SandboxBrokerCommon.cpp (5019B)
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 /* This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this file, 5 * You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #include "SandboxBrokerCommon.h" 8 9 #include "mozilla/Assertions.h" 10 11 // This file is built both within libxul and as a separate libmozsandbox 12 // library. We can only use profiler annotations within libxul. 13 #ifdef MOZILLA_INTERNAL_API 14 # include "mozilla/ProfilerThreadSleep.h" 15 #else 16 # define AUTO_PROFILER_THREAD_SLEEP 17 #endif 18 19 #include <errno.h> 20 #include <sys/socket.h> 21 #include <sys/types.h> 22 #include <unistd.h> 23 #include <string.h> 24 25 #ifndef MSG_CMSG_CLOEXEC 26 # ifdef XP_LINUX 27 // As always, Android's kernel headers are somewhat old. 28 # define MSG_CMSG_CLOEXEC 0x40000000 29 # else 30 // Most of this code can support other POSIX OSes, but being able to 31 // receive fds and atomically make them close-on-exec is important, 32 // because this is running in a multithreaded process that can fork. 33 // In the future, if the broker becomes a dedicated executable, this 34 // can change. 35 # error "No MSG_CMSG_CLOEXEC?" 36 # endif // XP_LINUX 37 #endif // MSG_CMSG_CLOEXEC 38 39 namespace mozilla { 40 41 const char* SandboxBrokerCommon::OperationDescription[] = { 42 "open", 43 "access", 44 "stat", 45 "chmod", 46 "link", 47 "symlink", 48 "mkdir", 49 "rename", 50 "rmdir", 51 "unlink", 52 "readlink", 53 "connect", 54 "connect-abstract", 55 }; 56 57 /* static */ 58 ssize_t SandboxBrokerCommon::RecvWithFd(int aFd, const iovec* aIO, 59 size_t aNumIO, int* aPassedFdPtr) { 60 struct msghdr msg = {}; 61 msg.msg_iov = const_cast<iovec*>(aIO); 62 msg.msg_iovlen = aNumIO; 63 64 char cmsg_buf[CMSG_SPACE(sizeof(int))]; 65 if (aPassedFdPtr) { 66 msg.msg_control = cmsg_buf; 67 msg.msg_controllen = sizeof(cmsg_buf); 68 *aPassedFdPtr = -1; 69 } 70 71 ssize_t rv; 72 do { 73 // MSG_CMSG_CLOEXEC is needed to prevent the parent process from 74 // accidentally leaking a copy of the child's response socket to a 75 // new child process. (The child won't be able to exec, so this 76 // doesn't matter as much for that direction.) 77 AUTO_PROFILER_THREAD_SLEEP; 78 rv = recvmsg(aFd, &msg, MSG_CMSG_CLOEXEC); 79 } while (rv < 0 && errno == EINTR); 80 81 if (rv <= 0) { 82 return rv; 83 } 84 if (msg.msg_controllen > 0) { 85 MOZ_ASSERT(aPassedFdPtr); 86 struct cmsghdr* cmsg = CMSG_FIRSTHDR(&msg); 87 if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) { 88 int* fds = reinterpret_cast<int*>(CMSG_DATA(cmsg)); 89 if (cmsg->cmsg_len != CMSG_LEN(sizeof(int))) { 90 // A client could, for example, send an extra 32-bit int if 91 // CMSG_SPACE pads to 64-bit size_t alignment. If so, treat 92 // it as an error, but also don't leak the fds. 93 for (size_t i = 0; CMSG_LEN(sizeof(int) * i) < cmsg->cmsg_len; ++i) { 94 close(fds[i]); 95 } 96 // In theory, the kernel should delete the message instead of 97 // giving us an empty one, if errors prevent transferring the 98 // fd. 99 MOZ_DIAGNOSTIC_ASSERT(cmsg->cmsg_len != 0); 100 errno = EPROTO; 101 return -1; 102 } 103 *aPassedFdPtr = fds[0]; 104 } else { 105 errno = EPROTO; 106 return -1; 107 } 108 } 109 if (msg.msg_flags & (MSG_TRUNC | MSG_CTRUNC)) { 110 if (aPassedFdPtr && *aPassedFdPtr >= 0) { 111 close(*aPassedFdPtr); 112 *aPassedFdPtr = -1; 113 } 114 // MSG_CTRUNC usually means the attached fd was dropped due to fd 115 // exhaustion in the receiving process, so map that to `EMFILE`. 116 // (It could also happen if the other process maliciously sends 117 // too many fds.) 118 // 119 // MSG_TRUNC (truncation of the data part) shouldn't ever happen. 120 // However, it has happened in the past, due to accidentally 121 // sending more data than the receiver was expecting. We assert 122 // that that doesn't happen (and, if it does, try to map it to a 123 // vaguely sensible error code). 124 MOZ_DIAGNOSTIC_ASSERT((msg.msg_flags & MSG_TRUNC) == 0); 125 errno = (msg.msg_flags & MSG_CTRUNC) ? EMFILE : EPROTO; 126 return -1; 127 } 128 129 return rv; 130 } 131 132 /* static */ 133 ssize_t SandboxBrokerCommon::SendWithFd(int aFd, const iovec* aIO, 134 size_t aNumIO, int aPassedFd) { 135 struct msghdr msg = {}; 136 msg.msg_iov = const_cast<iovec*>(aIO); 137 msg.msg_iovlen = aNumIO; 138 139 char cmsg_buf[CMSG_SPACE(sizeof(int))]; 140 memset(cmsg_buf, 0, sizeof(cmsg_buf)); 141 if (aPassedFd != -1) { 142 msg.msg_control = cmsg_buf; 143 msg.msg_controllen = sizeof(cmsg_buf); 144 struct cmsghdr* cmsg = CMSG_FIRSTHDR(&msg); 145 cmsg->cmsg_level = SOL_SOCKET; 146 cmsg->cmsg_type = SCM_RIGHTS; 147 cmsg->cmsg_len = CMSG_LEN(sizeof(int)); 148 *reinterpret_cast<int*>(CMSG_DATA(cmsg)) = aPassedFd; 149 } 150 151 ssize_t rv; 152 do { 153 rv = sendmsg(aFd, &msg, MSG_NOSIGNAL); 154 } while (rv < 0 && errno == EINTR); 155 156 return rv; 157 } 158 159 } // namespace mozilla