1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_ 6 #define CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_ 7 8 #include <string> 9 10 #include "base/basictypes.h" 11 #include "base/memory/scoped_ptr.h" 12 #include "content/public/common/sandbox_linux.h" 13 14 #if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \ 15 defined(LEAK_SANITIZER) 16 #include <sanitizer/common_interface_defs.h> 17 #endif 18 19 template <typename T> struct DefaultSingletonTraits; 20 namespace base { 21 class Thread; 22 } 23 namespace sandbox { class SetuidSandboxClient; } 24 25 namespace content { 26 27 // A singleton class to represent and change our sandboxing state for the 28 // three main Linux sandboxes. 29 class LinuxSandbox { 30 public: 31 // This is a list of sandbox IPC methods which the renderer may send to the 32 // sandbox host. See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC 33 // This isn't the full list, values < 32 are reserved for methods called from 34 // Skia. 35 enum LinuxSandboxIPCMethods { 36 METHOD_GET_FALLBACK_FONT_FOR_CHAR = 32, 37 METHOD_LOCALTIME = 33, 38 DEPRECATED_METHOD_GET_CHILD_WITH_INODE = 34, 39 METHOD_GET_STYLE_FOR_STRIKE = 35, 40 METHOD_MAKE_SHARED_MEMORY_SEGMENT = 36, 41 METHOD_MATCH_WITH_FALLBACK = 37, 42 }; 43 44 // Get our singleton instance. 45 static LinuxSandbox* GetInstance(); 46 47 // Do some initialization that can only be done before any of the sandboxes 48 // are enabled. If using the setuid sandbox, this should be called manually 49 // before the setuid sandbox is engaged. 50 void PreinitializeSandbox(); 51 52 // Initialize the sandbox with the given pre-built configuration. Currently 53 // seccomp-bpf and address space limitations (the setuid sandbox works 54 // differently and is set-up in the Zygote). This will instantiate the 55 // LinuxSandbox singleton if it doesn't already exist. 56 // This function should only be called without any thread running. 57 static bool InitializeSandbox(); 58 59 // Stop |thread| in a way that can be trusted by the sandbox. 60 static void StopThread(base::Thread* thread); 61 62 // Returns the status of the renderer, worker and ppapi sandbox. Can only 63 // be queried after going through PreinitializeSandbox(). This is a bitmask 64 // and uses the constants defined in "enum LinuxSandboxStatus". Since the 65 // status needs to be provided before the sandboxes are actually started, 66 // this returns what will actually happen once InitializeSandbox() 67 // is called from inside these processes. 68 int GetStatus(); 69 // Returns true if the current process is single-threaded or if the number 70 // of threads cannot be determined. 71 bool IsSingleThreaded() const; 72 // Did we start Seccomp BPF? 73 bool seccomp_bpf_started() const; 74 75 // Simple accessor for our instance of the setuid sandbox. Will never return 76 // NULL. 77 // There is no StartSetuidSandbox(), the SetuidSandboxClient instance should 78 // be used directly. 79 sandbox::SetuidSandboxClient* setuid_sandbox_client() const; 80 81 // Check the policy and eventually start the seccomp-bpf sandbox. This should 82 // never be called with threads started. If we detect that threads have 83 // started we will crash. 84 bool StartSeccompBPF(const std::string& process_type); 85 86 // Limit the address space of the current process (and its children). 87 // to make some vulnerabilities harder to exploit. 88 bool LimitAddressSpace(const std::string& process_type); 89 90 #if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \ 91 defined(LEAK_SANITIZER) sanitizer_args()92 __sanitizer_sandbox_arguments* sanitizer_args() const { 93 return sanitizer_args_.get(); 94 }; 95 #endif 96 97 private: 98 friend struct DefaultSingletonTraits<LinuxSandbox>; 99 100 LinuxSandbox(); 101 ~LinuxSandbox(); 102 103 // Some methods are static and get an instance of the Singleton. These 104 // are the non-static implementations. 105 bool InitializeSandboxImpl(); 106 void StopThreadImpl(base::Thread* thread); 107 // We must have been pre_initialized_ before using this. 108 bool seccomp_bpf_supported() const; 109 // Returns true if it can be determined that the current process has open 110 // directories that are not managed by the LinuxSandbox class. This would 111 // be a vulnerability as it would allow to bypass the setuid sandbox. 112 bool HasOpenDirectories() const; 113 // The last part of the initialization is to make sure any temporary "hole" 114 // in the sandbox is closed. For now, this consists of closing proc_fd_. 115 void SealSandbox(); 116 // GetStatus() makes promises as to how the sandbox will behave. This 117 // checks that no promises have been broken. 118 void CheckForBrokenPromises(const std::string& process_type); 119 // Stop |thread| and make sure it does not appear in /proc/self/tasks/ 120 // anymore. 121 void StopThreadAndEnsureNotCounted(base::Thread* thread) const; 122 123 // A file descriptor to /proc. It's dangerous to have it around as it could 124 // allow for sandbox bypasses. It needs to be closed before we consider 125 // ourselves sandboxed. 126 int proc_fd_; 127 bool seccomp_bpf_started_; 128 // The value returned by GetStatus(). Gets computed once and then cached. 129 int sandbox_status_flags_; 130 // Did PreinitializeSandbox() run? 131 bool pre_initialized_; 132 bool seccomp_bpf_supported_; // Accurate if pre_initialized_. 133 bool yama_is_enforcing_; // Accurate if pre_initialized_. 134 scoped_ptr<sandbox::SetuidSandboxClient> setuid_sandbox_client_; 135 #if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \ 136 defined(LEAK_SANITIZER) 137 scoped_ptr<__sanitizer_sandbox_arguments> sanitizer_args_; 138 #endif 139 140 DISALLOW_COPY_AND_ASSIGN(LinuxSandbox); 141 }; 142 143 } // namespace content 144 145 #endif // CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_ 146