We started redesigning GpuMemoryBuffer interface to handle multiple buffers [0].
[chromium-blink-merge.git] / content / common / sandbox_linux / sandbox_linux.h
blob12aabcfc06da020d693ae8b721beb90f805723d1
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_
6 #define CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_
8 #include <string>
9 #include <vector>
11 #include "base/basictypes.h"
12 #include "base/memory/scoped_ptr.h"
13 #include "content/public/common/sandbox_linux.h"
15 #if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \
16 defined(THREAD_SANITIZER) || defined(LEAK_SANITIZER) || \
17 defined(UNDEFINED_SANITIZER) || defined(SANITIZER_COVERAGE)
18 #include <sanitizer/common_interface_defs.h>
19 #define ANY_OF_AMTLU_SANITIZER 1
20 #endif
22 template <typename T> struct DefaultSingletonTraits;
23 namespace base {
24 class Thread;
26 namespace sandbox { class SetuidSandboxClient; }
28 namespace content {
30 // A singleton class to represent and change our sandboxing state for the
31 // three main Linux sandboxes.
32 // The sandboxing model allows using two layers of sandboxing. The first layer
33 // can be implemented either with unprivileged namespaces or with the setuid
34 // sandbox. This class provides a way to engage the namespace sandbox, but does
35 // not deal with the legacy setuid sandbox directly.
36 // The second layer is mainly based on seccomp-bpf and is engaged with
37 // InitializeSandbox(). InitializeSandbox() is also responsible for "sealing"
38 // the first layer of sandboxing. That is, InitializeSandbox must always be
39 // called to have any meaningful sandboxing at all.
40 class LinuxSandbox {
41 public:
42 // This is a list of sandbox IPC methods which the renderer may send to the
43 // sandbox host. See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC
44 // This isn't the full list, values < 32 are reserved for methods called from
45 // Skia.
46 enum LinuxSandboxIPCMethods {
47 METHOD_GET_FALLBACK_FONT_FOR_CHAR = 32,
48 METHOD_LOCALTIME = 33,
49 DEPRECATED_METHOD_GET_CHILD_WITH_INODE = 34,
50 METHOD_GET_STYLE_FOR_STRIKE = 35,
51 METHOD_MAKE_SHARED_MEMORY_SEGMENT = 36,
52 METHOD_MATCH_WITH_FALLBACK = 37,
55 // Get our singleton instance.
56 static LinuxSandbox* GetInstance();
58 // Do some initialization that can only be done before any of the sandboxes
59 // are enabled. If using the setuid sandbox, this should be called manually
60 // before the setuid sandbox is engaged.
61 // Security: When this runs, it is imperative that either InitializeSandbox()
62 // runs as well or that all file descriptors returned in
63 // GetFileDescriptorsToClose() get closed.
64 // Otherwise file descriptors that bypass the security of the setuid sandbox
65 // would be kept open. One must be particularly careful if a process performs
66 // a fork().
67 void PreinitializeSandbox();
69 // Check that the current process is the init process of a new PID
70 // namespace and then proceed to drop access to the file system by using
71 // a new unprivileged namespace. This is a layer-1 sandbox.
72 // In order for this sandbox to be effective, it must be "sealed" by calling
73 // InitializeSandbox().
74 void EngageNamespaceSandbox();
76 // Return a list of file descriptors to close if PreinitializeSandbox() ran
77 // but InitializeSandbox() won't. Avoid using.
78 // TODO(jln): get rid of this hack.
79 std::vector<int> GetFileDescriptorsToClose();
81 // Seal an eventual layer-1 sandbox and initialize the layer-2 sandbox with
82 // an adequate policy depending on the process type and command line
83 // arguments.
84 // Currently the layer-2 sandbox is composed of seccomp-bpf and address space
85 // limitations. This will instantiate the LinuxSandbox singleton if it
86 // doesn't already exist.
87 // This function should only be called without any thread running.
88 static bool InitializeSandbox();
90 // Stop |thread| in a way that can be trusted by the sandbox.
91 static void StopThread(base::Thread* thread);
93 // Returns the status of the renderer, worker and ppapi sandbox. Can only
94 // be queried after going through PreinitializeSandbox(). This is a bitmask
95 // and uses the constants defined in "enum LinuxSandboxStatus". Since the
96 // status needs to be provided before the sandboxes are actually started,
97 // this returns what will actually happen once InitializeSandbox()
98 // is called from inside these processes.
99 int GetStatus();
100 // Returns true if the current process is single-threaded or if the number
101 // of threads cannot be determined.
102 bool IsSingleThreaded() const;
103 // Did we start Seccomp BPF?
104 bool seccomp_bpf_started() const;
106 // Simple accessor for our instance of the setuid sandbox. Will never return
107 // NULL.
108 // There is no StartSetuidSandbox(), the SetuidSandboxClient instance should
109 // be used directly.
110 sandbox::SetuidSandboxClient* setuid_sandbox_client() const;
112 // Check the policy and eventually start the seccomp-bpf sandbox. This should
113 // never be called with threads started. If we detect that threads have
114 // started we will crash.
115 bool StartSeccompBPF(const std::string& process_type);
117 // Limit the address space of the current process (and its children).
118 // to make some vulnerabilities harder to exploit.
119 bool LimitAddressSpace(const std::string& process_type);
121 #if defined(ANY_OF_AMTLU_SANITIZER)
122 __sanitizer_sandbox_arguments* sanitizer_args() const {
123 return sanitizer_args_.get();
125 #endif
127 private:
128 friend struct DefaultSingletonTraits<LinuxSandbox>;
130 LinuxSandbox();
131 ~LinuxSandbox();
133 // Some methods are static and get an instance of the Singleton. These
134 // are the non-static implementations.
135 bool InitializeSandboxImpl();
136 void StopThreadImpl(base::Thread* thread);
137 // We must have been pre_initialized_ before using these.
138 bool seccomp_bpf_supported() const;
139 bool seccomp_bpf_with_tsync_supported() const;
140 // Returns true if it can be determined that the current process has open
141 // directories that are not managed by the LinuxSandbox class. This would
142 // be a vulnerability as it would allow to bypass the setuid sandbox.
143 bool HasOpenDirectories() const;
144 // The last part of the initialization is to make sure any temporary "hole"
145 // in the sandbox is closed. For now, this consists of closing proc_fd_.
146 void SealSandbox();
147 // GetStatus() makes promises as to how the sandbox will behave. This
148 // checks that no promises have been broken.
149 void CheckForBrokenPromises(const std::string& process_type);
150 // Stop |thread| and make sure it does not appear in /proc/self/tasks/
151 // anymore.
152 void StopThreadAndEnsureNotCounted(base::Thread* thread) const;
154 // A file descriptor to /proc. It's dangerous to have it around as it could
155 // allow for sandbox bypasses. It needs to be closed before we consider
156 // ourselves sandboxed.
157 int proc_fd_;
158 bool seccomp_bpf_started_;
159 // The value returned by GetStatus(). Gets computed once and then cached.
160 int sandbox_status_flags_;
161 // Did PreinitializeSandbox() run?
162 bool pre_initialized_;
163 bool seccomp_bpf_supported_; // Accurate if pre_initialized_.
164 bool seccomp_bpf_with_tsync_supported_; // Accurate if pre_initialized_.
165 bool yama_is_enforcing_; // Accurate if pre_initialized_.
166 bool initialize_sandbox_ran_; // InitializeSandbox() was called.
167 scoped_ptr<sandbox::SetuidSandboxClient> setuid_sandbox_client_;
168 #if defined(ANY_OF_AMTLU_SANITIZER)
169 scoped_ptr<__sanitizer_sandbox_arguments> sanitizer_args_;
170 #endif
172 DISALLOW_COPY_AND_ASSIGN(LinuxSandbox);
175 } // namespace content
177 #endif // CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_