Namespace sandbox: add important security checks
When engaging the namespace sandbox, add important checks that the process is single threaded and has no directory file descriptor open. As part of this change, move the function engaging the namespace sandbox from the Zygote to the LinuxSandbox class. BUG=457377, 312380 Review URL: https://codereview.chromium.org/915823002 Cr-Commit-Position: refs/heads/master@{#315932}
jln
authored and
Commit bot
committed
Feb 12, 2015
1 parent
cffa416
commit b94f681
Showing
8 changed files
with
163 additions
and
74 deletions.
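--- a/content/common/sandbox_linux/sandbox_debug_handling_linux.cc
+++ b/content/common/sandbox_linux/sandbox_debug_handling_linux.cc
@@ -0,0 +1,79 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/common/sandbox_linux/sandbox_debug_handling_linux.h"
+
+#include <errno.h>
+#include <signal.h>
+#include <sys/prctl.h>
+#include <unistd.h>
+
+#include "base/command_line.h"
+#include "base/logging.h"
+#include "base/macros.h"
+#include "base/strings/safe_sprintf.h"
+#include "content/public/common/content_switches.h"
+
+namespace content {
+
+namespace {
+
+void DoChrootSignalHandler(int) {
+const int old_errno = errno;
+const char kFirstMessage[] = "Chroot signal handler called.\n";
+ignore_result(write(STDERR_FILENO, kFirstMessage, sizeof(kFirstMessage) - 1));
+
+const int chroot_ret = chroot("/");
+
+char kSecondMessage[100];
+const ssize_t printed = base::strings::SafeSPrintf(
+kSecondMessage, "chroot() returned %d. Errno is %d.\n", chroot_ret,
+errno);
+if (printed > 0 && printed < static_cast<ssize_t>(sizeof(kSecondMessage))) {
+ignore_result(write(STDERR_FILENO, kSecondMessage, printed));
+}
+errno = old_errno;
+}
+
+// This is a quick hack to allow testing sandbox crash reports in production
+// binaries.
+// This installs a signal handler for SIGUSR2 that performs a chroot().
+// In most of our BPF policies, it is a "watched" system call which will
+// trigger a SIGSYS signal whose handler will crash.
+// This has been added during the investigation of https://crbug.com/415842.
+void InstallCrashTestHandler() {
+struct sigaction act = {};
+act.sa_handler = DoChrootSignalHandler;
+CHECK_EQ(0, sigemptyset(&act.sa_mask));
+act.sa_flags = 0;
+
+PCHECK(0 == sigaction(SIGUSR2, &act, NULL));
+}
+
+bool IsSandboxDebuggingEnabled() {
+const base::CommandLine& command_line =
+*base::CommandLine::ForCurrentProcess();
+return command_line.HasSwitch(switches::kAllowSandboxDebugging);
+}
+
+} // namespace
+
+// static
+bool SandboxDebugHandling::SetDumpableStatusAndHandlers() {
+if (IsSandboxDebuggingEnabled()) {
+// If sandbox debugging is allowed, install a handler for sandbox-related
+// crash testing.
+InstallCrashTestHandler();
+return true;
+}
+
+if (prctl(PR_SET_DUMPABLE, 0) != 0) {
+PLOG(ERROR) << "Failed to set non-dumpable flag";
+return false;
+}
+
+return prctl(PR_GET_DUMPABLE) == 0;
+}
+
+} // namespace content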
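Review bot: `kSecondMessage` in DoChrootSignalHandler is a mutable stack buffer that SafeSPrintf writes into, yet its `k` prefix reads as a constant next to the genuinely constant `kFirstMessage` two lines above; renaming it `char second_message[100];` and updating the SafeSPrintf call, the size check and the write() call keeps the constant-naming convention meaningful. The handler itself looks sound for signal context: errno is saved and restored, and it only calls write(), chroot() and base::strings::SafeSPrintf, which is intended to be async-signal-safe. In SetDumpableStatusAndHandlers the early `return true;` on the debugging path skips PR_SET_DUMPABLE entirely, which the inline comment does not spell out; a line such as `// Deliberately leave the process dumpable while sandbox debugging is enabled.` at that return would make the intent visible to the next reader.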
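--- a/content/common/sandbox_linux/sandbox_debug_handling_linux.h
+++ b/content/common/sandbox_linux/sandbox_debug_handling_linux.h
@@ -0,0 +1,25 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_DEBUG_HANDLING_LINUX_H_
+#define CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_DEBUG_HANDLING_LINUX_H_
+
+#include "base/macros.h"
+
+namespace content {
+
+class SandboxDebugHandling {
+public:
+// Depending on the command line, set the current process as
+// non dumpable. Also set any signal handlers for sandbox
+// debugging.
+static bool SetDumpableStatusAndHandlers();
+
+private:
+DISALLOW_IMPLICIT_CONSTRUCTORS(SandboxDebugHandling);
+};
+
+} // namespace content
+
+#endif // CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_DEBUG_HANDLING_LINUX_H_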
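Review bot: The comment on SetDumpableStatusAndHandlers does not say what the returned bool means, and the implementation gives `true` two different meanings: the process was made non-dumpable and that was verified with PR_GET_DUMPABLE, or sandbox debugging is enabled and the process was deliberately left dumpable with a SIGUSR2 crash-test handler installed; only a failed PR_SET_DUMPABLE yields `false`. A caller that reads `true` as "the process is now non-dumpable" would be wrong on the debugging path. Suggest adding to the comment: `// Returns true if the process is in the state the command line asks for (non-dumpable, or dumpable with the debugging handler installed), false if clearing the dumpable flag failed.`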