1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
|
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h"
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include "base/basictypes.h"
#include "base/callback.h"
#include "base/command_line.h"
#include "base/compiler_specific.h"
#include "base/files/scoped_file.h"
#include "base/logging.h"
#include "base/memory/scoped_ptr.h"
#include "base/posix/eintr_wrapper.h"
#include "build/build_config.h"
#include "components/nacl/common/nacl_switches.h"
#include "components/nacl/loader/nonsfi/nonsfi_sandbox.h"
#include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h"
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
#include "sandbox/linux/services/proc_util.h"
#include "sandbox/linux/services/thread_helpers.h"
#include "sandbox/linux/suid/client/setuid_sandbox_client.h"
namespace nacl {
namespace {
// This is a poor man's check on whether we are sandboxed.
bool IsSandboxed() {
int proc_fd = open("/proc/self/exe", O_RDONLY);
if (proc_fd >= 0) {
PCHECK(0 == IGNORE_EINTR(close(proc_fd)));
return false;
}
return true;
}
// Open a new file descriptor to /proc/self/task/ by using
// |proc_fd|.
base::ScopedFD GetProcSelfTask(int proc_fd) {
base::ScopedFD proc_self_task(HANDLE_EINTR(
openat(proc_fd, "self/task/", O_RDONLY | O_DIRECTORY | O_CLOEXEC)));
PCHECK(proc_self_task.is_valid());
return proc_self_task.Pass();
}
} // namespace
NaClSandbox::NaClSandbox()
: layer_one_enabled_(false),
layer_one_sealed_(false),
layer_two_enabled_(false),
layer_two_is_nonsfi_(false),
proc_fd_(-1),
setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) {
proc_fd_.reset(
HANDLE_EINTR(open("/proc", O_DIRECTORY | O_RDONLY | O_CLOEXEC)));
PCHECK(proc_fd_.is_valid());
}
NaClSandbox::~NaClSandbox() {
}
bool NaClSandbox::IsSingleThreaded() {
CHECK(proc_fd_.is_valid());
base::ScopedFD proc_self_task(GetProcSelfTask(proc_fd_.get()));
return sandbox::ThreadHelpers::IsSingleThreaded(proc_self_task.get());
}
bool NaClSandbox::HasOpenDirectory() {
CHECK(proc_fd_.is_valid());
return sandbox::ProcUtil::HasOpenDirectory(proc_fd_.get());
}
void NaClSandbox::InitializeLayerOneSandbox() {
// Check that IsSandboxed() works. We should not be sandboxed at this point.
CHECK(!IsSandboxed()) << "Unexpectedly sandboxed!";
if (setuid_sandbox_client_->IsSuidSandboxChild()) {
setuid_sandbox_client_->CloseDummyFile();
// Make sure that no directory file descriptor is open, as it would bypass
// the setuid sandbox model.
CHECK(!HasOpenDirectory());
// Get sandboxed.
CHECK(setuid_sandbox_client_->ChrootMe());
CHECK(IsSandboxed());
layer_one_enabled_ = true;
}
}
void NaClSandbox::CheckForExpectedNumberOfOpenFds() {
if (setuid_sandbox_client_->IsSuidSandboxChild()) {
// We expect to have the following FDs open:
// 1-3) stdin, stdout, stderr.
// 4) The /dev/urandom FD used by base::GetUrandomFD().
// 5) A dummy pipe FD used to overwrite kSandboxIPCChannel.
// 6) The socket created by the SUID sandbox helper, used by ChrootMe().
// After ChrootMe(), this is no longer connected to anything.
// (Only present when running under the SUID sandbox.)
// 7) The socket for the Chrome IPC channel that's connected to the
// browser process, kPrimaryIPCChannel.
//
// This sanity check ensures that dynamically loaded libraries don't
// leave any FDs open before we enable the sandbox.
CHECK_EQ(7, sandbox::ProcUtil::CountOpenFds(proc_fd_.get()));
}
}
void NaClSandbox::InitializeLayerTwoSandbox(bool uses_nonsfi_mode) {
// seccomp-bpf only applies to the current thread, so it's critical to only
// have a single thread running here.
DCHECK(!layer_one_sealed_);
CHECK(IsSingleThreaded());
CheckForExpectedNumberOfOpenFds();
base::ScopedFD proc_self_task(GetProcSelfTask(proc_fd_.get()));
if (uses_nonsfi_mode) {
layer_two_enabled_ =
nacl::nonsfi::InitializeBPFSandbox(proc_self_task.Pass());
layer_two_is_nonsfi_ = true;
} else {
layer_two_enabled_ = nacl::InitializeBPFSandbox(proc_self_task.Pass());
}
}
void NaClSandbox::SealLayerOneSandbox() {
if (!layer_two_enabled_) {
// If nothing prevents us, check that there is no superfluous directory
// open.
CHECK(!HasOpenDirectory());
}
proc_fd_.reset();
layer_one_sealed_ = true;
}
void NaClSandbox::CheckSandboxingStateWithPolicy() {
static const char kItIsDangerousMsg[] = " this is dangerous.";
static const char kItIsNotAllowedMsg[] =
" this is not allowed in this configuration.";
const bool no_sandbox_for_nonsfi_ok =
base::CommandLine::ForCurrentProcess()->HasSwitch(
switches::kNaClDangerousNoSandboxNonSfi);
const bool can_be_no_sandbox =
!layer_two_is_nonsfi_ || no_sandbox_for_nonsfi_ok;
if (!layer_one_enabled_ || !layer_one_sealed_) {
static const char kNoSuidMsg[] =
"The SUID sandbox is not engaged for NaCl:";
if (can_be_no_sandbox)
LOG(ERROR) << kNoSuidMsg << kItIsDangerousMsg;
else
LOG(FATAL) << kNoSuidMsg << kItIsNotAllowedMsg;
}
if (!layer_two_enabled_) {
static const char kNoBpfMsg[] =
"The seccomp-bpf sandbox is not engaged for NaCl:";
if (can_be_no_sandbox)
LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg;
else
LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg;
}
}
} // namespace nacl
|
