1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "sandbox/linux/services/broker_process.h" 6 7 #include <fcntl.h> 8 #include <sys/socket.h> 9 #include <sys/stat.h> 10 #include <sys/syscall.h> 11 #include <sys/types.h> 12 #include <unistd.h> 13 14 #include <algorithm> 15 #include <string> 16 #include <vector> 17 18 #include "base/basictypes.h" 19 #include "base/logging.h" 20 #include "base/pickle.h" 21 #include "base/posix/eintr_wrapper.h" 22 #include "base/posix/unix_domain_socket_linux.h" 23 #include "build/build_config.h" 24 #include "sandbox/linux/services/linux_syscalls.h" 25 26 #if defined(OS_ANDROID) && !defined(MSG_CMSG_CLOEXEC) 27 #define MSG_CMSG_CLOEXEC 0x40000000 28 #endif 29 30 namespace { 31 32 static const size_t kMaxMessageLength = 4096; 33 34 // Some flags are local to the current process and cannot be sent over a Unix 35 // socket. They need special treatment from the client. 36 // O_CLOEXEC is tricky because in theory another thread could call execve() 37 // before special treatment is made on the client, so a client needs to call 38 // recvmsg(2) with MSG_CMSG_CLOEXEC. 39 // To make things worse, there are two CLOEXEC related flags, FD_CLOEXEC (see 40 // F_GETFD in fcntl(2)) and O_CLOEXEC (see F_GETFL in fcntl(2)). O_CLOEXEC 41 // doesn't affect the semantics on execve(), it's merely a note that the 42 // descriptor was originally opened with O_CLOEXEC as a flag. And it is sent 43 // over unix sockets just fine, so a receiver that would (incorrectly) look at 44 // O_CLOEXEC instead of FD_CLOEXEC may be tricked in thinking that the file 45 // descriptor will or won't be closed on execve(). 46 // Since we have to account for buggy userland (see crbug.com/237283), we will 47 // open(2) the file with O_CLOEXEC in the broker process if necessary, in 48 // addition to calling recvmsg(2) with MSG_CMSG_CLOEXEC. 49 static const int kCurrentProcessOpenFlagsMask = O_CLOEXEC; 50 51 // Check whether |requested_filename| is in |allowed_file_names|. 52 // See GetFileNameIfAllowedToOpen() for an explanation of |file_to_open|. 53 // async signal safe if |file_to_open| is NULL. 54 // TODO(jln): assert signal safety. 55 bool GetFileNameInWhitelist(const std::vector<std::string>& allowed_file_names, 56 const char* requested_filename, 57 const char** file_to_open) { 58 if (file_to_open && *file_to_open) { 59 // Make sure that callers never pass a non-empty string. In case callers 60 // wrongly forget to check the return value and look at the string 61 // instead, this could catch bugs. 62 RAW_LOG(FATAL, "*file_to_open should be NULL"); 63 return false; 64 } 65 66 // Look for |requested_filename| in |allowed_file_names|. 67 // We don't use ::find() because it takes a std::string and 68 // the conversion allocates memory. 69 std::vector<std::string>::const_iterator it; 70 for (it = allowed_file_names.begin(); it != allowed_file_names.end(); it++) { 71 if (strcmp(requested_filename, it->c_str()) == 0) { 72 if (file_to_open) 73 *file_to_open = it->c_str(); 74 return true; 75 } 76 } 77 return false; 78 } 79 80 // We maintain a list of flags that have been reviewed for "sanity" and that 81 // we're ok to allow in the broker. 82 // I.e. here is where we wouldn't add O_RESET_FILE_SYSTEM. 83 bool IsAllowedOpenFlags(int flags) { 84 // First, check the access mode 85 const int access_mode = flags & O_ACCMODE; 86 if (access_mode != O_RDONLY && access_mode != O_WRONLY && 87 access_mode != O_RDWR) { 88 return false; 89 } 90 91 // We only support a 2-parameters open, so we forbid O_CREAT. 92 if (flags & O_CREAT) { 93 return false; 94 } 95 96 // Some flags affect the behavior of the current process. We don't support 97 // them and don't allow them for now. 98 if (flags & kCurrentProcessOpenFlagsMask) { 99 // We make an exception for O_CLOEXEC. Buggy userland could check for 100 // O_CLOEXEC and the only way to set it is to originally open with this 101 // flag. See the comment around kCurrentProcessOpenFlagsMask. 102 if (!(flags & O_CLOEXEC)) 103 return false; 104 } 105 106 // Now check that all the flags are known to us. 107 const int creation_and_status_flags = flags & ~O_ACCMODE; 108 109 const int known_flags = 110 O_APPEND | O_ASYNC | O_CLOEXEC | O_CREAT | O_DIRECT | 111 O_DIRECTORY | O_EXCL | O_LARGEFILE | O_NOATIME | O_NOCTTY | 112 O_NOFOLLOW | O_NONBLOCK | O_NDELAY | O_SYNC | O_TRUNC; 113 114 const int unknown_flags = ~known_flags; 115 const bool has_unknown_flags = creation_and_status_flags & unknown_flags; 116 return !has_unknown_flags; 117 } 118 119 } // namespace 120 121 namespace sandbox { 122 123 BrokerProcess::BrokerProcess(const std::vector<std::string>& allowed_r_files, 124 const std::vector<std::string>& allowed_w_files, 125 bool fast_check_in_client, 126 bool quiet_failures_for_tests) 127 : initialized_(false), 128 is_child_(false), 129 fast_check_in_client_(fast_check_in_client), 130 quiet_failures_for_tests_(quiet_failures_for_tests), 131 broker_pid_(-1), 132 allowed_r_files_(allowed_r_files), 133 allowed_w_files_(allowed_w_files), 134 ipc_socketpair_(-1) { 135 } 136 137 BrokerProcess::~BrokerProcess() { 138 if (initialized_ && ipc_socketpair_ != -1) { 139 void (HANDLE_EINTR(close(ipc_socketpair_))); 140 } 141 } 142 143 bool BrokerProcess::Init(bool (*sandbox_callback)(void)) { 144 CHECK(!initialized_); 145 int socket_pair[2]; 146 // Use SOCK_SEQPACKET, because we need to preserve message boundaries 147 // but we also want to be notified (recvmsg should return and not block) 148 // when the connection has been broken (one of the processes died). 149 if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, socket_pair)) { 150 LOG(ERROR) << "Failed to create socketpair"; 151 return false; 152 } 153 154 int child_pid = fork(); 155 if (child_pid == -1) { 156 (void) HANDLE_EINTR(close(socket_pair[0])); 157 (void) HANDLE_EINTR(close(socket_pair[1])); 158 return false; 159 } 160 if (child_pid) { 161 // We are the parent and we have just forked our broker process. 162 (void) HANDLE_EINTR(close(socket_pair[0])); 163 // We should only be able to write to the IPC channel. We'll always send 164 // a new file descriptor to receive the reply on. 165 shutdown(socket_pair[1], SHUT_RD); 166 ipc_socketpair_ = socket_pair[1]; 167 is_child_ = false; 168 broker_pid_ = child_pid; 169 initialized_ = true; 170 return true; 171 } else { 172 // We are the broker. 173 (void) HANDLE_EINTR(close(socket_pair[1])); 174 // We should only be able to read from this IPC channel. We will send our 175 // replies on a new file descriptor attached to the requests. 176 shutdown(socket_pair[0], SHUT_WR); 177 ipc_socketpair_ = socket_pair[0]; 178 is_child_ = true; 179 // Enable the sandbox if provided. 180 if (sandbox_callback) { 181 CHECK(sandbox_callback()); 182 } 183 initialized_ = true; 184 for (;;) { 185 HandleRequest(); 186 } 187 _exit(1); 188 } 189 NOTREACHED(); 190 } 191 192 int BrokerProcess::Access(const char* pathname, int mode) const { 193 return PathAndFlagsSyscall(kCommandAccess, pathname, mode); 194 } 195 196 int BrokerProcess::Open(const char* pathname, int flags) const { 197 return PathAndFlagsSyscall(kCommandOpen, pathname, flags); 198 } 199 200 // Make a remote system call over IPC for syscalls that take a path and flags 201 // as arguments, currently open() and access(). 202 // Will return -errno like a real system call. 203 // This function needs to be async signal safe. 204 int BrokerProcess::PathAndFlagsSyscall(enum IPCCommands syscall_type, 205 const char* pathname, int flags) const { 206 int recvmsg_flags = 0; 207 RAW_CHECK(initialized_); // async signal safe CHECK(). 208 RAW_CHECK(syscall_type == kCommandOpen || syscall_type == kCommandAccess); 209 if (!pathname) 210 return -EFAULT; 211 212 // For this "remote system call" to work, we need to handle any flag that 213 // cannot be sent over a Unix socket in a special way. 214 // See the comments around kCurrentProcessOpenFlagsMask. 215 if (syscall_type == kCommandOpen && (flags & kCurrentProcessOpenFlagsMask)) { 216 // This implementation only knows about O_CLOEXEC, someone needs to look at 217 // this code if other flags are added. 218 RAW_CHECK(kCurrentProcessOpenFlagsMask == O_CLOEXEC); 219 recvmsg_flags |= MSG_CMSG_CLOEXEC; 220 } 221 222 // There is no point in forwarding a request that we know will be denied. 223 // Of course, the real security check needs to be on the other side of the 224 // IPC. 225 if (fast_check_in_client_) { 226 if (syscall_type == kCommandOpen && 227 !GetFileNameIfAllowedToOpen(pathname, flags, NULL)) { 228 return -EPERM; 229 } 230 if (syscall_type == kCommandAccess && 231 !GetFileNameIfAllowedToAccess(pathname, flags, NULL)) { 232 return -EPERM; 233 } 234 } 235 236 Pickle write_pickle; 237 write_pickle.WriteInt(syscall_type); 238 write_pickle.WriteString(pathname); 239 write_pickle.WriteInt(flags); 240 RAW_CHECK(write_pickle.size() <= kMaxMessageLength); 241 242 int returned_fd = -1; 243 uint8_t reply_buf[kMaxMessageLength]; 244 245 // Send a request (in write_pickle) as well that will include a new 246 // temporary socketpair (created internally by SendRecvMsg()). 247 // Then read the reply on this new socketpair in reply_buf and put an 248 // eventual attached file descriptor in |returned_fd|. 249 ssize_t msg_len = UnixDomainSocket::SendRecvMsgWithFlags(ipc_socketpair_, 250 reply_buf, 251 sizeof(reply_buf), 252 recvmsg_flags, 253 &returned_fd, 254 write_pickle); 255 if (msg_len <= 0) { 256 if (!quiet_failures_for_tests_) 257 RAW_LOG(ERROR, "Could not make request to broker process"); 258 return -ENOMEM; 259 } 260 261 Pickle read_pickle(reinterpret_cast<char*>(reply_buf), msg_len); 262 PickleIterator iter(read_pickle); 263 int return_value = -1; 264 // Now deserialize the return value and eventually return the file 265 // descriptor. 266 if (read_pickle.ReadInt(&iter, &return_value)) { 267 switch (syscall_type) { 268 case kCommandAccess: 269 // We should never have a fd to return. 270 RAW_CHECK(returned_fd == -1); 271 return return_value; 272 case kCommandOpen: 273 if (return_value < 0) { 274 RAW_CHECK(returned_fd == -1); 275 return return_value; 276 } else { 277 // We have a real file descriptor to return. 278 RAW_CHECK(returned_fd >= 0); 279 return returned_fd; 280 } 281 default: 282 RAW_LOG(ERROR, "Unsupported command"); 283 return -ENOSYS; 284 } 285 } else { 286 RAW_LOG(ERROR, "Could not read pickle"); 287 NOTREACHED(); 288 return -EPERM; 289 } 290 } 291 292 // Handle a request on the IPC channel ipc_socketpair_. 293 // A request should have a file descriptor attached on which we will reply and 294 // that we will then close. 295 // A request should start with an int that will be used as the command type. 296 bool BrokerProcess::HandleRequest() const { 297 298 std::vector<int> fds; 299 char buf[kMaxMessageLength]; 300 errno = 0; 301 const ssize_t msg_len = UnixDomainSocket::RecvMsg(ipc_socketpair_, buf, 302 sizeof(buf), &fds); 303 304 if (msg_len == 0 || (msg_len == -1 && errno == ECONNRESET)) { 305 // EOF from our parent, or our parent died, we should die. 306 _exit(0); 307 } 308 309 // The parent should send exactly one file descriptor, on which we 310 // will write the reply. 311 if (msg_len < 0 || fds.size() != 1 || fds.at(0) < 0) { 312 PLOG(ERROR) << "Error reading message from the client"; 313 return false; 314 } 315 316 const int temporary_ipc = fds.at(0); 317 318 Pickle pickle(buf, msg_len); 319 PickleIterator iter(pickle); 320 int command_type; 321 if (pickle.ReadInt(&iter, &command_type)) { 322 bool r = false; 323 // Go through all the possible IPC messages. 324 switch (command_type) { 325 case kCommandAccess: 326 case kCommandOpen: 327 // We reply on the file descriptor sent to us via the IPC channel. 328 r = HandleRemoteCommand(static_cast<IPCCommands>(command_type), 329 temporary_ipc, pickle, iter); 330 break; 331 default: 332 NOTREACHED(); 333 r = false; 334 break; 335 } 336 int ret = HANDLE_EINTR(close(temporary_ipc)); 337 DCHECK(!ret) << "Could not close temporary IPC channel"; 338 return r; 339 } 340 341 LOG(ERROR) << "Error parsing IPC request"; 342 return false; 343 } 344 345 // Handle a |command_type| request contained in |read_pickle| and send the reply 346 // on |reply_ipc|. 347 // Currently kCommandOpen and kCommandAccess are supported. 348 bool BrokerProcess::HandleRemoteCommand(IPCCommands command_type, int reply_ipc, 349 const Pickle& read_pickle, 350 PickleIterator iter) const { 351 // Currently all commands have two arguments: filename and flags. 352 std::string requested_filename; 353 int flags = 0; 354 if (!read_pickle.ReadString(&iter, &requested_filename) || 355 !read_pickle.ReadInt(&iter, &flags)) { 356 return -1; 357 } 358 359 Pickle write_pickle; 360 std::vector<int> opened_files; 361 362 switch (command_type) { 363 case kCommandAccess: 364 AccessFileForIPC(requested_filename, flags, &write_pickle); 365 break; 366 case kCommandOpen: 367 OpenFileForIPC(requested_filename, flags, &write_pickle, &opened_files); 368 break; 369 default: 370 LOG(ERROR) << "Invalid IPC command"; 371 break; 372 } 373 374 CHECK_LE(write_pickle.size(), kMaxMessageLength); 375 ssize_t sent = UnixDomainSocket::SendMsg(reply_ipc, write_pickle.data(), 376 write_pickle.size(), opened_files); 377 378 // Close anything we have opened in this process. 379 for (std::vector<int>::iterator it = opened_files.begin(); 380 it < opened_files.end(); ++it) { 381 int ret = HANDLE_EINTR(close(*it)); 382 DCHECK(!ret) << "Could not close file descriptor"; 383 } 384 385 if (sent <= 0) { 386 LOG(ERROR) << "Could not send IPC reply"; 387 return false; 388 } 389 return true; 390 } 391 392 // Perform access(2) on |requested_filename| with mode |mode| if allowed by our 393 // policy. Write the syscall return value (-errno) to |write_pickle|. 394 void BrokerProcess::AccessFileForIPC(const std::string& requested_filename, 395 int mode, Pickle* write_pickle) const { 396 DCHECK(write_pickle); 397 const char* file_to_access = NULL; 398 const bool safe_to_access_file = GetFileNameIfAllowedToAccess( 399 requested_filename.c_str(), mode, &file_to_access); 400 401 if (safe_to_access_file) { 402 CHECK(file_to_access); 403 int access_ret = access(file_to_access, mode); 404 int access_errno = errno; 405 if (!access_ret) 406 write_pickle->WriteInt(0); 407 else 408 write_pickle->WriteInt(-access_errno); 409 } else { 410 write_pickle->WriteInt(-EPERM); 411 } 412 } 413 414 // Open |requested_filename| with |flags| if allowed by our policy. 415 // Write the syscall return value (-errno) to |write_pickle| and append 416 // a file descriptor to |opened_files| if relevant. 417 void BrokerProcess::OpenFileForIPC(const std::string& requested_filename, 418 int flags, Pickle* write_pickle, 419 std::vector<int>* opened_files) const { 420 DCHECK(write_pickle); 421 DCHECK(opened_files); 422 const char* file_to_open = NULL; 423 const bool safe_to_open_file = GetFileNameIfAllowedToOpen( 424 requested_filename.c_str(), flags, &file_to_open); 425 426 if (safe_to_open_file) { 427 CHECK(file_to_open); 428 // We're doing a 2-parameter open, so we don't support O_CREAT. It doesn't 429 // hurt to always pass a third argument though. 430 int opened_fd = syscall(__NR_open, file_to_open, flags, 0); 431 if (opened_fd < 0) { 432 write_pickle->WriteInt(-errno); 433 } else { 434 // Success. 435 opened_files->push_back(opened_fd); 436 write_pickle->WriteInt(0); 437 } 438 } else { 439 write_pickle->WriteInt(-EPERM); 440 } 441 } 442 443 444 // Check if calling access() should be allowed on |requested_filename| with 445 // mode |requested_mode|. 446 // Note: access() being a system call to check permissions, this can get a bit 447 // confusing. We're checking if calling access() should even be allowed with 448 // the same policy we would use for open(). 449 // If |file_to_access| is not NULL, we will return the matching pointer from 450 // the whitelist. For paranoia a caller should then use |file_to_access|. See 451 // GetFileNameIfAllowedToOpen() fore more explanation. 452 // return true if calling access() on this file should be allowed, false 453 // otherwise. 454 // Async signal safe if and only if |file_to_access| is NULL. 455 bool BrokerProcess::GetFileNameIfAllowedToAccess(const char* requested_filename, 456 int requested_mode, const char** file_to_access) const { 457 // First, check if |requested_mode| is existence, ability to read or ability 458 // to write. We do not support X_OK. 459 if (requested_mode != F_OK && 460 requested_mode & ~(R_OK | W_OK)) { 461 return false; 462 } 463 switch (requested_mode) { 464 case F_OK: 465 // We allow to check for file existence if we can either read or write. 466 return GetFileNameInWhitelist(allowed_r_files_, requested_filename, 467 file_to_access) || 468 GetFileNameInWhitelist(allowed_w_files_, requested_filename, 469 file_to_access); 470 case R_OK: 471 return GetFileNameInWhitelist(allowed_r_files_, requested_filename, 472 file_to_access); 473 case W_OK: 474 return GetFileNameInWhitelist(allowed_w_files_, requested_filename, 475 file_to_access); 476 case R_OK | W_OK: 477 { 478 bool allowed_for_read_and_write = 479 GetFileNameInWhitelist(allowed_r_files_, requested_filename, NULL) && 480 GetFileNameInWhitelist(allowed_w_files_, requested_filename, 481 file_to_access); 482 return allowed_for_read_and_write; 483 } 484 default: 485 return false; 486 } 487 } 488 489 // Check if |requested_filename| can be opened with flags |requested_flags|. 490 // If |file_to_open| is not NULL, we will return the matching pointer from the 491 // whitelist. For paranoia, a caller should then use |file_to_open| rather 492 // than |requested_filename|, so that it never attempts to open an 493 // attacker-controlled file name, even if an attacker managed to fool the 494 // string comparison mechanism. 495 // Return true if opening should be allowed, false otherwise. 496 // Async signal safe if and only if |file_to_open| is NULL. 497 bool BrokerProcess::GetFileNameIfAllowedToOpen(const char* requested_filename, 498 int requested_flags, const char** file_to_open) const { 499 if (!IsAllowedOpenFlags(requested_flags)) { 500 return false; 501 } 502 switch (requested_flags & O_ACCMODE) { 503 case O_RDONLY: 504 return GetFileNameInWhitelist(allowed_r_files_, requested_filename, 505 file_to_open); 506 case O_WRONLY: 507 return GetFileNameInWhitelist(allowed_w_files_, requested_filename, 508 file_to_open); 509 case O_RDWR: 510 { 511 bool allowed_for_read_and_write = 512 GetFileNameInWhitelist(allowed_r_files_, requested_filename, NULL) && 513 GetFileNameInWhitelist(allowed_w_files_, requested_filename, 514 file_to_open); 515 return allowed_for_read_and_write; 516 } 517 default: 518 return false; 519 } 520 } 521 522 } // namespace sandbox. 523
