1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 #include <sys/resource.h>
10 #include <sys/types.h>
17 #include "base/bind.h"
18 #include "base/callback_helpers.h"
19 #include "base/command_line.h"
20 #include "base/debug/stack_trace.h"
21 #include "base/files/scoped_file.h"
22 #include "base/logging.h"
23 #include "base/macros.h"
24 #include "base/memory/scoped_ptr.h"
25 #include "base/memory/singleton.h"
26 #include "base/posix/eintr_wrapper.h"
27 #include "base/strings/string_number_conversions.h"
28 #include "base/sys_info.h"
29 #include "base/time/time.h"
30 #include "build/build_config.h"
31 #include "content/common/sandbox_linux/sandbox_debug_handling_linux.h"
32 #include "content/common/sandbox_linux/sandbox_linux.h"
33 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h"
34 #include "content/public/common/content_switches.h"
35 #include "content/public/common/sandbox_linux.h"
36 #include "sandbox/linux/services/credentials.h"
37 #include "sandbox/linux/services/namespace_sandbox.h"
38 #include "sandbox/linux/services/proc_util.h"
39 #include "sandbox/linux/services/resource_limits.h"
40 #include "sandbox/linux/services/thread_helpers.h"
41 #include "sandbox/linux/services/yama.h"
42 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
44 #if defined(ANY_OF_AMTLU_SANITIZER)
45 #include <sanitizer/common_interface_defs.h>
53 inline void operator()(int* fd
) const {
55 PCHECK(0 == IGNORE_EINTR(close(*fd
)));
60 void LogSandboxStarted(const std::string
& sandbox_name
) {
61 const base::CommandLine
& command_line
=
62 *base::CommandLine::ForCurrentProcess();
63 const std::string process_type
=
64 command_line
.GetSwitchValueASCII(switches::kProcessType
);
65 const std::string activated_sandbox
=
66 "Activated " + sandbox_name
+ " sandbox for process type: " +
68 VLOG(1) << activated_sandbox
;
71 bool IsRunningTSAN() {
72 #if defined(THREAD_SANITIZER)
79 // Get a file descriptor to /proc. Either duplicate |proc_fd| or try to open
80 // it by using the filesystem directly.
81 // TODO(jln): get rid of this ugly interface.
82 base::ScopedFD
OpenProc(int proc_fd
) {
85 // If a handle to /proc is available, use it. This allows to bypass file
86 // system restrictions.
88 HANDLE_EINTR(openat(proc_fd
, ".", O_RDONLY
| O_DIRECTORY
| O_CLOEXEC
));
90 // Otherwise, make an attempt to access the file system directly.
91 ret_proc_fd
= HANDLE_EINTR(
92 openat(AT_FDCWD
, "/proc/", O_RDONLY
| O_DIRECTORY
| O_CLOEXEC
));
94 DCHECK_LE(0, ret_proc_fd
);
95 return base::ScopedFD(ret_proc_fd
);
102 LinuxSandbox::LinuxSandbox()
104 seccomp_bpf_started_(false),
105 sandbox_status_flags_(kSandboxLinuxInvalid
),
106 pre_initialized_(false),
107 seccomp_bpf_supported_(false),
108 seccomp_bpf_with_tsync_supported_(false),
109 yama_is_enforcing_(false),
110 initialize_sandbox_ran_(false),
111 setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) {
112 if (setuid_sandbox_client_
== NULL
) {
113 LOG(FATAL
) << "Failed to instantiate the setuid sandbox client.";
115 #if defined(ANY_OF_AMTLU_SANITIZER)
116 sanitizer_args_
= make_scoped_ptr(new __sanitizer_sandbox_arguments
);
117 *sanitizer_args_
= {0};
121 LinuxSandbox::~LinuxSandbox() {
122 if (pre_initialized_
) {
123 CHECK(initialize_sandbox_ran_
);
127 LinuxSandbox
* LinuxSandbox::GetInstance() {
128 LinuxSandbox
* instance
= Singleton
<LinuxSandbox
>::get();
133 void LinuxSandbox::PreinitializeSandbox() {
134 CHECK(!pre_initialized_
);
135 seccomp_bpf_supported_
= false;
136 #if defined(ANY_OF_AMTLU_SANITIZER)
137 // Sanitizers need to open some resources before the sandbox is enabled.
138 // This should not fork, not launch threads, not open a directory.
139 __sanitizer_sandbox_on_notify(sanitizer_args());
140 sanitizer_args_
.reset();
143 #if !defined(NDEBUG) || (defined(CFI_ENFORCEMENT) && !defined(OFFICIAL_BUILD))
144 // The in-process stack dumping needs to open /proc/self/maps and cache
145 // its contents before the sandbox is enabled. It also pre-opens the
146 // object files that are already loaded in the process address space.
147 base::debug::EnableInProcessStackDumpingForSandbox();
148 #endif // !defined(NDEBUG)
150 // Open proc_fd_. It would break the security of the setuid sandbox if it was
152 // If LinuxSandbox::PreinitializeSandbox() runs, InitializeSandbox() must run
154 proc_fd_
= HANDLE_EINTR(open("/proc", O_DIRECTORY
| O_RDONLY
| O_CLOEXEC
));
155 CHECK_GE(proc_fd_
, 0);
156 // We "pre-warm" the code that detects supports for seccomp BPF.
157 if (SandboxSeccompBPF::IsSeccompBPFDesired()) {
158 if (!SandboxSeccompBPF::SupportsSandbox()) {
159 VLOG(1) << "Lacking support for seccomp-bpf sandbox.";
161 seccomp_bpf_supported_
= true;
164 if (SandboxSeccompBPF::SupportsSandboxWithTsync()) {
165 seccomp_bpf_with_tsync_supported_
= true;
169 // Yama is a "global", system-level status. We assume it will not regress
171 const int yama_status
= Yama::GetStatus();
172 yama_is_enforcing_
= (yama_status
& Yama::STATUS_PRESENT
) &&
173 (yama_status
& Yama::STATUS_ENFORCING
);
174 pre_initialized_
= true;
177 void LinuxSandbox::EngageNamespaceSandbox() {
178 CHECK(pre_initialized_
);
179 // Check being in a new PID namespace created by the namespace sandbox and
180 // being the init process.
181 CHECK(sandbox::NamespaceSandbox::InNewPidNamespace());
182 const pid_t pid
= getpid();
185 CHECK(sandbox::Credentials::MoveToNewUserNS());
186 // Note: this requires SealSandbox() to be called later in this process to be
187 // safe, as this class is keeping a file descriptor to /proc/.
188 CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_
));
190 // We do not drop CAP_SYS_ADMIN because we need it to place each child process
191 // in its own PID namespace later on.
192 std::vector
<sandbox::Credentials::Capability
> caps
;
193 caps
.push_back(sandbox::Credentials::Capability::SYS_ADMIN
);
194 CHECK(sandbox::Credentials::SetCapabilities(proc_fd_
, caps
));
196 // This needs to happen after moving to a new user NS, since doing so involves
197 // writing the UID/GID map.
198 CHECK(SandboxDebugHandling::SetDumpableStatusAndHandlers());
201 std::vector
<int> LinuxSandbox::GetFileDescriptorsToClose() {
202 std::vector
<int> fds
;
204 fds
.push_back(proc_fd_
);
209 bool LinuxSandbox::InitializeSandbox() {
210 LinuxSandbox
* linux_sandbox
= LinuxSandbox::GetInstance();
211 return linux_sandbox
->InitializeSandboxImpl();
214 void LinuxSandbox::StopThread(base::Thread
* thread
) {
215 LinuxSandbox
* linux_sandbox
= LinuxSandbox::GetInstance();
216 linux_sandbox
->StopThreadImpl(thread
);
219 int LinuxSandbox::GetStatus() {
220 if (!pre_initialized_
) {
223 if (kSandboxLinuxInvalid
== sandbox_status_flags_
) {
224 // Initialize sandbox_status_flags_.
225 sandbox_status_flags_
= 0;
226 if (setuid_sandbox_client_
->IsSandboxed()) {
227 sandbox_status_flags_
|= kSandboxLinuxSUID
;
228 if (setuid_sandbox_client_
->IsInNewPIDNamespace())
229 sandbox_status_flags_
|= kSandboxLinuxPIDNS
;
230 if (setuid_sandbox_client_
->IsInNewNETNamespace())
231 sandbox_status_flags_
|= kSandboxLinuxNetNS
;
232 } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) {
233 sandbox_status_flags_
|= kSandboxLinuxUserNS
;
234 if (sandbox::NamespaceSandbox::InNewPidNamespace())
235 sandbox_status_flags_
|= kSandboxLinuxPIDNS
;
236 if (sandbox::NamespaceSandbox::InNewNetNamespace())
237 sandbox_status_flags_
|= kSandboxLinuxNetNS
;
240 // We report whether the sandbox will be activated when renderers, workers
241 // and PPAPI plugins go through sandbox initialization.
242 if (seccomp_bpf_supported() &&
243 SandboxSeccompBPF::ShouldEnableSeccompBPF(switches::kRendererProcess
)) {
244 sandbox_status_flags_
|= kSandboxLinuxSeccompBPF
;
247 if (seccomp_bpf_with_tsync_supported() &&
248 SandboxSeccompBPF::ShouldEnableSeccompBPF(switches::kRendererProcess
)) {
249 sandbox_status_flags_
|= kSandboxLinuxSeccompTSYNC
;
252 if (yama_is_enforcing_
) {
253 sandbox_status_flags_
|= kSandboxLinuxYama
;
257 return sandbox_status_flags_
;
260 // Threads are counted via /proc/self/task. This is a little hairy because of
261 // PID namespaces and existing sandboxes, so "self" must really be used instead
263 bool LinuxSandbox::IsSingleThreaded() const {
264 base::ScopedFD
proc_fd(OpenProc(proc_fd_
));
266 CHECK(proc_fd
.is_valid()) << "Could not count threads, the sandbox was not "
267 << "pre-initialized properly.";
269 const bool is_single_threaded
=
270 sandbox::ThreadHelpers::IsSingleThreaded(proc_fd
.get());
272 return is_single_threaded
;
275 bool LinuxSandbox::seccomp_bpf_started() const {
276 return seccomp_bpf_started_
;
279 sandbox::SetuidSandboxClient
*
280 LinuxSandbox::setuid_sandbox_client() const {
281 return setuid_sandbox_client_
.get();
284 // For seccomp-bpf, we use the SandboxSeccompBPF class.
285 bool LinuxSandbox::StartSeccompBPF(const std::string
& process_type
) {
286 CHECK(!seccomp_bpf_started_
);
287 CHECK(pre_initialized_
);
288 if (seccomp_bpf_supported()) {
289 seccomp_bpf_started_
=
290 SandboxSeccompBPF::StartSandbox(process_type
, OpenProc(proc_fd_
));
293 if (seccomp_bpf_started_
) {
294 LogSandboxStarted("seccomp-bpf");
297 return seccomp_bpf_started_
;
300 bool LinuxSandbox::InitializeSandboxImpl() {
301 DCHECK(!initialize_sandbox_ran_
);
302 initialize_sandbox_ran_
= true;
304 base::CommandLine
* command_line
= base::CommandLine::ForCurrentProcess();
305 const std::string process_type
=
306 command_line
->GetSwitchValueASCII(switches::kProcessType
);
308 // We need to make absolutely sure that our sandbox is "sealed" before
310 // Unretained() since the current object is a Singleton.
311 base::ScopedClosureRunner
sandbox_sealer(
312 base::Bind(&LinuxSandbox::SealSandbox
, base::Unretained(this)));
313 // Make sure that this function enables sandboxes as promised by GetStatus().
314 // Unretained() since the current object is a Singleton.
315 base::ScopedClosureRunner
sandbox_promise_keeper(
316 base::Bind(&LinuxSandbox::CheckForBrokenPromises
,
317 base::Unretained(this),
320 // No matter what, it's always an error to call InitializeSandbox() after
321 // threads have been created.
322 if (!IsSingleThreaded()) {
323 std::string error_message
= "InitializeSandbox() called with multiple "
324 "threads in process " + process_type
;
325 // TSAN starts a helper thread, so we don't start the sandbox and don't
326 // even report an error about it.
330 // The GPU process is allowed to call InitializeSandbox() with threads.
331 bool sandbox_failure_fatal
= process_type
!= switches::kGpuProcess
;
332 // This can be disabled with the '--gpu-sandbox-failures-fatal' flag.
333 // Setting the flag with no value or any value different than 'yes' or 'no'
334 // is equal to setting '--gpu-sandbox-failures-fatal=yes'.
335 if (process_type
== switches::kGpuProcess
&&
336 command_line
->HasSwitch(switches::kGpuSandboxFailuresFatal
)) {
337 const std::string switch_value
=
338 command_line
->GetSwitchValueASCII(switches::kGpuSandboxFailuresFatal
);
339 sandbox_failure_fatal
= switch_value
!= "no";
342 if (sandbox_failure_fatal
)
343 LOG(FATAL
) << error_message
;
345 LOG(ERROR
) << error_message
;
349 // Only one thread is running, pre-initialize if not already done.
350 if (!pre_initialized_
)
351 PreinitializeSandbox();
353 DCHECK(!HasOpenDirectories()) <<
354 "InitializeSandbox() called after unexpected directories have been " <<
355 "opened. This breaks the security of the setuid sandbox.";
357 // Attempt to limit the future size of the address space of the process.
358 LimitAddressSpace(process_type
);
360 // Try to enable seccomp-bpf.
361 bool seccomp_bpf_started
= StartSeccompBPF(process_type
);
363 return seccomp_bpf_started
;
366 void LinuxSandbox::StopThreadImpl(base::Thread
* thread
) {
368 StopThreadAndEnsureNotCounted(thread
);
371 bool LinuxSandbox::seccomp_bpf_supported() const {
372 CHECK(pre_initialized_
);
373 return seccomp_bpf_supported_
;
376 bool LinuxSandbox::seccomp_bpf_with_tsync_supported() const {
377 CHECK(pre_initialized_
);
378 return seccomp_bpf_with_tsync_supported_
;
381 bool LinuxSandbox::LimitAddressSpace(const std::string
& process_type
) {
383 #if !defined(ADDRESS_SANITIZER) && !defined(MEMORY_SANITIZER) && \
384 !defined(THREAD_SANITIZER)
385 base::CommandLine
* command_line
= base::CommandLine::ForCurrentProcess();
386 if (command_line
->HasSwitch(switches::kNoSandbox
)) {
390 // Limit the address space to 4GB.
391 // This is in the hope of making some kernel exploits more complex and less
392 // reliable. It also limits sprays a little on 64-bit.
393 rlim_t address_space_limit
= std::numeric_limits
<uint32_t>::max();
394 #if defined(__LP64__)
395 // On 64 bits, V8 and possibly others will reserve massive memory ranges and
396 // rely on on-demand paging for allocation. Unfortunately, even
397 // MADV_DONTNEED ranges count towards RLIMIT_AS so this is not an option.
398 // See crbug.com/169327 for a discussion.
399 // On the GPU process, irrespective of V8, we can exhaust a 4GB address space
400 // under normal usage, see crbug.com/271119
401 // For now, increase limit to 16GB for renderer and worker and gpu processes
403 if (process_type
== switches::kRendererProcess
||
404 process_type
== switches::kGpuProcess
) {
405 address_space_limit
= 1L << 34;
407 #endif // defined(__LP64__)
409 // On all platforms, add a limit to the brk() heap that would prevent
410 // allocations that can't be index by an int.
411 const rlim_t kNewDataSegmentMaxSize
= std::numeric_limits
<int>::max();
414 sandbox::ResourceLimits::Lower(RLIMIT_AS
, address_space_limit
);
416 sandbox::ResourceLimits::Lower(RLIMIT_DATA
, kNewDataSegmentMaxSize
);
418 // Cache the resource limit before turning on the sandbox.
419 base::SysInfo::AmountOfVirtualMemory();
421 return limited_as
&& limited_data
;
423 base::SysInfo::AmountOfVirtualMemory();
425 #endif // !defined(ADDRESS_SANITIZER) && !defined(MEMORY_SANITIZER) &&
426 // !defined(THREAD_SANITIZER)
429 bool LinuxSandbox::HasOpenDirectories() const {
430 return sandbox::ProcUtil::HasOpenDirectory(proc_fd_
);
433 void LinuxSandbox::SealSandbox() {
435 int ret
= IGNORE_EINTR(close(proc_fd_
));
441 void LinuxSandbox::CheckForBrokenPromises(const std::string
& process_type
) {
442 // Make sure that any promise made with GetStatus() wasn't broken.
443 bool promised_seccomp_bpf_would_start
= false;
444 if (process_type
== switches::kRendererProcess
||
445 process_type
== switches::kPpapiPluginProcess
) {
446 promised_seccomp_bpf_would_start
=
447 (sandbox_status_flags_
!= kSandboxLinuxInvalid
) &&
448 (GetStatus() & kSandboxLinuxSeccompBPF
);
450 if (promised_seccomp_bpf_would_start
) {
451 CHECK(seccomp_bpf_started_
);
455 void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread
* thread
) const {
457 base::ScopedFD
proc_fd(OpenProc(proc_fd_
));
458 PCHECK(proc_fd
.is_valid());
460 sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_fd
.get(), thread
));
463 } // namespace content