content/common/sandbox_linux.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef CONTENT_COMMON_SANDBOX_LINUX_H_
   6 #define CONTENT_COMMON_SANDBOX_LINUX_H_
   7
   8 #include <string>
   9
  10 #include "base/basictypes.h"
  11 #include "base/memory/scoped_ptr.h"
  12 #include "content/public/common/sandbox_linux.h"
  13
  14 template <typename T> struct DefaultSingletonTraits;
  15 namespace sandbox { class SetuidSandboxClient; }
  16
  17 namespace content {
  18
  19 // A singleton class to represent and change our sandboxing state for the
  20 // three main Linux sandboxes.
  21 class LinuxSandbox {
  22  public:
  23   // This is a list of sandbox IPC methods which the renderer may send to the
  24   // sandbox host. See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC
  25   // This isn't the full list, values < 32 are reserved for methods called from
  26   // Skia.
  27   enum LinuxSandboxIPCMethods {
  28     METHOD_GET_FONT_FAMILY_FOR_CHAR = 32,
  29     METHOD_LOCALTIME = 33,
  30     METHOD_GET_CHILD_WITH_INODE = 34,
  31     METHOD_GET_STYLE_FOR_STRIKE = 35,
  32     METHOD_MAKE_SHARED_MEMORY_SEGMENT = 36,
  33     METHOD_MATCH_WITH_FALLBACK = 37,
  34   };
  35
  36   // Get our singleton instance.
  37   static LinuxSandbox* GetInstance();
  38
  39   // Do some initialization that can only be done before any of the sandboxes
  40   // are enabled. If using the setuid sandbox, this should be called manually
  41   // before the setuid sandbox is engaged.
  42   void PreinitializeSandbox();
  43
  44   // Initialize the sandbox with the given pre-built configuration. Currently
  45   // seccomp-bpf and address space limitations (the setuid sandbox works
  46   // differently and is set-up in the Zygote). This will instantiate the
  47   // LinuxSandbox singleton if it doesn't already exist.
  48   static bool InitializeSandbox();
  49
  50   // Returns the Status of the renderers' sandbox. Can only be queried after
  51   // going through PreinitializeSandbox(). This is a bitmask and uses the
  52   // constants defined in "enum LinuxSandboxStatus". Since the status needs to
  53   // be provided before the sandboxes are actually started, this returns what
  54   // will actually happen once the various Start* functions are called from
  55   // inside a renderer.
  56   int GetStatus() const;
  57   // Returns true if the current process is single-threaded or if the number
  58   // of threads cannot be determined.
  59   bool IsSingleThreaded() const;
  60   // Did we start Seccomp BPF?
  61   bool seccomp_bpf_started() const;
  62
  63   // Simple accessor for our instance of the setuid sandbox. Will never return
  64   // NULL.
  65   // There is no StartSetuidSandbox(), the SetuidSandboxClient instance should
  66   // be used directly.
  67   sandbox::SetuidSandboxClient* setuid_sandbox_client() const;
  68
  69   // Check the policy and eventually start the seccomp-bpf sandbox. This should
  70   // never be called with threads started. If we detect that threads have
  71   // started we will crash.
  72   bool StartSeccompBpf(const std::string& process_type);
  73
  74   // Limit the address space of the current process (and its children).
  75   // to make some vulnerabilities harder to exploit.
  76   bool LimitAddressSpace(const std::string& process_type);
  77
  78  private:
  79   friend struct DefaultSingletonTraits<LinuxSandbox>;
  80
  81   // We must have been pre_initialized_ before using this.
  82   bool seccomp_bpf_supported() const;
  83   // The last part of the initialization is to make sure any temporary "hole"
  84   // in the sandbox is closed. For now, this consists of closing proc_fd_.
  85   void SealSandbox();
  86
  87   // A file descriptor to /proc. It's dangerous to have it around as it could
  88   // allow for sandbox bypasses. It needs to be closed before we consider
  89   // ourselves sandboxed.
  90   int proc_fd_;
  91   bool seccomp_bpf_started_;
  92   // Did PreinitializeSandbox() run?
  93   bool pre_initialized_;
  94   bool seccomp_bpf_supported_;  // Accurate if pre_initialized_.
  95   scoped_ptr<sandbox::SetuidSandboxClient> setuid_sandbox_client_;
  96
  97   ~LinuxSandbox();
  98   DISALLOW_IMPLICIT_CONSTRUCTORS(LinuxSandbox);
  99 };
 100
 101 }  // namespace content
 102
 103 #endif  // CONTENT_COMMON_SANDBOX_LINUX_H_
 104