1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/linux/services/broker_process.h"
6
7 #include <fcntl.h>
8 #include <sys/socket.h>
9 #include <sys/stat.h>
10 #include <sys/syscall.h>
11 #include <sys/types.h>
12 #include <unistd.h>
13
14 #include <algorithm>
15 #include <string>
16 #include <vector>
17
18 #include "base/basictypes.h"
19 #include "base/compiler_specific.h"
20 #include "base/logging.h"
21 #include "base/pickle.h"
22 #include "base/posix/eintr_wrapper.h"
23 #include "base/posix/unix_domain_socket_linux.h"
24 #include "base/process/process_metrics.h"
25 #include "build/build_config.h"
26 #include "sandbox/linux/services/linux_syscalls.h"
27
28 #if defined(OS_ANDROID) && !defined(MSG_CMSG_CLOEXEC)
29 #define MSG_CMSG_CLOEXEC 0x40000000
30 #endif
31
32 namespace {
33
34 static const size_t kMaxMessageLength = 4096;
35
36 // Some flags are local to the current process and cannot be sent over a Unix
37 // socket. They need special treatment from the client.
38 // O_CLOEXEC is tricky because in theory another thread could call execve()
39 // before special treatment is made on the client, so a client needs to call
40 // recvmsg(2) with MSG_CMSG_CLOEXEC.
41 // To make things worse, there are two CLOEXEC related flags, FD_CLOEXEC (see
42 // F_GETFD in fcntl(2)) and O_CLOEXEC (see F_GETFL in fcntl(2)). O_CLOEXEC
43 // doesn't affect the semantics on execve(), it's merely a note that the
44 // descriptor was originally opened with O_CLOEXEC as a flag. And it is sent
45 // over unix sockets just fine, so a receiver that would (incorrectly) look at
46 // O_CLOEXEC instead of FD_CLOEXEC may be tricked in thinking that the file
47 // descriptor will or won't be closed on execve().
48 static const int kCurrentProcessOpenFlagsMask = O_CLOEXEC;
49
50 // Check whether |requested_filename| is in |allowed_file_names|.
51 // See GetFileNameIfAllowedToOpen() for an explanation of |file_to_open|.
52 // async signal safe if |file_to_open| is NULL.
53 // TODO(jln): assert signal safety.
GetFileNameInWhitelist(const std::vector<std::string> & allowed_file_names,const char * requested_filename,const char ** file_to_open)54 bool GetFileNameInWhitelist(const std::vector<std::string>& allowed_file_names,
55 const char* requested_filename,
56 const char** file_to_open) {
57 if (file_to_open && *file_to_open) {
58 // Make sure that callers never pass a non-empty string. In case callers
59 // wrongly forget to check the return value and look at the string
60 // instead, this could catch bugs.
61 RAW_LOG(FATAL, "*file_to_open should be NULL");
62 return false;
63 }
64
65 // Look for |requested_filename| in |allowed_file_names|.
66 // We don't use ::find() because it takes a std::string and
67 // the conversion allocates memory.
68 std::vector<std::string>::const_iterator it;
69 for (it = allowed_file_names.begin(); it != allowed_file_names.end(); it++) {
70 if (strcmp(requested_filename, it->c_str()) == 0) {
71 if (file_to_open)
72 *file_to_open = it->c_str();
73 return true;
74 }
75 }
76 return false;
77 }
78
79 // We maintain a list of flags that have been reviewed for "sanity" and that
80 // we're ok to allow in the broker.
81 // I.e. here is where we wouldn't add O_RESET_FILE_SYSTEM.
IsAllowedOpenFlags(int flags)82 bool IsAllowedOpenFlags(int flags) {
83 // First, check the access mode.
84 const int access_mode = flags & O_ACCMODE;
85 if (access_mode != O_RDONLY && access_mode != O_WRONLY &&
86 access_mode != O_RDWR) {
87 return false;
88 }
89
90 // We only support a 2-parameters open, so we forbid O_CREAT.
91 if (flags & O_CREAT) {
92 return false;
93 }
94
95 // Some flags affect the behavior of the current process. We don't support
96 // them and don't allow them for now.
97 if (flags & kCurrentProcessOpenFlagsMask)
98 return false;
99
100 // Now check that all the flags are known to us.
101 const int creation_and_status_flags = flags & ~O_ACCMODE;
102
103 const int known_flags =
104 O_APPEND | O_ASYNC | O_CLOEXEC | O_CREAT | O_DIRECT |
105 O_DIRECTORY | O_EXCL | O_LARGEFILE | O_NOATIME | O_NOCTTY |
106 O_NOFOLLOW | O_NONBLOCK | O_NDELAY | O_SYNC | O_TRUNC;
107
108 const int unknown_flags = ~known_flags;
109 const bool has_unknown_flags = creation_and_status_flags & unknown_flags;
110 return !has_unknown_flags;
111 }
112
113 } // namespace
114
115 namespace sandbox {
116
BrokerProcess(int denied_errno,const std::vector<std::string> & allowed_r_files,const std::vector<std::string> & allowed_w_files,bool fast_check_in_client,bool quiet_failures_for_tests)117 BrokerProcess::BrokerProcess(int denied_errno,
118 const std::vector<std::string>& allowed_r_files,
119 const std::vector<std::string>& allowed_w_files,
120 bool fast_check_in_client,
121 bool quiet_failures_for_tests)
122 : denied_errno_(denied_errno),
123 initialized_(false),
124 is_child_(false),
125 fast_check_in_client_(fast_check_in_client),
126 quiet_failures_for_tests_(quiet_failures_for_tests),
127 broker_pid_(-1),
128 allowed_r_files_(allowed_r_files),
129 allowed_w_files_(allowed_w_files),
130 ipc_socketpair_(-1) {
131 }
132
~BrokerProcess()133 BrokerProcess::~BrokerProcess() {
134 if (initialized_ && ipc_socketpair_ != -1) {
135 close(ipc_socketpair_);
136 }
137 }
138
Init(bool (* sandbox_callback)(void))139 bool BrokerProcess::Init(bool (*sandbox_callback)(void)) {
140 CHECK(!initialized_);
141 int socket_pair[2];
142 // Use SOCK_SEQPACKET, because we need to preserve message boundaries
143 // but we also want to be notified (recvmsg should return and not block)
144 // when the connection has been broken (one of the processes died).
145 if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, socket_pair)) {
146 LOG(ERROR) << "Failed to create socketpair";
147 return false;
148 }
149
150 DCHECK_EQ(1, base::GetNumberOfThreads(base::GetCurrentProcessHandle()));
151 int child_pid = fork();
152 if (child_pid == -1) {
153 close(socket_pair[0]);
154 close(socket_pair[1]);
155 return false;
156 }
157 if (child_pid) {
158 // We are the parent and we have just forked our broker process.
159 close(socket_pair[0]);
160 // We should only be able to write to the IPC channel. We'll always send
161 // a new file descriptor to receive the reply on.
162 shutdown(socket_pair[1], SHUT_RD);
163 ipc_socketpair_ = socket_pair[1];
164 is_child_ = false;
165 broker_pid_ = child_pid;
166 initialized_ = true;
167 return true;
168 } else {
169 // We are the broker.
170 close(socket_pair[1]);
171 // We should only be able to read from this IPC channel. We will send our
172 // replies on a new file descriptor attached to the requests.
173 shutdown(socket_pair[0], SHUT_WR);
174 ipc_socketpair_ = socket_pair[0];
175 is_child_ = true;
176 // Enable the sandbox if provided.
177 if (sandbox_callback) {
178 CHECK(sandbox_callback());
179 }
180 initialized_ = true;
181 for (;;) {
182 HandleRequest();
183 }
184 _exit(1);
185 }
186 NOTREACHED();
187 }
188
Access(const char * pathname,int mode) const189 int BrokerProcess::Access(const char* pathname, int mode) const {
190 return PathAndFlagsSyscall(kCommandAccess, pathname, mode);
191 }
192
Open(const char * pathname,int flags) const193 int BrokerProcess::Open(const char* pathname, int flags) const {
194 return PathAndFlagsSyscall(kCommandOpen, pathname, flags);
195 }
196
197 // Make a remote system call over IPC for syscalls that take a path and flags
198 // as arguments, currently open() and access().
199 // Will return -errno like a real system call.
200 // This function needs to be async signal safe.
PathAndFlagsSyscall(enum IPCCommands syscall_type,const char * pathname,int flags) const201 int BrokerProcess::PathAndFlagsSyscall(enum IPCCommands syscall_type,
202 const char* pathname, int flags) const {
203 int recvmsg_flags = 0;
204 RAW_CHECK(initialized_); // async signal safe CHECK().
205 RAW_CHECK(syscall_type == kCommandOpen || syscall_type == kCommandAccess);
206 if (!pathname)
207 return -EFAULT;
208
209 // For this "remote system call" to work, we need to handle any flag that
210 // cannot be sent over a Unix socket in a special way.
211 // See the comments around kCurrentProcessOpenFlagsMask.
212 if (syscall_type == kCommandOpen && (flags & kCurrentProcessOpenFlagsMask)) {
213 // This implementation only knows about O_CLOEXEC, someone needs to look at
214 // this code if other flags are added.
215 RAW_CHECK(kCurrentProcessOpenFlagsMask == O_CLOEXEC);
216 recvmsg_flags |= MSG_CMSG_CLOEXEC;
217 flags &= ~O_CLOEXEC;
218 }
219
220 // There is no point in forwarding a request that we know will be denied.
221 // Of course, the real security check needs to be on the other side of the
222 // IPC.
223 if (fast_check_in_client_) {
224 if (syscall_type == kCommandOpen &&
225 !GetFileNameIfAllowedToOpen(pathname, flags, NULL)) {
226 return -denied_errno_;
227 }
228 if (syscall_type == kCommandAccess &&
229 !GetFileNameIfAllowedToAccess(pathname, flags, NULL)) {
230 return -denied_errno_;
231 }
232 }
233
234 Pickle write_pickle;
235 write_pickle.WriteInt(syscall_type);
236 write_pickle.WriteString(pathname);
237 write_pickle.WriteInt(flags);
238 RAW_CHECK(write_pickle.size() <= kMaxMessageLength);
239
240 int returned_fd = -1;
241 uint8_t reply_buf[kMaxMessageLength];
242
243 // Send a request (in write_pickle) as well that will include a new
244 // temporary socketpair (created internally by SendRecvMsg()).
245 // Then read the reply on this new socketpair in reply_buf and put an
246 // eventual attached file descriptor in |returned_fd|.
247 ssize_t msg_len = UnixDomainSocket::SendRecvMsgWithFlags(ipc_socketpair_,
248 reply_buf,
249 sizeof(reply_buf),
250 recvmsg_flags,
251 &returned_fd,
252 write_pickle);
253 if (msg_len <= 0) {
254 if (!quiet_failures_for_tests_)
255 RAW_LOG(ERROR, "Could not make request to broker process");
256 return -ENOMEM;
257 }
258
259 Pickle read_pickle(reinterpret_cast<char*>(reply_buf), msg_len);
260 PickleIterator iter(read_pickle);
261 int return_value = -1;
262 // Now deserialize the return value and eventually return the file
263 // descriptor.
264 if (read_pickle.ReadInt(&iter, &return_value)) {
265 switch (syscall_type) {
266 case kCommandAccess:
267 // We should never have a fd to return.
268 RAW_CHECK(returned_fd == -1);
269 return return_value;
270 case kCommandOpen:
271 if (return_value < 0) {
272 RAW_CHECK(returned_fd == -1);
273 return return_value;
274 } else {
275 // We have a real file descriptor to return.
276 RAW_CHECK(returned_fd >= 0);
277 return returned_fd;
278 }
279 default:
280 RAW_LOG(ERROR, "Unsupported command");
281 return -ENOSYS;
282 }
283 } else {
284 RAW_LOG(ERROR, "Could not read pickle");
285 NOTREACHED();
286 return -ENOMEM;
287 }
288 }
289
290 // Handle a request on the IPC channel ipc_socketpair_.
291 // A request should have a file descriptor attached on which we will reply and
292 // that we will then close.
293 // A request should start with an int that will be used as the command type.
HandleRequest() const294 bool BrokerProcess::HandleRequest() const {
295
296 std::vector<int> fds;
297 char buf[kMaxMessageLength];
298 errno = 0;
299 const ssize_t msg_len = UnixDomainSocket::RecvMsg(ipc_socketpair_, buf,
300 sizeof(buf), &fds);
301
302 if (msg_len == 0 || (msg_len == -1 && errno == ECONNRESET)) {
303 // EOF from our parent, or our parent died, we should die.
304 _exit(0);
305 }
306
307 // The parent should send exactly one file descriptor, on which we
308 // will write the reply.
309 if (msg_len < 0 || fds.size() != 1 || fds.at(0) < 0) {
310 PLOG(ERROR) << "Error reading message from the client";
311 return false;
312 }
313
314 const int temporary_ipc = fds.at(0);
315
316 Pickle pickle(buf, msg_len);
317 PickleIterator iter(pickle);
318 int command_type;
319 if (pickle.ReadInt(&iter, &command_type)) {
320 bool r = false;
321 // Go through all the possible IPC messages.
322 switch (command_type) {
323 case kCommandAccess:
324 case kCommandOpen:
325 // We reply on the file descriptor sent to us via the IPC channel.
326 r = HandleRemoteCommand(static_cast<IPCCommands>(command_type),
327 temporary_ipc, pickle, iter);
328 break;
329 default:
330 NOTREACHED();
331 r = false;
332 break;
333 }
334 int ret = IGNORE_EINTR(close(temporary_ipc));
335 DCHECK(!ret) << "Could not close temporary IPC channel";
336 return r;
337 }
338
339 LOG(ERROR) << "Error parsing IPC request";
340 return false;
341 }
342
343 // Handle a |command_type| request contained in |read_pickle| and send the reply
344 // on |reply_ipc|.
345 // Currently kCommandOpen and kCommandAccess are supported.
HandleRemoteCommand(IPCCommands command_type,int reply_ipc,const Pickle & read_pickle,PickleIterator iter) const346 bool BrokerProcess::HandleRemoteCommand(IPCCommands command_type, int reply_ipc,
347 const Pickle& read_pickle,
348 PickleIterator iter) const {
349 // Currently all commands have two arguments: filename and flags.
350 std::string requested_filename;
351 int flags = 0;
352 if (!read_pickle.ReadString(&iter, &requested_filename) ||
353 !read_pickle.ReadInt(&iter, &flags)) {
354 return -1;
355 }
356
357 Pickle write_pickle;
358 std::vector<int> opened_files;
359
360 switch (command_type) {
361 case kCommandAccess:
362 AccessFileForIPC(requested_filename, flags, &write_pickle);
363 break;
364 case kCommandOpen:
365 OpenFileForIPC(requested_filename, flags, &write_pickle, &opened_files);
366 break;
367 default:
368 LOG(ERROR) << "Invalid IPC command";
369 break;
370 }
371
372 CHECK_LE(write_pickle.size(), kMaxMessageLength);
373 ssize_t sent = UnixDomainSocket::SendMsg(reply_ipc, write_pickle.data(),
374 write_pickle.size(), opened_files);
375
376 // Close anything we have opened in this process.
377 for (std::vector<int>::iterator it = opened_files.begin();
378 it < opened_files.end(); ++it) {
379 int ret = IGNORE_EINTR(close(*it));
380 DCHECK(!ret) << "Could not close file descriptor";
381 }
382
383 if (sent <= 0) {
384 LOG(ERROR) << "Could not send IPC reply";
385 return false;
386 }
387 return true;
388 }
389
390 // Perform access(2) on |requested_filename| with mode |mode| if allowed by our
391 // policy. Write the syscall return value (-errno) to |write_pickle|.
AccessFileForIPC(const std::string & requested_filename,int mode,Pickle * write_pickle) const392 void BrokerProcess::AccessFileForIPC(const std::string& requested_filename,
393 int mode, Pickle* write_pickle) const {
394 DCHECK(write_pickle);
395 const char* file_to_access = NULL;
396 const bool safe_to_access_file = GetFileNameIfAllowedToAccess(
397 requested_filename.c_str(), mode, &file_to_access);
398
399 if (safe_to_access_file) {
400 CHECK(file_to_access);
401 int access_ret = access(file_to_access, mode);
402 int access_errno = errno;
403 if (!access_ret)
404 write_pickle->WriteInt(0);
405 else
406 write_pickle->WriteInt(-access_errno);
407 } else {
408 write_pickle->WriteInt(-denied_errno_);
409 }
410 }
411
412 // Open |requested_filename| with |flags| if allowed by our policy.
413 // Write the syscall return value (-errno) to |write_pickle| and append
414 // a file descriptor to |opened_files| if relevant.
OpenFileForIPC(const std::string & requested_filename,int flags,Pickle * write_pickle,std::vector<int> * opened_files) const415 void BrokerProcess::OpenFileForIPC(const std::string& requested_filename,
416 int flags, Pickle* write_pickle,
417 std::vector<int>* opened_files) const {
418 DCHECK(write_pickle);
419 DCHECK(opened_files);
420 const char* file_to_open = NULL;
421 const bool safe_to_open_file = GetFileNameIfAllowedToOpen(
422 requested_filename.c_str(), flags, &file_to_open);
423
424 if (safe_to_open_file) {
425 CHECK(file_to_open);
426 // We're doing a 2-parameter open, so we don't support O_CREAT. It doesn't
427 // hurt to always pass a third argument though.
428 int opened_fd = syscall(__NR_open, file_to_open, flags, 0);
429 if (opened_fd < 0) {
430 write_pickle->WriteInt(-errno);
431 } else {
432 // Success.
433 opened_files->push_back(opened_fd);
434 write_pickle->WriteInt(0);
435 }
436 } else {
437 write_pickle->WriteInt(-denied_errno_);
438 }
439 }
440
441
442 // Check if calling access() should be allowed on |requested_filename| with
443 // mode |requested_mode|.
444 // Note: access() being a system call to check permissions, this can get a bit
445 // confusing. We're checking if calling access() should even be allowed with
446 // the same policy we would use for open().
447 // If |file_to_access| is not NULL, we will return the matching pointer from
448 // the whitelist. For paranoia a caller should then use |file_to_access|. See
449 // GetFileNameIfAllowedToOpen() fore more explanation.
450 // return true if calling access() on this file should be allowed, false
451 // otherwise.
452 // Async signal safe if and only if |file_to_access| is NULL.
GetFileNameIfAllowedToAccess(const char * requested_filename,int requested_mode,const char ** file_to_access) const453 bool BrokerProcess::GetFileNameIfAllowedToAccess(const char* requested_filename,
454 int requested_mode, const char** file_to_access) const {
455 // First, check if |requested_mode| is existence, ability to read or ability
456 // to write. We do not support X_OK.
457 if (requested_mode != F_OK &&
458 requested_mode & ~(R_OK | W_OK)) {
459 return false;
460 }
461 switch (requested_mode) {
462 case F_OK:
463 // We allow to check for file existence if we can either read or write.
464 return GetFileNameInWhitelist(allowed_r_files_, requested_filename,
465 file_to_access) ||
466 GetFileNameInWhitelist(allowed_w_files_, requested_filename,
467 file_to_access);
468 case R_OK:
469 return GetFileNameInWhitelist(allowed_r_files_, requested_filename,
470 file_to_access);
471 case W_OK:
472 return GetFileNameInWhitelist(allowed_w_files_, requested_filename,
473 file_to_access);
474 case R_OK | W_OK:
475 {
476 bool allowed_for_read_and_write =
477 GetFileNameInWhitelist(allowed_r_files_, requested_filename, NULL) &&
478 GetFileNameInWhitelist(allowed_w_files_, requested_filename,
479 file_to_access);
480 return allowed_for_read_and_write;
481 }
482 default:
483 return false;
484 }
485 }
486
487 // Check if |requested_filename| can be opened with flags |requested_flags|.
488 // If |file_to_open| is not NULL, we will return the matching pointer from the
489 // whitelist. For paranoia, a caller should then use |file_to_open| rather
490 // than |requested_filename|, so that it never attempts to open an
491 // attacker-controlled file name, even if an attacker managed to fool the
492 // string comparison mechanism.
493 // Return true if opening should be allowed, false otherwise.
494 // Async signal safe if and only if |file_to_open| is NULL.
GetFileNameIfAllowedToOpen(const char * requested_filename,int requested_flags,const char ** file_to_open) const495 bool BrokerProcess::GetFileNameIfAllowedToOpen(const char* requested_filename,
496 int requested_flags, const char** file_to_open) const {
497 if (!IsAllowedOpenFlags(requested_flags)) {
498 return false;
499 }
500 switch (requested_flags & O_ACCMODE) {
501 case O_RDONLY:
502 return GetFileNameInWhitelist(allowed_r_files_, requested_filename,
503 file_to_open);
504 case O_WRONLY:
505 return GetFileNameInWhitelist(allowed_w_files_, requested_filename,
506 file_to_open);
507 case O_RDWR:
508 {
509 bool allowed_for_read_and_write =
510 GetFileNameInWhitelist(allowed_r_files_, requested_filename, NULL) &&
511 GetFileNameInWhitelist(allowed_w_files_, requested_filename,
512 file_to_open);
513 return allowed_for_read_and_write;
514 }
515 default:
516 return false;
517 }
518 }
519
520 } // namespace sandbox.
521