Merge Chromium + Blink git repositories
[chromium-blink-merge.git] / mojo / runner / linux_sandbox.cc
blob6990f0acea51f7ce5688b9a428d7b0c5dc0f8c5c
1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "mojo/runner/linux_sandbox.h"
7 #include <fcntl.h>
8 #include <sys/syscall.h>
10 #include "base/bind.h"
11 #include "base/debug/leak_annotations.h"
12 #include "base/posix/eintr_wrapper.h"
13 #include "base/rand_util.h"
14 #include "base/sys_info.h"
15 #include "sandbox/linux/bpf_dsl/policy.h"
16 #include "sandbox/linux/bpf_dsl/trap_registry.h"
17 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
18 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
19 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
20 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
21 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
22 #include "sandbox/linux/services/credentials.h"
23 #include "sandbox/linux/services/namespace_sandbox.h"
24 #include "sandbox/linux/services/proc_util.h"
25 #include "sandbox/linux/services/thread_helpers.h"
27 using sandbox::syscall_broker::BrokerFilePermission;
29 namespace mandoline {
31 namespace {
33 intptr_t SandboxSIGSYSHandler(const struct sandbox::arch_seccomp_data& args,
34 void* aux) {
35 RAW_CHECK(aux);
36 const sandbox::syscall_broker::BrokerProcess* broker_process =
37 static_cast<const sandbox::syscall_broker::BrokerProcess*>(aux);
38 switch (args.nr) {
39 case __NR_access:
40 return broker_process->Access(reinterpret_cast<const char*>(args.args[0]),
41 static_cast<int>(args.args[1]));
42 case __NR_open:
43 return broker_process->Open(reinterpret_cast<const char*>(args.args[0]),
44 static_cast<int>(args.args[1]));
45 case __NR_faccessat:
46 if (static_cast<int>(args.args[0]) == AT_FDCWD) {
47 return broker_process->Access(
48 reinterpret_cast<const char*>(args.args[1]),
49 static_cast<int>(args.args[2]));
50 } else {
51 return -EPERM;
53 case __NR_openat:
54 // Allow using openat() as open().
55 if (static_cast<int>(args.args[0]) == AT_FDCWD) {
56 return broker_process->Open(reinterpret_cast<const char*>(args.args[1]),
57 static_cast<int>(args.args[2]));
58 } else {
59 return -EPERM;
61 default:
62 RAW_CHECK(false);
63 return -ENOSYS;
67 class SandboxPolicy : public sandbox::BaselinePolicy {
68 public:
69 explicit SandboxPolicy(sandbox::syscall_broker::BrokerProcess* broker_process)
70 : broker_process_(broker_process) {}
71 ~SandboxPolicy() override {}
73 // Overridden from sandbox::bpf_dsl::Policy:
74 sandbox::bpf_dsl::ResultExpr EvaluateSyscall(int sysno) const override {
75 // This policy is only advisory/for noticing FS access for the moment.
76 switch (sysno) {
77 case __NR_access:
78 case __NR_open:
79 case __NR_faccessat:
80 case __NR_openat:
81 return sandbox::bpf_dsl::Trap(SandboxSIGSYSHandler, broker_process_);
82 case __NR_sched_getaffinity:
83 return sandbox::RestrictSchedTarget(policy_pid(), sysno);
84 case __NR_ftruncate:
85 case __NR_getrlimit:
86 case __NR_uname:
87 return sandbox::bpf_dsl::Allow();
90 return BaselinePolicy::EvaluateSyscall(sysno);
93 private:
94 // Not owned.
95 const sandbox::syscall_broker::BrokerProcess* broker_process_;
96 DISALLOW_COPY_AND_ASSIGN(SandboxPolicy);
99 } // namespace
101 LinuxSandbox::LinuxSandbox(const std::vector<BrokerFilePermission>& permissions)
102 : broker_(new sandbox::syscall_broker::BrokerProcess(EPERM, permissions)) {
103 CHECK(broker_->Init(
104 base::Bind<bool (*)()>(&sandbox::Credentials::DropAllCapabilities)));
105 policy_.reset(new SandboxPolicy(broker_.get()));
108 LinuxSandbox::~LinuxSandbox() {}
110 void LinuxSandbox::Warmup() {
111 proc_fd_ = sandbox::ProcUtil::OpenProc();
112 warmed_up_ = true;
114 // Verify that we haven't started threads or grabbed directory file
115 // descriptors.
116 sandbox::ThreadHelpers::AssertSingleThreaded(proc_fd_.get());
117 CHECK(!sandbox::ProcUtil::HasOpenDirectory(proc_fd_.get()));
120 void LinuxSandbox::EngageNamespaceSandbox() {
121 CHECK(warmed_up_);
122 CHECK_EQ(1, getpid());
123 CHECK(sandbox::NamespaceSandbox::InNewPidNamespace());
124 CHECK(sandbox::Credentials::MoveToNewUserNS());
125 CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_.get()));
126 CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd_.get()));
129 void LinuxSandbox::EngageSeccompSandbox() {
130 CHECK(warmed_up_);
131 sandbox::SandboxBPF sandbox(policy_.release());
132 base::ScopedFD proc_fd(HANDLE_EINTR(
133 openat(proc_fd_.get(), ".", O_RDONLY | O_DIRECTORY | O_CLOEXEC)));
134 CHECK(proc_fd.is_valid());
135 sandbox.SetProcFd(proc_fd.Pass());
136 CHECK(
137 sandbox.StartSandbox(sandbox::SandboxBPF::SeccompLevel::SINGLE_THREADED))
138 << "Starting the process with a sandbox failed. Missing kernel support.";
140 // The Broker is now bound to this process and should only be destroyed when
141 // the process exits or is killed.
142 ANNOTATE_LEAKING_OBJECT_PTR(broker_.release());
145 void LinuxSandbox::Seal() {
146 proc_fd_.reset();
149 } // namespace mandoline