content/common/sandbox_linux/sandbox_linux.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_
   6 #define CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_
   7
   8 #include <string>
   9
  10 #include "base/basictypes.h"
  11 #include "base/memory/scoped_ptr.h"
  12 #include "content/public/common/sandbox_linux.h"
  13
  14 template <typename T> struct DefaultSingletonTraits;
  15 namespace base {
  16 class Thread;
  17 }
  18 namespace sandbox { class SetuidSandboxClient; }
  19
  20 namespace content {
  21
  22 // A singleton class to represent and change our sandboxing state for the
  23 // three main Linux sandboxes.
  24 class LinuxSandbox {
  25  public:
  26   // This is a list of sandbox IPC methods which the renderer may send to the
  27   // sandbox host. See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC
  28   // This isn't the full list, values < 32 are reserved for methods called from
  29   // Skia.
  30   enum LinuxSandboxIPCMethods {
  31     METHOD_GET_FONT_FAMILY_FOR_CHAR = 32,
  32     METHOD_LOCALTIME = 33,
  33     METHOD_GET_CHILD_WITH_INODE = 34,
  34     METHOD_GET_STYLE_FOR_STRIKE = 35,
  35     METHOD_MAKE_SHARED_MEMORY_SEGMENT = 36,
  36     METHOD_MATCH_WITH_FALLBACK = 37,
  37   };
  38
  39   // Get our singleton instance.
  40   static LinuxSandbox* GetInstance();
  41
  42   // Do some initialization that can only be done before any of the sandboxes
  43   // are enabled. If using the setuid sandbox, this should be called manually
  44   // before the setuid sandbox is engaged.
  45   void PreinitializeSandbox();
  46
  47   // Initialize the sandbox with the given pre-built configuration. Currently
  48   // seccomp-bpf and address space limitations (the setuid sandbox works
  49   // differently and is set-up in the Zygote). This will instantiate the
  50   // LinuxSandbox singleton if it doesn't already exist.
  51   // This function should only be called without any thread running.
  52   static bool InitializeSandbox();
  53
  54   // Stop |thread| in a way that can be trusted by the sandbox.
  55   static void StopThread(base::Thread* thread);
  56
  57   // Returns the status of the renderer, worker and ppapi sandbox. Can only
  58   // be queried after going through PreinitializeSandbox(). This is a bitmask
  59   // and uses the constants defined in "enum LinuxSandboxStatus". Since the
  60   // status needs to be provided before the sandboxes are actually started,
  61   // this returns what will actually happen once InitializeSandbox()
  62   // is called from inside these processes.
  63   int GetStatus();
  64   // Returns true if the current process is single-threaded or if the number
  65   // of threads cannot be determined.
  66   bool IsSingleThreaded() const;
  67   // Did we start Seccomp BPF?
  68   bool seccomp_bpf_started() const;
  69
  70   // Simple accessor for our instance of the setuid sandbox. Will never return
  71   // NULL.
  72   // There is no StartSetuidSandbox(), the SetuidSandboxClient instance should
  73   // be used directly.
  74   sandbox::SetuidSandboxClient* setuid_sandbox_client() const;
  75
  76   // Check the policy and eventually start the seccomp-bpf sandbox. This should
  77   // never be called with threads started. If we detect that threads have
  78   // started we will crash.
  79   bool StartSeccompBPF(const std::string& process_type);
  80
  81   // Limit the address space of the current process (and its children).
  82   // to make some vulnerabilities harder to exploit.
  83   bool LimitAddressSpace(const std::string& process_type);
  84
  85  private:
  86   friend struct DefaultSingletonTraits<LinuxSandbox>;
  87
  88   // Some methods are static and get an instance of the Singleton. These
  89   // are the non-static implementations.
  90   bool InitializeSandboxImpl();
  91   void StopThreadImpl(base::Thread* thread);
  92   // We must have been pre_initialized_ before using this.
  93   bool seccomp_bpf_supported() const;
  94   // Returns true if it can be determined that the current process has open
  95   // directories that are not managed by the LinuxSandbox class. This would
  96   // be a vulnerability as it would allow to bypass the setuid sandbox.
  97   bool HasOpenDirectories() const;
  98   // The last part of the initialization is to make sure any temporary "hole"
  99   // in the sandbox is closed. For now, this consists of closing proc_fd_.
 100   void SealSandbox();
 101   // GetStatus() makes promises as to how the sandbox will behave. This
 102   // checks that no promises have been broken.
 103   void CheckForBrokenPromises(const std::string& process_type);
 104   // Stop |thread| and make sure it does not appear in /proc/self/tasks/
 105   // anymore.
 106   void StopThreadAndEnsureNotCounted(base::Thread* thread) const;
 107
 108   // A file descriptor to /proc. It's dangerous to have it around as it could
 109   // allow for sandbox bypasses. It needs to be closed before we consider
 110   // ourselves sandboxed.
 111   int proc_fd_;
 112   bool seccomp_bpf_started_;
 113   // The value returned by GetStatus(). Gets computed once and then cached.
 114   int sandbox_status_flags_;
 115   // Did PreinitializeSandbox() run?
 116   bool pre_initialized_;
 117   bool seccomp_bpf_supported_;  // Accurate if pre_initialized_.
 118   bool yama_is_enforcing_;  // Accurate if pre_initialized_.
 119   scoped_ptr<sandbox::SetuidSandboxClient> setuid_sandbox_client_;
 120
 121   ~LinuxSandbox();
 122   DISALLOW_IMPLICIT_CONSTRUCTORS(LinuxSandbox);
 123 };
 124
 125 }  // namespace content
 126
 127 #endif  // CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_