// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "content/zygote/zygote_main.h" #include <dlfcn.h> #include <errno.h> #include <fcntl.h> #include <pthread.h> #include <stdio.h> #include <sys/socket.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/wait.h> #include <unistd.h> #include "base/basictypes.h" #include "base/bind.h" #include "base/callback.h" #include "base/command_line.h" #include "base/linux_util.h" #include "base/native_library.h" #include "base/pickle.h" #include "base/posix/unix_domain_socket_linux.h" #include "base/rand_util.h" #include "base/sys_info.h" #include "build/build_config.h" #include "content/common/child_process_sandbox_support_impl_linux.h" #include "content/common/font_config_ipc_linux.h" #include "content/common/pepper_plugin_list.h" #include "content/common/sandbox_linux/sandbox_linux.h" #include "content/common/zygote_commands_linux.h" #include "content/public/common/content_switches.h" #include "content/public/common/main_function_params.h" #include "content/public/common/pepper_plugin_info.h" #include "content/public/common/sandbox_linux.h" #include "content/public/common/zygote_fork_delegate_linux.h" #include "content/zygote/zygote_linux.h" #include "crypto/nss_util.h" #include "sandbox/linux/services/libc_urandom_override.h" #include "sandbox/linux/suid/client/setuid_sandbox_client.h" #include "third_party/icu/source/i18n/unicode/timezone.h" #include "third_party/skia/include/ports/SkFontConfigInterface.h" #if defined(OS_LINUX) #include <sys/epoll.h> #include <sys/prctl.h> #include <sys/signal.h> #else #include <signal.h> #endif #if defined(ENABLE_WEBRTC) #include "third_party/libjingle/overrides/init_webrtc.h" #endif namespace content { // See http://code.google.com/p/chromium/wiki/LinuxZygote static void ProxyLocaltimeCallToBrowser(time_t input, struct tm* output, char* timezone_out, size_t timezone_out_len) { Pickle request; request.WriteInt(LinuxSandbox::METHOD_LOCALTIME); request.WriteString( std::string(reinterpret_cast<char*>(&input), sizeof(input))); uint8_t reply_buf[512]; const ssize_t r = UnixDomainSocket::SendRecvMsg( GetSandboxFD(), reply_buf, sizeof(reply_buf), NULL, request); if (r == -1) { memset(output, 0, sizeof(struct tm)); return; } Pickle reply(reinterpret_cast<char*>(reply_buf), r); PickleIterator iter(reply); std::string result, timezone; if (!reply.ReadString(&iter, &result) || !reply.ReadString(&iter, &timezone) || result.size() != sizeof(struct tm)) { memset(output, 0, sizeof(struct tm)); return; } memcpy(output, result.data(), sizeof(struct tm)); if (timezone_out_len) { const size_t copy_len = std::min(timezone_out_len - 1, timezone.size()); memcpy(timezone_out, timezone.data(), copy_len); timezone_out[copy_len] = 0; output->tm_zone = timezone_out; } else { output->tm_zone = NULL; } } static bool g_am_zygote_or_renderer = false; // Sandbox interception of libc calls. // // Because we are running in a sandbox certain libc calls will fail (localtime // being the motivating example - it needs to read /etc/localtime). We need to // intercept these calls and proxy them to the browser. However, these calls // may come from us or from our libraries. In some cases we can't just change // our code. // // It's for these cases that we have the following setup: // // We define global functions for those functions which we wish to override. // Since we will be first in the dynamic resolution order, the dynamic linker // will point callers to our versions of these functions. However, we have the // same binary for both the browser and the renderers, which means that our // overrides will apply in the browser too. // // The global |g_am_zygote_or_renderer| is true iff we are in a zygote or // renderer process. It's set in ZygoteMain and inherited by the renderers when // they fork. (This means that it'll be incorrect for global constructor // functions and before ZygoteMain is called - beware). // // Our replacement functions can check this global and either proxy // the call to the browser over the sandbox IPC // (http://code.google.com/p/chromium/wiki/LinuxSandboxIPC) or they can use // dlsym with RTLD_NEXT to resolve the symbol, ignoring any symbols in the // current module. // // Other avenues: // // Our first attempt involved some assembly to patch the GOT of the current // module. This worked, but was platform specific and doesn't catch the case // where a library makes a call rather than current module. // // We also considered patching the function in place, but this would again by // platform specific and the above technique seems to work well enough. typedef struct tm* (*LocaltimeFunction)(const time_t* timep); typedef struct tm* (*LocaltimeRFunction)(const time_t* timep, struct tm* result); static pthread_once_t g_libc_localtime_funcs_guard = PTHREAD_ONCE_INIT; static LocaltimeFunction g_libc_localtime; static LocaltimeFunction g_libc_localtime64; static LocaltimeRFunction g_libc_localtime_r; static LocaltimeRFunction g_libc_localtime64_r; static void InitLibcLocaltimeFunctions() { g_libc_localtime = reinterpret_cast<LocaltimeFunction>( dlsym(RTLD_NEXT, "localtime")); g_libc_localtime64 = reinterpret_cast<LocaltimeFunction>( dlsym(RTLD_NEXT, "localtime64")); g_libc_localtime_r = reinterpret_cast<LocaltimeRFunction>( dlsym(RTLD_NEXT, "localtime_r")); g_libc_localtime64_r = reinterpret_cast<LocaltimeRFunction>( dlsym(RTLD_NEXT, "localtime64_r")); if (!g_libc_localtime || !g_libc_localtime_r) { // http://code.google.com/p/chromium/issues/detail?id=16800 // // Nvidia's libGL.so overrides dlsym for an unknown reason and replaces // it with a version which doesn't work. In this case we'll get a NULL // result. There's not a lot we can do at this point, so we just bodge it! LOG(ERROR) << "Your system is broken: dlsym doesn't work! This has been " "reported to be caused by Nvidia's libGL. You should expect" " time related functions to misbehave. " "http://code.google.com/p/chromium/issues/detail?id=16800"; } if (!g_libc_localtime) g_libc_localtime = gmtime; if (!g_libc_localtime64) g_libc_localtime64 = g_libc_localtime; if (!g_libc_localtime_r) g_libc_localtime_r = gmtime_r; if (!g_libc_localtime64_r) g_libc_localtime64_r = g_libc_localtime_r; } // Define localtime_override() function with asm name "localtime", so that all // references to localtime() will resolve to this function. Notice that we need // to set visibility attribute to "default" to export the symbol, as it is set // to "hidden" by default in chrome per build/common.gypi. __attribute__ ((__visibility__("default"))) struct tm* localtime_override(const time_t* timep) __asm__ ("localtime"); __attribute__ ((__visibility__("default"))) struct tm* localtime_override(const time_t* timep) { if (g_am_zygote_or_renderer) { static struct tm time_struct; static char timezone_string[64]; ProxyLocaltimeCallToBrowser(*timep, &time_struct, timezone_string, sizeof(timezone_string)); return &time_struct; } else { CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard, InitLibcLocaltimeFunctions)); return g_libc_localtime(timep); } } // Use same trick to override localtime64(), localtime_r() and localtime64_r(). __attribute__ ((__visibility__("default"))) struct tm* localtime64_override(const time_t* timep) __asm__ ("localtime64"); __attribute__ ((__visibility__("default"))) struct tm* localtime64_override(const time_t* timep) { if (g_am_zygote_or_renderer) { static struct tm time_struct; static char timezone_string[64]; ProxyLocaltimeCallToBrowser(*timep, &time_struct, timezone_string, sizeof(timezone_string)); return &time_struct; } else { CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard, InitLibcLocaltimeFunctions)); return g_libc_localtime64(timep); } } __attribute__ ((__visibility__("default"))) struct tm* localtime_r_override(const time_t* timep, struct tm* result) __asm__ ("localtime_r"); __attribute__ ((__visibility__("default"))) struct tm* localtime_r_override(const time_t* timep, struct tm* result) { if (g_am_zygote_or_renderer) { ProxyLocaltimeCallToBrowser(*timep, result, NULL, 0); return result; } else { CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard, InitLibcLocaltimeFunctions)); return g_libc_localtime_r(timep, result); } } __attribute__ ((__visibility__("default"))) struct tm* localtime64_r_override(const time_t* timep, struct tm* result) __asm__ ("localtime64_r"); __attribute__ ((__visibility__("default"))) struct tm* localtime64_r_override(const time_t* timep, struct tm* result) { if (g_am_zygote_or_renderer) { ProxyLocaltimeCallToBrowser(*timep, result, NULL, 0); return result; } else { CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard, InitLibcLocaltimeFunctions)); return g_libc_localtime64_r(timep, result); } } #if defined(ENABLE_PLUGINS) // Loads the (native) libraries but does not initialize them (i.e., does not // call PPP_InitializeModule). This is needed by the zygote on Linux to get // access to the plugins before entering the sandbox. void PreloadPepperPlugins() { std::vector<PepperPluginInfo> plugins; ComputePepperPluginList(&plugins); for (size_t i = 0; i < plugins.size(); ++i) { if (!plugins[i].is_internal && plugins[i].is_sandboxed) { std::string error; base::NativeLibrary library = base::LoadNativeLibrary(plugins[i].path, &error); VLOG_IF(1, !library) << "Unable to load plugin " << plugins[i].path.value() << " " << error; (void)library; // Prevent release-mode warning. } } } #endif // This function triggers the static and lazy construction of objects that need // to be created before imposing the sandbox. static void PreSandboxInit() { base::RandUint64(); base::SysInfo::AmountOfPhysicalMemory(); base::SysInfo::MaxSharedMemorySize(); base::SysInfo::NumberOfProcessors(); // ICU DateFormat class (used in base/time_format.cc) needs to get the // Olson timezone ID by accessing the zoneinfo files on disk. After // TimeZone::createDefault is called once here, the timezone ID is // cached and there's no more need to access the file system. scoped_ptr<icu::TimeZone> zone(icu::TimeZone::createDefault()); #if defined(USE_NSS) // NSS libraries are loaded before sandbox is activated. This is to allow // successful initialization of NSS which tries to load extra library files. crypto::LoadNSSLibraries(); #elif defined(USE_OPENSSL) // OpenSSL is intentionally not supported in the sandboxed processes, see // http://crbug.com/99163. If that ever changes we'll likely need to init // OpenSSL here (at least, load the library and error strings). #else // It's possible that another hypothetical crypto stack would not require // pre-sandbox init, but more likely this is just a build configuration error. #error Which SSL library are you using? #endif #if defined(ENABLE_PLUGINS) // Ensure access to the Pepper plugins before the sandbox is turned on. PreloadPepperPlugins(); #endif #if defined(ENABLE_WEBRTC) InitializeWebRtcModule(); #endif SkFontConfigInterface::SetGlobal( new FontConfigIPC(GetSandboxFD()))->unref(); } static void CloseFdAndHandleEintr(int fd) { close(fd); } // This will set the *using_suid_sandbox variable to true if the SUID sandbox // is enabled. This does not necessarily exclude other types of sandboxing. static bool EnterSuidSandbox(LinuxSandbox* linux_sandbox, bool* using_suid_sandbox, bool* has_started_new_init) { *using_suid_sandbox = false; *has_started_new_init = false; sandbox::SetuidSandboxClient* setuid_sandbox = linux_sandbox->setuid_sandbox_client(); if (!setuid_sandbox) return false; PreSandboxInit(); // Check that the pre-sandbox initialization didn't spawn threads. DCHECK(linux_sandbox->IsSingleThreaded()); if (setuid_sandbox->IsSuidSandboxChild()) { // Use the SUID sandbox. This still allows the seccomp sandbox to // be enabled by the process later. *using_suid_sandbox = true; if (!setuid_sandbox->IsSuidSandboxUpToDate()) { LOG(WARNING) << "You are using a wrong version of the setuid binary!\n" "Please read " "https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment." "\n\n"; } if (!setuid_sandbox->ChrootMe()) return false; if (getpid() == 1) { // The setuid sandbox has created a new PID namespace and we need // to assume the role of init. // This "magic" socket must only appear in one process, so make sure // it gets closed in the parent after fork(). base::Closure zygoteid_fd_closer = base::Bind(CloseFdAndHandleEintr, kZygoteIdFd); const bool init_created = setuid_sandbox->CreateInitProcessReaper(&zygoteid_fd_closer); if (!init_created) { LOG(ERROR) << "Error creating an init process to reap zombies"; return false; } *has_started_new_init = true; } #if !defined(OS_OPENBSD) // Previously, we required that the binary be non-readable. This causes the // kernel to mark the process as non-dumpable at startup. The thinking was // that, although we were putting the renderers into a PID namespace (with // the SUID sandbox), they would nonetheless be in the /same/ PID // namespace. So they could ptrace each other unless they were non-dumpable. // // If the binary was readable, then there would be a window between process // startup and the point where we set the non-dumpable flag in which a // compromised renderer could ptrace attach. // // However, now that we have a zygote model, only the (trusted) zygote // exists at this point and we can set the non-dumpable flag which is // inherited by all our renderer children. // // Note: a non-dumpable process can't be debugged. To debug sandbox-related // issues, one can specify --allow-sandbox-debugging to let the process be // dumpable. const CommandLine& command_line = *CommandLine::ForCurrentProcess(); if (!command_line.HasSwitch(switches::kAllowSandboxDebugging)) { prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) { LOG(ERROR) << "Failed to set non-dumpable flag"; return false; } } #endif } return true; } bool ZygoteMain(const MainFunctionParams& params, ZygoteForkDelegate* forkdelegate) { g_am_zygote_or_renderer = true; sandbox::InitLibcUrandomOverrides(); LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance(); // This will pre-initialize the various sandboxes that need it. linux_sandbox->PreinitializeSandbox(); if (forkdelegate != NULL) { VLOG(1) << "ZygoteMain: initializing fork delegate"; forkdelegate->Init(GetSandboxFD()); } else { VLOG(1) << "ZygoteMain: fork delegate is NULL"; } // Turn on the sandbox. bool using_suid_sandbox = false; bool has_started_new_init = false; if (!EnterSuidSandbox(linux_sandbox, &using_suid_sandbox, &has_started_new_init)) { LOG(FATAL) << "Failed to enter sandbox. Fail safe abort. (errno: " << errno << ")"; return false; } sandbox::SetuidSandboxClient* setuid_sandbox = linux_sandbox->setuid_sandbox_client(); if (setuid_sandbox->IsInNewPIDNamespace() && !has_started_new_init) { LOG(ERROR) << "The SUID sandbox created a new PID namespace but Zygote " "is not the init process. Please, make sure the SUID " "binary is up to date."; } int sandbox_flags = linux_sandbox->GetStatus(); Zygote zygote(sandbox_flags, forkdelegate); // This function call can return multiple times, once per fork(). return zygote.ProcessRequests(); } } // namespace content