author | hidehiko <hidehiko@chromium.org> | 2015-03-10 00:00:14 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-03-10 07:00:41 +0000 |
commit | 7d7dcec900cc0c148237307a79b9471a6459f2e5 (patch) | |
tree | fcb996d45a5078628551e8c49d7b05c376173626 | |
parent | 69cfa7bbd88391cef0ad02f4e95697c674404e77 (diff) | |
Non-SFI mode: Suid sandbox.
This CL enables the setuid (SUID) sandbox on nacl_helper_nonsfi.
BUG=358465
TEST=Ran trybots. Ran Non-SFI NaCl app with nacl_helper_nonsfi.
Review URL: https://codereview.chromium.org/888903004
Cr-Commit-Position: refs/heads/master@{#319845}
-rw-r--r-- | chrome/test/nacl/nacl_browsertest_util.cc | 6 | ||||
-rw-r--r-- | chrome/test/ppapi/ppapi_browsertest.cc | 4 | ||||
-rw-r--r-- | chrome/test/ppapi/ppapi_test.cc | 6 | ||||
-rw-r--r-- | components/nacl/loader/nacl_helper_linux.cc | 22 | ||||
-rw-r--r-- | components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc | 27 | ||||
-rw-r--r-- | components/nacl_nonsfi.gyp | 6 | ||||
-rw-r--r-- | content/content_nacl_nonsfi.gyp | 2 | ||||
-rw-r--r-- | sandbox/sandbox_nacl_nonsfi.gyp | 45 |
8 files changed, 97 insertions, 21 deletions
diff --git a/chrome/test/nacl/nacl_browsertest_util.cc b/chrome/test/nacl/nacl_browsertest_util.cc
index 6248d8a..f1e0f80 100644
--- a/chrome/test/nacl/nacl_browsertest_util.cc
+++ b/chrome/test/nacl/nacl_browsertest_util.cc
@@ -297,6 +297,9 @@ void NaClBrowserTestTransitionalNonSfi::SetUpCommandLine(
 base::CommandLine* command_line) {
 NaClBrowserTestNonSfiMode::SetUpCommandLine(command_line);
 command_line->AppendSwitch(switches::kUseNaClHelperNonSfi);
+ // TODO(hidehiko): Remove this flag, when namespace sandbox is supported
+ // by nacl_helper_nonsfi. (cf. crbug.com/464663)
+ command_line->AppendSwitch(switches::kDisableNamespaceSandbox);
 }
 
 base::FilePath::StringType NaClBrowserTestStatic::Variant() {
@@ -322,6 +325,9 @@ void NaClBrowserTestPnaclTransitionalNonSfi::SetUpCommandLine(
 base::CommandLine* command_line) {
 NaClBrowserTestPnaclNonSfi::SetUpCommandLine(command_line);
 command_line->AppendSwitch(switches::kUseNaClHelperNonSfi);
+ // TODO(hidehiko): Remove this flag, when namespace sandbox is supported
+ // by nacl_helper_nonsfi. (cf. crbug.com/464663)
+ command_line->AppendSwitch(switches::kDisableNamespaceSandbox);
 }
 
 void NaClBrowserTestNewlibExtension::SetUpCommandLine(
diff --git a/chrome/test/ppapi/ppapi_browsertest.cc b/chrome/test/ppapi/ppapi_browsertest.cc
index be5a136..b3fbc3f 100644
--- a/chrome/test/ppapi/ppapi_browsertest.cc
+++ b/chrome/test/ppapi/ppapi_browsertest.cc
@@ -19,6 +19,7 @@
 #include "components/content_settings/core/browser/host_content_settings_map.h"
 #include "components/nacl/common/nacl_switches.h"
 #include "content/public/browser/web_contents.h"
+#include "content/public/common/content_switches.h"
 #include "content/public/common/url_constants.h"
 #include "content/public/test/javascript_test_observer.h"
 #include "content/public/test/test_renderer_host.h"
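Review bot: The added `command_line->AppendSwitch(switches::kDisableNamespaceSandbox)` uses a switch declared in content/public/common/content_switches.h, but unlike the ppapi_browsertest.cc section below this hunk adds no include for it; if nacl_browsertest_util.cc does not already include that header (its include block is outside this hunk), add `#include "content/public/common/content_switches.h"` rather than depending on a transitive include. The same three lines are repeated in the hunk at line 325 and in three more fixtures in ppapi_browsertest.cc and ppapi_test.cc, so the TODO will have to be honoured in five places when crbug.com/464663 is fixed; a helper such as `void AppendTransitionalNonSfiSwitches(base::CommandLine* command_line)` in this file would keep the workaround in one spot. It would also help to say in the comment why the flag is needed: read together with the nacl_sandbox_linux.cc change in this CL, a helper launched under the namespace sandbox does not get its layer-one sandbox enabled, so these tests must run behind the setuid sandbox instead.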
@@ -1349,6 +1350,9 @@ class TransitionalNonSfiPackagedAppTest : public NonSfiPackagedAppTest {
 void SetUpCommandLine(base::CommandLine* command_line) override {
 NonSfiPackagedAppTest::SetUpCommandLine(command_line);
 command_line->AppendSwitch(switches::kUseNaClHelperNonSfi);
+ // TODO(hidehiko): Remove this flag, when namespace sandbox is supported
+ // by nacl_helper_nonsfi. (cf. crbug.com/464663)
+ command_line->AppendSwitch(switches::kDisableNamespaceSandbox);
 }
 };
 
diff --git a/chrome/test/ppapi/ppapi_test.cc b/chrome/test/ppapi/ppapi_test.cc
index 7c98066..ff60b59 100644
--- a/chrome/test/ppapi/ppapi_test.cc
+++ b/chrome/test/ppapi/ppapi_test.cc
@@ -444,6 +444,9 @@ void PPAPINaClPNaClTransitionalNonSfiTest::SetUpCommandLine(
 PPAPINaClPNaClNonSfiTest::SetUpCommandLine(command_line);
 #if !defined(DISABLE_NACL)
 command_line->AppendSwitch(switches::kUseNaClHelperNonSfi);
+ // TODO(hidehiko): Remove this flag, when namespace sandbox is supported.
+ // by nacl_helper_nonsfi. (cf. crbug.com/464663)
+ command_line->AppendSwitch(switches::kDisableNamespaceSandbox);
 #endif
 }
 
@@ -458,6 +461,9 @@ void PPAPIPrivateNaClPNaClTransitionalNonSfiTest::SetUpCommandLine(
 PPAPIPrivateNaClPNaClNonSfiTest::SetUpCommandLine(command_line);
 #if !defined(DISABLE_NACL)
 command_line->AppendSwitch(switches::kUseNaClHelperNonSfi);
+ // TODO(hidehiko): Remove this flag, when namespace sandbox is supported
+ // by nacl_helper_nonsfi. (cf. crbug.com/464663)
+ command_line->AppendSwitch(switches::kDisableNamespaceSandbox);
 #endif
 }
 
diff --git a/components/nacl/loader/nacl_helper_linux.cc b/components/nacl/loader/nacl_helper_linux.cc
index 6f79819..adb6d8b 100644
--- a/components/nacl/loader/nacl_helper_linux.cc
+++ b/components/nacl/loader/nacl_helper_linux.cc
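Review bot: The first TODO line added in the ppapi_test.cc hunk at line 444 has a stray period, `// TODO(hidehiko): Remove this flag, when namespace sandbox is supported.` followed by `// by nacl_helper_nonsfi. (cf. crbug.com/464663)`, which cuts the sentence in two; drop the period so it reads like the identical comment in the hunk at line 461 and in the other test files. As in nacl_browsertest_util.cc, `switches::kDisableNamespaceSandbox` comes from content/public/common/content_switches.h and this file section adds no include for it; if ppapi_test.cc does not already include that header (not visible here), add it the way ppapi_browsertest.cc does in this CL instead of relying on a transitive include. The enclosing SetUpCommandLine bodies start outside their hunks.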
@@ -75,11 +75,7 @@ void BecomeNaClLoader(base::ScopedFD browser_fd,
 const NaClLoaderSystemInfo& system_info,
 bool uses_nonsfi_mode,
 nacl::NaClSandbox* nacl_sandbox) {
-#if !defined(OS_NACL_NONSFI)
- // Currently sandbox is disabled for nacl_helper_nonsfi.
- // TODO(hidehiko): Enable sandbox.
 DCHECK(nacl_sandbox);
-#endif
 VLOG(1) << "NaCl loader: setting up IPC descriptor";
 // Close or shutdown IPC channels that we don't need anymore.
 PCHECK(0 == IGNORE_EINTR(close(kNaClZygoteDescriptor)));
@@ -110,15 +106,15 @@ void BecomeNaClLoader(base::ScopedFD browser_fd,
 // We do this before seccomp-bpf is initialized.
 PCHECK(signal(SIGPIPE, SIG_IGN) != SIG_ERR);
 
-#if !defined(OS_NACL_NONSFI)
- // Currently sandbox is disabled for nacl_helper_nonsfi.
- // TODO(hidehiko): Enable sandbox.
 // Finish layer-1 sandbox initialization and initialize the layer-2 sandbox.
 CHECK(!nacl_sandbox->HasOpenDirectory());
+#if !defined(OS_NACL_NONSFI)
+ // Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi.
+ // TODO(hidehiko): Enable the sandbox.
 nacl_sandbox->InitializeLayerTwoSandbox(uses_nonsfi_mode);
+#endif
 nacl_sandbox->SealLayerOneSandbox();
 nacl_sandbox->CheckSandboxingStateWithPolicy();
-#endif
 
 base::GlobalDescriptors::GetInstance()->Set(kPrimaryIPCChannel,
 browser_fd.release());
@@ -301,9 +297,6 @@ bool HandleZygoteRequest(int zygote_ipc_fd,
 char buf[kNaClMaxIPCMessageLength];
 const ssize_t msglen = UnixDomainSocket::RecvMsg(zygote_ipc_fd, &buf, sizeof(buf), &fds);
-#if !defined(OS_NACL_NONSFI)
- // Currently sandbox is disabled for nacl_helper_nonsfi.
- // TODO(hidehiko): Enable sandbox.
 // If the Zygote has started handling requests, we should be sandboxed via
 // the setuid sandbox.
 if (!nacl_sandbox->layer_one_enabled()) {
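Review bot: On the OS_NACL_NONSFI build the hunk at line 106 skips `InitializeLayerTwoSandbox()` but still runs `SealLayerOneSandbox()` and `CheckSandboxingStateWithPolicy()` with layer_two_enabled_ never set, which only passes because the seccomp-bpf check inside CheckSandboxingStateWithPolicy() is compiled out in nacl_sandbox_linux.cc in this same CL; a reader of this file cannot see that and may assume the policy check still covers the syscall filter for nacl_helper_nonsfi. I would make the reduced guarantee explicit with an `#else` branch carrying the comment `// nacl_helper_nonsfi runs untrusted code behind the setuid sandbox only; CheckSandboxingStateWithPolicy() does not verify seccomp-bpf on this build.`, and give the TODO a tracking bug the way the namespace-sandbox TODOs cite crbug.com/464663. BecomeNaClLoader continues outside the hunk on both sides.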
@@ -311,7 +304,6 @@ bool HandleZygoteRequest(int zygote_ipc_fd,
 << "Most likely you need to configure your SUID sandbox "
 << "correctly";
 }
-#endif
 if (msglen == 0 || (msglen == -1 && errno == ECONNRESET)) {
 // EOF from the browser. Goodbye!
 _exit(0);
@@ -465,11 +457,6 @@ int main(int argc, char* argv[]) {
 CheckRDebug(argv[0]);
 #endif
 
-#if defined(OS_NACL_NONSFI)
- // Currently sandbox is disabled for nacl_helper_nonsfi.
- // TODO(hidehiko): Enable sandbox.
- scoped_ptr<nacl::NaClSandbox> nacl_sandbox;
-#else
 scoped_ptr<nacl::NaClSandbox> nacl_sandbox(new nacl::NaClSandbox);
 // Make sure that the early initialization did not start any spurious
 // threads.
@@ -480,7 +467,6 @@ int main(int argc, char* argv[]) {
 const bool is_init_process = 1 == getpid();
 nacl_sandbox->InitializeLayerOneSandbox();
 CHECK_EQ(is_init_process, nacl_sandbox->layer_one_enabled());
-#endif // defined(OS_NACL_NONSFI)
 
 const std::vector<int> empty;
 // Send the zygote a message to let it know we are ready to help
diff --git a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
index 9fd81bc..05a7302 100644
--- a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
+++ b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
@@ -30,10 +30,13 @@
 #include "sandbox/linux/services/credentials.h"
 #include "sandbox/linux/services/namespace_sandbox.h"
 #include "sandbox/linux/services/proc_util.h"
-#include "sandbox/linux/services/resource_limits.h"
 #include "sandbox/linux/services/thread_helpers.h"
 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
 
+#if !defined(OS_NACL_NONSFI)
+#include "sandbox/linux/services/resource_limits.h"
+#endif
+
 namespace nacl {
 
 namespace {
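Review bot: In the nacl_sandbox_linux.cc include hunk only `sandbox/linux/services/resource_limits.h` is moved under `#if !defined(OS_NACL_NONSFI)`, while `credentials.h` and `namespace_sandbox.h` stay unconditional even though every use of them is guarded by the same macro later in this CL and their .cc files are not part of the new sandbox_nacl_nonsfi target; the asymmetry reads like an accident rather than a decision. Either guard all three together for consistency, or add one line explaining why this header alone needs it, e.g. `// resource_limits.h does not build with the Non-SFI toolchain.` if that is the reason (I am inferring it; the build failure is not visible here). Without such a note the next person to touch the includes will not know whether the guard can be removed.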
@@ -63,6 +66,10 @@ bool MaybeSetProcessNonDumpable() {
 return prctl(PR_GET_DUMPABLE) == 0;
 }
 
+#if !defined(OS_NACL_NONSFI)
+// Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi.
+// This function is used only in InitializeLayerTwoSandbox().
+// TODO(hidehiko): Enable the sandbox.
 void RestrictAddressSpaceUsage() {
 #if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \
 defined(THREAD_SANITIZER)
@@ -93,6 +100,7 @@ void RestrictAddressSpaceUsage() {
 #endif
 CHECK(sandbox::ResourceLimits::Lower(RLIMIT_AS, kNewAddressSpaceLimit));
 }
+#endif // !OS_NACL_NONSFI
 
 } // namespace
 
@@ -137,7 +145,11 @@ void NaClSandbox::InitializeLayerOneSandbox() {
 CHECK(MaybeSetProcessNonDumpable());
 CHECK(IsSandboxed());
 layer_one_enabled_ = true;
- } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) {
+ }
+ // Currently namespace sandbox is not yet supported on nacl_helper_nonsfi.
+ // TODO(hidehiko): Enable the sandbox.
+#if !defined(OS_NACL_NONSFI)
+ else if (sandbox::NamespaceSandbox::InNewUserNamespace()) {
 CHECK(sandbox::Credentials::MoveToNewUserNS());
 // This relies on SealLayerOneSandbox() to be called later since this
 // class is keeping a file descriptor to /proc/.
@@ -146,8 +158,14 @@ void NaClSandbox::InitializeLayerOneSandbox() {
 CHECK(IsSandboxed());
 layer_one_enabled_ = true;
 }
+#endif // !OS_NACL_NONSFI
 }
 
+#if !defined(OS_NACL_NONSFI)
+// Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi.
+// TODO(hidehiko): Enable the sandbox.
+// Note that CheckForExpectedNumberOfOpenFds() is just referred from
+// InitializeLayerTwoSandbox(). Enable them together.
 void NaClSandbox::CheckForExpectedNumberOfOpenFds() {
 // We expect to have the following FDs open:
 // 1-3) stdin, stdout, stderr.
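Review bot: In the InitializeLayerOneSandbox() hunk at line 145 the closing `}` of the setuid branch is now followed by two comment lines, then `#if !defined(OS_NACL_NONSFI)`, then `else if (...)`, so the `else` is separated from the block it pairs with by comments and a preprocessor line; it compiles, but it is easy to misread and will break the moment someone inserts a statement between them. Move `#if !defined(OS_NACL_NONSFI)` to the line directly after the `}` and put the two comment lines inside the guard, so the `else if` is always adjacent to its `}`. The comment should also spell out what the missing branch means for this build: a nacl_helper_nonsfi started under the namespace sandbox rather than the setuid sandbox leaves `layer_one_enabled_` false, and CheckSandboxingStateWithPolicy() (visible later in this CL) then hits `LOG(FATAL) << kNoSuidMsg << kItIsNotAllowedMsg` unless running unsandboxed is explicitly permitted, which is why the test fixtures pass --disable-namespace-sandbox; e.g. `// Until then a helper launched under the namespace sandbox is treated as unsandboxed.`. InitializeLayerOneSandbox() begins and ends outside this hunk.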
@@ -188,6 +206,7 @@ void NaClSandbox::InitializeLayerTwoSandbox(bool uses_nonsfi_mode) {
 layer_two_enabled_ = nacl::InitializeBPFSandbox(proc_fd_.Pass());
 }
 }
+#endif // OS_NACL_NONSFI
 
 void NaClSandbox::SealLayerOneSandbox() {
 if (proc_fd_.is_valid() && !layer_two_enabled_) {
@@ -219,6 +238,9 @@ void NaClSandbox::CheckSandboxingStateWithPolicy() {
 LOG(FATAL) << kNoSuidMsg << kItIsNotAllowedMsg;
 }
 
+#if !defined(OS_NACL_NONSFI)
+ // Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi.
+ // TODO(hidehiko): Enable the sandbox.
 if (!layer_two_enabled_) {
 static const char kNoBpfMsg[] =
 "The seccomp-bpf sandbox is not engaged for NaCl:";
@@ -227,6 +249,7 @@ void NaClSandbox::CheckSandboxingStateWithPolicy() {
 else
 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg;
 }
+#endif
 }
 
 } // namespace nacl
diff --git a/components/nacl_nonsfi.gyp b/components/nacl_nonsfi.gyp
index 9301404..867bce0 100644
--- a/components/nacl_nonsfi.gyp
+++ b/components/nacl_nonsfi.gyp
@@ -49,12 +49,14 @@
 
 'sources': [
 'nacl/common/nacl_messages.cc',
+ 'nacl/common/nacl_switches.cc',
 'nacl/common/nacl_types.cc',
 'nacl/common/nacl_types_param_traits.cc',
 'nacl/loader/nacl_helper_linux.cc',
 'nacl/loader/nacl_trusted_listener.cc',
 'nacl/loader/nonsfi/nonsfi_listener.cc',
 'nacl/loader/nonsfi/nonsfi_main.cc',
+ 'nacl/loader/sandbox_linux/nacl_sandbox_linux.cc',
 ],
 
 'link_flags': [
@@ -75,6 +77,7 @@
 '-lppapi_ipc_nacl',
 '-lppapi_proxy_nacl',
 '-lppapi_shared_nacl',
+ '-lsandbox_nacl_nonsfi',
 '-lshared_memory_support_nacl',
 '-ltracing_nacl',
 ],
@@ -99,6 +102,7 @@
 '>(tc_lib_dir_nonsfi_helper32)/libppapi_ipc_nacl.a',
 '>(tc_lib_dir_nonsfi_helper32)/libppapi_proxy_nacl.a',
 '>(tc_lib_dir_nonsfi_helper32)/libppapi_shared_nacl.a',
+ '>(tc_lib_dir_nonsfi_helper32)/libsandbox_nacl_nonsfi.a',
 '>(tc_lib_dir_nonsfi_helper32)/libshared_memory_support_nacl.a',
 '>(tc_lib_dir_nonsfi_helper32)/libtracing_nacl.a',
 ],
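Review bot: The trailer on `+#endif  // OS_NACL_NONSFI` at the end of InitializeLayerTwoSandbox() does not match the condition it closes, `#if !defined(OS_NACL_NONSFI)` (opened ahead of CheckForExpectedNumberOfOpenFds() in the previous hunk), and it disagrees with the two closers added earlier in this file, which write `#endif  // !OS_NACL_NONSFI`; use that spelling here. The bare `+#endif` added in the CheckSandboxingStateWithPolicy() hunk further down has no trailer at all, and since that guard spans a comment block plus an if statement it deserves the same `// !OS_NACL_NONSFI` trailer. The guarded region this line closes begins outside this hunk.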
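Review bot: Compiling the `if (!layer_two_enabled_)` check out for OS_NACL_NONSFI in the hunk at line 238 means CheckSandboxingStateWithPolicy() now reports success for nacl_helper_nonsfi with only the setuid sandbox engaged, and nothing at runtime says so; anyone reading logs cannot tell this binary apart from one whose seccomp-bpf filter is active. Rather than silently dropping the check, keep the reduced state visible, e.g. add `#else` and `LOG(WARNING) << "seccomp-bpf sandbox is not yet supported for nacl_helper_nonsfi; running with the setuid sandbox only.";` before the `#endif`, and state in the method's header comment that on this build it verifies layer one only. The TODO here also lacks a tracking bug, unlike the crbug.com/464663 references elsewhere in the CL. The function continues outside the hunk.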
@@ -122,6 +126,7 @@
 '>(tc_lib_dir_nonsfi_helper_arm)/libppapi_ipc_nacl.a',
 '>(tc_lib_dir_nonsfi_helper_arm)/libppapi_proxy_nacl.a',
 '>(tc_lib_dir_nonsfi_helper_arm)/libppapi_shared_nacl.a',
+ '>(tc_lib_dir_nonsfi_helper_arm)/libsandbox_nacl_nonsfi.a',
 '>(tc_lib_dir_nonsfi_helper_arm)/libshared_memory_support_nacl.a',
 '>(tc_lib_dir_nonsfi_helper_arm)/libtracing_nacl.a',
 ],
@@ -137,6 +142,7 @@
 '../native_client/src/untrusted/nacl/nacl.gyp:nacl_lib_newlib',
 '../native_client/tools.gyp:prep_toolchain',
 '../ppapi/ppapi_proxy_nacl.gyp:ppapi_proxy_nacl',
+ '../sandbox/sandbox_nacl_nonsfi.gyp:sandbox_nacl_nonsfi',
 ],
 },
 # TODO(hidehiko): Add Non-SFI version of nacl_loader_unittests.
diff --git a/content/content_nacl_nonsfi.gyp b/content/content_nacl_nonsfi.gyp
index 28b44e3..4f30ca4 100644
--- a/content/content_nacl_nonsfi.gyp
+++ b/content/content_nacl_nonsfi.gyp
@@ -26,7 +26,7 @@
 
 'sources': [
 'common/send_zygote_child_ping_linux.cc',
- 'public/common/send_zygote_child_ping_linux.h',
+ 'public/common/content_switches.cc',
 # TODO(hidehiko): Add sandbox code.
 ],
 },
diff --git a/sandbox/sandbox_nacl_nonsfi.gyp b/sandbox/sandbox_nacl_nonsfi.gyp
new file mode 100644
index 0000000..c55b124
--- /dev/null
+++ b/sandbox/sandbox_nacl_nonsfi.gyp
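Review bot: The content_nacl_nonsfi.gyp hunk replaces `'public/common/send_zygote_child_ping_linux.h'` with `'public/common/content_switches.cc'` instead of adding the new source beside it; a header in 'sources' has no build effect, so dropping it is harmless, but if the intent was only to add content_switches.cc the header line should stay, and a pure addition would match every other gyp hunk in this CL. The remaining `# TODO(hidehiko): Add sandbox code.` now sits in a CL that puts the sandbox sources in sandbox/sandbox_nacl_nonsfi.gyp; if it still refers to sandbox code under content/ it should say which, otherwise it is stale and should go. The target this list belongs to starts outside the hunk.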
@@ -0,0 +1,45 @@
+# Copyright 2015 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+{
+ 'variables': {
+ 'chromium_code': 1,
+ },
+ 'includes': [
+ '../build/common_untrusted.gypi',
+ ],
+ 'conditions': [
+ ['disable_nacl==0 and disable_nacl_untrusted==0', {
+ 'targets': [
+ {
+ 'target_name': 'sandbox_nacl_nonsfi',
+ 'type': 'none',
+ 'variables': {
+ 'nacl_untrusted_build': 1,
+ 'nlib_target': 'libsandbox_nacl_nonsfi.a',
+ 'build_glibc': 0,
+ 'build_newlib': 0,
+ 'build_irt': 0,
+ 'build_pnacl_newlib': 0,
+ 'build_nonsfi_helper': 1,
+
+ 'sources': [
+ # This is the subset of linux build target, needed for
+ # nacl_helper_nonsfi's sandbox implementation.
+ 'linux/services/proc_util.cc',
+ 'linux/services/thread_helpers.cc',
+ 'linux/suid/client/setuid_sandbox_client.cc',
+ # TODO(hidehiko): Support namespace sandbox and seccomp-bpf
+ # sandbox.
+ ],
+ },
+ 'dependencies': [
+ '../base/base_nacl.gyp:base_nacl_nonsfi',
+ '../native_client/tools.gyp:prep_toolchain',
+ ],
+ },
+ ],
+ }],
+ ],
+}
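Review bot: The comment `# This is the subset of linux build target, needed for` / `# nacl_helper_nonsfi's sandbox implementation.` is grammatically off and does not tell a maintainer how to keep the list correct when nacl_sandbox_linux.cc changes. Suggest `# Subset of sandbox/linux needed by components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc when built for Non-SFI; anything that file calls outside its OS_NACL_NONSFI guards must be listed here.`. The three sources listed appear to match what that file still calls unguarded after this CL (setuid_sandbox_client, proc_util, thread_helpers), while credentials.cc and namespace_sandbox.cc are deliberately left out; the TODO below could name them so the gap is explicit, e.g. `# TODO(hidehiko): Add namespace_sandbox.cc, credentials.cc and the seccomp-bpf sources once they build for Non-SFI.`.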