| blob | 5396e440b8cc01415d2a60f086444166e936d806 |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include <dlfcn.h>
6 #include <fcntl.h>
7 #include <pthread.h>
8 #include <stdio.h>
9 #include <sys/socket.h>
10 #include <sys/stat.h>
11 #include <sys/types.h>
12 #include <sys/wait.h>
13 #include <unistd.h>
43 #if defined(OS_LINUX)
44 #include <sys/epoll.h>
45 #include <sys/prctl.h>
46 #include <sys/signal.h>
47 #else
48 #include <signal.h>
49 #endif
53 // See http://code.google.com/p/chromium/wiki/LinuxZygote
55 // With SELinux we can carve out a precise sandbox, so we don't have to play
56 // with intercepting libc calls.
57 #if !defined(CHROMIUM_SELINUX)
62 Pickle request;
70 request);
74 }
84 }
94 }
95 }
99 // Sandbox interception of libc calls.
100 //
101 // Because we are running in a sandbox certain libc calls will fail (localtime
102 // being the motivating example - it needs to read /etc/localtime). We need to
103 // intercept these calls and proxy them to the browser. However, these calls
104 // may come from us or from our libraries. In some cases we can't just change
105 // our code.
106 //
107 // It's for these cases that we have the following setup:
108 //
109 // We define global functions for those functions which we wish to override.
110 // Since we will be first in the dynamic resolution order, the dynamic linker
111 // will point callers to our versions of these functions. However, we have the
112 // same binary for both the browser and the renderers, which means that our
113 // overrides will apply in the browser too.
114 //
115 // The global |g_am_zygote_or_renderer| is true iff we are in a zygote or
116 // renderer process. It's set in ZygoteMain and inherited by the renderers when
117 // they fork. (This means that it'll be incorrect for global constructor
118 // functions and before ZygoteMain is called - beware).
119 //
120 // Our replacement functions can check this global and either proxy
121 // the call to the browser over the sandbox IPC
122 // (http://code.google.com/p/chromium/wiki/LinuxSandboxIPC) or they can use
123 // dlsym with RTLD_NEXT to resolve the symbol, ignoring any symbols in the
124 // current module.
125 //
126 // Other avenues:
127 //
128 // Our first attempt involved some assembly to patch the GOT of the current
129 // module. This worked, but was platform specific and doesn't catch the case
130 // where a library makes a call rather than current module.
131 //
132 // We also considered patching the function in place, but this would again by
133 // platform specific and the above technique seems to work well enough.
156 // http://code.google.com/p/chromium/issues/detail?id=16800
157 //
158 // Nvidia's libGL.so overrides dlsym for an unknown reason and replaces
159 // it with a version which doesn't work. In this case we'll get a NULL
160 // result. There's not a lot we can do at this point, so we just bodge it!
162 "reported to be caused by Nvidia's libGL. You should expect"
163 " time related functions to misbehave. "
165 }
175 }
177 // Define localtime_override() function with asm name "localtime", so that all
178 // references to localtime() will resolve to this function. Notice that we need
179 // to set visibility attribute to "default" to export the symbol, as it is set
180 // to "hidden" by default in chrome per build/common.gypi.
194 InitLibcLocaltimeFunctions));
196 }
197 }
199 // Use same trick to override localtime64(), localtime_r() and localtime64_r().
213 InitLibcLocaltimeFunctions));
215 }
216 }
229 InitLibcLocaltimeFunctions));
231 }
232 }
245 InitLibcLocaltimeFunctions));
247 }
248 }
252 // This function triggers the static and lazy construction of objects that need
253 // to be created before imposing the sandbox.
259 // ICU DateFormat class (used in base/time_format.cc) needs to get the
260 // Olson timezone ID by accessing the zoneinfo files on disk. After
261 // TimeZone::createDefault is called once here, the timezone ID is
262 // cached and there's no more need to access the file system.
265 #if defined(USE_NSS)
266 // NSS libraries are loaded before sandbox is activated. This is to allow
267 // successful initialization of NSS which tries to load extra library files.
269 #elif defined(USE_OPENSSL)
270 // OpenSSL is intentionally not supported in the sandboxed processes, see
271 // http://crbug.com/99163. If that ever changes we'll likely need to init
272 // OpenSSL here (at least, load the library and error strings).
273 #else
274 // It's possible that another hypothetical crypto stack would not require
275 // pre-sandbox init, but more likely this is just a build configuration error.
276 #error Which SSL library are you using?
277 #endif
279 // Ensure access to the Pepper plugins before the sandbox is turned on.
281 }
283 #if !defined(CHROMIUM_SELINUX)
284 // Do nothing here
286 }
288 // The current process will become a process reaper like init.
289 // We fork a child that will continue normally, when it dies, we can safely
290 // exit.
291 // We need to be careful we close the magic kZygoteIdFd properly in the parent
292 // before this function returns.
295 // We want to use send, so we can't use a pipe
299 }
301 // We use normal fork, not the ForkDelegate in this case since we are not a
302 // true Zygote yet.
308 }
310 // We are the parent, assuming the role of an init process.
311 // The disposition for SIGCHLD cannot be SIG_IGN or wait() will only return
312 // once all of our childs are dead. Since we're init we need to reap childs
313 // as they come.
321 // This "magic" socket must only appear in one process.
323 // Tell the child to continue
328 // Loop until we have reaped our one natural child
329 siginfo_t reaped_child_info;
336 // We're done waiting
339 }
340 // Exit with the same exit code as our parent. This is most likely
341 // useless. _exit with 0 if we got signaled.
343 }
344 }
346 // The child needs to wait for the parent to close kZygoteIdFd to avoid a
347 // race condition
355 else
357 }
358 }
360 // This will set the *using_suid_sandbox variable to true if the SUID sandbox
361 // is enabled. This does not necessarily exclude other types of sandboxing.
374 // Use the SUID sandbox. This still allows the seccomp sandbox to
375 // be enabled by the process later.
380 "Please read "
381 "https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment."
383 }
389 // The setuid sandbox has created a new PID namespace and we need
390 // to assume the role of init.
394 }
396 }
398 #if !defined(OS_OPENBSD)
399 // Previously, we required that the binary be non-readable. This causes the
400 // kernel to mark the process as non-dumpable at startup. The thinking was
401 // that, although we were putting the renderers into a PID namespace (with
402 // the SUID sandbox), they would nonetheless be in the /same/ PID
403 // namespace. So they could ptrace each other unless they were non-dumpable.
404 //
405 // If the binary was readable, then there would be a window between process
406 // startup and the point where we set the non-dumpable flag in which a
407 // compromised renderer could ptrace attach.
408 //
409 // However, now that we have a zygote model, only the (trusted) zygote
410 // exists at this point and we can set the non-dumpable flag which is
411 // inherited by all our renderer children.
412 //
413 // Note: a non-dumpable process can't be debugged. To debug sandbox-related
414 // issues, one can specify --allow-sandbox-debugging to let the process be
415 // dumpable.
422 }
423 }
424 #endif
425 }
428 }
443 }
449 #if !defined(CHROMIUM_SELINUX)
452 #endif
455 // This will pre-initialize the various sandboxes that need it.
456 // There need to be a corresponding call to PreinitializeSandboxFinish()
457 // for each new process, this will be done in the Zygote child, once we know
458 // our process type.
469 }
471 // Turn on the SELinux or SUID sandbox.
481 }
485 "is not the init process. Please, make sure the SUID "
487 }
492 // This function call can return multiple times, once per fork().
494 }