1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_ 6#define CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_ 7 8#include <string> 9 10#include "base/basictypes.h" 11#include "base/memory/scoped_ptr.h" 12#include "content/public/common/sandbox_linux.h" 13 14template <typename T> struct DefaultSingletonTraits; 15namespace base { 16class Thread; 17} 18namespace sandbox { class SetuidSandboxClient; } 19 20namespace content { 21 22// A singleton class to represent and change our sandboxing state for the 23// three main Linux sandboxes. 24class LinuxSandbox { 25 public: 26 // This is a list of sandbox IPC methods which the renderer may send to the 27 // sandbox host. See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC 28 // This isn't the full list, values < 32 are reserved for methods called from 29 // Skia. 30 enum LinuxSandboxIPCMethods { 31 METHOD_GET_FONT_FAMILY_FOR_CHAR = 32, 32 METHOD_LOCALTIME = 33, 33 METHOD_GET_CHILD_WITH_INODE = 34, 34 METHOD_GET_STYLE_FOR_STRIKE = 35, 35 METHOD_MAKE_SHARED_MEMORY_SEGMENT = 36, 36 METHOD_MATCH_WITH_FALLBACK = 37, 37 }; 38 39 // Get our singleton instance. 40 static LinuxSandbox* GetInstance(); 41 42 // Do some initialization that can only be done before any of the sandboxes 43 // are enabled. If using the setuid sandbox, this should be called manually 44 // before the setuid sandbox is engaged. 45 void PreinitializeSandbox(); 46 47 // Initialize the sandbox with the given pre-built configuration. Currently 48 // seccomp-bpf and address space limitations (the setuid sandbox works 49 // differently and is set-up in the Zygote). This will instantiate the 50 // LinuxSandbox singleton if it doesn't already exist. 51 // This function should only be called without any thread running. 52 static bool InitializeSandbox(); 53 54 // Stop |thread| in a way that can be trusted by the sandbox. 55 static void StopThread(base::Thread* thread); 56 57 // Returns the status of the renderer, worker and ppapi sandbox. Can only 58 // be queried after going through PreinitializeSandbox(). This is a bitmask 59 // and uses the constants defined in "enum LinuxSandboxStatus". Since the 60 // status needs to be provided before the sandboxes are actually started, 61 // this returns what will actually happen once InitializeSandbox() 62 // is called from inside these processes. 63 int GetStatus(); 64 // Returns true if the current process is single-threaded or if the number 65 // of threads cannot be determined. 66 bool IsSingleThreaded() const; 67 // Did we start Seccomp BPF? 68 bool seccomp_bpf_started() const; 69 70 // Simple accessor for our instance of the setuid sandbox. Will never return 71 // NULL. 72 // There is no StartSetuidSandbox(), the SetuidSandboxClient instance should 73 // be used directly. 74 sandbox::SetuidSandboxClient* setuid_sandbox_client() const; 75 76 // Check the policy and eventually start the seccomp-bpf sandbox. This should 77 // never be called with threads started. If we detect that threads have 78 // started we will crash. 79 bool StartSeccompBPF(const std::string& process_type); 80 81 // Limit the address space of the current process (and its children). 82 // to make some vulnerabilities harder to exploit. 83 bool LimitAddressSpace(const std::string& process_type); 84 85 private: 86 friend struct DefaultSingletonTraits<LinuxSandbox>; 87 88 // Some methods are static and get an instance of the Singleton. These 89 // are the non-static implementations. 90 bool InitializeSandboxImpl(); 91 void StopThreadImpl(base::Thread* thread); 92 // We must have been pre_initialized_ before using this. 93 bool seccomp_bpf_supported() const; 94 // Returns true if it can be determined that the current process has open 95 // directories that are not managed by the LinuxSandbox class. This would 96 // be a vulnerability as it would allow to bypass the setuid sandbox. 97 bool HasOpenDirectories() const; 98 // The last part of the initialization is to make sure any temporary "hole" 99 // in the sandbox is closed. For now, this consists of closing proc_fd_. 100 void SealSandbox(); 101 // GetStatus() makes promises as to how the sandbox will behave. This 102 // checks that no promises have been broken. 103 void CheckForBrokenPromises(const std::string& process_type); 104 // Stop |thread| and make sure it does not appear in /proc/self/tasks/ 105 // anymore. 106 void StopThreadAndEnsureNotCounted(base::Thread* thread) const; 107 108 // A file descriptor to /proc. It's dangerous to have it around as it could 109 // allow for sandbox bypasses. It needs to be closed before we consider 110 // ourselves sandboxed. 111 int proc_fd_; 112 bool seccomp_bpf_started_; 113 // The value returned by GetStatus(). Gets computed once and then cached. 114 int sandbox_status_flags_; 115 // Did PreinitializeSandbox() run? 116 bool pre_initialized_; 117 bool seccomp_bpf_supported_; // Accurate if pre_initialized_. 118 scoped_ptr<sandbox::SetuidSandboxClient> setuid_sandbox_client_; 119 120 ~LinuxSandbox(); 121 DISALLOW_IMPLICIT_CONSTRUCTORS(LinuxSandbox); 122}; 123 124} // namespace content 125 126#endif // CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_ 127