1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <dirent.h>
6 #include <fcntl.h>
7 #include <sys/resource.h>
8 #include <sys/stat.h>
9 #include <sys/time.h>
10 #include <sys/types.h>
11 #include <unistd.h>
12
13 #include <limits>
14
15 #include "base/bind.h"
16 #include "base/callback_helpers.h"
17 #include "base/command_line.h"
18 #include "base/debug/stack_trace.h"
19 #include "base/files/scoped_file.h"
20 #include "base/logging.h"
21 #include "base/memory/scoped_ptr.h"
22 #include "base/memory/singleton.h"
23 #include "base/posix/eintr_wrapper.h"
24 #include "base/strings/string_number_conversions.h"
25 #include "base/sys_info.h"
26 #include "base/time/time.h"
27 #include "build/build_config.h"
28 #include "content/common/sandbox_linux/sandbox_linux.h"
29 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h"
30 #include "content/public/common/content_switches.h"
31 #include "content/public/common/sandbox_linux.h"
32 #include "sandbox/linux/services/credentials.h"
33 #include "sandbox/linux/services/thread_helpers.h"
34 #include "sandbox/linux/services/yama.h"
35 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
36
37 #if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \
38 defined(LEAK_SANITIZER)
39 #include <sanitizer/common_interface_defs.h>
40 #endif
41
42 using sandbox::Yama;
43
44 namespace {
45
46 struct FDCloser {
operator ()__anon7d303cd00111::FDCloser47 inline void operator()(int* fd) const {
48 DCHECK(fd);
49 PCHECK(0 == IGNORE_EINTR(close(*fd)));
50 *fd = -1;
51 }
52 };
53
LogSandboxStarted(const std::string & sandbox_name)54 void LogSandboxStarted(const std::string& sandbox_name) {
55 const CommandLine& command_line = *CommandLine::ForCurrentProcess();
56 const std::string process_type =
57 command_line.GetSwitchValueASCII(switches::kProcessType);
58 const std::string activated_sandbox =
59 "Activated " + sandbox_name + " sandbox for process type: " +
60 process_type + ".";
61 #if defined(OS_CHROMEOS)
62 LOG(WARNING) << activated_sandbox;
63 #else
64 VLOG(1) << activated_sandbox;
65 #endif
66 }
67
68 #if !defined(ADDRESS_SANITIZER) && !defined(MEMORY_SANITIZER)
AddResourceLimit(int resource,rlim_t limit)69 bool AddResourceLimit(int resource, rlim_t limit) {
70 struct rlimit old_rlimit;
71 if (getrlimit(resource, &old_rlimit))
72 return false;
73 // Make sure we don't raise the existing limit.
74 const struct rlimit new_rlimit = {
75 std::min(old_rlimit.rlim_cur, limit),
76 std::min(old_rlimit.rlim_max, limit)
77 };
78 int rc = setrlimit(resource, &new_rlimit);
79 return rc == 0;
80 }
81 #endif
82
IsRunningTSAN()83 bool IsRunningTSAN() {
84 #if defined(THREAD_SANITIZER)
85 return true;
86 #else
87 return false;
88 #endif
89 }
90
91 // Try to open /proc/self/task/ with the help of |proc_fd|. |proc_fd| can be
92 // -1. Will return -1 on error and set errno like open(2).
OpenProcTaskFd(int proc_fd)93 int OpenProcTaskFd(int proc_fd) {
94 int proc_self_task = -1;
95 if (proc_fd >= 0) {
96 // If a handle to /proc is available, use it. This allows to bypass file
97 // system restrictions.
98 proc_self_task = openat(proc_fd, "self/task/", O_RDONLY | O_DIRECTORY);
99 } else {
100 // Otherwise, make an attempt to access the file system directly.
101 proc_self_task = open("/proc/self/task/", O_RDONLY | O_DIRECTORY);
102 }
103 return proc_self_task;
104 }
105
106 } // namespace
107
108 namespace content {
109
LinuxSandbox()110 LinuxSandbox::LinuxSandbox()
111 : proc_fd_(-1),
112 seccomp_bpf_started_(false),
113 sandbox_status_flags_(kSandboxLinuxInvalid),
114 pre_initialized_(false),
115 seccomp_bpf_supported_(false),
116 yama_is_enforcing_(false),
117 setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create())
118 {
119 if (setuid_sandbox_client_ == NULL) {
120 LOG(FATAL) << "Failed to instantiate the setuid sandbox client.";
121 }
122 #if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \
123 defined(LEAK_SANITIZER)
124 sanitizer_args_ = make_scoped_ptr(new __sanitizer_sandbox_arguments);
125 *sanitizer_args_ = {0};
126 #endif
127 }
128
~LinuxSandbox()129 LinuxSandbox::~LinuxSandbox() {
130 }
131
GetInstance()132 LinuxSandbox* LinuxSandbox::GetInstance() {
133 LinuxSandbox* instance = Singleton<LinuxSandbox>::get();
134 CHECK(instance);
135 return instance;
136 }
137
PreinitializeSandbox()138 void LinuxSandbox::PreinitializeSandbox() {
139 CHECK(!pre_initialized_);
140 seccomp_bpf_supported_ = false;
141 #if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \
142 defined(LEAK_SANITIZER)
143 // Sanitizers need to open some resources before the sandbox is enabled.
144 // This should not fork, not launch threads, not open a directory.
145 __sanitizer_sandbox_on_notify(sanitizer_args());
146 sanitizer_args_.reset();
147 #endif
148
149 #if !defined(NDEBUG)
150 // The in-process stack dumping needs to open /proc/self/maps and cache
151 // its contents before the sandbox is enabled. It also pre-opens the
152 // object files that are already loaded in the process address space.
153 base::debug::EnableInProcessStackDumpingForSandbox();
154
155 // Open proc_fd_ only in Debug mode so that forgetting to close it doesn't
156 // produce a sandbox escape in Release mode.
157 proc_fd_ = open("/proc", O_DIRECTORY | O_RDONLY | O_CLOEXEC);
158 CHECK_GE(proc_fd_, 0);
159 #endif // !defined(NDEBUG)
160 // We "pre-warm" the code that detects supports for seccomp BPF.
161 if (SandboxSeccompBPF::IsSeccompBPFDesired()) {
162 if (!SandboxSeccompBPF::SupportsSandbox()) {
163 VLOG(1) << "Lacking support for seccomp-bpf sandbox.";
164 } else {
165 seccomp_bpf_supported_ = true;
166 }
167 }
168
169 // Yama is a "global", system-level status. We assume it will not regress
170 // after startup.
171 const int yama_status = Yama::GetStatus();
172 yama_is_enforcing_ = (yama_status & Yama::STATUS_PRESENT) &&
173 (yama_status & Yama::STATUS_ENFORCING);
174 pre_initialized_ = true;
175 }
176
InitializeSandbox()177 bool LinuxSandbox::InitializeSandbox() {
178 LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
179 return linux_sandbox->InitializeSandboxImpl();
180 }
181
StopThread(base::Thread * thread)182 void LinuxSandbox::StopThread(base::Thread* thread) {
183 LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
184 linux_sandbox->StopThreadImpl(thread);
185 }
186
GetStatus()187 int LinuxSandbox::GetStatus() {
188 CHECK(pre_initialized_);
189 if (kSandboxLinuxInvalid == sandbox_status_flags_) {
190 // Initialize sandbox_status_flags_.
191 sandbox_status_flags_ = 0;
192 if (setuid_sandbox_client_->IsSandboxed()) {
193 sandbox_status_flags_ |= kSandboxLinuxSUID;
194 if (setuid_sandbox_client_->IsInNewPIDNamespace())
195 sandbox_status_flags_ |= kSandboxLinuxPIDNS;
196 if (setuid_sandbox_client_->IsInNewNETNamespace())
197 sandbox_status_flags_ |= kSandboxLinuxNetNS;
198 }
199
200 // We report whether the sandbox will be activated when renderers, workers
201 // and PPAPI plugins go through sandbox initialization.
202 if (seccomp_bpf_supported() &&
203 SandboxSeccompBPF::ShouldEnableSeccompBPF(switches::kRendererProcess)) {
204 sandbox_status_flags_ |= kSandboxLinuxSeccompBPF;
205 }
206
207 if (yama_is_enforcing_) {
208 sandbox_status_flags_ |= kSandboxLinuxYama;
209 }
210 }
211
212 return sandbox_status_flags_;
213 }
214
215 // Threads are counted via /proc/self/task. This is a little hairy because of
216 // PID namespaces and existing sandboxes, so "self" must really be used instead
217 // of using the pid.
IsSingleThreaded() const218 bool LinuxSandbox::IsSingleThreaded() const {
219 bool is_single_threaded = false;
220 base::ScopedFD proc_self_task(OpenProcTaskFd(proc_fd_));
221
222 // In Debug mode, it's mandatory to be able to count threads to catch bugs.
223 #if !defined(NDEBUG)
224 // Using CHECK here since we want to check all the cases where
225 // !defined(NDEBUG)
226 // gets built.
227 CHECK(proc_self_task.is_valid())
228 << "Could not count threads, the sandbox was not "
229 << "pre-initialized properly.";
230 #endif // !defined(NDEBUG)
231
232 if (!proc_self_task.is_valid()) {
233 // Pretend to be monothreaded if it can't be determined (for instance the
234 // setuid sandbox is already engaged but no proc_fd_ is available).
235 is_single_threaded = true;
236 } else {
237 is_single_threaded =
238 sandbox::ThreadHelpers::IsSingleThreaded(proc_self_task.get());
239 }
240
241 return is_single_threaded;
242 }
243
seccomp_bpf_started() const244 bool LinuxSandbox::seccomp_bpf_started() const {
245 return seccomp_bpf_started_;
246 }
247
248 sandbox::SetuidSandboxClient*
setuid_sandbox_client() const249 LinuxSandbox::setuid_sandbox_client() const {
250 return setuid_sandbox_client_.get();
251 }
252
253 // For seccomp-bpf, we use the SandboxSeccompBPF class.
StartSeccompBPF(const std::string & process_type)254 bool LinuxSandbox::StartSeccompBPF(const std::string& process_type) {
255 CHECK(!seccomp_bpf_started_);
256 CHECK(pre_initialized_);
257 if (seccomp_bpf_supported())
258 seccomp_bpf_started_ = SandboxSeccompBPF::StartSandbox(process_type);
259
260 if (seccomp_bpf_started_)
261 LogSandboxStarted("seccomp-bpf");
262
263 return seccomp_bpf_started_;
264 }
265
InitializeSandboxImpl()266 bool LinuxSandbox::InitializeSandboxImpl() {
267 CommandLine* command_line = CommandLine::ForCurrentProcess();
268 const std::string process_type =
269 command_line->GetSwitchValueASCII(switches::kProcessType);
270
271 // We need to make absolutely sure that our sandbox is "sealed" before
272 // returning.
273 // Unretained() since the current object is a Singleton.
274 base::ScopedClosureRunner sandbox_sealer(
275 base::Bind(&LinuxSandbox::SealSandbox, base::Unretained(this)));
276 // Make sure that this function enables sandboxes as promised by GetStatus().
277 // Unretained() since the current object is a Singleton.
278 base::ScopedClosureRunner sandbox_promise_keeper(
279 base::Bind(&LinuxSandbox::CheckForBrokenPromises,
280 base::Unretained(this),
281 process_type));
282
283 // No matter what, it's always an error to call InitializeSandbox() after
284 // threads have been created.
285 if (!IsSingleThreaded()) {
286 std::string error_message = "InitializeSandbox() called with multiple "
287 "threads in process " + process_type;
288 // TSAN starts a helper thread, so we don't start the sandbox and don't
289 // even report an error about it.
290 if (IsRunningTSAN())
291 return false;
292
293 // The GPU process is allowed to call InitializeSandbox() with threads.
294 bool sandbox_failure_fatal = process_type != switches::kGpuProcess;
295 // This can be disabled with the '--gpu-sandbox-failures-fatal' flag.
296 // Setting the flag with no value or any value different than 'yes' or 'no'
297 // is equal to setting '--gpu-sandbox-failures-fatal=yes'.
298 if (process_type == switches::kGpuProcess &&
299 command_line->HasSwitch(switches::kGpuSandboxFailuresFatal)) {
300 const std::string switch_value =
301 command_line->GetSwitchValueASCII(switches::kGpuSandboxFailuresFatal);
302 sandbox_failure_fatal = switch_value != "no";
303 }
304
305 if (sandbox_failure_fatal)
306 LOG(FATAL) << error_message;
307
308 LOG(ERROR) << error_message;
309 return false;
310 }
311
312 // Only one thread is running, pre-initialize if not already done.
313 if (!pre_initialized_)
314 PreinitializeSandbox();
315
316 DCHECK(!HasOpenDirectories()) <<
317 "InitializeSandbox() called after unexpected directories have been " <<
318 "opened. This breaks the security of the setuid sandbox.";
319
320 // Attempt to limit the future size of the address space of the process.
321 LimitAddressSpace(process_type);
322
323 // Try to enable seccomp-bpf.
324 bool seccomp_bpf_started = StartSeccompBPF(process_type);
325
326 return seccomp_bpf_started;
327 }
328
StopThreadImpl(base::Thread * thread)329 void LinuxSandbox::StopThreadImpl(base::Thread* thread) {
330 DCHECK(thread);
331 StopThreadAndEnsureNotCounted(thread);
332 }
333
seccomp_bpf_supported() const334 bool LinuxSandbox::seccomp_bpf_supported() const {
335 CHECK(pre_initialized_);
336 return seccomp_bpf_supported_;
337 }
338
LimitAddressSpace(const std::string & process_type)339 bool LinuxSandbox::LimitAddressSpace(const std::string& process_type) {
340 (void) process_type;
341 #if !defined(ADDRESS_SANITIZER) && !defined(MEMORY_SANITIZER)
342 CommandLine* command_line = CommandLine::ForCurrentProcess();
343 if (command_line->HasSwitch(switches::kNoSandbox)) {
344 return false;
345 }
346
347 // Limit the address space to 4GB.
348 // This is in the hope of making some kernel exploits more complex and less
349 // reliable. It also limits sprays a little on 64-bit.
350 rlim_t address_space_limit = std::numeric_limits<uint32_t>::max();
351 #if defined(__LP64__)
352 // On 64 bits, V8 and possibly others will reserve massive memory ranges and
353 // rely on on-demand paging for allocation. Unfortunately, even
354 // MADV_DONTNEED ranges count towards RLIMIT_AS so this is not an option.
355 // See crbug.com/169327 for a discussion.
356 // On the GPU process, irrespective of V8, we can exhaust a 4GB address space
357 // under normal usage, see crbug.com/271119
358 // For now, increase limit to 16GB for renderer and worker and gpu processes
359 // to accomodate.
360 if (process_type == switches::kRendererProcess ||
361 process_type == switches::kWorkerProcess ||
362 process_type == switches::kGpuProcess) {
363 address_space_limit = 1L << 34;
364 }
365 #endif // defined(__LP64__)
366
367 // On all platforms, add a limit to the brk() heap that would prevent
368 // allocations that can't be index by an int.
369 const rlim_t kNewDataSegmentMaxSize = std::numeric_limits<int>::max();
370
371 bool limited_as = AddResourceLimit(RLIMIT_AS, address_space_limit);
372 bool limited_data = AddResourceLimit(RLIMIT_DATA, kNewDataSegmentMaxSize);
373
374 // Cache the resource limit before turning on the sandbox.
375 base::SysInfo::AmountOfVirtualMemory();
376
377 return limited_as && limited_data;
378 #else
379 base::SysInfo::AmountOfVirtualMemory();
380 return false;
381 #endif // !defined(ADDRESS_SANITIZER) && !defined(MEMORY_SANITIZER)
382 }
383
HasOpenDirectories() const384 bool LinuxSandbox::HasOpenDirectories() const {
385 return sandbox::Credentials().HasOpenDirectory(proc_fd_);
386 }
387
SealSandbox()388 void LinuxSandbox::SealSandbox() {
389 if (proc_fd_ >= 0) {
390 int ret = IGNORE_EINTR(close(proc_fd_));
391 CHECK_EQ(0, ret);
392 proc_fd_ = -1;
393 }
394 }
395
CheckForBrokenPromises(const std::string & process_type)396 void LinuxSandbox::CheckForBrokenPromises(const std::string& process_type) {
397 // Make sure that any promise made with GetStatus() wasn't broken.
398 bool promised_seccomp_bpf_would_start = false;
399 if (process_type == switches::kRendererProcess ||
400 process_type == switches::kWorkerProcess ||
401 process_type == switches::kPpapiPluginProcess) {
402 promised_seccomp_bpf_would_start =
403 (sandbox_status_flags_ != kSandboxLinuxInvalid) &&
404 (GetStatus() & kSandboxLinuxSeccompBPF);
405 }
406 if (promised_seccomp_bpf_would_start) {
407 CHECK(seccomp_bpf_started_);
408 }
409 }
410
StopThreadAndEnsureNotCounted(base::Thread * thread) const411 void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread* thread) const {
412 DCHECK(thread);
413 base::ScopedFD proc_self_task(OpenProcTaskFd(proc_fd_));
414 PCHECK(proc_self_task.is_valid());
415 CHECK(sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_self_task.get(),
416 thread));
417 }
418
419 } // namespace content
420