content/common/sandbox_linux.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef CONTENT_COMMON_SANDBOX_LINUX_H_
   6 #define CONTENT_COMMON_SANDBOX_LINUX_H_
   7
   8 #include <string>
   9
  10 #include "base/basictypes.h"
  11 #include "base/memory/scoped_ptr.h"
  12 #include "content/public/common/sandbox_linux.h"
  13
  14 template <typename T> struct DefaultSingletonTraits;
  15 namespace sandbox { class SetuidSandboxClient; }
  16
  17 namespace content {
  18
  19 // A singleton class to represent and change our sandboxing state for the
  20 // three main Linux sandboxes.
  21 class LinuxSandbox {
  22  public:
  23   // This is a list of sandbox IPC methods which the renderer may send to the
  24   // sandbox host. See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC
  25   // This isn't the full list, values < 32 are reserved for methods called from
  26   // Skia.
  27   enum LinuxSandboxIPCMethods {
  28     METHOD_GET_FONT_FAMILY_FOR_CHARS = 32,
  29     METHOD_LOCALTIME = 33,
  30     METHOD_GET_CHILD_WITH_INODE = 34,
  31     METHOD_GET_STYLE_FOR_STRIKE = 35,
  32     METHOD_MAKE_SHARED_MEMORY_SEGMENT = 36,
  33     METHOD_MATCH_WITH_FALLBACK = 37,
  34   };
  35
  36   // Get our singleton instance.
  37   static LinuxSandbox* GetInstance();
  38
  39   // Do some initialization that can only be done before any of the sandboxes
  40   // is enabled.
  41   //
  42   // There are two versions of this function. One takes a process_type
  43   // as an argument, the other doesn't.
  44   // It may be necessary to call PreinitializeSandboxBegin before knowing the
  45   // process type (this is for instance the case with the Zygote).
  46   // In that case, it is crucial that PreinitializeSandboxFinish() gets
  47   // called for every child process.
  48   // TODO(markus, jln) we know this is not always done at the moment
  49   // (crbug.com/139877).
  50   void PreinitializeSandbox(const std::string& process_type);
  51   // These should be called together.
  52   void PreinitializeSandboxBegin();
  53   void PreinitializeSandboxFinish(const std::string& process_type);
  54
  55   // Returns the Status of the sandbox. Can only be queried if we went through
  56   // PreinitializeSandbox() or PreinitializeSandboxBegin(). This is a bitmask
  57   // and uses the constants defined in "enum LinuxSandboxStatus".
  58   // Since we need to provide the status before the sandboxes are actually
  59   // started, this returns what will actually happen once the various Start*
  60   // functions are called from inside a renderer.
  61   int GetStatus() const;
  62   // Is the current process single threaded?
  63   bool IsSingleThreaded() const;
  64   // Did we start Seccomp BPF?
  65   bool seccomp_bpf_started() const;
  66
  67   // Simple accessor for our instance of the setuid sandbox. Will never return
  68   // NULL.
  69   // There is no StartSetuidSandbox(), the SetuidSandboxClient instance should
  70   // be used directly.
  71   sandbox::SetuidSandboxClient* setuid_sandbox_client() const;
  72
  73   // Check the policy and eventually start the seccomp-legacy sandbox.
  74   bool StartSeccompLegacy(const std::string& process_type);
  75   // Check the policy and eventually start the seccomp-bpf sandbox. This should
  76   // never be called with threads started. If we detect that thread have
  77   // started we will crash.
  78   bool StartSeccompBpf(const std::string& process_type);
  79
  80   // Limit the address space of the current process (and its children).
  81   // to make some vulnerabilities harder to exploit.
  82   bool LimitAddressSpace(const std::string& process_type);
  83
  84  private:
  85   friend struct DefaultSingletonTraits<LinuxSandbox>;
  86
  87   // We must have been pre_initialized_ before using either of these.
  88   bool seccomp_legacy_supported() const;
  89   bool seccomp_bpf_supported() const;
  90
  91   int proc_fd_;
  92   bool seccomp_bpf_started_;
  93   // Have we been through PreinitializeSandbox or PreinitializeSandboxBegin?
  94   bool pre_initialized_;
  95   bool seccomp_legacy_supported_;  // Accurate if pre_initialized_.
  96   bool seccomp_bpf_supported_;  // Accurate if pre_initialized_.
  97   scoped_ptr<sandbox::SetuidSandboxClient> setuid_sandbox_client_;
  98
  99   ~LinuxSandbox();
 100   DISALLOW_IMPLICIT_CONSTRUCTORS(LinuxSandbox);
 101 };
 102
 103 }  // namespace content
 104
 105 #endif  // CONTENT_COMMON_SANDBOX_LINUX_H_
 106