Add ICU message format support
[chromium-blink-merge.git] / mojo / runner / linux_sandbox.cc
blob06165b2a0f6213d23109ee48bb947dec187b0294
1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "mojo/runner/linux_sandbox.h"
7 #include <fcntl.h>
8 #include <sys/syscall.h>
10 #include "base/bind.h"
11 #include "base/debug/leak_annotations.h"
12 #include "base/posix/eintr_wrapper.h"
13 #include "base/rand_util.h"
14 #include "base/sys_info.h"
15 #include "sandbox/linux/bpf_dsl/policy.h"
16 #include "sandbox/linux/bpf_dsl/trap_registry.h"
17 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
18 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
19 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
20 #include "sandbox/linux/services/credentials.h"
21 #include "sandbox/linux/services/namespace_sandbox.h"
22 #include "sandbox/linux/services/proc_util.h"
23 #include "sandbox/linux/services/thread_helpers.h"
25 using sandbox::syscall_broker::BrokerFilePermission;
27 namespace mandoline {
29 namespace {
31 intptr_t SandboxSIGSYSHandler(const struct sandbox::arch_seccomp_data& args,
32 void* aux) {
33 RAW_CHECK(aux);
34 const sandbox::syscall_broker::BrokerProcess* broker_process =
35 static_cast<const sandbox::syscall_broker::BrokerProcess*>(aux);
36 switch (args.nr) {
37 case __NR_access:
38 return broker_process->Access(reinterpret_cast<const char*>(args.args[0]),
39 static_cast<int>(args.args[1]));
40 case __NR_open:
41 return broker_process->Open(reinterpret_cast<const char*>(args.args[0]),
42 static_cast<int>(args.args[1]));
43 case __NR_faccessat:
44 if (static_cast<int>(args.args[0]) == AT_FDCWD) {
45 return broker_process->Access(
46 reinterpret_cast<const char*>(args.args[1]),
47 static_cast<int>(args.args[2]));
48 } else {
49 return -EPERM;
51 case __NR_openat:
52 // Allow using openat() as open().
53 if (static_cast<int>(args.args[0]) == AT_FDCWD) {
54 return broker_process->Open(reinterpret_cast<const char*>(args.args[1]),
55 static_cast<int>(args.args[2]));
56 } else {
57 return -EPERM;
59 default:
60 RAW_CHECK(false);
61 return -ENOSYS;
65 class SandboxPolicy : public sandbox::bpf_dsl::Policy {
66 public:
67 explicit SandboxPolicy(sandbox::syscall_broker::BrokerProcess* broker_process)
68 : broker_process_(broker_process) {}
69 ~SandboxPolicy() override {}
71 // Overridden from sandbox::bpf_dsl::Policy:
72 sandbox::bpf_dsl::ResultExpr EvaluateSyscall(int sysno) const override {
73 // This policy is only advisory/for noticing FS access for the moment.
74 switch (sysno) {
75 case __NR_access:
76 case __NR_open:
77 case __NR_faccessat:
78 case __NR_openat:
79 return sandbox::bpf_dsl::Trap(SandboxSIGSYSHandler, broker_process_);
82 return sandbox::bpf_dsl::Allow();
85 private:
86 // Not owned.
87 const sandbox::syscall_broker::BrokerProcess* broker_process_;
88 DISALLOW_COPY_AND_ASSIGN(SandboxPolicy);
91 } // namespace
93 LinuxSandbox::LinuxSandbox(const std::vector<BrokerFilePermission>& permissions)
94 : broker_(new sandbox::syscall_broker::BrokerProcess(EPERM, permissions)) {
95 broker_->Init(
96 base::Bind<bool (*)()>(&sandbox::Credentials::DropAllCapabilities));
97 policy_.reset(new SandboxPolicy(broker_.get()));
100 LinuxSandbox::~LinuxSandbox() {}
102 void LinuxSandbox::Warmup() {
103 proc_fd_ = sandbox::ProcUtil::OpenProc();
104 warmed_up_ = true;
106 // Verify that we haven't started threads or grabbed directory file
107 // descriptors.
108 sandbox::ThreadHelpers::AssertSingleThreaded(proc_fd_.get());
109 CHECK(!sandbox::ProcUtil::HasOpenDirectory(proc_fd_.get()));
112 void LinuxSandbox::EngageNamespaceSandbox() {
113 CHECK(warmed_up_);
114 CHECK_EQ(1, getpid());
115 CHECK(sandbox::NamespaceSandbox::InNewPidNamespace());
116 CHECK(sandbox::Credentials::MoveToNewUserNS());
117 CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_.get()));
118 CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd_.get()));
121 void LinuxSandbox::EngageSeccompSandbox() {
122 CHECK(warmed_up_);
123 sandbox::SandboxBPF sandbox(policy_.release());
124 base::ScopedFD proc_fd(HANDLE_EINTR(
125 openat(proc_fd_.get(), ".", O_RDONLY | O_DIRECTORY | O_CLOEXEC)));
126 CHECK(proc_fd.is_valid());
127 sandbox.SetProcFd(proc_fd.Pass());
128 CHECK(
129 sandbox.StartSandbox(sandbox::SandboxBPF::SeccompLevel::SINGLE_THREADED))
130 << "Starting the process with a sandbox failed. Missing kernel support.";
132 // The Broker is now bound to this process and should only be destroyed when
133 // the process exits or is killed.
134 ANNOTATE_LEAKING_OBJECT_PTR(broker_.release());
137 void LinuxSandbox::Seal() {
138 proc_fd_.reset();
141 } // namespace mandoline