search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
cros: Don't check consume kiosk flag for enterprise managed device.
[chromium-blink-merge.git] / content / common / sandbox_linux.cc
blob523e29d344ac077b018ebc9ac5cea2e63a5e079e
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <fcntl.h>
6 #include <sys/resource.h>
7 #include <sys/stat.h>
8 #include <sys/time.h>
9 #include <sys/types.h>
10
11 #include <limits>
12
13 #include "base/bind.h"
14 #include "base/bind_helpers.h"
15 #include "base/command_line.h"
16 #include "base/logging.h"
17 #include "base/memory/singleton.h"
18 #include "base/posix/eintr_wrapper.h"
19 #include "base/time.h"
20 #include "content/common/sandbox_linux.h"
21 #include "content/common/sandbox_seccomp_bpf_linux.h"
22 #include "content/public/common/content_switches.h"
23 #include "content/public/common/sandbox_linux.h"
24 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
25
26 namespace {
27
28 void LogSandboxStarted(const std::string& sandbox_name) {
29 const CommandLine& command_line = *CommandLine::ForCurrentProcess();
30 const std::string process_type =
31 command_line.GetSwitchValueASCII(switches::kProcessType);
32 const std::string activated_sandbox =
33 "Activated " + sandbox_name + " sandbox for process type: " +
34 process_type + ".";
35 #if defined(OS_CHROMEOS)
36 LOG(WARNING) << activated_sandbox;
37 #else
38 VLOG(1) << activated_sandbox;
39 #endif
40 }
41
42 bool AddResourceLimit(int resource, rlim_t limit) {
43 struct rlimit old_rlimit;
44 if (getrlimit(resource, &old_rlimit))
45 return false;
46 // Make sure we don't raise the existing limit.
47 const struct rlimit new_rlimit = {
48 std::min(old_rlimit.rlim_cur, limit),
49 std::min(old_rlimit.rlim_max, limit)
50 };
51 int rc = setrlimit(resource, &new_rlimit);
52 return rc == 0;
53 }
54
55 } // namespace
56
57 namespace content {
58
59 LinuxSandbox::LinuxSandbox()
60 : proc_fd_(-1),
61 seccomp_bpf_started_(false),
62 pre_initialized_(false),
63 seccomp_bpf_supported_(false),
64 setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) {
65 if (setuid_sandbox_client_ == NULL) {
66 LOG(FATAL) << "Failed to instantiate the setuid sandbox client.";
67 }
68 }
69
70 LinuxSandbox::~LinuxSandbox() {
71 }
72
73 LinuxSandbox* LinuxSandbox::GetInstance() {
74 LinuxSandbox* instance = Singleton<LinuxSandbox>::get();
75 CHECK(instance);
76 return instance;
77 }
78
79 #if defined(ADDRESS_SANITIZER) && defined(OS_LINUX)
80 // ASan API call to notify the tool the sandbox is going to be turned on.
81 extern "C" void __sanitizer_sandbox_on_notify(void *reserved);
82 #endif
83
84 void LinuxSandbox::PreinitializeSandbox() {
85 CHECK(!pre_initialized_);
86 seccomp_bpf_supported_ = false;
87 #if defined(ADDRESS_SANITIZER) && defined(OS_LINUX)
88 // ASan needs to open some resources before the sandbox is enabled.
89 // This should not fork, not launch threads, not open a directory.
90 __sanitizer_sandbox_on_notify(/*reserved*/NULL);
91 #endif
92
93 #if !defined(NDEBUG)
94 // Open proc_fd_ only in Debug mode so that forgetting to close it doesn't
95 // produce a sandbox escape in Release mode.
96 proc_fd_ = open("/proc", O_DIRECTORY | O_RDONLY);
97 CHECK_GE(proc_fd_, 0);
98 #endif // !defined(NDEBUG)
99 // We "pre-warm" the code that detects supports for seccomp BPF.
100 if (SandboxSeccompBpf::IsSeccompBpfDesired()) {
101 if (!SandboxSeccompBpf::SupportsSandbox()) {
102 VLOG(1) << "Lacking support for seccomp-bpf sandbox.";
103 } else {
104 seccomp_bpf_supported_ = true;
105 }
106 }
107 pre_initialized_ = true;
108 }
109
110 bool LinuxSandbox::InitializeSandbox() {
111 bool seccomp_bpf_started = false;
112 LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
113 // We need to make absolutely sure that our sandbox is "sealed" before
114 // InitializeSandbox does exit.
115 base::ScopedClosureRunner sandbox_sealer(
116 base::Bind(&LinuxSandbox::SealSandbox, base::Unretained(linux_sandbox)));
117 const std::string process_type =
118 CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
119 switches::kProcessType);
120
121 // No matter what, it's always an error to call InitializeSandbox() after
122 // threads have been created.
123 if (!linux_sandbox->IsSingleThreaded()) {
124 std::string error_message = "InitializeSandbox() called with multiple "
125 "threads in process " + process_type;
126 // The GPU process is allowed to call InitializeSandbox() with threads for
127 // now, because it loads third party libraries.
128 if (process_type != switches::kGpuProcess)
129 DCHECK(false) << error_message;
130 LOG(ERROR) << error_message;
131 return false;
132 }
133
134 // Attempt to limit the future size of the address space of the process.
135 linux_sandbox->LimitAddressSpace(process_type);
136
137 // First, try to enable seccomp-bpf.
138 seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type);
139
140 return seccomp_bpf_started;
141 }
142
143 int LinuxSandbox::GetStatus() const {
144 CHECK(pre_initialized_);
145 int sandbox_flags = 0;
146 if (setuid_sandbox_client_->IsSandboxed()) {
147 sandbox_flags |= kSandboxLinuxSUID;
148 if (setuid_sandbox_client_->IsInNewPIDNamespace())
149 sandbox_flags |= kSandboxLinuxPIDNS;
150 if (setuid_sandbox_client_->IsInNewNETNamespace())
151 sandbox_flags |= kSandboxLinuxNetNS;
152 }
153
154 if (seccomp_bpf_supported() &&
155 SandboxSeccompBpf::ShouldEnableSeccompBpf(switches::kRendererProcess)) {
156 // We report whether the sandbox will be activated when renderers go
157 // through sandbox initialization.
158 sandbox_flags |= kSandboxLinuxSeccompBpf;
159 }
160
161 return sandbox_flags;
162 }
163
164 // Threads are counted via /proc/self/task. This is a little hairy because of
165 // PID namespaces and existing sandboxes, so "self" must really be used instead
166 // of using the pid.
167 bool LinuxSandbox::IsSingleThreaded() const {
168 struct stat task_stat;
169 int fstat_ret;
170 if (proc_fd_ >= 0) {
171 // If a handle to /proc is available, use it. This allows to bypass file
172 // system restrictions.
173 fstat_ret = fstatat(proc_fd_, "self/task/", &task_stat, 0);
174 } else {
175 // Otherwise, make an attempt to access the file system directly.
176 fstat_ret = fstatat(AT_FDCWD, "/proc/self/task/", &task_stat, 0);
177 }
178 // In Debug mode, it's mandatory to be able to count threads to catch bugs.
179 #if !defined(NDEBUG)
180 // Using DCHECK here would be incorrect. DCHECK can be enabled in non
181 // official release mode.
182 CHECK_EQ(0, fstat_ret) << "Could not count threads, the sandbox was not "
183 << "pre-initialized properly.";
184 #endif // !defined(NDEBUG)
185 if (fstat_ret) {
186 // Pretend to be monothreaded if it can't be determined (for instance the
187 // setuid sandbox is already engaged but no proc_fd_ is available).
188 return true;
189 }
190
191 // At least "..", "." and the current thread should be present.
192 CHECK_LE(3UL, task_stat.st_nlink);
193 // Counting threads via /proc/self/task could be racy. For the purpose of
194 // determining if the current proces is monothreaded it works: if at any
195 // time it becomes monothreaded, it'll stay so.
196 return task_stat.st_nlink == 3;
197 }
198
199 bool LinuxSandbox::seccomp_bpf_started() const {
200 return seccomp_bpf_started_;
201 }
202
203 sandbox::SetuidSandboxClient*
204 LinuxSandbox::setuid_sandbox_client() const {
205 return setuid_sandbox_client_.get();
206 }
207
208 // For seccomp-bpf, we use the SandboxSeccompBpf class.
209 bool LinuxSandbox::StartSeccompBpf(const std::string& process_type) {
210 CHECK(!seccomp_bpf_started_);
211 if (!pre_initialized_)
212 PreinitializeSandbox();
213 if (seccomp_bpf_supported())
214 seccomp_bpf_started_ = SandboxSeccompBpf::StartSandbox(process_type);
215
216 if (seccomp_bpf_started_)
217 LogSandboxStarted("seccomp-bpf");
218
219 return seccomp_bpf_started_;
220 }
221
222 bool LinuxSandbox::seccomp_bpf_supported() const {
223 CHECK(pre_initialized_);
224 return seccomp_bpf_supported_;
225 }
226
227 bool LinuxSandbox::LimitAddressSpace(const std::string& process_type) {
228 (void) process_type;
229 #if !defined(ADDRESS_SANITIZER)
230 CommandLine* command_line = CommandLine::ForCurrentProcess();
231 if (command_line->HasSwitch(switches::kNoSandbox)) {
232 return false;
233 }
234
235 // Limit the address space to 4GB.
236 // This is in the hope of making some kernel exploits more complex and less
237 // reliable. It also limits sprays a little on 64-bit.
238 rlim_t address_space_limit = std::numeric_limits<uint32_t>::max();
239 #if defined(__LP64__)
240 // On 64 bits, V8 and possibly others will reserve massive memory ranges and
241 // rely on on-demand paging for allocation. Unfortunately, even
242 // MADV_DONTNEED ranges count towards RLIMIT_AS so this is not an option.
243 // See crbug.com/169327 for a discussion.
244 // For now, increase limit to 16GB for renderer and worker processes to
245 // accomodate.
246 if (process_type == switches::kRendererProcess ||
247 process_type == switches::kWorkerProcess) {
248 address_space_limit = 1L << 34;
249 }
250 #endif // defined(__LP64__)
251
252 // On all platforms, add a limit to the brk() heap that would prevent
253 // allocations that can't be index by an int.
254 const rlim_t kNewDataSegmentMaxSize = std::numeric_limits<int>::max();
255
256 bool limited_as = AddResourceLimit(RLIMIT_AS, address_space_limit);
257 bool limited_data = AddResourceLimit(RLIMIT_DATA, kNewDataSegmentMaxSize);
258 return limited_as && limited_data;
259 #else
260 return false;
261 #endif // !defined(ADDRESS_SANITIZER)
262 }
263
264 void LinuxSandbox::SealSandbox() {
265 if (proc_fd_ >= 0) {
266 int ret = HANDLE_EINTR(close(proc_fd_));
267 CHECK_EQ(0, ret);
268 proc_fd_ = -1;
269 }
270 }
271
272 } // namespace content
273