search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
We started redesigning GpuMemoryBuffer interface to handle multiple buffers [0].
[chromium-blink-merge.git] / content / common / sandbox_linux / sandbox_linux.cc
blob5eee4e1d6c14d47e785a0ac42e4c8a77a93d6383
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <dirent.h>
6 #include <fcntl.h>
7 #include <sys/resource.h>
8 #include <sys/stat.h>
9 #include <sys/time.h>
10 #include <sys/types.h>
11 #include <unistd.h>
12
13 #include <limits>
14 #include <string>
15 #include <vector>
16
17 #include "base/bind.h"
18 #include "base/callback_helpers.h"
19 #include "base/command_line.h"
20 #include "base/debug/stack_trace.h"
21 #include "base/files/scoped_file.h"
22 #include "base/logging.h"
23 #include "base/macros.h"
24 #include "base/memory/scoped_ptr.h"
25 #include "base/memory/singleton.h"
26 #include "base/posix/eintr_wrapper.h"
27 #include "base/strings/string_number_conversions.h"
28 #include "base/sys_info.h"
29 #include "base/time/time.h"
30 #include "build/build_config.h"
31 #include "content/common/sandbox_linux/sandbox_debug_handling_linux.h"
32 #include "content/common/sandbox_linux/sandbox_linux.h"
33 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h"
34 #include "content/public/common/content_switches.h"
35 #include "content/public/common/sandbox_linux.h"
36 #include "sandbox/linux/services/credentials.h"
37 #include "sandbox/linux/services/namespace_sandbox.h"
38 #include "sandbox/linux/services/proc_util.h"
39 #include "sandbox/linux/services/resource_limits.h"
40 #include "sandbox/linux/services/thread_helpers.h"
41 #include "sandbox/linux/services/yama.h"
42 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
43
44 #if defined(ANY_OF_AMTLU_SANITIZER)
45 #include <sanitizer/common_interface_defs.h>
46 #endif
47
48 using sandbox::Yama;
49
50 namespace {
51
52 struct FDCloser {
53 inline void operator()(int* fd) const {
54 DCHECK(fd);
55 PCHECK(0 == IGNORE_EINTR(close(*fd)));
56 *fd = -1;
57 }
58 };
59
60 void LogSandboxStarted(const std::string& sandbox_name) {
61 const base::CommandLine& command_line =
62 *base::CommandLine::ForCurrentProcess();
63 const std::string process_type =
64 command_line.GetSwitchValueASCII(switches::kProcessType);
65 const std::string activated_sandbox =
66 "Activated " + sandbox_name + " sandbox for process type: " +
67 process_type + ".";
68 VLOG(1) << activated_sandbox;
69 }
70
71 bool IsRunningTSAN() {
72 #if defined(THREAD_SANITIZER)
73 return true;
74 #else
75 return false;
76 #endif
77 }
78
79 // Get a file descriptor to /proc. Either duplicate |proc_fd| or try to open
80 // it by using the filesystem directly.
81 // TODO(jln): get rid of this ugly interface.
82 base::ScopedFD OpenProc(int proc_fd) {
83 int ret_proc_fd = -1;
84 if (proc_fd >= 0) {
85 // If a handle to /proc is available, use it. This allows to bypass file
86 // system restrictions.
87 ret_proc_fd =
88 HANDLE_EINTR(openat(proc_fd, ".", O_RDONLY | O_DIRECTORY | O_CLOEXEC));
89 } else {
90 // Otherwise, make an attempt to access the file system directly.
91 ret_proc_fd = HANDLE_EINTR(
92 openat(AT_FDCWD, "/proc/", O_RDONLY | O_DIRECTORY | O_CLOEXEC));
93 }
94 DCHECK_LE(0, ret_proc_fd);
95 return base::ScopedFD(ret_proc_fd);
96 }
97
98 } // namespace
99
100 namespace content {
101
102 LinuxSandbox::LinuxSandbox()
103 : proc_fd_(-1),
104 seccomp_bpf_started_(false),
105 sandbox_status_flags_(kSandboxLinuxInvalid),
106 pre_initialized_(false),
107 seccomp_bpf_supported_(false),
108 seccomp_bpf_with_tsync_supported_(false),
109 yama_is_enforcing_(false),
110 initialize_sandbox_ran_(false),
111 setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) {
112 if (setuid_sandbox_client_ == NULL) {
113 LOG(FATAL) << "Failed to instantiate the setuid sandbox client.";
114 }
115 #if defined(ANY_OF_AMTLU_SANITIZER)
116 sanitizer_args_ = make_scoped_ptr(new __sanitizer_sandbox_arguments);
117 *sanitizer_args_ = {0};
118 #endif
119 }
120
121 LinuxSandbox::~LinuxSandbox() {
122 if (pre_initialized_) {
123 CHECK(initialize_sandbox_ran_);
124 }
125 }
126
127 LinuxSandbox* LinuxSandbox::GetInstance() {
128 LinuxSandbox* instance = Singleton<LinuxSandbox>::get();
129 CHECK(instance);
130 return instance;
131 }
132
133 void LinuxSandbox::PreinitializeSandbox() {
134 CHECK(!pre_initialized_);
135 seccomp_bpf_supported_ = false;
136 #if defined(ANY_OF_AMTLU_SANITIZER)
137 // Sanitizers need to open some resources before the sandbox is enabled.
138 // This should not fork, not launch threads, not open a directory.
139 __sanitizer_sandbox_on_notify(sanitizer_args());
140 sanitizer_args_.reset();
141 #endif
142
143 #if !defined(NDEBUG)
144 // The in-process stack dumping needs to open /proc/self/maps and cache
145 // its contents before the sandbox is enabled. It also pre-opens the
146 // object files that are already loaded in the process address space.
147 base::debug::EnableInProcessStackDumpingForSandbox();
148 #endif // !defined(NDEBUG)
149
150 // Open proc_fd_. It would break the security of the setuid sandbox if it was
151 // not closed.
152 // If LinuxSandbox::PreinitializeSandbox() runs, InitializeSandbox() must run
153 // as well.
154 proc_fd_ = HANDLE_EINTR(open("/proc", O_DIRECTORY | O_RDONLY | O_CLOEXEC));
155 CHECK_GE(proc_fd_, 0);
156 // We "pre-warm" the code that detects supports for seccomp BPF.
157 if (SandboxSeccompBPF::IsSeccompBPFDesired()) {
158 if (!SandboxSeccompBPF::SupportsSandbox()) {
159 VLOG(1) << "Lacking support for seccomp-bpf sandbox.";
160 } else {
161 seccomp_bpf_supported_ = true;
162 }
163
164 if (SandboxSeccompBPF::SupportsSandboxWithTsync()) {
165 seccomp_bpf_with_tsync_supported_ = true;
166 }
167 }
168
169 // Yama is a "global", system-level status. We assume it will not regress
170 // after startup.
171 const int yama_status = Yama::GetStatus();
172 yama_is_enforcing_ = (yama_status & Yama::STATUS_PRESENT) &&
173 (yama_status & Yama::STATUS_ENFORCING);
174 pre_initialized_ = true;
175 }
176
177 void LinuxSandbox::EngageNamespaceSandbox() {
178 CHECK(pre_initialized_);
179 // Check being in a new PID namespace created by the namespace sandbox and
180 // being the init process.
181 CHECK(sandbox::NamespaceSandbox::InNewPidNamespace());
182 const pid_t pid = getpid();
183 CHECK_EQ(1, pid);
184
185 CHECK(sandbox::Credentials::MoveToNewUserNS());
186 // Note: this requires SealSandbox() to be called later in this process to be
187 // safe, as this class is keeping a file descriptor to /proc/.
188 CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_));
189 CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd_));
190
191 // This needs to happen after moving to a new user NS, since doing so involves
192 // writing the UID/GID map.
193 CHECK(SandboxDebugHandling::SetDumpableStatusAndHandlers());
194 }
195
196 std::vector<int> LinuxSandbox::GetFileDescriptorsToClose() {
197 std::vector<int> fds;
198 if (proc_fd_ >= 0) {
199 fds.push_back(proc_fd_);
200 }
201 return fds;
202 }
203
204 bool LinuxSandbox::InitializeSandbox() {
205 LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
206 return linux_sandbox->InitializeSandboxImpl();
207 }
208
209 void LinuxSandbox::StopThread(base::Thread* thread) {
210 LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
211 linux_sandbox->StopThreadImpl(thread);
212 }
213
214 int LinuxSandbox::GetStatus() {
215 if (!pre_initialized_) {
216 return 0;
217 }
218 if (kSandboxLinuxInvalid == sandbox_status_flags_) {
219 // Initialize sandbox_status_flags_.
220 sandbox_status_flags_ = 0;
221 if (setuid_sandbox_client_->IsSandboxed()) {
222 sandbox_status_flags_ |= kSandboxLinuxSUID;
223 if (setuid_sandbox_client_->IsInNewPIDNamespace())
224 sandbox_status_flags_ |= kSandboxLinuxPIDNS;
225 if (setuid_sandbox_client_->IsInNewNETNamespace())
226 sandbox_status_flags_ |= kSandboxLinuxNetNS;
227 } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) {
228 sandbox_status_flags_ |= kSandboxLinuxUserNS;
229 if (sandbox::NamespaceSandbox::InNewPidNamespace())
230 sandbox_status_flags_ |= kSandboxLinuxPIDNS;
231 if (sandbox::NamespaceSandbox::InNewNetNamespace())
232 sandbox_status_flags_ |= kSandboxLinuxNetNS;
233 }
234
235 // We report whether the sandbox will be activated when renderers, workers
236 // and PPAPI plugins go through sandbox initialization.
237 if (seccomp_bpf_supported() &&
238 SandboxSeccompBPF::ShouldEnableSeccompBPF(switches::kRendererProcess)) {
239 sandbox_status_flags_ |= kSandboxLinuxSeccompBPF;
240 }
241
242 if (seccomp_bpf_with_tsync_supported() &&
243 SandboxSeccompBPF::ShouldEnableSeccompBPF(switches::kRendererProcess)) {
244 sandbox_status_flags_ |= kSandboxLinuxSeccompTSYNC;
245 }
246
247 if (yama_is_enforcing_) {
248 sandbox_status_flags_ |= kSandboxLinuxYama;
249 }
250 }
251
252 return sandbox_status_flags_;
253 }
254
255 // Threads are counted via /proc/self/task. This is a little hairy because of
256 // PID namespaces and existing sandboxes, so "self" must really be used instead
257 // of using the pid.
258 bool LinuxSandbox::IsSingleThreaded() const {
259 base::ScopedFD proc_fd(OpenProc(proc_fd_));
260
261 CHECK(proc_fd.is_valid()) << "Could not count threads, the sandbox was not "
262 << "pre-initialized properly.";
263
264 const bool is_single_threaded =
265 sandbox::ThreadHelpers::IsSingleThreaded(proc_fd.get());
266
267 return is_single_threaded;
268 }
269
270 bool LinuxSandbox::seccomp_bpf_started() const {
271 return seccomp_bpf_started_;
272 }
273
274 sandbox::SetuidSandboxClient*
275 LinuxSandbox::setuid_sandbox_client() const {
276 return setuid_sandbox_client_.get();
277 }
278
279 // For seccomp-bpf, we use the SandboxSeccompBPF class.
280 bool LinuxSandbox::StartSeccompBPF(const std::string& process_type) {
281 CHECK(!seccomp_bpf_started_);
282 CHECK(pre_initialized_);
283 if (seccomp_bpf_supported()) {
284 seccomp_bpf_started_ =
285 SandboxSeccompBPF::StartSandbox(process_type, OpenProc(proc_fd_));
286 }
287
288 if (seccomp_bpf_started_) {
289 LogSandboxStarted("seccomp-bpf");
290 }
291
292 return seccomp_bpf_started_;
293 }
294
295 bool LinuxSandbox::InitializeSandboxImpl() {
296 DCHECK(!initialize_sandbox_ran_);
297 initialize_sandbox_ran_ = true;
298
299 base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
300 const std::string process_type =
301 command_line->GetSwitchValueASCII(switches::kProcessType);
302
303 // We need to make absolutely sure that our sandbox is "sealed" before
304 // returning.
305 // Unretained() since the current object is a Singleton.
306 base::ScopedClosureRunner sandbox_sealer(
307 base::Bind(&LinuxSandbox::SealSandbox, base::Unretained(this)));
308 // Make sure that this function enables sandboxes as promised by GetStatus().
309 // Unretained() since the current object is a Singleton.
310 base::ScopedClosureRunner sandbox_promise_keeper(
311 base::Bind(&LinuxSandbox::CheckForBrokenPromises,
312 base::Unretained(this),
313 process_type));
314
315 // No matter what, it's always an error to call InitializeSandbox() after
316 // threads have been created.
317 if (!IsSingleThreaded()) {
318 std::string error_message = "InitializeSandbox() called with multiple "
319 "threads in process " + process_type;
320 // TSAN starts a helper thread, so we don't start the sandbox and don't
321 // even report an error about it.
322 if (IsRunningTSAN())
323 return false;
324
325 // The GPU process is allowed to call InitializeSandbox() with threads.
326 bool sandbox_failure_fatal = process_type != switches::kGpuProcess;
327 // This can be disabled with the '--gpu-sandbox-failures-fatal' flag.
328 // Setting the flag with no value or any value different than 'yes' or 'no'
329 // is equal to setting '--gpu-sandbox-failures-fatal=yes'.
330 if (process_type == switches::kGpuProcess &&
331 command_line->HasSwitch(switches::kGpuSandboxFailuresFatal)) {
332 const std::string switch_value =
333 command_line->GetSwitchValueASCII(switches::kGpuSandboxFailuresFatal);
334 sandbox_failure_fatal = switch_value != "no";
335 }
336
337 if (sandbox_failure_fatal)
338 LOG(FATAL) << error_message;
339
340 LOG(ERROR) << error_message;
341 return false;
342 }
343
344 // Only one thread is running, pre-initialize if not already done.
345 if (!pre_initialized_)
346 PreinitializeSandbox();
347
348 DCHECK(!HasOpenDirectories()) <<
349 "InitializeSandbox() called after unexpected directories have been " <<
350 "opened. This breaks the security of the setuid sandbox.";
351
352 // Attempt to limit the future size of the address space of the process.
353 LimitAddressSpace(process_type);
354
355 // Try to enable seccomp-bpf.
356 bool seccomp_bpf_started = StartSeccompBPF(process_type);
357
358 return seccomp_bpf_started;
359 }
360
361 void LinuxSandbox::StopThreadImpl(base::Thread* thread) {
362 DCHECK(thread);
363 StopThreadAndEnsureNotCounted(thread);
364 }
365
366 bool LinuxSandbox::seccomp_bpf_supported() const {
367 CHECK(pre_initialized_);
368 return seccomp_bpf_supported_;
369 }
370
371 bool LinuxSandbox::seccomp_bpf_with_tsync_supported() const {
372 CHECK(pre_initialized_);
373 return seccomp_bpf_with_tsync_supported_;
374 }
375
376 bool LinuxSandbox::LimitAddressSpace(const std::string& process_type) {
377 (void) process_type;
378 #if !defined(ADDRESS_SANITIZER) && !defined(MEMORY_SANITIZER) && \
379 !defined(THREAD_SANITIZER)
380 base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
381 if (command_line->HasSwitch(switches::kNoSandbox)) {
382 return false;
383 }
384
385 // Limit the address space to 4GB.
386 // This is in the hope of making some kernel exploits more complex and less
387 // reliable. It also limits sprays a little on 64-bit.
388 rlim_t address_space_limit = std::numeric_limits<uint32_t>::max();
389 #if defined(__LP64__)
390 // On 64 bits, V8 and possibly others will reserve massive memory ranges and
391 // rely on on-demand paging for allocation. Unfortunately, even
392 // MADV_DONTNEED ranges count towards RLIMIT_AS so this is not an option.
393 // See crbug.com/169327 for a discussion.
394 // On the GPU process, irrespective of V8, we can exhaust a 4GB address space
395 // under normal usage, see crbug.com/271119
396 // For now, increase limit to 16GB for renderer and worker and gpu processes
397 // to accomodate.
398 if (process_type == switches::kRendererProcess ||
399 process_type == switches::kGpuProcess) {
400 address_space_limit = 1L << 34;
401 }
402 #endif // defined(__LP64__)
403
404 // On all platforms, add a limit to the brk() heap that would prevent
405 // allocations that can't be index by an int.
406 const rlim_t kNewDataSegmentMaxSize = std::numeric_limits<int>::max();
407
408 bool limited_as =
409 sandbox::ResourceLimits::Lower(RLIMIT_AS, address_space_limit);
410 bool limited_data =
411 sandbox::ResourceLimits::Lower(RLIMIT_DATA, kNewDataSegmentMaxSize);
412
413 // Cache the resource limit before turning on the sandbox.
414 base::SysInfo::AmountOfVirtualMemory();
415
416 return limited_as && limited_data;
417 #else
418 base::SysInfo::AmountOfVirtualMemory();
419 return false;
420 #endif // !defined(ADDRESS_SANITIZER) && !defined(MEMORY_SANITIZER) &&
421 // !defined(THREAD_SANITIZER)
422 }
423
424 bool LinuxSandbox::HasOpenDirectories() const {
425 return sandbox::ProcUtil::HasOpenDirectory(proc_fd_);
426 }
427
428 void LinuxSandbox::SealSandbox() {
429 if (proc_fd_ >= 0) {
430 int ret = IGNORE_EINTR(close(proc_fd_));
431 CHECK_EQ(0, ret);
432 proc_fd_ = -1;
433 }
434 }
435
436 void LinuxSandbox::CheckForBrokenPromises(const std::string& process_type) {
437 // Make sure that any promise made with GetStatus() wasn't broken.
438 bool promised_seccomp_bpf_would_start = false;
439 if (process_type == switches::kRendererProcess ||
440 process_type == switches::kPpapiPluginProcess) {
441 promised_seccomp_bpf_would_start =
442 (sandbox_status_flags_ != kSandboxLinuxInvalid) &&
443 (GetStatus() & kSandboxLinuxSeccompBPF);
444 }
445 if (promised_seccomp_bpf_would_start) {
446 CHECK(seccomp_bpf_started_);
447 }
448 }
449
450 void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread* thread) const {
451 DCHECK(thread);
452 base::ScopedFD proc_fd(OpenProc(proc_fd_));
453 PCHECK(proc_fd.is_valid());
454 CHECK(
455 sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_fd.get(), thread));
456 }
457
458 } // namespace content