authorhidehiko <hidehiko@chromium.org>2015-04-30 22:16:05 -0700
committerCommit bot <commit-bot@chromium.org>2015-05-01 05:16:34 +0000
commitaca25fdd9772e974b0399c24590fd864cebfcbab (patch)
tree04504d176310117a6a6f2c214a56587d3f5468ee /components/nacl
parent7f841930479d87f5c65082d26cc764883c1cd5dc (diff)
Non-SFI mode: Enable seccomp-bpf sandbox on nacl_helper_nonsfi.
This CL enables seccomp-bpf sandbox on nacl_helper_nonsfi. In codegen.cc, static_cast is added as implicit narrowing triggers compiler warning (= error with -Werror), with PNaCl toolchain. TEST=Ran bots. Ran ./sandbox_linux_unittests and ./nacl_loader_unittests locally with {Debug,Release} * {clang,gcc,msan,tsan} combinations. Ran ./browser_tests --gtest_filter=*NaCl*:*PPAPI* locally with {Release} * {clang,gcc,msan} combinations. Test an app using Non-SFI mode already with --use-nacl-helper-nonsfi. BUG=358465 Review URL: https://codereview.chromium.org/1104993002 Cr-Commit-Position: refs/heads/master@{#327880}
Diffstat (limited to 'components/nacl')
-rw-r--r--components/nacl/loader/nacl_helper_linux.cc4
-rw-r--r--components/nacl/loader/nonsfi/nonsfi_sandbox.cc32
-rw-r--r--components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc32
3 files changed, 36 insertions, 32 deletions
diff --git a/components/nacl/loader/nacl_helper_linux.cc b/components/nacl/loader/nacl_helper_linux.cc
index e7e75fb..8206eca 100644
--- a/components/nacl/loader/nacl_helper_linux.cc
+++ b/components/nacl/loader/nacl_helper_linux.cc
@@ -108,11 +108,7 @@ void BecomeNaClLoader(base::ScopedFD browser_fd,
// Finish layer-1 sandbox initialization and initialize the layer-2 sandbox.
CHECK(!nacl_sandbox->HasOpenDirectory());
-#if !defined(OS_NACL_NONSFI)
- // Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi.
- // TODO(hidehiko): Enable the sandbox.
nacl_sandbox->InitializeLayerTwoSandbox(uses_nonsfi_mode);
-#endif
nacl_sandbox->SealLayerOneSandbox();
nacl_sandbox->CheckSandboxingStateWithPolicy();
diff --git a/components/nacl/loader/nonsfi/nonsfi_sandbox.cc b/components/nacl/loader/nonsfi/nonsfi_sandbox.cc
index 2a6d5bc9..25493d6 100644
--- a/components/nacl/loader/nonsfi/nonsfi_sandbox.cc
+++ b/components/nacl/loader/nonsfi/nonsfi_sandbox.cc
@@ -6,7 +6,6 @@
#include <errno.h>
#include <fcntl.h>
-#include <linux/futex.h>
#include <linux/net.h>
#include <sys/mman.h>
#include <sys/prctl.h>
@@ -22,12 +21,21 @@
#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
+#include "sandbox/linux/system_headers/linux_futex.h"
#include "sandbox/linux/system_headers/linux_syscalls.h"
-#if defined(__arm__) && !defined(MAP_STACK)
-// Chrome OS Daisy (ARM) build environment has old headers.
-#define MAP_STACK 0x20000
-#endif
+// Chrome OS Daisy (ARM) build environment and PNaCl toolchain do not define
+// MAP_STACK.
+#if !defined(MAP_STACK)
+# if defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY)
+# define MAP_STACK 0x20000
+# else
+// Note that, on other architecture, MAP_STACK has different value (e.g. mips'
+// MAP_STACK is 0x40000), though Non-SFI is not supported on such
+// architectures.
+# error "Unknown platform."
+# endif
+#endif // !defined(MAP_STACK)
#define CASES SANDBOX_BPF_DSL_CASES
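Review bot: The fallback `# define MAP_STACK 0x20000` is a constant that ends up in a seccomp-bpf flag comparison, so the comment should record where the value comes from, not only which toolchains lack the macro; suggest replacing the two comments with `// MAP_STACK is 0x20000 in the kernel's asm-generic mman flags, shared by x86 and ARM; other architectures use different values (mips: 0x40000), and Non-SFI is not supported there.` Failing with `# error` on every other architecture is the right fail-closed choice, since a wrong constant would make the mmap policy either reject legitimate mappings or accept a flag it should not. Where MAP_STACK is consumed (presumably RestrictMmap) is outside this hunk.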
@@ -68,11 +76,14 @@ ResultExpr RestrictFcntlCommands() {
ResultExpr RestrictClone() {
// We allow clone only for new thread creation.
+ int clone_flags =
+ CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
+ CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS;
+#if !defined(OS_NACL_NONSFI)
+ clone_flags |= CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
+#endif
const Arg<int> flags(0);
- return If(flags == (CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
- CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS |
- CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID),
- Allow()).Else(CrashSIGSYSClone());
+ return If(flags == clone_flags, Allow()).Else(CrashSIGSYSClone());
}
ResultExpr RestrictFutexOperation() {
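Review bot: The two flag sets differ only by CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID, but nothing says why the nacl_helper_nonsfi build expects threads to be created without them; because the comparison is exact equality and every other combination crashes with SIGSYS, a wrong assumption here surfaces as a crash on the first thread creation rather than as a policy hole, which is worth stating next to the `#if`. Suggest `// The Non-SFI loader's thread creation presumably omits CLONE_PARENT_SETTID and CLONE_CHILD_CLEARTID (confirm against its pthread implementation); any other flag combination is rejected with SIGSYS.` As a point of style, `clone_flags` is a mutable local whose final value is fixed at compile time; folding the `#if` into the initializer would let it be `const int`.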
@@ -131,7 +142,10 @@ ResultExpr RestrictMmap() {
#if defined(__x86_64__) || defined(__arm__)
ResultExpr RestrictSocketpair() {
// Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
+ // Note: PNaCl toolchain does not define PF_UNIX.
+#if !defined(OS_NACL_NONSFI)
static_assert(AF_UNIX == PF_UNIX, "AF_UNIX must equal PF_UNIX.");
+#endif
const Arg<int> domain(0);
return If(domain == AF_UNIX, Allow()).Else(CrashSIGSYS());
}
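Review bot: Guarding the static_assert with `#if !defined(OS_NACL_NONSFI)` ties it to a build target when the actual condition is the missing macro; `#if defined(PF_UNIX)` states exactly that, keeps the check on any toolchain that does define PF_UNIX, and turns the `// Note: PNaCl toolchain does not define PF_UNIX.` comment into the reason rather than an aside. The policy itself only compares the domain against AF_UNIX, so the nonsfi build loses no enforcement here, only the compile-time sanity check.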
diff --git a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
index 17b7b84..869658f 100644
--- a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
+++ b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
@@ -30,13 +30,10 @@
#include "sandbox/linux/services/credentials.h"
#include "sandbox/linux/services/namespace_sandbox.h"
#include "sandbox/linux/services/proc_util.h"
+#include "sandbox/linux/services/resource_limits.h"
#include "sandbox/linux/services/thread_helpers.h"
#include "sandbox/linux/suid/client/setuid_sandbox_client.h"
-#if !defined(OS_NACL_NONSFI)
-#include "sandbox/linux/services/resource_limits.h"
-#endif
-
namespace nacl {
namespace {
@@ -66,10 +63,6 @@ bool MaybeSetProcessNonDumpable() {
return prctl(PR_GET_DUMPABLE) == 0;
}
-#if !defined(OS_NACL_NONSFI)
-// Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi.
-// This function is used only in InitializeLayerTwoSandbox().
-// TODO(hidehiko): Enable the sandbox.
void RestrictAddressSpaceUsage() {
#if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \
defined(THREAD_SANITIZER)
@@ -100,7 +93,6 @@ void RestrictAddressSpaceUsage() {
#endif
CHECK(sandbox::ResourceLimits::Lower(RLIMIT_AS, kNewAddressSpaceLimit));
}
-#endif // !OS_NACL_NONSFI
} // namespace
@@ -156,11 +148,6 @@ void NaClSandbox::InitializeLayerOneSandbox() {
}
}
-#if !defined(OS_NACL_NONSFI)
-// Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi.
-// TODO(hidehiko): Enable the sandbox.
-// Note that CheckForExpectedNumberOfOpenFds() is just referred from
-// InitializeLayerTwoSandbox(). Enable them together.
void NaClSandbox::CheckForExpectedNumberOfOpenFds() {
// We expect to have the following FDs open:
// 1-3) stdin, stdout, stderr.
@@ -198,10 +185,13 @@ void NaClSandbox::InitializeLayerTwoSandbox(bool uses_nonsfi_mode) {
layer_two_enabled_ = nacl::nonsfi::InitializeBPFSandbox(proc_fd_.Pass());
layer_two_is_nonsfi_ = true;
} else {
+#if defined(OS_NACL_NONSFI)
+ LOG(FATAL) << "nacl_helper_nonsfi can run only Non-SFI plugin.";
+#else
layer_two_enabled_ = nacl::InitializeBPFSandbox(proc_fd_.Pass());
+#endif
}
}
-#endif // OS_NACL_NONSFI
void NaClSandbox::SealLayerOneSandbox() {
if (proc_fd_.is_valid() && !layer_two_enabled_) {
@@ -219,8 +209,16 @@ void NaClSandbox::CheckSandboxingStateWithPolicy() {
" this is not allowed in this configuration.";
const bool no_sandbox_for_nonsfi_ok =
+#if defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) || \
+ defined(MEMORY_SANITIZER) || defined(LEAK_SANITIZER)
+ // Sanitizer tests run with --no-sandbox, but without
+ // --nacl-dangerous-no-sandbox-nonsfi. Allow that case.
+ true;
+#else
base::CommandLine::ForCurrentProcess()->HasSwitch(
switches::kNaClDangerousNoSandboxNonSfi);
+#endif
+
const bool can_be_no_sandbox =
!layer_two_is_nonsfi_ || no_sandbox_for_nonsfi_ok;
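Review bot: In sanitizer builds `no_sandbox_for_nonsfi_ok` becomes a compile-time `true`, so the requirement that running a Non-SFI plugin without the layer-two sandbox be explicitly opted into via --nacl-dangerous-no-sandbox-nonsfi is dropped for every invocation of those builds, not only for the --no-sandbox test runs the comment describes. If the helper's own command line carries that switch, keying the exemption to it would keep the intent, e.g. `base::CommandLine::ForCurrentProcess()->HasSwitch(switches::kNoSandbox) ||` ahead of the existing HasSwitch line (content's switches header is not visible in this hunk, so it may need including); if the compile-time form is deliberate because the helper does not see the switch, a one-line comment saying so would stop the next reader from reopening the question. The function continues outside the hunk.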
@@ -233,9 +231,6 @@ void NaClSandbox::CheckSandboxingStateWithPolicy() {
LOG(FATAL) << kNoSuidMsg << kItIsNotAllowedMsg;
}
-#if !defined(OS_NACL_NONSFI)
- // Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi.
- // TODO(hidehiko): Enable the sandbox.
if (!layer_two_enabled_) {
static const char kNoBpfMsg[] =
"The seccomp-bpf sandbox is not engaged for NaCl:";
@@ -244,7 +239,6 @@ void NaClSandbox::CheckSandboxingStateWithPolicy() {
else
LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg;
}
-#endif
}
} // namespace nacl