The Tor Browser: security/sandbox/linux/Sandbox.cpp@b8a032363ba2 (annotated)

security/sandbox/linux/Sandbox.cpp@b8a032363ba2 (annotated)

security/sandbox/linux/Sandbox.cpp

Thu, 22 Jan 2015 13:21:57 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Thu, 22 Jan 2015 13:21:57 +0100
branch: TOR_BUG_9701
changeset 15: b8a032363ba2
permissions: -rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "mozilla/Sandbox.h"
 #include <unistd.h>
 #include <stdio.h>
 #include <sys/ptrace.h>
 #include <sys/prctl.h>
 #include <sys/syscall.h>
 #include <signal.h>
 #include <string.h>
 #include <linux/futex.h>
 #include <sys/time.h>
 #include <dirent.h>
 #include <stdlib.h>
 #include <pthread.h>
 #include <errno.h>
 #include "mozilla/Atomics.h"
 #include "mozilla/NullPtr.h"
 #include "mozilla/unused.h"
 #include "mozilla/dom/Exceptions.h"
 #include "nsString.h"
 #include "nsThreadUtils.h"
 #ifdef MOZ_CRASHREPORTER
 #include "nsExceptionHandler.h"
 #endif
 #if defined(ANDROID)
 #include "android_ucontext.h"
 #include <android/log.h>
 #endif
 #if defined(MOZ_CONTENT_SANDBOX)
 #include "linux_seccomp.h"
 #include "SandboxFilter.h"
 #endif
 #ifdef MOZ_LOGGING
 #define FORCE_PR_LOG 1
 #endif
 #include "prlog.h"
 #include "prenv.h"
 namespace mozilla {
 #if defined(ANDROID)
 #define LOG_ERROR(args...) __android_log_print(ANDROID_LOG_ERROR, "Sandbox", ## args)
 #elif defined(PR_LOGGING)
 static PRLogModuleInfo* gSeccompSandboxLog;
 #define LOG_ERROR(args...) PR_LOG(gSeccompSandboxLog, PR_LOG_ERROR, (args))
 #else
 #define LOG_ERROR(args...)
 #endif
 /**
  * Log JS stack info in the same place as the sandbox violation
  * message.  Useful in case the responsible code is JS and all we have
  * are logs and a minidump with the C++ stacks (e.g., on TBPL).
  */
 static void
 SandboxLogJSStack(void)
 {
   if (!NS_IsMainThread()) {
     // This might be a worker thread... or it might be a non-JS
     // thread, or a non-NSPR thread.  There's isn't a good API for
     // dealing with this, yet.
     return;
   }
   nsCOMPtr<nsIStackFrame> frame = dom::GetCurrentJSStack();
   for (int i = 0; frame != nullptr; ++i) {
     nsAutoString fileName, funName;
     int32_t lineNumber;
     // Don't stop unwinding if an attribute can't be read.
     fileName.SetIsVoid(true);
     unused << frame->GetFilename(fileName);
     lineNumber = 0;
     unused << frame->GetLineNumber(&lineNumber);
     funName.SetIsVoid(true);
     unused << frame->GetName(funName);
     if (!funName.IsVoid() || !fileName.IsVoid()) {
       LOG_ERROR("JS frame %d: %s %s line %d", i,
                 funName.IsVoid() ?
                   "(anonymous)" : NS_ConvertUTF16toUTF8(funName).get(),
                 fileName.IsVoid() ?
                   "(no file)" : NS_ConvertUTF16toUTF8(fileName).get(),
                 lineNumber);
     }
     nsCOMPtr<nsIStackFrame> nextFrame;
     nsresult rv = frame->GetCaller(getter_AddRefs(nextFrame));
     NS_ENSURE_SUCCESS_VOID(rv);
     frame = nextFrame;
   }
 }
 /**
  * This is the SIGSYS handler function. It is used to report to the user
  * which system call has been denied by Seccomp.
  * This function also makes the process exit as denying the system call
  * will otherwise generally lead to unexpected behavior from the process,
  * since we don't know if all functions will handle such denials gracefully.
  *
  * @see InstallSyscallReporter() function.
  */
 #ifdef MOZ_CONTENT_SANDBOX_REPORTER
 static void
 Reporter(int nr, siginfo_t *info, void *void_context)
 {
   ucontext_t *ctx = static_cast<ucontext_t*>(void_context);
   unsigned long syscall_nr, args[6];
   pid_t pid = getpid(), tid = syscall(__NR_gettid);
   if (nr != SIGSYS) {
     return;
   }
   if (info->si_code != SYS_SECCOMP) {
     return;
   }
   if (!ctx) {
     return;
   }
   syscall_nr = SECCOMP_SYSCALL(ctx);
   args[0] = SECCOMP_PARM1(ctx);
   args[1] = SECCOMP_PARM2(ctx);
   args[2] = SECCOMP_PARM3(ctx);
   args[3] = SECCOMP_PARM4(ctx);
   args[4] = SECCOMP_PARM5(ctx);
   args[5] = SECCOMP_PARM6(ctx);
   LOG_ERROR("seccomp sandbox violation: pid %d, syscall %lu, args %lu %lu %lu"
             " %lu %lu %lu.  Killing process.", pid, syscall_nr,
             args[0], args[1], args[2], args[3], args[4], args[5]);
 #ifdef MOZ_CRASHREPORTER
   bool dumped = CrashReporter::WriteMinidumpForSigInfo(nr, info, void_context);
   if (!dumped) {
     LOG_ERROR("Failed to write minidump");
   }
 #endif
   // Do this last, in case it crashes or deadlocks.
   SandboxLogJSStack();
   // Try to reraise, so the parent sees that this process crashed.
   // (If tgkill is forbidden, then seccomp will raise SIGSYS, which
   // also accomplishes that goal.)
   signal(SIGSYS, SIG_DFL);
   syscall(__NR_tgkill, pid, tid, nr);
   _exit(127);
 }
 /**
  * The reporter is called when the process receives a SIGSYS signal.
  * The signal is sent by the kernel when Seccomp encounter a system call
  * that has not been allowed.
  * We register an action for that signal (calling the Reporter function).
  *
  * This function should not be used in production and thus generally be
  * called from debug code. In production, the process is directly killed.
  * For this reason, the function is ifdef'd, as there is no reason to
  * compile it while unused.
  *
  * @return 0 on success, -1 on failure.
  * @see Reporter() function.
  */
 static int
 InstallSyscallReporter(void)
 {
   struct sigaction act;
   sigset_t mask;
   memset(&act, 0, sizeof(act));
   sigemptyset(&mask);
   sigaddset(&mask, SIGSYS);
   act.sa_sigaction = &Reporter;
   act.sa_flags = SA_SIGINFO | SA_NODEFER;
   if (sigaction(SIGSYS, &act, nullptr) < 0) {
     return -1;
   }
   if (sigemptyset(&mask) ||
     sigaddset(&mask, SIGSYS) ||
     sigprocmask(SIG_UNBLOCK, &mask, nullptr)) {
       return -1;
   }
   return 0;
 }
 #endif
 /**
  * This function installs the syscall filter, a.k.a. seccomp.
  * PR_SET_NO_NEW_PRIVS ensures that it is impossible to grant more
  * syscalls to the process beyond this point (even after fork()).
  * SECCOMP_MODE_FILTER is the "bpf" mode of seccomp which allows
  * to pass a bpf program (in our case, it contains a syscall
  * whitelist).
  *
  * @return 0 on success, 1 on failure.
  * @see sock_fprog (the seccomp_prog).
  */
 static int
 InstallSyscallFilter(void)
 {
 #ifdef MOZ_DMD
   char* e = PR_GetEnv("DMD");
   if (e && strcmp(e, "") != 0 && strcmp(e, "0") != 0) {
     LOG_ERROR("SANDBOX DISABLED FOR DMD!  See bug 956961.");
     // Must treat this as "failure" in order to prevent infinite loop;
     // cf. the PR_GET_SECCOMP check below.
     return 1;
   }
 #endif
   if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
     return 1;
   }
   const sock_fprog *filter = GetSandboxFilter();
   if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, (unsigned long)filter, 0, 0)) {
     return 1;
   }
   return 0;
 }
 // Use signals for permissions that need to be set per-thread.
 // The communication channel from the signal handler back to the main thread.
 static mozilla::Atomic<int> sSetSandboxDone;
 // about:memory has the first 3 RT signals.  (We should allocate
 // signals centrally instead of hard-coding them like this.)
 static const int sSetSandboxSignum = SIGRTMIN + 3;
 static bool
 SetThreadSandbox()
 {
   bool didAnything = false;
   if (PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX") == nullptr &&
       prctl(PR_GET_SECCOMP, 0, 0, 0, 0) == 0) {
     if (InstallSyscallFilter() == 0) {
       didAnything = true;
     }
     /*
      * Bug 880797: when all B2G devices are required to support
      * seccomp-bpf, this should exit/crash if InstallSyscallFilter
      * returns nonzero (ifdef MOZ_WIDGET_GONK).
      */
   }
   return didAnything;
 }
 static void
 SetThreadSandboxHandler(int signum)
 {
   // The non-zero number sent back to the main thread indicates
   // whether action was taken.
   if (SetThreadSandbox()) {
     sSetSandboxDone = 2;
   } else {
     sSetSandboxDone = 1;
   }
   // Wake up the main thread.  See the FUTEX_WAIT call, below, for an
   // explanation.
   syscall(__NR_futex, reinterpret_cast<int*>(&sSetSandboxDone),
           FUTEX_WAKE, 1);
 }
 static void
 BroadcastSetThreadSandbox()
 {
   pid_t pid, tid;
   DIR *taskdp;
   struct dirent *de;
   static_assert(sizeof(mozilla::Atomic<int>) == sizeof(int),
                 "mozilla::Atomic<int> isn't represented by an int");
   MOZ_ASSERT(NS_IsMainThread());
   pid = getpid();
   taskdp = opendir("/proc/self/task");
   if (taskdp == nullptr) {
     LOG_ERROR("opendir /proc/self/task: %s\n", strerror(errno));
     MOZ_CRASH();
   }
   if (signal(sSetSandboxSignum, SetThreadSandboxHandler) != SIG_DFL) {
     LOG_ERROR("signal %d in use!\n", sSetSandboxSignum);
     MOZ_CRASH();
   }
   // In case this races with a not-yet-deprivileged thread cloning
   // itself, repeat iterating over all threads until we find none
   // that are still privileged.
   bool sandboxProgress;
   do {
     sandboxProgress = false;
     // For each thread...
     while ((de = readdir(taskdp))) {
       char *endptr;
       tid = strtol(de->d_name, &endptr, 10);
       if (*endptr != '\0' || tid <= 0) {
         // Not a task ID.
         continue;
       }
       if (tid == pid) {
         // Drop the main thread's privileges last, below, so
         // we can continue to signal other threads.
         continue;
       }
       // Reset the futex cell and signal.
       sSetSandboxDone = 0;
       if (syscall(__NR_tgkill, pid, tid, sSetSandboxSignum) != 0) {
         if (errno == ESRCH) {
           LOG_ERROR("Thread %d unexpectedly exited.", tid);
           // Rescan threads, in case it forked before exiting.
           sandboxProgress = true;
           continue;
         }
         LOG_ERROR("tgkill(%d,%d): %s\n", pid, tid, strerror(errno));
         MOZ_CRASH();
       }
       // It's unlikely, but if the thread somehow manages to exit
       // after receiving the signal but before entering the signal
       // handler, we need to avoid blocking forever.
       //
       // Using futex directly lets the signal handler send the wakeup
       // from an async signal handler (pthread mutex/condvar calls
       // aren't allowed), and to use a relative timeout that isn't
       // affected by changes to the system clock (not possible with
       // POSIX semaphores).
       //
       // If a thread doesn't respond within a reasonable amount of
       // time, but still exists, we crash -- the alternative is either
       // blocking forever or silently losing security, and it
       // shouldn't actually happen.
       static const int crashDelay = 10; // seconds
       struct timespec timeLimit;
       clock_gettime(CLOCK_MONOTONIC, &timeLimit);
       timeLimit.tv_sec += crashDelay;
       while (true) {
         static const struct timespec futexTimeout = { 0, 10*1000*1000 }; // 10ms
         // Atomically: if sSetSandboxDone == 0, then sleep.
         if (syscall(__NR_futex, reinterpret_cast<int*>(&sSetSandboxDone),
                   FUTEX_WAIT, 0, &futexTimeout) != 0) {
           if (errno != EWOULDBLOCK && errno != ETIMEDOUT && errno != EINTR) {
             LOG_ERROR("FUTEX_WAIT: %s\n", strerror(errno));
             MOZ_CRASH();
           }
         }
         // Did the handler finish?
         if (sSetSandboxDone > 0) {
           if (sSetSandboxDone == 2) {
             sandboxProgress = true;
           }
           break;
         }
         // Has the thread ceased to exist?
         if (syscall(__NR_tgkill, pid, tid, 0) != 0) {
           if (errno == ESRCH) {
             LOG_ERROR("Thread %d unexpectedly exited.", tid);
           }
           // Rescan threads, in case it forked before exiting.
           // Also, if it somehow failed in a way that wasn't ESRCH,
           // and still exists, that will be handled on the next pass.
           sandboxProgress = true;
           break;
         }
         struct timespec now;
         clock_gettime(CLOCK_MONOTONIC, &now);
         if (now.tv_sec > timeLimit.tv_nsec ||
             (now.tv_sec == timeLimit.tv_nsec &&
              now.tv_nsec > timeLimit.tv_nsec)) {
           LOG_ERROR("Thread %d unresponsive for %d seconds.  Killing process.",
                     tid, crashDelay);
           MOZ_CRASH();
         }
       }
     }
     rewinddir(taskdp);
   } while (sandboxProgress);
   unused << signal(sSetSandboxSignum, SIG_DFL);
   unused << closedir(taskdp);
   // And now, deprivilege the main thread:
   SetThreadSandbox();
 }
 // This function can overapproximate (i.e., return true even if
 // sandboxing isn't supported, but not the reverse).  See bug 993145.
 static bool
 IsSandboxingSupported(void)
 {
   return prctl(PR_GET_SECCOMP) != -1;
 }
 /**
  * Starts the seccomp sandbox for this process and sets user/group-based privileges.
  * Should be called only once, and before any potentially harmful content is loaded.
  *
  * Should normally make the process exit on failure.
 */
 void
 SetCurrentProcessSandbox()
 {
 #if !defined(ANDROID) && defined(PR_LOGGING)
   if (!gSeccompSandboxLog) {
     gSeccompSandboxLog = PR_NewLogModule("SeccompSandbox");
   }
   PR_ASSERT(gSeccompSandboxLog);
 #endif
 #if defined(MOZ_CONTENT_SANDBOX_REPORTER)
   if (InstallSyscallReporter()) {
     LOG_ERROR("install_syscall_reporter() failed\n");
   }
 #endif
   if (IsSandboxingSupported()) {
     BroadcastSetThreadSandbox();
   }
 }
 } // namespace mozilla

The Tor Browser / annotate

security/sandbox/linux/Sandbox.cpp@b8a032363ba2 (annotated)

security/sandbox/linux/Sandbox.cpp