[email protected] | 1777304 | 2010-07-28 17:35:07 | [diff] [blame] | 1 | // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 2 | // Use of this source code is governed by a BSD-style license that can be |
| 3 | // found in the LICENSE file. |
| 4 | |
[email protected] | a0f200ea | 2009-08-06 18:44:06 | [diff] [blame] | 5 | #include <dlfcn.h> |
[email protected] | a9c54a17 | 2009-11-07 06:09:38 | [diff] [blame] | 6 | #include <fcntl.h> |
[email protected] | 724df99 | 2010-09-21 18:19:10 | [diff] [blame] | 7 | #include <pthread.h> |
[email protected] | 83a0cbe | 2009-11-04 04:22:47 | [diff] [blame] | 8 | #include <sys/epoll.h> |
[email protected] | 83a0cbe | 2009-11-04 04:22:47 | [diff] [blame] | 9 | #include <sys/prctl.h> |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 10 | #include <sys/signal.h> |
| 11 | #include <sys/socket.h> |
[email protected] | a9c54a17 | 2009-11-07 06:09:38 | [diff] [blame] | 12 | #include <sys/stat.h> |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 13 | #include <sys/types.h> |
[email protected] | 83a0cbe | 2009-11-04 04:22:47 | [diff] [blame] | 14 | #include <sys/wait.h> |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 15 | #include <unistd.h> |
| 16 | |
| 17 | #if defined(CHROMIUM_SELINUX) |
| 18 | #include <selinux/selinux.h> |
| 19 | #include <selinux/context.h> |
| 20 | #endif |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 21 | |
[email protected] | a042173 | 2011-02-23 03:55:40 | [diff] [blame] | 22 | #include "content/browser/zygote_host_linux.h" |
| 23 | |
[email protected] | 789f70c7 | 2009-07-24 13:55:43 | [diff] [blame] | 24 | #include "base/basictypes.h" |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 25 | #include "base/command_line.h" |
| 26 | #include "base/eintr_wrapper.h" |
[email protected] | 5d91c9e | 2010-07-28 17:25:28 | [diff] [blame] | 27 | #include "base/file_path.h" |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 28 | #include "base/global_descriptors_posix.h" |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 29 | #include "base/hash_tables.h" |
| 30 | #include "base/linux_util.h" |
[email protected] | ed450f3 | 2011-03-16 01:26:49 | [diff] [blame^] | 31 | #include "base/nss_util.h" |
[email protected] | c9e45da0 | 2009-08-05 17:35:08 | [diff] [blame] | 32 | #include "base/path_service.h" |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 33 | #include "base/pickle.h" |
[email protected] | 4d36536b | 2010-08-20 06:23:27 | [diff] [blame] | 34 | #include "base/process_util.h" |
[email protected] | 4378a82 | 2009-07-08 01:15:14 | [diff] [blame] | 35 | #include "base/rand_util.h" |
[email protected] | 1831acf | 2009-10-05 16:38:41 | [diff] [blame] | 36 | #include "base/scoped_ptr.h" |
[email protected] | 80a086c5 | 2009-08-04 17:52:04 | [diff] [blame] | 37 | #include "base/sys_info.h" |
[email protected] | 8015de3 | 2009-11-18 04:13:33 | [diff] [blame] | 38 | #include "build/build_config.h" |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 39 | #include "chrome/common/chrome_descriptors.h" |
[email protected] | 4730db9 | 2009-07-22 00:40:48 | [diff] [blame] | 40 | #include "chrome/common/chrome_switches.h" |
[email protected] | cf3ac397 | 2010-12-22 20:02:29 | [diff] [blame] | 41 | #include "chrome/common/font_config_ipc_linux.h" |
[email protected] | 1777304 | 2010-07-28 17:35:07 | [diff] [blame] | 42 | #include "chrome/common/pepper_plugin_registry.h" |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 43 | #include "chrome/common/process_watcher.h" |
[email protected] | 443b80e | 2010-12-14 00:42:23 | [diff] [blame] | 44 | #include "chrome/common/result_codes.h" |
[email protected] | 73fa6399 | 2009-07-20 20:30:07 | [diff] [blame] | 45 | #include "chrome/common/sandbox_methods_linux.h" |
[email protected] | 74e9fa2 | 2010-12-29 21:06:43 | [diff] [blame] | 46 | #include "chrome/common/set_process_title.h" |
[email protected] | cf3ac397 | 2010-12-22 20:02:29 | [diff] [blame] | 47 | #include "chrome/common/unix_domain_socket_posix.h" |
[email protected] | 415c2cd | 2011-03-11 21:56:11 | [diff] [blame] | 48 | #include "content/common/main_function_params.h" |
[email protected] | c9e45da0 | 2009-08-05 17:35:08 | [diff] [blame] | 49 | #include "media/base/media.h" |
[email protected] | 808ea57 | 2010-09-01 16:22:01 | [diff] [blame] | 50 | #include "seccompsandbox/sandbox.h" |
[email protected] | cf3ac397 | 2010-12-22 20:02:29 | [diff] [blame] | 51 | #include "skia/ext/SkFontHost_fontconfig_control.h" |
[email protected] | 1831acf | 2009-10-05 16:38:41 | [diff] [blame] | 52 | #include "unicode/timezone.h" |
| 53 | |
[email protected] | 58680ce | 2010-09-18 00:09:15 | [diff] [blame] | 54 | #if defined(ARCH_CPU_X86_FAMILY) && !defined(CHROMIUM_SELINUX) && \ |
| 55 | !defined(__clang__) |
[email protected] | 36ea6c6f | 2010-03-17 20:08:01 | [diff] [blame] | 56 | // The seccomp sandbox is enabled on all ia32 and x86-64 processor as long as |
[email protected] | 58680ce | 2010-09-18 00:09:15 | [diff] [blame] | 57 | // we aren't using SELinux or clang. |
[email protected] | 36ea6c6f | 2010-03-17 20:08:01 | [diff] [blame] | 58 | #define SECCOMP_SANDBOX |
| 59 | #endif |
| 60 | |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 61 | // http://code.google.com/p/chromium/wiki/LinuxZygote |
| 62 | |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 63 | static const int kBrowserDescriptor = 3; |
[email protected] | 73fa6399 | 2009-07-20 20:30:07 | [diff] [blame] | 64 | static const int kMagicSandboxIPCDescriptor = 5; |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 65 | static const int kZygoteIdDescriptor = 7; |
| 66 | static bool g_suid_sandbox_active = false; |
[email protected] | 36ea6c6f | 2010-03-17 20:08:01 | [diff] [blame] | 67 | #if defined(SECCOMP_SANDBOX) |
[email protected] | 4f03cbc | 2009-11-19 00:50:48 | [diff] [blame] | 68 | // |g_proc_fd| is used only by the seccomp sandbox. |
[email protected] | a9c54a17 | 2009-11-07 06:09:38 | [diff] [blame] | 69 | static int g_proc_fd = -1; |
[email protected] | 4f03cbc | 2009-11-19 00:50:48 | [diff] [blame] | 70 | #endif |
[email protected] | 73fa6399 | 2009-07-20 20:30:07 | [diff] [blame] | 71 | |
[email protected] | a89a55dd | 2010-04-19 14:51:13 | [diff] [blame] | 72 | #if defined(CHROMIUM_SELINUX) |
| 73 | static void SELinuxTransitionToTypeOrDie(const char* type) { |
| 74 | security_context_t security_context; |
| 75 | if (getcon(&security_context)) |
| 76 | LOG(FATAL) << "Cannot get SELinux context"; |
| 77 | |
| 78 | context_t context = context_new(security_context); |
| 79 | context_type_set(context, type); |
| 80 | const int r = setcon(context_str(context)); |
| 81 | context_free(context); |
| 82 | freecon(security_context); |
| 83 | |
| 84 | if (r) { |
| 85 | LOG(FATAL) << "dynamic transition to type '" << type << "' failed. " |
| 86 | "(this binary has been built with SELinux support, but maybe " |
| 87 | "the policies haven't been loaded into the kernel?)"; |
| 88 | } |
| 89 | } |
| 90 | #endif // CHROMIUM_SELINUX |
| 91 | |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 92 | // This is the object which implements the zygote. The ZygoteMain function, |
[email protected] | 6188344 | 2010-07-12 15:14:34 | [diff] [blame] | 93 | // which is called from ChromeMain, simply constructs one of these objects and |
| 94 | // runs it. |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 95 | class Zygote { |
| 96 | public: |
[email protected] | 715b4f26 | 2010-07-13 14:17:28 | [diff] [blame] | 97 | explicit Zygote(int sandbox_flags) |
| 98 | : sandbox_flags_(sandbox_flags) { |
| 99 | } |
| 100 | |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 101 | bool ProcessRequests() { |
| 102 | // A SOCK_SEQPACKET socket is installed in fd 3. We get commands from the |
| 103 | // browser on it. |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 104 | // A SOCK_DGRAM is installed in fd 5. This is the sandbox IPC channel. |
[email protected] | abe3ad9 | 2009-06-15 18:15:08 | [diff] [blame] | 105 | // See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 106 | |
| 107 | // We need to accept SIGCHLD, even though our handler is a no-op because |
| 108 | // otherwise we cannot wait on children. (According to POSIX 2001.) |
| 109 | struct sigaction action; |
| 110 | memset(&action, 0, sizeof(action)); |
| 111 | action.sa_handler = SIGCHLDHandler; |
| 112 | CHECK(sigaction(SIGCHLD, &action, NULL) == 0); |
| 113 | |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 114 | if (g_suid_sandbox_active) { |
| 115 | // Let the ZygoteHost know we are ready to go. |
| 116 | // The receiving code is in chrome/browser/zygote_host_linux.cc. |
| 117 | std::vector<int> empty; |
[email protected] | cf3ac397 | 2010-12-22 20:02:29 | [diff] [blame] | 118 | bool r = UnixDomainSocket::SendMsg(kBrowserDescriptor, kZygoteMagic, |
| 119 | sizeof(kZygoteMagic), empty); |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 120 | CHECK(r) << "Sending zygote magic failed"; |
| 121 | } |
| 122 | |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 123 | for (;;) { |
[email protected] | c548be2 | 2010-03-08 12:55:57 | [diff] [blame] | 124 | // This function call can return multiple times, once per fork(). |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 125 | if (HandleRequestFromBrowser(kBrowserDescriptor)) |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 126 | return true; |
| 127 | } |
| 128 | } |
| 129 | |
| 130 | private: |
| 131 | // See comment below, where sigaction is called. |
| 132 | static void SIGCHLDHandler(int signal) { } |
| 133 | |
| 134 | // --------------------------------------------------------------------------- |
| 135 | // Requests from the browser... |
| 136 | |
| 137 | // Read and process a request from the browser. Returns true if we are in a |
| 138 | // new process and thus need to unwind back into ChromeMain. |
| 139 | bool HandleRequestFromBrowser(int fd) { |
| 140 | std::vector<int> fds; |
[email protected] | abe3ad9 | 2009-06-15 18:15:08 | [diff] [blame] | 141 | static const unsigned kMaxMessageLength = 1024; |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 142 | char buf[kMaxMessageLength]; |
[email protected] | cf3ac397 | 2010-12-22 20:02:29 | [diff] [blame] | 143 | const ssize_t len = UnixDomainSocket::RecvMsg(fd, buf, sizeof(buf), &fds); |
[email protected] | 7ae27b9 | 2010-09-24 17:33:36 | [diff] [blame] | 144 | |
| 145 | if (len == 0 || (len == -1 && errno == ECONNRESET)) { |
| 146 | // EOF from the browser. We should die. |
| 147 | _exit(0); |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 148 | return false; |
| 149 | } |
| 150 | |
[email protected] | 7ae27b9 | 2010-09-24 17:33:36 | [diff] [blame] | 151 | if (len == -1) { |
| 152 | PLOG(ERROR) << "Error reading message from browser"; |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 153 | return false; |
| 154 | } |
| 155 | |
| 156 | Pickle pickle(buf, len); |
| 157 | void* iter = NULL; |
| 158 | |
| 159 | int kind; |
[email protected] | 57113ea | 2009-06-18 02:23:16 | [diff] [blame] | 160 | if (pickle.ReadInt(&iter, &kind)) { |
| 161 | switch (kind) { |
| 162 | case ZygoteHost::kCmdFork: |
[email protected] | c548be2 | 2010-03-08 12:55:57 | [diff] [blame] | 163 | // This function call can return multiple times, once per fork(). |
[email protected] | 57113ea | 2009-06-18 02:23:16 | [diff] [blame] | 164 | return HandleForkRequest(fd, pickle, iter, fds); |
| 165 | case ZygoteHost::kCmdReap: |
| 166 | if (!fds.empty()) |
| 167 | break; |
[email protected] | c548be2 | 2010-03-08 12:55:57 | [diff] [blame] | 168 | HandleReapRequest(fd, pickle, iter); |
| 169 | return false; |
[email protected] | 443b80e | 2010-12-14 00:42:23 | [diff] [blame] | 170 | case ZygoteHost::kCmdGetTerminationStatus: |
[email protected] | 57113ea | 2009-06-18 02:23:16 | [diff] [blame] | 171 | if (!fds.empty()) |
| 172 | break; |
[email protected] | 443b80e | 2010-12-14 00:42:23 | [diff] [blame] | 173 | HandleGetTerminationStatus(fd, pickle, iter); |
[email protected] | c548be2 | 2010-03-08 12:55:57 | [diff] [blame] | 174 | return false; |
[email protected] | 715b4f26 | 2010-07-13 14:17:28 | [diff] [blame] | 175 | case ZygoteHost::kCmdGetSandboxStatus: |
| 176 | HandleGetSandboxStatus(fd, pickle, iter); |
| 177 | return false; |
[email protected] | 57113ea | 2009-06-18 02:23:16 | [diff] [blame] | 178 | default: |
| 179 | NOTREACHED(); |
| 180 | break; |
| 181 | } |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 182 | } |
| 183 | |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 184 | LOG(WARNING) << "Error parsing message from browser"; |
| 185 | for (std::vector<int>::const_iterator |
| 186 | i = fds.begin(); i != fds.end(); ++i) |
| 187 | close(*i); |
| 188 | return false; |
| 189 | } |
| 190 | |
[email protected] | c548be2 | 2010-03-08 12:55:57 | [diff] [blame] | 191 | void HandleReapRequest(int fd, const Pickle& pickle, void* iter) { |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 192 | base::ProcessId child; |
| 193 | base::ProcessId actual_child; |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 194 | |
| 195 | if (!pickle.ReadInt(&iter, &child)) { |
| 196 | LOG(WARNING) << "Error parsing reap request from browser"; |
[email protected] | c548be2 | 2010-03-08 12:55:57 | [diff] [blame] | 197 | return; |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 198 | } |
| 199 | |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 200 | if (g_suid_sandbox_active) { |
| 201 | actual_child = real_pids_to_sandbox_pids[child]; |
| 202 | if (!actual_child) |
[email protected] | c548be2 | 2010-03-08 12:55:57 | [diff] [blame] | 203 | return; |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 204 | real_pids_to_sandbox_pids.erase(child); |
| 205 | } else { |
| 206 | actual_child = child; |
| 207 | } |
| 208 | |
| 209 | ProcessWatcher::EnsureProcessTerminated(actual_child); |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 210 | } |
| 211 | |
[email protected] | 443b80e | 2010-12-14 00:42:23 | [diff] [blame] | 212 | void HandleGetTerminationStatus(int fd, const Pickle& pickle, void* iter) { |
[email protected] | 57113ea | 2009-06-18 02:23:16 | [diff] [blame] | 213 | base::ProcessHandle child; |
| 214 | |
| 215 | if (!pickle.ReadInt(&iter, &child)) { |
[email protected] | 443b80e | 2010-12-14 00:42:23 | [diff] [blame] | 216 | LOG(WARNING) << "Error parsing GetTerminationStatus request " |
| 217 | << "from browser"; |
[email protected] | c548be2 | 2010-03-08 12:55:57 | [diff] [blame] | 218 | return; |
[email protected] | 57113ea | 2009-06-18 02:23:16 | [diff] [blame] | 219 | } |
| 220 | |
[email protected] | 443b80e | 2010-12-14 00:42:23 | [diff] [blame] | 221 | base::TerminationStatus status; |
| 222 | int exit_code; |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 223 | if (g_suid_sandbox_active) |
| 224 | child = real_pids_to_sandbox_pids[child]; |
[email protected] | 443b80e | 2010-12-14 00:42:23 | [diff] [blame] | 225 | if (child) { |
| 226 | status = base::GetTerminationStatus(child, &exit_code); |
| 227 | } else { |
| 228 | // Assume that if we can't find the child in the sandbox, then |
| 229 | // it terminated normally. |
| 230 | status = base::TERMINATION_STATUS_NORMAL_TERMINATION; |
| 231 | exit_code = ResultCodes::NORMAL_EXIT; |
| 232 | } |
[email protected] | 57113ea | 2009-06-18 02:23:16 | [diff] [blame] | 233 | |
| 234 | Pickle write_pickle; |
[email protected] | 443b80e | 2010-12-14 00:42:23 | [diff] [blame] | 235 | write_pickle.WriteInt(static_cast<int>(status)); |
| 236 | write_pickle.WriteInt(exit_code); |
[email protected] | 8a86140 | 2011-01-28 19:59:11 | [diff] [blame] | 237 | ssize_t written = |
| 238 | HANDLE_EINTR(write(fd, write_pickle.data(), write_pickle.size())); |
| 239 | if (written != static_cast<ssize_t>(write_pickle.size())) |
[email protected] | 19cb929 | 2010-04-16 23:00:15 | [diff] [blame] | 240 | PLOG(ERROR) << "write"; |
[email protected] | 57113ea | 2009-06-18 02:23:16 | [diff] [blame] | 241 | } |
| 242 | |
[email protected] | 28ecba3 | 2010-09-16 10:03:09 | [diff] [blame] | 243 | // This is equivalent to fork(), except that, when using the SUID |
| 244 | // sandbox, it returns the real PID of the child process as it |
| 245 | // appears outside the sandbox, rather than returning the PID inside |
| 246 | // the sandbox. |
| 247 | int ForkWithRealPid() { |
| 248 | if (!g_suid_sandbox_active) |
| 249 | return fork(); |
| 250 | |
| 251 | int dummy_fd; |
| 252 | ino_t dummy_inode; |
| 253 | int pipe_fds[2] = { -1, -1 }; |
[email protected] | 073040b | 2010-09-26 02:35:45 | [diff] [blame] | 254 | base::ProcessId pid = 0; |
[email protected] | 28ecba3 | 2010-09-16 10:03:09 | [diff] [blame] | 255 | |
| 256 | dummy_fd = socket(PF_UNIX, SOCK_DGRAM, 0); |
| 257 | if (dummy_fd < 0) { |
| 258 | LOG(ERROR) << "Failed to create dummy FD"; |
| 259 | goto error; |
| 260 | } |
| 261 | if (!base::FileDescriptorGetInode(&dummy_inode, dummy_fd)) { |
| 262 | LOG(ERROR) << "Failed to get inode for dummy FD"; |
| 263 | goto error; |
| 264 | } |
| 265 | if (pipe(pipe_fds) != 0) { |
| 266 | LOG(ERROR) << "Failed to create pipe"; |
| 267 | goto error; |
| 268 | } |
| 269 | |
| 270 | pid = fork(); |
| 271 | if (pid < 0) { |
| 272 | goto error; |
| 273 | } else if (pid == 0) { |
| 274 | // In the child process. |
| 275 | close(pipe_fds[1]); |
| 276 | char buffer[1]; |
| 277 | // Wait until the parent process has discovered our PID. We |
| 278 | // should not fork any child processes (which the seccomp |
| 279 | // sandbox does) until then, because that can interfere with the |
| 280 | // parent's discovery of our PID. |
| 281 | if (HANDLE_EINTR(read(pipe_fds[0], buffer, 1)) != 1 || |
| 282 | buffer[0] != 'x') { |
| 283 | LOG(FATAL) << "Failed to synchronise with parent zygote process"; |
| 284 | } |
| 285 | close(pipe_fds[0]); |
| 286 | close(dummy_fd); |
| 287 | return 0; |
| 288 | } else { |
| 289 | // In the parent process. |
| 290 | close(dummy_fd); |
| 291 | dummy_fd = -1; |
| 292 | close(pipe_fds[0]); |
| 293 | pipe_fds[0] = -1; |
| 294 | uint8_t reply_buf[512]; |
| 295 | Pickle request; |
| 296 | request.WriteInt(LinuxSandbox::METHOD_GET_CHILD_WITH_INODE); |
| 297 | request.WriteUInt64(dummy_inode); |
| 298 | |
[email protected] | cf3ac397 | 2010-12-22 20:02:29 | [diff] [blame] | 299 | const ssize_t r = UnixDomainSocket::SendRecvMsg( |
| 300 | kMagicSandboxIPCDescriptor, reply_buf, sizeof(reply_buf), NULL, |
| 301 | request); |
[email protected] | 28ecba3 | 2010-09-16 10:03:09 | [diff] [blame] | 302 | if (r == -1) { |
| 303 | LOG(ERROR) << "Failed to get child process's real PID"; |
| 304 | goto error; |
| 305 | } |
| 306 | |
| 307 | base::ProcessId real_pid; |
| 308 | Pickle reply(reinterpret_cast<char*>(reply_buf), r); |
| 309 | void* iter2 = NULL; |
| 310 | if (!reply.ReadInt(&iter2, &real_pid)) |
| 311 | goto error; |
[email protected] | 073040b | 2010-09-26 02:35:45 | [diff] [blame] | 312 | if (real_pid <= 0) { |
| 313 | // METHOD_GET_CHILD_WITH_INODE failed. Did the child die already? |
| 314 | LOG(ERROR) << "METHOD_GET_CHILD_WITH_INODE failed"; |
| 315 | goto error; |
| 316 | } |
[email protected] | 28ecba3 | 2010-09-16 10:03:09 | [diff] [blame] | 317 | real_pids_to_sandbox_pids[real_pid] = pid; |
| 318 | if (HANDLE_EINTR(write(pipe_fds[1], "x", 1)) != 1) { |
| 319 | LOG(ERROR) << "Failed to synchronise with child process"; |
| 320 | goto error; |
| 321 | } |
| 322 | close(pipe_fds[1]); |
| 323 | return real_pid; |
| 324 | } |
| 325 | |
| 326 | error: |
[email protected] | 72f891f4 | 2011-01-12 17:00:52 | [diff] [blame] | 327 | if (pid > 0) { |
| 328 | if (waitpid(pid, NULL, WNOHANG) == -1) |
| 329 | LOG(ERROR) << "Failed to wait for process"; |
| 330 | } |
[email protected] | 28ecba3 | 2010-09-16 10:03:09 | [diff] [blame] | 331 | if (dummy_fd >= 0) |
| 332 | close(dummy_fd); |
| 333 | if (pipe_fds[0] >= 0) |
| 334 | close(pipe_fds[0]); |
| 335 | if (pipe_fds[1] >= 0) |
| 336 | close(pipe_fds[1]); |
| 337 | return -1; |
| 338 | } |
| 339 | |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 340 | // Handle a 'fork' request from the browser: this means that the browser |
| 341 | // wishes to start a new renderer. |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 342 | bool HandleForkRequest(int fd, const Pickle& pickle, void* iter, |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 343 | std::vector<int>& fds) { |
| 344 | std::vector<std::string> args; |
| 345 | int argc, numfds; |
| 346 | base::GlobalDescriptors::Mapping mapping; |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 347 | base::ProcessId child; |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 348 | |
| 349 | if (!pickle.ReadInt(&iter, &argc)) |
| 350 | goto error; |
| 351 | |
| 352 | for (int i = 0; i < argc; ++i) { |
| 353 | std::string arg; |
| 354 | if (!pickle.ReadString(&iter, &arg)) |
| 355 | goto error; |
| 356 | args.push_back(arg); |
| 357 | } |
| 358 | |
| 359 | if (!pickle.ReadInt(&iter, &numfds)) |
| 360 | goto error; |
| 361 | if (numfds != static_cast<int>(fds.size())) |
| 362 | goto error; |
| 363 | |
| 364 | for (int i = 0; i < numfds; ++i) { |
| 365 | base::GlobalDescriptors::Key key; |
| 366 | if (!pickle.ReadUInt32(&iter, &key)) |
| 367 | goto error; |
| 368 | mapping.push_back(std::make_pair(key, fds[i])); |
| 369 | } |
| 370 | |
[email protected] | abe3ad9 | 2009-06-15 18:15:08 | [diff] [blame] | 371 | mapping.push_back(std::make_pair( |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 372 | static_cast<uint32_t>(kSandboxIPCChannel), kMagicSandboxIPCDescriptor)); |
| 373 | |
[email protected] | 28ecba3 | 2010-09-16 10:03:09 | [diff] [blame] | 374 | child = ForkWithRealPid(); |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 375 | |
| 376 | if (!child) { |
[email protected] | 36ea6c6f | 2010-03-17 20:08:01 | [diff] [blame] | 377 | #if defined(SECCOMP_SANDBOX) |
[email protected] | a9c54a17 | 2009-11-07 06:09:38 | [diff] [blame] | 378 | // Try to open /proc/self/maps as the seccomp sandbox needs access to it |
| 379 | if (g_proc_fd >= 0) { |
| 380 | int proc_self_maps = openat(g_proc_fd, "self/maps", O_RDONLY); |
| 381 | if (proc_self_maps >= 0) { |
| 382 | SeccompSandboxSetProcSelfMaps(proc_self_maps); |
| 383 | } |
| 384 | close(g_proc_fd); |
| 385 | g_proc_fd = -1; |
| 386 | } |
[email protected] | 8015de3 | 2009-11-18 04:13:33 | [diff] [blame] | 387 | #endif |
[email protected] | a9c54a17 | 2009-11-07 06:09:38 | [diff] [blame] | 388 | |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 389 | close(kBrowserDescriptor); // our socket from the browser |
[email protected] | cbcf9cc3 | 2010-02-17 04:05:59 | [diff] [blame] | 390 | if (g_suid_sandbox_active) |
| 391 | close(kZygoteIdDescriptor); // another socket from the browser |
[email protected] | 9b85081af | 2010-12-07 21:26:47 | [diff] [blame] | 392 | base::GlobalDescriptors::GetInstance()->Reset(mapping); |
[email protected] | 0189bbd | 2009-10-12 22:50:39 | [diff] [blame] | 393 | |
[email protected] | a89a55dd | 2010-04-19 14:51:13 | [diff] [blame] | 394 | #if defined(CHROMIUM_SELINUX) |
| 395 | SELinuxTransitionToTypeOrDie("chromium_renderer_t"); |
| 396 | #endif |
| 397 | |
[email protected] | 0189bbd | 2009-10-12 22:50:39 | [diff] [blame] | 398 | // Reset the process-wide command line to our new command line. |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 399 | CommandLine::Reset(); |
[email protected] | 0189bbd | 2009-10-12 22:50:39 | [diff] [blame] | 400 | CommandLine::Init(0, NULL); |
| 401 | CommandLine::ForCurrentProcess()->InitFromArgv(args); |
[email protected] | 74e9fa2 | 2010-12-29 21:06:43 | [diff] [blame] | 402 | |
| 403 | // Update the process title. The argv was already cached by the call to |
| 404 | // SetProcessTitleFromCommandLine in ChromeMain, so we can pass NULL here |
| 405 | // (we don't have the original argv at this point). |
| 406 | SetProcessTitleFromCommandLine(NULL); |
| 407 | |
[email protected] | c548be2 | 2010-03-08 12:55:57 | [diff] [blame] | 408 | // The fork() request is handled further up the call stack. |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 409 | return true; |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 410 | } else if (child < 0) { |
[email protected] | 466cffd | 2010-06-09 18:10:56 | [diff] [blame] | 411 | LOG(ERROR) << "Zygote could not fork: " << errno; |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 412 | goto error; |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 413 | } |
| 414 | |
[email protected] | 28ecba3 | 2010-09-16 10:03:09 | [diff] [blame] | 415 | for (std::vector<int>::const_iterator |
| 416 | i = fds.begin(); i != fds.end(); ++i) |
| 417 | close(*i); |
[email protected] | 83a0cbe | 2009-11-04 04:22:47 | [diff] [blame] | 418 | |
[email protected] | 28ecba3 | 2010-09-16 10:03:09 | [diff] [blame] | 419 | if (HANDLE_EINTR(write(fd, &child, sizeof(child))) < 0) |
| 420 | PLOG(ERROR) << "write"; |
| 421 | return false; |
[email protected] | 83a0cbe | 2009-11-04 04:22:47 | [diff] [blame] | 422 | |
| 423 | error: |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 424 | LOG(ERROR) << "Error parsing fork request from browser"; |
[email protected] | 83a0cbe | 2009-11-04 04:22:47 | [diff] [blame] | 425 | for (std::vector<int>::const_iterator |
| 426 | i = fds.begin(); i != fds.end(); ++i) |
| 427 | close(*i); |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 428 | return false; |
| 429 | } |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 430 | |
[email protected] | 715b4f26 | 2010-07-13 14:17:28 | [diff] [blame] | 431 | bool HandleGetSandboxStatus(int fd, const Pickle& pickle, void* iter) { |
| 432 | if (HANDLE_EINTR(write(fd, &sandbox_flags_, sizeof(sandbox_flags_)) != |
| 433 | sizeof(sandbox_flags_))) { |
| 434 | PLOG(ERROR) << "write"; |
| 435 | } |
| 436 | |
| 437 | return false; |
| 438 | } |
| 439 | |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 440 | // In the SUID sandbox, we try to use a new PID namespace. Thus the PIDs |
| 441 | // fork() returns are not the real PIDs, so we need to map the Real PIDS |
| 442 | // into the sandbox PID namespace. |
| 443 | typedef base::hash_map<base::ProcessHandle, base::ProcessHandle> ProcessMap; |
| 444 | ProcessMap real_pids_to_sandbox_pids; |
[email protected] | 715b4f26 | 2010-07-13 14:17:28 | [diff] [blame] | 445 | |
| 446 | const int sandbox_flags_; |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 447 | }; |
| 448 | |
[email protected] | ad6d2c4 | 2009-09-15 20:13:38 | [diff] [blame] | 449 | // With SELinux we can carve out a precise sandbox, so we don't have to play |
| 450 | // with intercepting libc calls. |
| 451 | #if !defined(CHROMIUM_SELINUX) |
| 452 | |
[email protected] | a0f200ea | 2009-08-06 18:44:06 | [diff] [blame] | 453 | static void ProxyLocaltimeCallToBrowser(time_t input, struct tm* output, |
| 454 | char* timezone_out, |
| 455 | size_t timezone_out_len) { |
[email protected] | 73fa6399 | 2009-07-20 20:30:07 | [diff] [blame] | 456 | Pickle request; |
| 457 | request.WriteInt(LinuxSandbox::METHOD_LOCALTIME); |
| 458 | request.WriteString( |
| 459 | std::string(reinterpret_cast<char*>(&input), sizeof(input))); |
| 460 | |
| 461 | uint8_t reply_buf[512]; |
[email protected] | cf3ac397 | 2010-12-22 20:02:29 | [diff] [blame] | 462 | const ssize_t r = UnixDomainSocket::SendRecvMsg( |
[email protected] | 73fa6399 | 2009-07-20 20:30:07 | [diff] [blame] | 463 | kMagicSandboxIPCDescriptor, reply_buf, sizeof(reply_buf), NULL, request); |
| 464 | if (r == -1) { |
| 465 | memset(output, 0, sizeof(struct tm)); |
| 466 | return; |
| 467 | } |
| 468 | |
| 469 | Pickle reply(reinterpret_cast<char*>(reply_buf), r); |
| 470 | void* iter = NULL; |
[email protected] | 9debcda5 | 2009-07-22 20:06:51 | [diff] [blame] | 471 | std::string result, timezone; |
[email protected] | 73fa6399 | 2009-07-20 20:30:07 | [diff] [blame] | 472 | if (!reply.ReadString(&iter, &result) || |
[email protected] | 9debcda5 | 2009-07-22 20:06:51 | [diff] [blame] | 473 | !reply.ReadString(&iter, &timezone) || |
[email protected] | 73fa6399 | 2009-07-20 20:30:07 | [diff] [blame] | 474 | result.size() != sizeof(struct tm)) { |
| 475 | memset(output, 0, sizeof(struct tm)); |
| 476 | return; |
| 477 | } |
| 478 | |
| 479 | memcpy(output, result.data(), sizeof(struct tm)); |
[email protected] | 9debcda5 | 2009-07-22 20:06:51 | [diff] [blame] | 480 | if (timezone_out_len) { |
| 481 | const size_t copy_len = std::min(timezone_out_len - 1, timezone.size()); |
| 482 | memcpy(timezone_out, timezone.data(), copy_len); |
| 483 | timezone_out[copy_len] = 0; |
| 484 | output->tm_zone = timezone_out; |
| 485 | } else { |
| 486 | output->tm_zone = NULL; |
| 487 | } |
[email protected] | 73fa6399 | 2009-07-20 20:30:07 | [diff] [blame] | 488 | } |
| 489 | |
[email protected] | a0f200ea | 2009-08-06 18:44:06 | [diff] [blame] | 490 | static bool g_am_zygote_or_renderer = false; |
| 491 | |
| 492 | // Sandbox interception of libc calls. |
| 493 | // |
| 494 | // Because we are running in a sandbox certain libc calls will fail (localtime |
| 495 | // being the motivating example - it needs to read /etc/localtime). We need to |
| 496 | // intercept these calls and proxy them to the browser. However, these calls |
| 497 | // may come from us or from our libraries. In some cases we can't just change |
| 498 | // our code. |
| 499 | // |
| 500 | // It's for these cases that we have the following setup: |
| 501 | // |
| 502 | // We define global functions for those functions which we wish to override. |
| 503 | // Since we will be first in the dynamic resolution order, the dynamic linker |
| 504 | // will point callers to our versions of these functions. However, we have the |
| 505 | // same binary for both the browser and the renderers, which means that our |
| 506 | // overrides will apply in the browser too. |
| 507 | // |
| 508 | // The global |g_am_zygote_or_renderer| is true iff we are in a zygote or |
| 509 | // renderer process. It's set in ZygoteMain and inherited by the renderers when |
| 510 | // they fork. (This means that it'll be incorrect for global constructor |
| 511 | // functions and before ZygoteMain is called - beware). |
| 512 | // |
| 513 | // Our replacement functions can check this global and either proxy |
| 514 | // the call to the browser over the sandbox IPC |
| 515 | // (http://code.google.com/p/chromium/wiki/LinuxSandboxIPC) or they can use |
| 516 | // dlsym with RTLD_NEXT to resolve the symbol, ignoring any symbols in the |
| 517 | // current module. |
| 518 | // |
| 519 | // Other avenues: |
| 520 | // |
| 521 | // Our first attempt involved some assembly to patch the GOT of the current |
| 522 | // module. This worked, but was platform specific and doesn't catch the case |
| 523 | // where a library makes a call rather than current module. |
| 524 | // |
| 525 | // We also considered patching the function in place, but this would again by |
| 526 | // platform specific and the above technique seems to work well enough. |
| 527 | |
[email protected] | 724df99 | 2010-09-21 18:19:10 | [diff] [blame] | 528 | typedef struct tm* (*LocaltimeFunction)(const time_t* timep); |
| 529 | typedef struct tm* (*LocaltimeRFunction)(const time_t* timep, |
| 530 | struct tm* result); |
| 531 | |
| 532 | static pthread_once_t g_libc_localtime_funcs_guard = PTHREAD_ONCE_INIT; |
| 533 | static LocaltimeFunction g_libc_localtime; |
| 534 | static LocaltimeRFunction g_libc_localtime_r; |
| 535 | |
| 536 | static void InitLibcLocaltimeFunctions() { |
| 537 | g_libc_localtime = reinterpret_cast<LocaltimeFunction>( |
| 538 | dlsym(RTLD_NEXT, "localtime")); |
| 539 | g_libc_localtime_r = reinterpret_cast<LocaltimeRFunction>( |
| 540 | dlsym(RTLD_NEXT, "localtime_r")); |
| 541 | |
| 542 | if (!g_libc_localtime || !g_libc_localtime_r) { |
| 543 | // http://code.google.com/p/chromium/issues/detail?id=16800 |
| 544 | // |
| 545 | // Nvidia's libGL.so overrides dlsym for an unknown reason and replaces |
| 546 | // it with a version which doesn't work. In this case we'll get a NULL |
| 547 | // result. There's not a lot we can do at this point, so we just bodge it! |
| 548 | LOG(ERROR) << "Your system is broken: dlsym doesn't work! This has been " |
| 549 | "reported to be caused by Nvidia's libGL. You should expect" |
| 550 | " time related functions to misbehave. " |
| 551 | "http://code.google.com/p/chromium/issues/detail?id=16800"; |
| 552 | } |
| 553 | |
| 554 | if (!g_libc_localtime) |
| 555 | g_libc_localtime = gmtime; |
| 556 | if (!g_libc_localtime_r) |
| 557 | g_libc_localtime_r = gmtime_r; |
| 558 | } |
[email protected] | a5d7bb8 | 2009-09-08 22:30:58 | [diff] [blame] | 559 | |
[email protected] | 73fa6399 | 2009-07-20 20:30:07 | [diff] [blame] | 560 | struct tm* localtime(const time_t* timep) { |
[email protected] | a0f200ea | 2009-08-06 18:44:06 | [diff] [blame] | 561 | if (g_am_zygote_or_renderer) { |
| 562 | static struct tm time_struct; |
| 563 | static char timezone_string[64]; |
| 564 | ProxyLocaltimeCallToBrowser(*timep, &time_struct, timezone_string, |
| 565 | sizeof(timezone_string)); |
| 566 | return &time_struct; |
| 567 | } else { |
[email protected] | 724df99 | 2010-09-21 18:19:10 | [diff] [blame] | 568 | CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard, |
| 569 | InitLibcLocaltimeFunctions)); |
| 570 | return g_libc_localtime(timep); |
[email protected] | a0f200ea | 2009-08-06 18:44:06 | [diff] [blame] | 571 | } |
[email protected] | 73fa6399 | 2009-07-20 20:30:07 | [diff] [blame] | 572 | } |
| 573 | |
| 574 | struct tm* localtime_r(const time_t* timep, struct tm* result) { |
[email protected] | a0f200ea | 2009-08-06 18:44:06 | [diff] [blame] | 575 | if (g_am_zygote_or_renderer) { |
| 576 | ProxyLocaltimeCallToBrowser(*timep, result, NULL, 0); |
| 577 | return result; |
| 578 | } else { |
[email protected] | 724df99 | 2010-09-21 18:19:10 | [diff] [blame] | 579 | CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard, |
| 580 | InitLibcLocaltimeFunctions)); |
| 581 | return g_libc_localtime_r(timep, result); |
[email protected] | a0f200ea | 2009-08-06 18:44:06 | [diff] [blame] | 582 | } |
[email protected] | 73fa6399 | 2009-07-20 20:30:07 | [diff] [blame] | 583 | } |
| 584 | |
[email protected] | ad6d2c4 | 2009-09-15 20:13:38 | [diff] [blame] | 585 | #endif // !CHROMIUM_SELINUX |
[email protected] | a5d7bb8 | 2009-09-08 22:30:58 | [diff] [blame] | 586 | |
[email protected] | ad6d2c4 | 2009-09-15 20:13:38 | [diff] [blame] | 587 | // This function triggers the static and lazy construction of objects that need |
| 588 | // to be created before imposing the sandbox. |
| 589 | static void PreSandboxInit() { |
[email protected] | b841941 | 2010-03-29 20:18:29 | [diff] [blame] | 590 | base::RandUint64(); |
[email protected] | 4378a82 | 2009-07-08 01:15:14 | [diff] [blame] | 591 | |
[email protected] | b841941 | 2010-03-29 20:18:29 | [diff] [blame] | 592 | base::SysInfo::MaxSharedMemorySize(); |
[email protected] | 80a086c5 | 2009-08-04 17:52:04 | [diff] [blame] | 593 | |
[email protected] | b841941 | 2010-03-29 20:18:29 | [diff] [blame] | 594 | // ICU DateFormat class (used in base/time_format.cc) needs to get the |
| 595 | // Olson timezone ID by accessing the zoneinfo files on disk. After |
| 596 | // TimeZone::createDefault is called once here, the timezone ID is |
| 597 | // cached and there's no more need to access the file system. |
| 598 | scoped_ptr<icu::TimeZone> zone(icu::TimeZone::createDefault()); |
[email protected] | 1831acf | 2009-10-05 16:38:41 | [diff] [blame] | 599 | |
[email protected] | b841941 | 2010-03-29 20:18:29 | [diff] [blame] | 600 | FilePath module_path; |
| 601 | if (PathService::Get(base::DIR_MODULE, &module_path)) |
| 602 | media::InitializeMediaLibrary(module_path); |
[email protected] | 1777304 | 2010-07-28 17:35:07 | [diff] [blame] | 603 | |
[email protected] | ed450f3 | 2011-03-16 01:26:49 | [diff] [blame^] | 604 | // Remoting requires NSS to function properly. It is not used for other |
| 605 | // reasons so load NSS only if remoting is enabled. |
| 606 | const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
| 607 | if (command_line.HasSwitch(switches::kEnableRemoting)) { |
| 608 | // We are going to fork to engage the sandbox and we have not loaded |
| 609 | // any security modules so it is safe to disable the fork check in NSS. |
| 610 | base::DisableNSSForkCheck(); |
| 611 | |
| 612 | // Initialize NSS so that we load the necessary library files |
| 613 | // before we enter the sandbox. |
| 614 | base::ForceNSSNoDBInit(); |
| 615 | base::EnsureNSSInit(); |
| 616 | } |
| 617 | |
[email protected] | 1777304 | 2010-07-28 17:35:07 | [diff] [blame] | 618 | // Ensure access to the Pepper plugins before the sandbox is turned on. |
| 619 | PepperPluginRegistry::PreloadModules(); |
[email protected] | ad6d2c4 | 2009-09-15 20:13:38 | [diff] [blame] | 620 | } |
| 621 | |
| 622 | #if !defined(CHROMIUM_SELINUX) |
| 623 | static bool EnterSandbox() { |
[email protected] | b841941 | 2010-03-29 20:18:29 | [diff] [blame] | 624 | // The SUID sandbox sets this environment variable to a file descriptor |
| 625 | // over which we can signal that we have completed our startup and can be |
| 626 | // chrooted. |
[email protected] | ad6d2c4 | 2009-09-15 20:13:38 | [diff] [blame] | 627 | const char* const sandbox_fd_string = getenv("SBX_D"); |
[email protected] | ad6d2c4 | 2009-09-15 20:13:38 | [diff] [blame] | 628 | |
[email protected] | 0dc3232 | 2010-09-16 09:46:59 | [diff] [blame] | 629 | if (sandbox_fd_string) { |
| 630 | // Use the SUID sandbox. This still allows the seccomp sandbox to |
| 631 | // be enabled by the process later. |
[email protected] | 8ecd3aad | 2009-11-04 08:32:22 | [diff] [blame] | 632 | g_suid_sandbox_active = true; |
| 633 | |
[email protected] | ad6d2c4 | 2009-09-15 20:13:38 | [diff] [blame] | 634 | char* endptr; |
| 635 | const long fd_long = strtol(sandbox_fd_string, &endptr, 10); |
| 636 | if (!*sandbox_fd_string || *endptr || fd_long < 0 || fd_long > INT_MAX) |
| 637 | return false; |
| 638 | const int fd = fd_long; |
| 639 | |
| 640 | PreSandboxInit(); |
[email protected] | c9e45da0 | 2009-08-05 17:35:08 | [diff] [blame] | 641 | |
[email protected] | eaebefaf | 2010-02-23 22:58:18 | [diff] [blame] | 642 | static const char kMsgChrootMe = 'C'; |
| 643 | static const char kMsgChrootSuccessful = 'O'; |
[email protected] | abe3ad9 | 2009-06-15 18:15:08 | [diff] [blame] | 644 | |
[email protected] | eaebefaf | 2010-02-23 22:58:18 | [diff] [blame] | 645 | if (HANDLE_EINTR(write(fd, &kMsgChrootMe, 1)) != 1) { |
[email protected] | 0e161112 | 2009-07-10 18:17:32 | [diff] [blame] | 646 | LOG(ERROR) << "Failed to write to chroot pipe: " << errno; |
[email protected] | abe3ad9 | 2009-06-15 18:15:08 | [diff] [blame] | 647 | return false; |
[email protected] | 0e161112 | 2009-07-10 18:17:32 | [diff] [blame] | 648 | } |
[email protected] | abe3ad9 | 2009-06-15 18:15:08 | [diff] [blame] | 649 | |
[email protected] | 87ed695 | 2009-07-16 02:52:15 | [diff] [blame] | 650 | // We need to reap the chroot helper process in any event: |
| 651 | wait(NULL); |
| 652 | |
[email protected] | abe3ad9 | 2009-06-15 18:15:08 | [diff] [blame] | 653 | char reply; |
[email protected] | 87f8ce6 | 2009-07-10 19:14:31 | [diff] [blame] | 654 | if (HANDLE_EINTR(read(fd, &reply, 1)) != 1) { |
[email protected] | 0e161112 | 2009-07-10 18:17:32 | [diff] [blame] | 655 | LOG(ERROR) << "Failed to read from chroot pipe: " << errno; |
[email protected] | abe3ad9 | 2009-06-15 18:15:08 | [diff] [blame] | 656 | return false; |
[email protected] | 0e161112 | 2009-07-10 18:17:32 | [diff] [blame] | 657 | } |
[email protected] | 87f8ce6 | 2009-07-10 19:14:31 | [diff] [blame] | 658 | |
[email protected] | eaebefaf | 2010-02-23 22:58:18 | [diff] [blame] | 659 | if (reply != kMsgChrootSuccessful) { |
[email protected] | 0e161112 | 2009-07-10 18:17:32 | [diff] [blame] | 660 | LOG(ERROR) << "Error code reply from chroot helper"; |
[email protected] | abe3ad9 | 2009-06-15 18:15:08 | [diff] [blame] | 661 | return false; |
[email protected] | 0e161112 | 2009-07-10 18:17:32 | [diff] [blame] | 662 | } |
[email protected] | abe3ad9 | 2009-06-15 18:15:08 | [diff] [blame] | 663 | |
[email protected] | cf3ac397 | 2010-12-22 20:02:29 | [diff] [blame] | 664 | SkiaFontConfigSetImplementation( |
| 665 | new FontConfigIPC(kMagicSandboxIPCDescriptor)); |
[email protected] | abe3ad9 | 2009-06-15 18:15:08 | [diff] [blame] | 666 | |
[email protected] | 415493be | 2009-07-10 17:50:24 | [diff] [blame] | 667 | // Previously, we required that the binary be non-readable. This causes the |
| 668 | // kernel to mark the process as non-dumpable at startup. The thinking was |
| 669 | // that, although we were putting the renderers into a PID namespace (with |
| 670 | // the SUID sandbox), they would nonetheless be in the /same/ PID |
| 671 | // namespace. So they could ptrace each other unless they were non-dumpable. |
| 672 | // |
| 673 | // If the binary was readable, then there would be a window between process |
| 674 | // startup and the point where we set the non-dumpable flag in which a |
| 675 | // compromised renderer could ptrace attach. |
| 676 | // |
| 677 | // However, now that we have a zygote model, only the (trusted) zygote |
| 678 | // exists at this point and we can set the non-dumpable flag which is |
| 679 | // inherited by all our renderer children. |
[email protected] | 4730db9 | 2009-07-22 00:40:48 | [diff] [blame] | 680 | // |
| 681 | // Note: a non-dumpable process can't be debugged. To debug sandbox-related |
| 682 | // issues, one can specify --allow-sandbox-debugging to let the process be |
| 683 | // dumpable. |
| 684 | const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
| 685 | if (!command_line.HasSwitch(switches::kAllowSandboxDebugging)) { |
| 686 | prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); |
| 687 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) { |
| 688 | LOG(ERROR) << "Failed to set non-dumpable flag"; |
| 689 | return false; |
| 690 | } |
[email protected] | 0e161112 | 2009-07-10 18:17:32 | [diff] [blame] | 691 | } |
[email protected] | cc9a9a88 | 2011-03-03 20:09:10 | [diff] [blame] | 692 | } else if (CommandLine::ForCurrentProcess()->HasSwitch( |
| 693 | switches::kEnableSeccompSandbox)) { |
[email protected] | 0dc3232 | 2010-09-16 09:46:59 | [diff] [blame] | 694 | PreSandboxInit(); |
[email protected] | cf3ac397 | 2010-12-22 20:02:29 | [diff] [blame] | 695 | SkiaFontConfigSetImplementation( |
| 696 | new FontConfigIPC(kMagicSandboxIPCDescriptor)); |
[email protected] | abe3ad9 | 2009-06-15 18:15:08 | [diff] [blame] | 697 | } else { |
| 698 | SkiaFontConfigUseDirectImplementation(); |
| 699 | } |
| 700 | |
| 701 | return true; |
| 702 | } |
[email protected] | ad6d2c4 | 2009-09-15 20:13:38 | [diff] [blame] | 703 | #else // CHROMIUM_SELINUX |
| 704 | |
| 705 | static bool EnterSandbox() { |
| 706 | PreSandboxInit(); |
| 707 | SkiaFontConfigUseIPCImplementation(kMagicSandboxIPCDescriptor); |
[email protected] | ad6d2c4 | 2009-09-15 20:13:38 | [diff] [blame] | 708 | return true; |
| 709 | } |
| 710 | |
| 711 | #endif // CHROMIUM_SELINUX |
[email protected] | abe3ad9 | 2009-06-15 18:15:08 | [diff] [blame] | 712 | |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 713 | bool ZygoteMain(const MainFunctionParams& params) { |
[email protected] | ad6d2c4 | 2009-09-15 20:13:38 | [diff] [blame] | 714 | #if !defined(CHROMIUM_SELINUX) |
[email protected] | a0f200ea | 2009-08-06 18:44:06 | [diff] [blame] | 715 | g_am_zygote_or_renderer = true; |
[email protected] | ad6d2c4 | 2009-09-15 20:13:38 | [diff] [blame] | 716 | #endif |
[email protected] | a0f200ea | 2009-08-06 18:44:06 | [diff] [blame] | 717 | |
[email protected] | 36ea6c6f | 2010-03-17 20:08:01 | [diff] [blame] | 718 | #if defined(SECCOMP_SANDBOX) |
[email protected] | a9c54a17 | 2009-11-07 06:09:38 | [diff] [blame] | 719 | // The seccomp sandbox needs access to files in /proc, which might be denied |
| 720 | // after one of the other sandboxes have been started. So, obtain a suitable |
| 721 | // file handle in advance. |
[email protected] | cc9a9a88 | 2011-03-03 20:09:10 | [diff] [blame] | 722 | if (CommandLine::ForCurrentProcess()->HasSwitch( |
| 723 | switches::kEnableSeccompSandbox)) { |
[email protected] | a9c54a17 | 2009-11-07 06:09:38 | [diff] [blame] | 724 | g_proc_fd = open("/proc", O_DIRECTORY | O_RDONLY); |
| 725 | if (g_proc_fd < 0) { |
| 726 | LOG(ERROR) << "WARNING! Cannot access \"/proc\". Disabling seccomp " |
| 727 | "sandboxing."; |
| 728 | } |
| 729 | } |
[email protected] | 36ea6c6f | 2010-03-17 20:08:01 | [diff] [blame] | 730 | #endif // SECCOMP_SANDBOX |
[email protected] | a9c54a17 | 2009-11-07 06:09:38 | [diff] [blame] | 731 | |
| 732 | // Turn on the SELinux or SUID sandbox |
| 733 | if (!EnterSandbox()) { |
| 734 | LOG(FATAL) << "Failed to enter sandbox. Fail safe abort. (errno: " |
| 735 | << errno << ")"; |
| 736 | return false; |
| 737 | } |
| 738 | |
[email protected] | 715b4f26 | 2010-07-13 14:17:28 | [diff] [blame] | 739 | int sandbox_flags = 0; |
| 740 | if (getenv("SBX_D")) |
| 741 | sandbox_flags |= ZygoteHost::kSandboxSUID; |
| 742 | if (getenv("SBX_PID_NS")) |
| 743 | sandbox_flags |= ZygoteHost::kSandboxPIDNS; |
| 744 | if (getenv("SBX_NET_NS")) |
| 745 | sandbox_flags |= ZygoteHost::kSandboxNetNS; |
| 746 | |
[email protected] | 36ea6c6f | 2010-03-17 20:08:01 | [diff] [blame] | 747 | #if defined(SECCOMP_SANDBOX) |
[email protected] | a9c54a17 | 2009-11-07 06:09:38 | [diff] [blame] | 748 | // The seccomp sandbox will be turned on when the renderers start. But we can |
| 749 | // already check if sufficient support is available so that we only need to |
| 750 | // print one error message for the entire browser session. |
[email protected] | cc9a9a88 | 2011-03-03 20:09:10 | [diff] [blame] | 751 | if (g_proc_fd >= 0 && CommandLine::ForCurrentProcess()->HasSwitch( |
| 752 | switches::kEnableSeccompSandbox)) { |
[email protected] | a9c54a17 | 2009-11-07 06:09:38 | [diff] [blame] | 753 | if (!SupportsSeccompSandbox(g_proc_fd)) { |
[email protected] | e8c916a | 2009-11-04 17:52:47 | [diff] [blame] | 754 | // There are a good number of users who cannot use the seccomp sandbox |
| 755 | // (e.g. because their distribution does not enable seccomp mode by |
| 756 | // default). While we would prefer to deny execution in this case, it |
| 757 | // seems more realistic to continue in degraded mode. |
[email protected] | 1b5d28f | 2010-02-18 15:53:36 | [diff] [blame] | 758 | LOG(ERROR) << "WARNING! This machine lacks support needed for the " |
| 759 | "Seccomp sandbox. Running renderers with Seccomp " |
| 760 | "sandboxing disabled."; |
[email protected] | e8c916a | 2009-11-04 17:52:47 | [diff] [blame] | 761 | } else { |
[email protected] | 8e96e50 | 2010-10-21 20:57:12 | [diff] [blame] | 762 | VLOG(1) << "Enabling experimental Seccomp sandbox."; |
[email protected] | 715b4f26 | 2010-07-13 14:17:28 | [diff] [blame] | 763 | sandbox_flags |= ZygoteHost::kSandboxSeccomp; |
[email protected] | e8c916a | 2009-11-04 17:52:47 | [diff] [blame] | 764 | } |
| 765 | } |
[email protected] | 36ea6c6f | 2010-03-17 20:08:01 | [diff] [blame] | 766 | #endif // SECCOMP_SANDBOX |
[email protected] | e8c916a | 2009-11-04 17:52:47 | [diff] [blame] | 767 | |
[email protected] | 715b4f26 | 2010-07-13 14:17:28 | [diff] [blame] | 768 | Zygote zygote(sandbox_flags); |
[email protected] | c548be2 | 2010-03-08 12:55:57 | [diff] [blame] | 769 | // This function call can return multiple times, once per fork(). |
[email protected] | cc8f146 | 2009-06-12 17:36:55 | [diff] [blame] | 770 | return zygote.ProcessRequests(); |
| 771 | } |