authorjln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-04-05 00:46:49 +0000
committerjln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-04-05 00:46:49 +0000
commit356b4c3386a3781904ce254a229d92e6fa0b41a3 (patch)
tree68678f1c7818c0c903cfd07026173b7dab1d0587 /sandbox
parent7a3fa417a1f77493b00ec35264b5c1a5c91d335a (diff)
Linux sandbox: componentize almost everything.
Componentize seccomp_bpf_helpers, sandbox_services and suid_sandbox_client. libc_urandom_override is special since it uses weak-symbol hackery. BUG=360124 R=mdempsky@chromium.org TBR=jln Review URL: https://codereview.chromium.org/226083005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@261945 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox')
-rw-r--r--sandbox/linux/sandbox_linux.gypi17
-rw-r--r--sandbox/linux/seccomp-bpf-helpers/baseline_policy.h3
-rw-r--r--sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h13
-rw-r--r--sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h18
-rw-r--r--sandbox/linux/seccomp-bpf-helpers/syscall_sets.h3
-rw-r--r--sandbox/linux/services/broker_process.h3
-rw-r--r--sandbox/linux/services/credentials.h3
-rw-r--r--sandbox/linux/services/init_process_reaper.h4
-rw-r--r--sandbox/linux/services/scoped_process.h3
-rw-r--r--sandbox/linux/services/thread_helpers.h3
-rw-r--r--sandbox/linux/services/yama.h3
-rw-r--r--sandbox/linux/suid/client/setuid_sandbox_client.h3
12 files changed, 52 insertions, 24 deletions
diff --git a/sandbox/linux/sandbox_linux.gypi b/sandbox/linux/sandbox_linux.gypi
index 48d1f54..75f37c9 100644
--- a/sandbox/linux/sandbox_linux.gypi
+++ b/sandbox/linux/sandbox_linux.gypi
@@ -119,7 +119,7 @@
},
{
'target_name': 'seccomp_bpf_helpers',
- 'type': 'static_library',
+ 'type': '<(component)',
'sources': [
'seccomp-bpf-helpers/baseline_policy.cc',
'seccomp-bpf-helpers/baseline_policy.h',
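Review bot: Changing the target type to `<(component)` turns every SANDBOX_EXPORT symbol in the helper headers into the public ABI of a shared object, where before they were internal to a static library. That is only acceptable if, as the `<(component)` variable convention suggests, non-component (release) builds still resolve to `static_library`, so that no shipping binary carries a dynamically linked sandbox library with a wider symbol surface. A one-line comment on the target would pin that intent for the next refactor, e.g. `# Shared only in component builds; release builds must stay static.`. The target definition continues outside the hunk.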
@@ -131,6 +131,11 @@
'seccomp-bpf-helpers/syscall_sets.h',
],
'dependencies': [
+ '../base/base.gyp:base',
+ 'seccomp_bpf',
+ ],
+ 'defines': [
+ 'SANDBOX_IMPLEMENTATION',
],
'include_dirs': [
'../..',
@@ -178,7 +183,7 @@
],
},
{ 'target_name': 'sandbox_services',
- 'type': 'static_library',
+ 'type': '<(component)',
'sources': [
'services/broker_process.cc',
'services/broker_process.h',
@@ -194,6 +199,9 @@
'dependencies': [
'../base/base.gyp:base',
],
+ 'defines': [
+ 'SANDBOX_IMPLEMENTATION',
+ ],
'conditions': [
['compile_credentials==1', {
'sources': [
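Review bot: The `compile_credentials==1` condition at the bottom of this hunk suggests credentials.cc is compiled only in some configurations, yet `Credentials` in credentials.h is now marked SANDBOX_EXPORT unconditionally. If that reading is right, a caller in another component would hit an unresolved symbol at link time in configurations where the source is excluded, which is a worse failure mode than a static-library build where the reference simply goes unused. Either guard the export the same way or document on the class that its definition exists only when compile_credentials is set. The conditions block continues outside the hunk.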
@@ -243,13 +251,16 @@
},
{
'target_name': 'suid_sandbox_client',
- 'type': 'static_library',
+ 'type': '<(component)',
'sources': [
'suid/common/sandbox.h',
'suid/common/suid_unsafe_environment_variables.h',
'suid/client/setuid_sandbox_client.cc',
'suid/client/setuid_sandbox_client.h',
],
+ 'defines': [
+ 'SANDBOX_IMPLEMENTATION',
+ ],
'dependencies': [
'../base/base.gyp:base',
'sandbox_services',
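Review bot: The setuid helper binary itself is not part of this diff, so this is a guard rail rather than a defect: making suid_sandbox_client a `<(component)` is fine for the unprivileged client side, but the setuid-root helper must never link against this or any other component, because a setuid executable resolving shared objects out of a user-writable build directory is a privilege-escalation hazard. Stating that constraint on the target would keep a later "componentize the rest" change from crossing the line, e.g. `# Client side only; the setuid helper must stay fully static.`. The target definition continues outside the hunk.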
diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h
index 1dfd137..f1e4bb9 100644
--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h
@@ -5,6 +5,7 @@
#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BASELINE_POLICY_H_
#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BASELINE_POLICY_H_
+#include "sandbox/linux/sandbox_export.h"
#include "sandbox/linux/seccomp-bpf/errorcode.h"
#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
@@ -22,7 +23,7 @@ class SandboxBPFPolicy;
// The "baseline" policy is somewhat arbitrary. All Chromium policies are an
// alteration of it, and it represents a reasonable common ground to run most
// code in a sandboxed environment.
-class BaselinePolicy : public SandboxBPFPolicy {
+class SANDBOX_EXPORT BaselinePolicy : public SandboxBPFPolicy {
public:
BaselinePolicy();
// |fs_denied_errno| is the errno returned when a filesystem access system
diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
index 3bf5c16..0bada37 100644
--- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
+++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
@@ -7,6 +7,7 @@
#include "base/basictypes.h"
#include "build/build_config.h"
+#include "sandbox/linux/sandbox_export.h"
// The handlers are suitable for use in Trap() error codes. They are
// guaranteed to be async-signal safe.
@@ -19,20 +20,24 @@ struct arch_seccomp_data;
// This handler will crash the currently running process. The crashing address
// will be the number of the current system call, extracted from |args|.
// This handler will also print to stderr the number of the crashing syscall.
-intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux);
+SANDBOX_EXPORT intptr_t
+ CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux);
// The following three handlers are suitable to report failures with the
// clone(), prctl() and ioctl() system calls respectively.
// The crashing address will be (clone_flags & 0xFFFFFF), where clone_flags is
// the clone(2) argument, extracted from |args|.
-intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux);
+SANDBOX_EXPORT intptr_t
+ SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux);
// The crashing address will be (option & 0xFFF), where option is the prctl(2)
// argument.
-intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args, void* aux);
+SANDBOX_EXPORT intptr_t
+ SIGSYSPrctlFailure(const struct arch_seccomp_data& args, void* aux);
// The crashing address will be request & 0xFFFF, where request is the ioctl(2)
// argument.
-intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args, void* aux);
+SANDBOX_EXPORT intptr_t
+ SIGSYSIoctlFailure(const struct arch_seccomp_data& args, void* aux);
} // namespace sandbox.
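Review bot: The header promises these handlers are async-signal-safe, but once they are exported from a shared component their callees that live in other components (this library now depends on seccomp_bpf and base) may be reached through the PLT, and lazy symbol binding on the first call from inside a SIGSYS handler is not async-signal-safe. Worth confirming that component builds link with immediate binding or that every dependency of the handlers is resolved before the sandbox is engaged, and recording the condition next to the guarantee, e.g. `// In component builds the guarantee holds only if no lazy symbol binding can occur on first use.`.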
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
index 65b7c47..aa1e0d1 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
@@ -6,10 +6,11 @@
#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
#include "build/build_config.h"
+#include "sandbox/linux/sandbox_export.h"
// These are helpers to build seccomp-bpf policies, i.e. policies for a
// sandbox that reduces the Linux kernel's attack surface. They return an
-// ErrorCode suitable to restrict certain system call parameters.
+// SANDBOX_EXPORT ErrorCode suitable to restrict certain system call parameters.
namespace sandbox {
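Review bot: The export macro leaked into prose on the comment line `// SANDBOX_EXPORT ErrorCode suitable to restrict certain system call parameters.`; a search-and-replace should not have touched a comment. Restore the original sentence, `// ErrorCode suitable to restrict certain system call parameters.`, so the file header still reads as documentation.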
@@ -20,37 +21,38 @@ class SandboxBPF;
// Reject fork(2) attempts with EPERM.
// Don't restrict on ASAN.
// Crash if anything else is attempted.
-ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox);
+SANDBOX_EXPORT ErrorCode
+ RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox);
// Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE.
// Crash if anything else is attempted.
-ErrorCode RestrictPrctl(SandboxBPF* sandbox);
+SANDBOX_EXPORT ErrorCode RestrictPrctl(SandboxBPF* sandbox);
// Allow TCGETS and FIONREAD.
// Crash if anything else is attempted.
-ErrorCode RestrictIoctl(SandboxBPF* sandbox);
+SANDBOX_EXPORT ErrorCode RestrictIoctl(SandboxBPF* sandbox);
// Restrict the flags argument in mmap(2).
// Only allow: MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
// MAP_STACK | MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE.
// Crash if any other flag is used.
-ErrorCode RestrictMmapFlags(SandboxBPF* sandbox);
+SANDBOX_EXPORT ErrorCode RestrictMmapFlags(SandboxBPF* sandbox);
// Restrict the prot argument in mprotect(2).
// Only allow: PROT_READ | PROT_WRITE | PROT_EXEC.
-ErrorCode RestrictMprotectFlags(SandboxBPF* sandbox);
+SANDBOX_EXPORT ErrorCode RestrictMprotectFlags(SandboxBPF* sandbox);
// Restrict fcntl(2) cmd argument to:
// We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC,
// F_SETLK, F_SETLKW and F_GETLK.
// Also, in F_SETFL, restrict the allowed flags to: O_ACCMODE | O_APPEND |
// O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME.
-ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox);
+SANDBOX_EXPORT ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox);
#if defined(__i386__)
// Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2),
// sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2).
-ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox);
+SANDBOX_EXPORT ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox);
#endif
} // namespace sandbox.
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h
index d2cf1a1..dc92681 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h
@@ -7,6 +7,7 @@
#include "base/basictypes.h"
#include "build/build_config.h"
+#include "sandbox/linux/sandbox_export.h"
// These are helpers to build seccomp-bpf policies, i.e. policies for a
// sandbox that reduces the Linux kernel's attack surface. Given their
@@ -15,7 +16,7 @@
namespace sandbox {
-class SyscallSets {
+class SANDBOX_EXPORT SyscallSets {
public:
static bool IsKill(int sysno);
static bool IsAllowedGettime(int sysno);
diff --git a/sandbox/linux/services/broker_process.h b/sandbox/linux/services/broker_process.h
index 84de396..b312b8f6 100644
--- a/sandbox/linux/services/broker_process.h
+++ b/sandbox/linux/services/broker_process.h
@@ -12,6 +12,7 @@
#include "base/callback_forward.h"
#include "base/pickle.h"
#include "base/process/process.h"
+#include "sandbox/linux/sandbox_export.h"
namespace sandbox {
@@ -25,7 +26,7 @@ namespace sandbox {
// 2. CHECK(open_broker.Init(NULL));
// 3. Enable sandbox.
// 4. Use open_broker.Open() to open files.
-class BrokerProcess {
+class SANDBOX_EXPORT BrokerProcess {
public:
// |denied_errno| is the error code returned when methods such as Open()
// or Access() are invoked on a file which is not in the whitelist. EACCESS
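Review bot: The context line directly under the newly exported class reads `EACCESS`, but the errno constant is spelled `EACCES`; since this hunk already touches the declaration, it is a good moment to correct the comment, `// or Access() are invoked on a file which is not in the whitelist. EACCES`. The constructor comment and the class body continue outside the hunk.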
diff --git a/sandbox/linux/services/credentials.h b/sandbox/linux/services/credentials.h
index 48cf259..75eb5c4 100644
--- a/sandbox/linux/services/credentials.h
+++ b/sandbox/linux/services/credentials.h
@@ -15,13 +15,14 @@
#include "base/basictypes.h"
#include "base/memory/scoped_ptr.h"
+#include "sandbox/linux/sandbox_export.h"
namespace sandbox {
// This class should be used to manipulate the current process' credentials.
// It is currently a stub used to manipulate POSIX.1e capabilities as
// implemented by the Linux kernel.
-class Credentials {
+class SANDBOX_EXPORT Credentials {
public:
Credentials();
~Credentials();
diff --git a/sandbox/linux/services/init_process_reaper.h b/sandbox/linux/services/init_process_reaper.h
index 531d18c..7c9eab4 100644
--- a/sandbox/linux/services/init_process_reaper.h
+++ b/sandbox/linux/services/init_process_reaper.h
@@ -6,6 +6,7 @@
#define SANDBOX_LINUX_SERVICES_INIT_PROCESS_REAPER_H_
#include "base/callback_forward.h"
+#include "sandbox/linux/sandbox_export.h"
namespace sandbox {
@@ -16,7 +17,8 @@ namespace sandbox {
// immediately after fork().
// Since this function calls fork(), it's very important that the caller has
// only one thread running.
-bool CreateInitProcessReaper(base::Closure* post_fork_parent_callback);
+SANDBOX_EXPORT bool CreateInitProcessReaper(
+ base::Closure* post_fork_parent_callback);
} // namespace sandbox.
diff --git a/sandbox/linux/services/scoped_process.h b/sandbox/linux/services/scoped_process.h
index d9f8b25..61da80a 100644
--- a/sandbox/linux/services/scoped_process.h
+++ b/sandbox/linux/services/scoped_process.h
@@ -8,6 +8,7 @@
#include "base/basictypes.h"
#include "base/callback_forward.h"
#include "base/process/process_handle.h"
+#include "sandbox/linux/sandbox_export.h"
namespace sandbox {
@@ -18,7 +19,7 @@ namespace sandbox {
// destroy it.
// This class cannot be instanciated from a multi-threaded process, as it needs
// to fork().
-class ScopedProcess {
+class SANDBOX_EXPORT ScopedProcess {
public:
// A new process will be created and |child_callback| will run in the child
// process. This callback is allowed to terminate the process or to simply
diff --git a/sandbox/linux/services/thread_helpers.h b/sandbox/linux/services/thread_helpers.h
index f1b9327..d3ae038 100644
--- a/sandbox/linux/services/thread_helpers.h
+++ b/sandbox/linux/services/thread_helpers.h
@@ -6,12 +6,13 @@
#define SANDBOX_LINUX_SERVICES_THREAD_HELPERS_H_
#include "base/basictypes.h"
+#include "sandbox/linux/sandbox_export.h"
namespace base { class Thread; }
namespace sandbox {
-class ThreadHelpers {
+class SANDBOX_EXPORT ThreadHelpers {
public:
// Check whether the current process is single threaded. |proc_self_tasks|
// can be a file descriptor to /proc/self/task/ and remains owned by the
diff --git a/sandbox/linux/services/yama.h b/sandbox/linux/services/yama.h
index 236b74c..8677c2f 100644
--- a/sandbox/linux/services/yama.h
+++ b/sandbox/linux/services/yama.h
@@ -7,13 +7,14 @@
#include "base/basictypes.h"
#include "base/process/process_handle.h"
+#include "sandbox/linux/sandbox_export.h"
namespace sandbox {
// Yama is a LSM kernel module which can restrict ptrace().
// This class provides ways to detect if Yama is present and enabled
// and to restrict which processes can ptrace the current process.
-class Yama {
+class SANDBOX_EXPORT Yama {
public:
// This enum should be used to set or check a bitmask.
// A value of 0 would indicate that the status is not known.
diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.h b/sandbox/linux/suid/client/setuid_sandbox_client.h
index 5a6724d..0f6db7a 100644
--- a/sandbox/linux/suid/client/setuid_sandbox_client.h
+++ b/sandbox/linux/suid/client/setuid_sandbox_client.h
@@ -7,6 +7,7 @@
#include "base/basictypes.h"
#include "base/callback_forward.h"
+#include "sandbox/linux/sandbox_export.h"
namespace base { class Environment; }
@@ -21,7 +22,7 @@ namespace sandbox {
// 2. The browser launches a renderer through the setuid sandbox.
// 3. The renderer requests being chroot-ed through ChrootMe() and
// requests other sandboxing status via the status functions.
-class SetuidSandboxClient {
+class SANDBOX_EXPORT SetuidSandboxClient {
public:
// All instantation should go through this factory method.
static class SetuidSandboxClient* Create();