IsSingleThreaded());
-  CHECK(sandbox::Credentials::DropAllCapabilities());
+  // safe, as this class is keeping a file descriptor to /proc/.
+  CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_));
+  CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd_));
 
   // This needs to happen after moving to a new user NS, since doing so involves
   // writing the UID/GID map.
   CHECK(SandboxDebugHandling::SetDumpableStatusAndHandlers());
 }
 
 std::vector<int> LinuxSandbox::GetFileDescriptorsToClose() {
   std::vector<int> fds;
   if (proc_fd_ >= 0) {
     fds.push_back(proc_fd_);
@@ skipping 49 matching lines @@
     }
   }
 
   return sandbox_status_flags_;
 }
 
 // Threads are counted via /proc/self/task. This is a little hairy because of
 // PID namespaces and existing sandboxes, so "self" must really be used instead
 // of using the pid.
 bool LinuxSandbox::IsSingleThreaded() const {
-  base::ScopedFD proc_self_task(OpenProcTaskFd(proc_fd_));
+  base::ScopedFD proc_fd(OpenProc(proc_fd_));
 
-  CHECK(proc_self_task.is_valid())
-      << "Could not count threads, the sandbox was not "
-      << "pre-initialized properly.";
+  CHECK(proc_fd.is_valid()) << "Could not count threads, the sandbox was not "
+                            << "pre-initialized properly.";
 
   const bool is_single_threaded =
-      sandbox::ThreadHelpers::IsSingleThreaded(proc_self_task.get());
+      sandbox::ThreadHelpers::IsSingleThreaded(proc_fd.get());
 
   return is_single_threaded;
 }
 
 bool LinuxSandbox::seccomp_bpf_started() const {
   return seccomp_bpf_started_;
 }
 
 sandbox::SetuidSandboxClient*
     LinuxSandbox::setuid_sandbox_client() const {
   return setuid_sandbox_client_.get();
 }
 
 // For seccomp-bpf, we use the SandboxSeccompBPF class.
 bool LinuxSandbox::StartSeccompBPF(const std::string& process_type) {
   CHECK(!seccomp_bpf_started_);
   CHECK(pre_initialized_);
   if (seccomp_bpf_supported()) {
-    base::ScopedFD proc_self_task(OpenProcTaskFd(proc_fd_));
     seccomp_bpf_started_ =
-        SandboxSeccompBPF::StartSandbox(process_type, proc_self_task.Pass());
+        SandboxSeccompBPF::StartSandbox(process_type, OpenProc(proc_fd_));
   }
 
   if (seccomp_bpf_started_) {
     LogSandboxStarted("seccomp-bpf");
   }
 
   return seccomp_bpf_started_;
 }
 
 bool LinuxSandbox::InitializeSandboxImpl() {
@@ skipping 146 matching lines @@
         (sandbox_status_flags_ != kSandboxLinuxInvalid) &&
         (GetStatus() & kSandboxLinuxSeccompBPF);
   }
   if (promised_seccomp_bpf_would_start) {
     CHECK(seccomp_bpf_started_);
   }
 }
 
 void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread* thread) const {
   DCHECK(thread);
-  base::ScopedFD proc_self_task(OpenProcTaskFd(proc_fd_));
-  PCHECK(proc_self_task.is_valid());
-  CHECK(sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_self_task.get(),
-                                                         thread));
+  base::ScopedFD proc_fd(OpenProc(proc_fd_));
+  PCHECK(proc_fd.is_valid());
+  CHECK(
+      sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_fd.get(), thread));
 }
 
 }  // namespace content