search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Blink roll 25b6bd3a7a131ffe68d809546ad1a20707915cdc:3a503f41ae42e5b79cfcd2ff10e65afde...
[chromium-blink-merge.git] / sandbox / linux / syscall_broker / broker_host.cc
blob29300f7e374359ec4038db80c46105de658aa60f
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/linux/syscall_broker/broker_host.h"
6
7 #include <fcntl.h>
8 #include <sys/socket.h>
9 #include <sys/stat.h>
10 #include <sys/syscall.h>
11 #include <sys/types.h>
12 #include <unistd.h>
13
14 #include <string>
15 #include <vector>
16
17 #include "base/files/scoped_file.h"
18 #include "base/logging.h"
19 #include "base/pickle.h"
20 #include "base/posix/eintr_wrapper.h"
21 #include "base/posix/unix_domain_socket_linux.h"
22 #include "base/third_party/valgrind/valgrind.h"
23 #include "sandbox/linux/services/linux_syscalls.h"
24 #include "sandbox/linux/syscall_broker/broker_common.h"
25 #include "sandbox/linux/syscall_broker/broker_policy.h"
26
27 namespace sandbox {
28
29 namespace syscall_broker {
30
31 namespace {
32
33 bool IsRunningOnValgrind() {
34 return RUNNING_ON_VALGRIND;
35 }
36
37 // A little open(2) wrapper to handle some oddities for us. In the general case
38 // make a direct system call since we want to keep in control of the broker
39 // process' system calls profile to be able to loosely sandbox it.
40 int sys_open(const char* pathname, int flags) {
41 // Always pass a defined |mode| in case flags mistakenly contains O_CREAT.
42 const int mode = 0;
43 if (IsRunningOnValgrind()) {
44 // Valgrind does not support AT_FDCWD, just use libc's open() in this case.
45 return open(pathname, flags, mode);
46 } else {
47 return syscall(__NR_openat, AT_FDCWD, pathname, flags, mode);
48 }
49 }
50
51 // Open |requested_filename| with |flags| if allowed by our policy.
52 // Write the syscall return value (-errno) to |write_pickle| and append
53 // a file descriptor to |opened_files| if relevant.
54 void OpenFileForIPC(const BrokerPolicy& policy,
55 const std::string& requested_filename,
56 int flags,
57 Pickle* write_pickle,
58 std::vector<int>* opened_files) {
59 DCHECK(write_pickle);
60 DCHECK(opened_files);
61 const char* file_to_open = NULL;
62 const bool safe_to_open_file = policy.GetFileNameIfAllowedToOpen(
63 requested_filename.c_str(), flags, &file_to_open);
64
65 if (safe_to_open_file) {
66 CHECK(file_to_open);
67 int opened_fd = sys_open(file_to_open, flags);
68 if (opened_fd < 0) {
69 write_pickle->WriteInt(-errno);
70 } else {
71 // Success.
72 opened_files->push_back(opened_fd);
73 write_pickle->WriteInt(0);
74 }
75 } else {
76 write_pickle->WriteInt(-policy.denied_errno());
77 }
78 }
79
80 // Perform access(2) on |requested_filename| with mode |mode| if allowed by our
81 // policy. Write the syscall return value (-errno) to |write_pickle|.
82 void AccessFileForIPC(const BrokerPolicy& policy,
83 const std::string& requested_filename,
84 int mode,
85 Pickle* write_pickle) {
86 DCHECK(write_pickle);
87 const char* file_to_access = NULL;
88 const bool safe_to_access_file = policy.GetFileNameIfAllowedToAccess(
89 requested_filename.c_str(), mode, &file_to_access);
90
91 if (safe_to_access_file) {
92 CHECK(file_to_access);
93 int access_ret = access(file_to_access, mode);
94 int access_errno = errno;
95 if (!access_ret)
96 write_pickle->WriteInt(0);
97 else
98 write_pickle->WriteInt(-access_errno);
99 } else {
100 write_pickle->WriteInt(-policy.denied_errno());
101 }
102 }
103
104 // Handle a |command_type| request contained in |read_pickle| and send the reply
105 // on |reply_ipc|.
106 // Currently COMMAND_OPEN and COMMAND_ACCESS are supported.
107 bool HandleRemoteCommand(const BrokerPolicy& policy,
108 IPCCommand command_type,
109 int reply_ipc,
110 const Pickle& read_pickle,
111 PickleIterator iter) {
112 // Currently all commands have two arguments: filename and flags.
113 std::string requested_filename;
114 int flags = 0;
115 if (!read_pickle.ReadString(&iter, &requested_filename) ||
116 !read_pickle.ReadInt(&iter, &flags)) {
117 return false;
118 }
119
120 Pickle write_pickle;
121 std::vector<int> opened_files;
122
123 switch (command_type) {
124 case COMMAND_ACCESS:
125 AccessFileForIPC(policy, requested_filename, flags, &write_pickle);
126 break;
127 case COMMAND_OPEN:
128 OpenFileForIPC(
129 policy, requested_filename, flags, &write_pickle, &opened_files);
130 break;
131 default:
132 LOG(ERROR) << "Invalid IPC command";
133 break;
134 }
135
136 CHECK_LE(write_pickle.size(), kMaxMessageLength);
137 ssize_t sent = UnixDomainSocket::SendMsg(
138 reply_ipc, write_pickle.data(), write_pickle.size(), opened_files);
139
140 // Close anything we have opened in this process.
141 for (std::vector<int>::iterator it = opened_files.begin();
142 it != opened_files.end();
143 ++it) {
144 int ret = IGNORE_EINTR(close(*it));
145 DCHECK(!ret) << "Could not close file descriptor";
146 }
147
148 if (sent <= 0) {
149 LOG(ERROR) << "Could not send IPC reply";
150 return false;
151 }
152 return true;
153 }
154
155 } // namespace
156
157 BrokerHost::BrokerHost(const BrokerPolicy& broker_policy,
158 BrokerChannel::EndPoint ipc_channel)
159 : broker_policy_(broker_policy), ipc_channel_(ipc_channel.Pass()) {
160 }
161
162 BrokerHost::~BrokerHost() {
163 }
164
165 // Handle a request on the IPC channel ipc_channel_.
166 // A request should have a file descriptor attached on which we will reply and
167 // that we will then close.
168 // A request should start with an int that will be used as the command type.
169 BrokerHost::RequestStatus BrokerHost::HandleRequest() const {
170 ScopedVector<base::ScopedFD> fds;
171 char buf[kMaxMessageLength];
172 errno = 0;
173 const ssize_t msg_len =
174 UnixDomainSocket::RecvMsg(ipc_channel_.get(), buf, sizeof(buf), &fds);
175
176 if (msg_len == 0 || (msg_len == -1 && errno == ECONNRESET)) {
177 // EOF from the client, or the client died, we should die.
178 return RequestStatus::LOST_CLIENT;
179 }
180
181 // The client should send exactly one file descriptor, on which we
182 // will write the reply.
183 // TODO(mdempsky): ScopedVector doesn't have 'at()', only 'operator[]'.
184 if (msg_len < 0 || fds.size() != 1 || fds[0]->get() < 0) {
185 PLOG(ERROR) << "Error reading message from the client";
186 return RequestStatus::FAILURE;
187 }
188
189 base::ScopedFD temporary_ipc(fds[0]->Pass());
190
191 Pickle pickle(buf, msg_len);
192 PickleIterator iter(pickle);
193 int command_type;
194 if (pickle.ReadInt(&iter, &command_type)) {
195 bool command_handled = false;
196 // Go through all the possible IPC messages.
197 switch (command_type) {
198 case COMMAND_ACCESS:
199 case COMMAND_OPEN:
200 // We reply on the file descriptor sent to us via the IPC channel.
201 command_handled = HandleRemoteCommand(
202 broker_policy_, static_cast<IPCCommand>(command_type),
203 temporary_ipc.get(), pickle, iter);
204 break;
205 default:
206 NOTREACHED();
207 break;
208 }
209
210 if (command_handled) {
211 return RequestStatus::SUCCESS;
212 } else {
213 return RequestStatus::FAILURE;
214 }
215
216 NOTREACHED();
217 }
218
219 LOG(ERROR) << "Error parsing IPC request";
220 return RequestStatus::FAILURE;
221 }
222
223 } // namespace syscall_broker
224
225 } // namespace sandbox