1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/linux/services/broker_process.h"
6
7 #include <fcntl.h>
8 #include <signal.h>
9 #include <sys/socket.h>
10 #include <sys/stat.h>
11 #include <sys/syscall.h>
12 #include <sys/types.h>
13 #include <sys/wait.h>
14 #include <unistd.h>
15
16 #include <algorithm>
17 #include <string>
18 #include <vector>
19
20 #include "base/basictypes.h"
21 #include "base/callback.h"
22 #include "base/compiler_specific.h"
23 #include "base/files/scoped_file.h"
24 #include "base/logging.h"
25 #include "base/memory/scoped_vector.h"
26 #include "base/pickle.h"
27 #include "base/posix/eintr_wrapper.h"
28 #include "base/posix/unix_domain_socket_linux.h"
29 #include "base/process/process_metrics.h"
30 #include "base/third_party/valgrind/valgrind.h"
31 #include "build/build_config.h"
32 #include "sandbox/linux/services/linux_syscalls.h"
33
34 #if defined(OS_ANDROID) && !defined(MSG_CMSG_CLOEXEC)
35 #define MSG_CMSG_CLOEXEC 0x40000000
36 #endif
37
38 namespace {
39
IsRunningOnValgrind()40 bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; }
41
42 // A little open(2) wrapper to handle some oddities for us. In the general case
43 // make a direct system call since we want to keep in control of the broker
44 // process' system calls profile to be able to loosely sandbox it.
sys_open(const char * pathname,int flags)45 int sys_open(const char* pathname, int flags) {
46 // Always pass a defined |mode| in case flags mistakenly contains O_CREAT.
47 const int mode = 0;
48 if (IsRunningOnValgrind()) {
49 // Valgrind does not support AT_FDCWD, just use libc's open() in this case.
50 return open(pathname, flags, mode);
51 } else {
52 return syscall(__NR_openat, AT_FDCWD, pathname, flags, mode);
53 }
54 }
55
56 static const size_t kMaxMessageLength = 4096;
57
58 // Some flags are local to the current process and cannot be sent over a Unix
59 // socket. They need special treatment from the client.
60 // O_CLOEXEC is tricky because in theory another thread could call execve()
61 // before special treatment is made on the client, so a client needs to call
62 // recvmsg(2) with MSG_CMSG_CLOEXEC.
63 // To make things worse, there are two CLOEXEC related flags, FD_CLOEXEC (see
64 // F_GETFD in fcntl(2)) and O_CLOEXEC (see F_GETFL in fcntl(2)). O_CLOEXEC
65 // doesn't affect the semantics on execve(), it's merely a note that the
66 // descriptor was originally opened with O_CLOEXEC as a flag. And it is sent
67 // over unix sockets just fine, so a receiver that would (incorrectly) look at
68 // O_CLOEXEC instead of FD_CLOEXEC may be tricked in thinking that the file
69 // descriptor will or won't be closed on execve().
70 static const int kCurrentProcessOpenFlagsMask = O_CLOEXEC;
71
72 // Check whether |requested_filename| is in |allowed_file_names|.
73 // See GetFileNameIfAllowedToOpen() for an explanation of |file_to_open|.
74 // async signal safe if |file_to_open| is NULL.
75 // TODO(jln): assert signal safety.
GetFileNameInWhitelist(const std::vector<std::string> & allowed_file_names,const char * requested_filename,const char ** file_to_open)76 bool GetFileNameInWhitelist(const std::vector<std::string>& allowed_file_names,
77 const char* requested_filename,
78 const char** file_to_open) {
79 if (file_to_open && *file_to_open) {
80 // Make sure that callers never pass a non-empty string. In case callers
81 // wrongly forget to check the return value and look at the string
82 // instead, this could catch bugs.
83 RAW_LOG(FATAL, "*file_to_open should be NULL");
84 return false;
85 }
86
87 // Look for |requested_filename| in |allowed_file_names|.
88 // We don't use ::find() because it takes a std::string and
89 // the conversion allocates memory.
90 std::vector<std::string>::const_iterator it;
91 for (it = allowed_file_names.begin(); it != allowed_file_names.end(); it++) {
92 if (strcmp(requested_filename, it->c_str()) == 0) {
93 if (file_to_open)
94 *file_to_open = it->c_str();
95 return true;
96 }
97 }
98 return false;
99 }
100
101 // We maintain a list of flags that have been reviewed for "sanity" and that
102 // we're ok to allow in the broker.
103 // I.e. here is where we wouldn't add O_RESET_FILE_SYSTEM.
IsAllowedOpenFlags(int flags)104 bool IsAllowedOpenFlags(int flags) {
105 // First, check the access mode.
106 const int access_mode = flags & O_ACCMODE;
107 if (access_mode != O_RDONLY && access_mode != O_WRONLY &&
108 access_mode != O_RDWR) {
109 return false;
110 }
111
112 // We only support a 2-parameters open, so we forbid O_CREAT.
113 if (flags & O_CREAT) {
114 return false;
115 }
116
117 // Some flags affect the behavior of the current process. We don't support
118 // them and don't allow them for now.
119 if (flags & kCurrentProcessOpenFlagsMask)
120 return false;
121
122 // Now check that all the flags are known to us.
123 const int creation_and_status_flags = flags & ~O_ACCMODE;
124
125 const int known_flags =
126 O_APPEND | O_ASYNC | O_CLOEXEC | O_CREAT | O_DIRECT |
127 O_DIRECTORY | O_EXCL | O_LARGEFILE | O_NOATIME | O_NOCTTY |
128 O_NOFOLLOW | O_NONBLOCK | O_NDELAY | O_SYNC | O_TRUNC;
129
130 const int unknown_flags = ~known_flags;
131 const bool has_unknown_flags = creation_and_status_flags & unknown_flags;
132 return !has_unknown_flags;
133 }
134
135 } // namespace
136
137 namespace sandbox {
138
BrokerProcess(int denied_errno,const std::vector<std::string> & allowed_r_files,const std::vector<std::string> & allowed_w_files,bool fast_check_in_client,bool quiet_failures_for_tests)139 BrokerProcess::BrokerProcess(int denied_errno,
140 const std::vector<std::string>& allowed_r_files,
141 const std::vector<std::string>& allowed_w_files,
142 bool fast_check_in_client,
143 bool quiet_failures_for_tests)
144 : denied_errno_(denied_errno),
145 initialized_(false),
146 is_child_(false),
147 fast_check_in_client_(fast_check_in_client),
148 quiet_failures_for_tests_(quiet_failures_for_tests),
149 broker_pid_(-1),
150 allowed_r_files_(allowed_r_files),
151 allowed_w_files_(allowed_w_files),
152 ipc_socketpair_(-1) {
153 }
154
~BrokerProcess()155 BrokerProcess::~BrokerProcess() {
156 if (initialized_ && ipc_socketpair_ != -1) {
157 // Closing the socket should be enough to notify the child to die,
158 // unless it has been duplicated.
159 PCHECK(0 == IGNORE_EINTR(close(ipc_socketpair_)));
160 PCHECK(0 == kill(broker_pid_, SIGKILL));
161 siginfo_t process_info;
162 // Reap the child.
163 int ret = HANDLE_EINTR(waitid(P_PID, broker_pid_, &process_info, WEXITED));
164 PCHECK(0 == ret);
165 }
166 }
167
Init(const base::Callback<bool (void)> & broker_process_init_callback)168 bool BrokerProcess::Init(
169 const base::Callback<bool(void)>& broker_process_init_callback) {
170 CHECK(!initialized_);
171 int socket_pair[2];
172 // Use SOCK_SEQPACKET, because we need to preserve message boundaries
173 // but we also want to be notified (recvmsg should return and not block)
174 // when the connection has been broken (one of the processes died).
175 if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, socket_pair)) {
176 LOG(ERROR) << "Failed to create socketpair";
177 return false;
178 }
179
180 #if !defined(THREAD_SANITIZER)
181 DCHECK_EQ(1, base::GetNumberOfThreads(base::GetCurrentProcessHandle()));
182 #endif
183 int child_pid = fork();
184 if (child_pid == -1) {
185 close(socket_pair[0]);
186 close(socket_pair[1]);
187 return false;
188 }
189 if (child_pid) {
190 // We are the parent and we have just forked our broker process.
191 close(socket_pair[0]);
192 // We should only be able to write to the IPC channel. We'll always send
193 // a new file descriptor to receive the reply on.
194 shutdown(socket_pair[1], SHUT_RD);
195 ipc_socketpair_ = socket_pair[1];
196 is_child_ = false;
197 broker_pid_ = child_pid;
198 initialized_ = true;
199 return true;
200 } else {
201 // We are the broker.
202 close(socket_pair[1]);
203 // We should only be able to read from this IPC channel. We will send our
204 // replies on a new file descriptor attached to the requests.
205 shutdown(socket_pair[0], SHUT_WR);
206 ipc_socketpair_ = socket_pair[0];
207 is_child_ = true;
208 CHECK(broker_process_init_callback.Run());
209 initialized_ = true;
210 for (;;) {
211 HandleRequest();
212 }
213 _exit(1);
214 }
215 NOTREACHED();
216 }
217
Access(const char * pathname,int mode) const218 int BrokerProcess::Access(const char* pathname, int mode) const {
219 return PathAndFlagsSyscall(kCommandAccess, pathname, mode);
220 }
221
Open(const char * pathname,int flags) const222 int BrokerProcess::Open(const char* pathname, int flags) const {
223 return PathAndFlagsSyscall(kCommandOpen, pathname, flags);
224 }
225
226 // Make a remote system call over IPC for syscalls that take a path and flags
227 // as arguments, currently open() and access().
228 // Will return -errno like a real system call.
229 // This function needs to be async signal safe.
PathAndFlagsSyscall(enum IPCCommands syscall_type,const char * pathname,int flags) const230 int BrokerProcess::PathAndFlagsSyscall(enum IPCCommands syscall_type,
231 const char* pathname, int flags) const {
232 int recvmsg_flags = 0;
233 RAW_CHECK(initialized_); // async signal safe CHECK().
234 RAW_CHECK(syscall_type == kCommandOpen || syscall_type == kCommandAccess);
235 if (!pathname)
236 return -EFAULT;
237
238 // For this "remote system call" to work, we need to handle any flag that
239 // cannot be sent over a Unix socket in a special way.
240 // See the comments around kCurrentProcessOpenFlagsMask.
241 if (syscall_type == kCommandOpen && (flags & kCurrentProcessOpenFlagsMask)) {
242 // This implementation only knows about O_CLOEXEC, someone needs to look at
243 // this code if other flags are added.
244 RAW_CHECK(kCurrentProcessOpenFlagsMask == O_CLOEXEC);
245 recvmsg_flags |= MSG_CMSG_CLOEXEC;
246 flags &= ~O_CLOEXEC;
247 }
248
249 // There is no point in forwarding a request that we know will be denied.
250 // Of course, the real security check needs to be on the other side of the
251 // IPC.
252 if (fast_check_in_client_) {
253 if (syscall_type == kCommandOpen &&
254 !GetFileNameIfAllowedToOpen(pathname, flags, NULL)) {
255 return -denied_errno_;
256 }
257 if (syscall_type == kCommandAccess &&
258 !GetFileNameIfAllowedToAccess(pathname, flags, NULL)) {
259 return -denied_errno_;
260 }
261 }
262
263 Pickle write_pickle;
264 write_pickle.WriteInt(syscall_type);
265 write_pickle.WriteString(pathname);
266 write_pickle.WriteInt(flags);
267 RAW_CHECK(write_pickle.size() <= kMaxMessageLength);
268
269 int returned_fd = -1;
270 uint8_t reply_buf[kMaxMessageLength];
271
272 // Send a request (in write_pickle) as well that will include a new
273 // temporary socketpair (created internally by SendRecvMsg()).
274 // Then read the reply on this new socketpair in reply_buf and put an
275 // eventual attached file descriptor in |returned_fd|.
276 ssize_t msg_len = UnixDomainSocket::SendRecvMsgWithFlags(ipc_socketpair_,
277 reply_buf,
278 sizeof(reply_buf),
279 recvmsg_flags,
280 &returned_fd,
281 write_pickle);
282 if (msg_len <= 0) {
283 if (!quiet_failures_for_tests_)
284 RAW_LOG(ERROR, "Could not make request to broker process");
285 return -ENOMEM;
286 }
287
288 Pickle read_pickle(reinterpret_cast<char*>(reply_buf), msg_len);
289 PickleIterator iter(read_pickle);
290 int return_value = -1;
291 // Now deserialize the return value and eventually return the file
292 // descriptor.
293 if (read_pickle.ReadInt(&iter, &return_value)) {
294 switch (syscall_type) {
295 case kCommandAccess:
296 // We should never have a fd to return.
297 RAW_CHECK(returned_fd == -1);
298 return return_value;
299 case kCommandOpen:
300 if (return_value < 0) {
301 RAW_CHECK(returned_fd == -1);
302 return return_value;
303 } else {
304 // We have a real file descriptor to return.
305 RAW_CHECK(returned_fd >= 0);
306 return returned_fd;
307 }
308 default:
309 RAW_LOG(ERROR, "Unsupported command");
310 return -ENOSYS;
311 }
312 } else {
313 RAW_LOG(ERROR, "Could not read pickle");
314 NOTREACHED();
315 return -ENOMEM;
316 }
317 }
318
319 // Handle a request on the IPC channel ipc_socketpair_.
320 // A request should have a file descriptor attached on which we will reply and
321 // that we will then close.
322 // A request should start with an int that will be used as the command type.
HandleRequest() const323 bool BrokerProcess::HandleRequest() const {
324 ScopedVector<base::ScopedFD> fds;
325 char buf[kMaxMessageLength];
326 errno = 0;
327 const ssize_t msg_len = UnixDomainSocket::RecvMsg(ipc_socketpair_, buf,
328 sizeof(buf), &fds);
329
330 if (msg_len == 0 || (msg_len == -1 && errno == ECONNRESET)) {
331 // EOF from our parent, or our parent died, we should die.
332 _exit(0);
333 }
334
335 // The parent should send exactly one file descriptor, on which we
336 // will write the reply.
337 // TODO(mdempsky): ScopedVector doesn't have 'at()', only 'operator[]'.
338 if (msg_len < 0 || fds.size() != 1 || fds[0]->get() < 0) {
339 PLOG(ERROR) << "Error reading message from the client";
340 return false;
341 }
342
343 base::ScopedFD temporary_ipc(fds[0]->Pass());
344
345 Pickle pickle(buf, msg_len);
346 PickleIterator iter(pickle);
347 int command_type;
348 if (pickle.ReadInt(&iter, &command_type)) {
349 bool r = false;
350 // Go through all the possible IPC messages.
351 switch (command_type) {
352 case kCommandAccess:
353 case kCommandOpen:
354 // We reply on the file descriptor sent to us via the IPC channel.
355 r = HandleRemoteCommand(static_cast<IPCCommands>(command_type),
356 temporary_ipc.get(), pickle, iter);
357 break;
358 default:
359 NOTREACHED();
360 r = false;
361 break;
362 }
363 return r;
364 }
365
366 LOG(ERROR) << "Error parsing IPC request";
367 return false;
368 }
369
370 // Handle a |command_type| request contained in |read_pickle| and send the reply
371 // on |reply_ipc|.
372 // Currently kCommandOpen and kCommandAccess are supported.
HandleRemoteCommand(IPCCommands command_type,int reply_ipc,const Pickle & read_pickle,PickleIterator iter) const373 bool BrokerProcess::HandleRemoteCommand(IPCCommands command_type, int reply_ipc,
374 const Pickle& read_pickle,
375 PickleIterator iter) const {
376 // Currently all commands have two arguments: filename and flags.
377 std::string requested_filename;
378 int flags = 0;
379 if (!read_pickle.ReadString(&iter, &requested_filename) ||
380 !read_pickle.ReadInt(&iter, &flags)) {
381 return -1;
382 }
383
384 Pickle write_pickle;
385 std::vector<int> opened_files;
386
387 switch (command_type) {
388 case kCommandAccess:
389 AccessFileForIPC(requested_filename, flags, &write_pickle);
390 break;
391 case kCommandOpen:
392 OpenFileForIPC(requested_filename, flags, &write_pickle, &opened_files);
393 break;
394 default:
395 LOG(ERROR) << "Invalid IPC command";
396 break;
397 }
398
399 CHECK_LE(write_pickle.size(), kMaxMessageLength);
400 ssize_t sent = UnixDomainSocket::SendMsg(reply_ipc, write_pickle.data(),
401 write_pickle.size(), opened_files);
402
403 // Close anything we have opened in this process.
404 for (std::vector<int>::iterator it = opened_files.begin();
405 it != opened_files.end(); ++it) {
406 int ret = IGNORE_EINTR(close(*it));
407 DCHECK(!ret) << "Could not close file descriptor";
408 }
409
410 if (sent <= 0) {
411 LOG(ERROR) << "Could not send IPC reply";
412 return false;
413 }
414 return true;
415 }
416
417 // Perform access(2) on |requested_filename| with mode |mode| if allowed by our
418 // policy. Write the syscall return value (-errno) to |write_pickle|.
AccessFileForIPC(const std::string & requested_filename,int mode,Pickle * write_pickle) const419 void BrokerProcess::AccessFileForIPC(const std::string& requested_filename,
420 int mode, Pickle* write_pickle) const {
421 DCHECK(write_pickle);
422 const char* file_to_access = NULL;
423 const bool safe_to_access_file = GetFileNameIfAllowedToAccess(
424 requested_filename.c_str(), mode, &file_to_access);
425
426 if (safe_to_access_file) {
427 CHECK(file_to_access);
428 int access_ret = access(file_to_access, mode);
429 int access_errno = errno;
430 if (!access_ret)
431 write_pickle->WriteInt(0);
432 else
433 write_pickle->WriteInt(-access_errno);
434 } else {
435 write_pickle->WriteInt(-denied_errno_);
436 }
437 }
438
439 // Open |requested_filename| with |flags| if allowed by our policy.
440 // Write the syscall return value (-errno) to |write_pickle| and append
441 // a file descriptor to |opened_files| if relevant.
OpenFileForIPC(const std::string & requested_filename,int flags,Pickle * write_pickle,std::vector<int> * opened_files) const442 void BrokerProcess::OpenFileForIPC(const std::string& requested_filename,
443 int flags, Pickle* write_pickle,
444 std::vector<int>* opened_files) const {
445 DCHECK(write_pickle);
446 DCHECK(opened_files);
447 const char* file_to_open = NULL;
448 const bool safe_to_open_file = GetFileNameIfAllowedToOpen(
449 requested_filename.c_str(), flags, &file_to_open);
450
451 if (safe_to_open_file) {
452 CHECK(file_to_open);
453 int opened_fd = sys_open(file_to_open, flags);
454 if (opened_fd < 0) {
455 write_pickle->WriteInt(-errno);
456 } else {
457 // Success.
458 opened_files->push_back(opened_fd);
459 write_pickle->WriteInt(0);
460 }
461 } else {
462 write_pickle->WriteInt(-denied_errno_);
463 }
464 }
465
466
467 // Check if calling access() should be allowed on |requested_filename| with
468 // mode |requested_mode|.
469 // Note: access() being a system call to check permissions, this can get a bit
470 // confusing. We're checking if calling access() should even be allowed with
471 // the same policy we would use for open().
472 // If |file_to_access| is not NULL, we will return the matching pointer from
473 // the whitelist. For paranoia a caller should then use |file_to_access|. See
474 // GetFileNameIfAllowedToOpen() fore more explanation.
475 // return true if calling access() on this file should be allowed, false
476 // otherwise.
477 // Async signal safe if and only if |file_to_access| is NULL.
GetFileNameIfAllowedToAccess(const char * requested_filename,int requested_mode,const char ** file_to_access) const478 bool BrokerProcess::GetFileNameIfAllowedToAccess(const char* requested_filename,
479 int requested_mode, const char** file_to_access) const {
480 // First, check if |requested_mode| is existence, ability to read or ability
481 // to write. We do not support X_OK.
482 if (requested_mode != F_OK &&
483 requested_mode & ~(R_OK | W_OK)) {
484 return false;
485 }
486 switch (requested_mode) {
487 case F_OK:
488 // We allow to check for file existence if we can either read or write.
489 return GetFileNameInWhitelist(allowed_r_files_, requested_filename,
490 file_to_access) ||
491 GetFileNameInWhitelist(allowed_w_files_, requested_filename,
492 file_to_access);
493 case R_OK:
494 return GetFileNameInWhitelist(allowed_r_files_, requested_filename,
495 file_to_access);
496 case W_OK:
497 return GetFileNameInWhitelist(allowed_w_files_, requested_filename,
498 file_to_access);
499 case R_OK | W_OK:
500 {
501 bool allowed_for_read_and_write =
502 GetFileNameInWhitelist(allowed_r_files_, requested_filename, NULL) &&
503 GetFileNameInWhitelist(allowed_w_files_, requested_filename,
504 file_to_access);
505 return allowed_for_read_and_write;
506 }
507 default:
508 return false;
509 }
510 }
511
512 // Check if |requested_filename| can be opened with flags |requested_flags|.
513 // If |file_to_open| is not NULL, we will return the matching pointer from the
514 // whitelist. For paranoia, a caller should then use |file_to_open| rather
515 // than |requested_filename|, so that it never attempts to open an
516 // attacker-controlled file name, even if an attacker managed to fool the
517 // string comparison mechanism.
518 // Return true if opening should be allowed, false otherwise.
519 // Async signal safe if and only if |file_to_open| is NULL.
GetFileNameIfAllowedToOpen(const char * requested_filename,int requested_flags,const char ** file_to_open) const520 bool BrokerProcess::GetFileNameIfAllowedToOpen(const char* requested_filename,
521 int requested_flags, const char** file_to_open) const {
522 if (!IsAllowedOpenFlags(requested_flags)) {
523 return false;
524 }
525 switch (requested_flags & O_ACCMODE) {
526 case O_RDONLY:
527 return GetFileNameInWhitelist(allowed_r_files_, requested_filename,
528 file_to_open);
529 case O_WRONLY:
530 return GetFileNameInWhitelist(allowed_w_files_, requested_filename,
531 file_to_open);
532 case O_RDWR:
533 {
534 bool allowed_for_read_and_write =
535 GetFileNameInWhitelist(allowed_r_files_, requested_filename, NULL) &&
536 GetFileNameInWhitelist(allowed_w_files_, requested_filename,
537 file_to_open);
538 return allowed_for_read_and_write;
539 }
540 default:
541 return false;
542 }
543 }
544
545 } // namespace sandbox.
546