author | thestig@chromium.org <thestig@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-11-04 03:16:17 +0000 |
committer | thestig@chromium.org <thestig@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-11-04 03:16:17 +0000 |
commit | f8dd43724006ea8b000d1a842e66bc7b1b50d024 (patch) | |
tree | 83be185f7f05a432dae736d02975ebc80dd99c61 /sandbox | |
parent | 739ee563b8acbc93d8c596d3d721fe794c334923 (diff) | |
Allow chrome_sandbox to act as a helper program and find the socket with a given inode number.
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/312003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@30931 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox')
-rw-r--r-- | sandbox/linux/suid/linux_util.c | 111 | ||||
-rw-r--r-- | sandbox/linux/suid/linux_util.h | 20 | ||||
-rw-r--r-- | sandbox/linux/suid/sandbox.c | 35 | ||||
-rw-r--r-- | sandbox/sandbox.gyp | 6 |
4 files changed, 168 insertions, 4 deletions
diff --git a/sandbox/linux/suid/linux_util.c b/sandbox/linux/suid/linux_util.c
new file mode 100644
index 0000000..ded545b
--- /dev/null
+++ b/sandbox/linux/suid/linux_util.c
@@ -0,0 +1,111 @@
+// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// The following is duplicated from base/linux_utils.cc.
+// We shouldn't link against C++ code in a setuid binary.
+
+#include "linux_util.h"
+
+#include <dirent.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+// expected prefix of the target of the /proc/self/fd/%d link for a socket
+static const char kSocketLinkPrefix[] = "socket:[";
+
+// Parse a symlink in /proc/pid/fd/$x and return the inode number of the
+// socket.
+// inode_out: (output) set to the inode number on success
+// path: e.g. /proc/1234/fd/5 (must be a UNIX domain socket descriptor)
+static bool ProcPathGetInode(ino_t* inode_out, const char* path) {
+ char buf[256];
+ const ssize_t n = readlink(path, buf, sizeof(buf) - 1);
+ if (n == -1)
+ return false;
+ buf[n] = 0;
+
+ if (memcmp(kSocketLinkPrefix, buf, sizeof(kSocketLinkPrefix) - 1))
+ return false;
+
+ char *endptr;
+ const unsigned long long int inode_ul =
+ strtoull(buf + sizeof(kSocketLinkPrefix) - 1, &endptr, 10);
+ if (*endptr != ']')
+ return false;
+
+ if (inode_ul == ULLONG_MAX)
+ return false;
+
+ *inode_out = inode_ul;
+ return true;
+}
+
+bool FindProcessHoldingSocket(pid_t* pid_out, ino_t socket_inode) {
+ bool already_found = false;
+
+ DIR* proc = opendir("/proc");
+ if (!proc)
+ return false;
+
+ const uid_t uid = getuid();
+ struct dirent* dent;
+ while ((dent = readdir(proc))) {
+ char *endptr;
+ const unsigned long int pid_ul = strtoul(dent->d_name, &endptr, 10);
+ if (pid_ul == ULONG_MAX || *endptr)
+ continue;
+
+ // We have this setuid code here because the zygote and its children have
+ // /proc/$pid/fd owned by root. While scanning through /proc, we add this
+ // extra check so users cannot accidentally gain information about other
+ // users' processes. To determine process ownership, we use the property
+ // that if user foo owns process N, then /proc/N is owned by foo.
+ {
+ char buf[256];
+ struct stat statbuf;
+ snprintf(buf, sizeof(buf), "/proc/%lu", pid_ul);
+ if (stat(buf, &statbuf) < 0)
+ continue;
+ if (uid != statbuf.st_uid)
+ continue;
+ }
+
+ char buf[256];
+ snprintf(buf, sizeof(buf), "/proc/%lu/fd", pid_ul);
+ DIR* fd = opendir(buf);
+ if (!fd)
+ continue;
+
+ while ((dent = readdir(fd))) {
+ if (snprintf(buf, sizeof(buf), "/proc/%lu/fd/%s", pid_ul,
+ dent->d_name) >= sizeof(buf) - 1) {
+ continue;
+ }
+
+ ino_t fd_inode;
+ if (ProcPathGetInode(&fd_inode, buf)) {
+ if (fd_inode == socket_inode) {
+ if (already_found) {
+ closedir(fd);
+ closedir(proc);
+ return false;
+ }
+
+ already_found = true;
+ *pid_out = pid_ul;
+ break;
+ }
+ }
+ }
+ closedir(fd);
+ }
+ closedir(proc);
+
+ return already_found;
+}
diff --git a/sandbox/linux/suid/linux_util.h b/sandbox/linux/suid/linux_util.h
new file mode 100644
index 0000000..72e3f00
--- /dev/null
+++ b/sandbox/linux/suid/linux_util.h
@@ -0,0 +1,20 @@
+// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// The following is duplicated from base/linux_utils.h.
+// We shouldn't link against C++ code in a setuid binary.
+
+#ifndef SANDBOX_LINUX_SUID_LINUX_UTIL_H_
+#define SANDBOX_LINUX_SUID_LINUX_UTIL_H_
+
+#include <stdbool.h>
+#include <sys/types.h>
+
+static const char kFindInodeSwitch[] = "--find-inode";
+
+// Find the process which holds the given socket, named by inode number. If
+// multiple processes hold the socket, this function returns false.
+bool FindProcessHoldingSocket(pid_t* pid_out, ino_t socket_inode);
+
+#endif // SANDBOX_LINUX_SUID_LINUX_UTIL_H_
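Review bot: ProcPathGetInode accepts a link target that contains no digits at all, because strtoull then returns 0 and leaves endptr at the first non-digit, so a target of `socket:[]` passes the `*endptr != ']'` test and reports inode 0; the parse should also require that at least one digit was consumed, e.g. `const char *digits = buf + sizeof(kSocketLinkPrefix) - 1;` followed by `if (endptr == digits || *endptr != ']') return false;`. The `inode_ul == ULLONG_MAX` test only detects overflow by value (errno is never consulted), and `*inode_out = inode_ul;` then narrows to ino_t, which is narrower than unsigned long long on 32-bit builds without large-file support, so an out-of-range value could be truncated into a value that happens to match a real descriptor; rejecting anything above the ino_t range before the assignment closes that gap. The same strtoull-into-ino_t idiom appears in the new block in main() in sandbox.c. In FindProcessHoldingSocket the `>= sizeof(buf) - 1` truncation test compares an int with a size_t, which is safe here only because a negative snprintf return converts to a huge unsigned value and is skipped; a comment stating that, or an explicit `< 0` check, would make the intent readable.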
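Review bot: The header comment on FindProcessHoldingSocket leaves out two properties a caller needs to know: only processes whose /proc/N directory is owned by the caller's real uid (getuid()) are examined, and *pid_out may already have been written when the function returns false, because a second holder can be found later in the scan after the first was stored. Suggested additions to the comment: `// Only processes whose /proc/<pid> entry is owned by getuid() are searched.` and `// On failure *pid_out may have been modified; callers must not rely on it.`. Defining kFindInodeSwitch as a static array in the header also gives each translation unit its own copy; a `#define` or an extern declaration with one definition in linux_util.c would avoid that, though with the current two includers it is only a style point.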
diff --git a/sandbox/linux/suid/sandbox.c b/sandbox/linux/suid/sandbox.c
index c16045a..c061a85 100644
--- a/sandbox/linux/suid/sandbox.c
+++ b/sandbox/linux/suid/sandbox.c
@@ -11,6 +11,8 @@
 #include <sched.h>
 #include <signal.h>
 #include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -21,8 +23,8 @@
 #include <sys/time.h>
 #include <sys/types.h>
 #include <unistd.h>
-#include <stdbool.h>
 
+#include "linux_util.h"
 #include "suid_unsafe_environment_variables.h"
 
 #if !defined(CLONE_NEWPID)
@@ -37,7 +39,7 @@ static const char kMsgChrootMe = 'C';
 static const char kMsgChrootSuccessful = 'O';
 
 static void FatalError(const char *msg, ...)
- __attribute__((noreturn, format(printf,1,2)));
+ __attribute__((noreturn, format(printf, 1, 2)));
 
 static void FatalError(const char *msg, ...) {
 va_list ap;
@@ -109,7 +111,7 @@ static int CloneChrootHelperProcess() {
 if (pid == 0) {
 // We share our files structure with an untrusted process. As a security in
 // depth measure, we make sure that we can't open anything by mistake.
- // TODO: drop CAP_SYS_RESOURCE / use SECURE_NOROOT
+ // TODO(agl): drop CAP_SYS_RESOURCE / use SECURE_NOROOT
 
 const struct rlimit nofile = {0, 0};
 if (setrlimit(RLIMIT_NOFILE, &nofile))
@@ -258,7 +260,6 @@ static bool DropRoot() {
 }
 
 static bool SetupChildEnvironment() {
- unsigned i;
 // ld.so may have cleared several environment variables because we are SUID.
@@ -291,6 +292,32 @@ int main(int argc, char **argv) {
 return 1;
 }
 
+ // In the SUID sandbox, if we succeed in calling MoveToNewPIDNamespace()
+ // below, then the zygote and all the renderers are in an alternate PID
+ // namespace and do not know their real PIDs. As such, they report the wrong
+ // PIDs to the task manager.
+ //
+ // To fix this, when the zygote spawns a new renderer, it gives the renderer
+ // a dummy socket, which has a unique inode number. Then it asks the sandbox
+ // host to find the PID of the process holding that fd by searching /proc.
+ //
+ // Since the zygote and renderers are all spawned by this setuid executable,
+ // their entries in /proc are owned by root and only readable by root. In
+ // order to search /proc for the fd we want, this setuid executable has to
+ // double as a helper and perform the search. The code block below does this
+ // when you call it with --find-inode INODE_NUMBER.
+ if (argc == 3 && (0 == strcmp(argv[1], kFindInodeSwitch))) {
+ pid_t pid;
+ char *endptr;
+ ino_t inode = strtoull(argv[2], &endptr, 10);
+ if (inode == ULLONG_MAX || *endptr)
+ return 1;
+ if (!FindProcessHoldingSocket(&pid, inode))
+ return 1;
+ printf("%d\n", pid);
+ return 0;
+ }
+
 if (!MoveToNewPIDNamespace())
 return 1;
 if (!SpawnChrootHelper())
diff --git a/sandbox/sandbox.gyp b/sandbox/sandbox.gyp
index 598de3f..260a794 100644
--- a/sandbox/sandbox.gyp
+++ b/sandbox/sandbox.gyp
@@ -10,8 +10,14 @@
 'target_name': 'chrome_sandbox',
 'type': 'executable',
 'sources': [
+ 'linux/suid/linux_util.c',
+ 'linux/suid/linux_util.h',
 'linux/suid/sandbox.c',
 ],
+ 'cflags': [
+ # For ULLONG_MAX
+ '-std=gnu99',
+ ],
 'include_dirs': [
 '..',
 ],
|
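Review bot: The overflow check in the new --find-inode block runs after the strtoull result has already been stored into `ino_t inode`, so on a build where ino_t is narrower than unsigned long long an out-of-range argument is truncated first and `inode == ULLONG_MAX` can never be true; an empty argv[2] also passes, since endptr then equals argv[2] and `*endptr` is 0, and the search proceeds for inode 0. Keep the comparison on the wide value and require a consumed digit: `const unsigned long long inode_ull = strtoull(argv[2], &endptr, 10);` then `if (endptr == argv[2] || *endptr || inode_ull == ULLONG_MAX) return 1;` then `const ino_t inode = inode_ull;`. Because this block runs with the setuid binary's privileges before any of the sandbox setup that follows, a one-line comment stating what bounds its output would help the next reader, e.g. `// Runs with elevated privileges; FindProcessHoldingSocket only reports processes whose /proc entry is owned by getuid().`. main() starts and ends outside this hunk.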