search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge Chromium + Blink git repositories
[chromium-blink-merge.git] / sandbox / linux / syscall_broker / broker_host.cc
blobe5957ed224eadb82242ff7c7362783dd2dea3c01
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/linux/syscall_broker/broker_host.h"
6
7 #include <fcntl.h>
8 #include <sys/socket.h>
9 #include <sys/stat.h>
10 #include <sys/syscall.h>
11 #include <sys/types.h>
12 #include <unistd.h>
13
14 #include <string>
15 #include <vector>
16
17 #include "base/files/scoped_file.h"
18 #include "base/logging.h"
19 #include "base/pickle.h"
20 #include "base/posix/eintr_wrapper.h"
21 #include "base/posix/unix_domain_socket_linux.h"
22 #include "base/third_party/valgrind/valgrind.h"
23 #include "sandbox/linux/syscall_broker/broker_common.h"
24 #include "sandbox/linux/syscall_broker/broker_policy.h"
25 #include "sandbox/linux/system_headers/linux_syscalls.h"
26
27 namespace sandbox {
28
29 namespace syscall_broker {
30
31 namespace {
32
33 bool IsRunningOnValgrind() {
34 return RUNNING_ON_VALGRIND;
35 }
36
37 // A little open(2) wrapper to handle some oddities for us. In the general case
38 // make a direct system call since we want to keep in control of the broker
39 // process' system calls profile to be able to loosely sandbox it.
40 int sys_open(const char* pathname, int flags) {
41 // Hardcode mode to rw------- when creating files.
42 int mode;
43 if (flags & O_CREAT) {
44 mode = 0600;
45 } else {
46 mode = 0;
47 }
48 if (IsRunningOnValgrind()) {
49 // Valgrind does not support AT_FDCWD, just use libc's open() in this case.
50 return open(pathname, flags, mode);
51 } else {
52 return syscall(__NR_openat, AT_FDCWD, pathname, flags, mode);
53 }
54 }
55
56 // Open |requested_filename| with |flags| if allowed by our policy.
57 // Write the syscall return value (-errno) to |write_pickle| and append
58 // a file descriptor to |opened_files| if relevant.
59 void OpenFileForIPC(const BrokerPolicy& policy,
60 const std::string& requested_filename,
61 int flags,
62 base::Pickle* write_pickle,
63 std::vector<int>* opened_files) {
64 DCHECK(write_pickle);
65 DCHECK(opened_files);
66 const char* file_to_open = NULL;
67 bool unlink_after_open = false;
68 const bool safe_to_open_file = policy.GetFileNameIfAllowedToOpen(
69 requested_filename.c_str(), flags, &file_to_open, &unlink_after_open);
70
71 if (safe_to_open_file) {
72 CHECK(file_to_open);
73 int opened_fd = sys_open(file_to_open, flags);
74 if (opened_fd < 0) {
75 write_pickle->WriteInt(-errno);
76 } else {
77 // Success.
78 if (unlink_after_open) {
79 unlink(file_to_open);
80 }
81 opened_files->push_back(opened_fd);
82 write_pickle->WriteInt(0);
83 }
84 } else {
85 write_pickle->WriteInt(-policy.denied_errno());
86 }
87 }
88
89 // Perform access(2) on |requested_filename| with mode |mode| if allowed by our
90 // policy. Write the syscall return value (-errno) to |write_pickle|.
91 void AccessFileForIPC(const BrokerPolicy& policy,
92 const std::string& requested_filename,
93 int mode,
94 base::Pickle* write_pickle) {
95 DCHECK(write_pickle);
96 const char* file_to_access = NULL;
97 const bool safe_to_access_file = policy.GetFileNameIfAllowedToAccess(
98 requested_filename.c_str(), mode, &file_to_access);
99
100 if (safe_to_access_file) {
101 CHECK(file_to_access);
102 int access_ret = access(file_to_access, mode);
103 int access_errno = errno;
104 if (!access_ret)
105 write_pickle->WriteInt(0);
106 else
107 write_pickle->WriteInt(-access_errno);
108 } else {
109 write_pickle->WriteInt(-policy.denied_errno());
110 }
111 }
112
113 // Handle a |command_type| request contained in |iter| and send the reply
114 // on |reply_ipc|.
115 // Currently COMMAND_OPEN and COMMAND_ACCESS are supported.
116 bool HandleRemoteCommand(const BrokerPolicy& policy,
117 IPCCommand command_type,
118 int reply_ipc,
119 base::PickleIterator iter) {
120 // Currently all commands have two arguments: filename and flags.
121 std::string requested_filename;
122 int flags = 0;
123 if (!iter.ReadString(&requested_filename) || !iter.ReadInt(&flags))
124 return false;
125
126 base::Pickle write_pickle;
127 std::vector<int> opened_files;
128
129 switch (command_type) {
130 case COMMAND_ACCESS:
131 AccessFileForIPC(policy, requested_filename, flags, &write_pickle);
132 break;
133 case COMMAND_OPEN:
134 OpenFileForIPC(
135 policy, requested_filename, flags, &write_pickle, &opened_files);
136 break;
137 default:
138 LOG(ERROR) << "Invalid IPC command";
139 break;
140 }
141
142 CHECK_LE(write_pickle.size(), kMaxMessageLength);
143 ssize_t sent = base::UnixDomainSocket::SendMsg(
144 reply_ipc, write_pickle.data(), write_pickle.size(), opened_files);
145
146 // Close anything we have opened in this process.
147 for (std::vector<int>::iterator it = opened_files.begin();
148 it != opened_files.end();
149 ++it) {
150 int ret = IGNORE_EINTR(close(*it));
151 DCHECK(!ret) << "Could not close file descriptor";
152 }
153
154 if (sent <= 0) {
155 LOG(ERROR) << "Could not send IPC reply";
156 return false;
157 }
158 return true;
159 }
160
161 } // namespace
162
163 BrokerHost::BrokerHost(const BrokerPolicy& broker_policy,
164 BrokerChannel::EndPoint ipc_channel)
165 : broker_policy_(broker_policy), ipc_channel_(ipc_channel.Pass()) {
166 }
167
168 BrokerHost::~BrokerHost() {
169 }
170
171 // Handle a request on the IPC channel ipc_channel_.
172 // A request should have a file descriptor attached on which we will reply and
173 // that we will then close.
174 // A request should start with an int that will be used as the command type.
175 BrokerHost::RequestStatus BrokerHost::HandleRequest() const {
176 ScopedVector<base::ScopedFD> fds;
177 char buf[kMaxMessageLength];
178 errno = 0;
179 const ssize_t msg_len = base::UnixDomainSocket::RecvMsg(
180 ipc_channel_.get(), buf, sizeof(buf), &fds);
181
182 if (msg_len == 0 || (msg_len == -1 && errno == ECONNRESET)) {
183 // EOF from the client, or the client died, we should die.
184 return RequestStatus::LOST_CLIENT;
185 }
186
187 // The client should send exactly one file descriptor, on which we
188 // will write the reply.
189 // TODO(mdempsky): ScopedVector doesn't have 'at()', only 'operator[]'.
190 if (msg_len < 0 || fds.size() != 1 || fds[0]->get() < 0) {
191 PLOG(ERROR) << "Error reading message from the client";
192 return RequestStatus::FAILURE;
193 }
194
195 base::ScopedFD temporary_ipc(fds[0]->Pass());
196
197 base::Pickle pickle(buf, msg_len);
198 base::PickleIterator iter(pickle);
199 int command_type;
200 if (iter.ReadInt(&command_type)) {
201 bool command_handled = false;
202 // Go through all the possible IPC messages.
203 switch (command_type) {
204 case COMMAND_ACCESS:
205 case COMMAND_OPEN:
206 // We reply on the file descriptor sent to us via the IPC channel.
207 command_handled = HandleRemoteCommand(
208 broker_policy_, static_cast<IPCCommand>(command_type),
209 temporary_ipc.get(), iter);
210 break;
211 default:
212 NOTREACHED();
213 break;
214 }
215
216 if (command_handled) {
217 return RequestStatus::SUCCESS;
218 } else {
219 return RequestStatus::FAILURE;
220 }
221
222 NOTREACHED();
223 }
224
225 LOG(ERROR) << "Error parsing IPC request";
226 return RequestStatus::FAILURE;
227 }
228
229 } // namespace syscall_broker
230
231 } // namespace sandbox