159 lines
4.9 KiB
C++
159 lines
4.9 KiB
C++
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
|
* You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "SandboxBrokerCommon.h"
|
|
|
|
#include "mozilla/Assertions.h"
|
|
|
|
// This file is built both within libxul and as a separate libmozsandbox
|
|
// library. We can only use profiler annotations within libxul.
|
|
#ifdef MOZILLA_INTERNAL_API
|
|
# include "mozilla/ProfilerThreadSleep.h"
|
|
#else
|
|
# define AUTO_PROFILER_THREAD_SLEEP
|
|
#endif
|
|
|
|
#include <errno.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/types.h>
|
|
#include <unistd.h>
|
|
#include <string.h>
|
|
|
|
#ifndef MSG_CMSG_CLOEXEC
|
|
# ifdef XP_LINUX
|
|
// As always, Android's kernel headers are somewhat old.
|
|
# define MSG_CMSG_CLOEXEC 0x40000000
|
|
# else
|
|
// Most of this code can support other POSIX OSes, but being able to
|
|
// receive fds and atomically make them close-on-exec is important,
|
|
// because this is running in a multithreaded process that can fork.
|
|
// In the future, if the broker becomes a dedicated executable, this
|
|
// can change.
|
|
# error "No MSG_CMSG_CLOEXEC?"
|
|
# endif // XP_LINUX
|
|
#endif // MSG_CMSG_CLOEXEC
|
|
|
|
namespace mozilla {
|
|
|
|
const char* SandboxBrokerCommon::OperationDescription[] = {
|
|
"open",
|
|
"access",
|
|
"stat",
|
|
"chmod",
|
|
"link",
|
|
"symlink",
|
|
"mkdir",
|
|
"rename",
|
|
"rmdir",
|
|
"unlink",
|
|
"readlink",
|
|
"connect",
|
|
"connect-abstract",
|
|
};
|
|
|
|
/* static */
|
|
ssize_t SandboxBrokerCommon::RecvWithFd(int aFd, const iovec* aIO,
|
|
size_t aNumIO, int* aPassedFdPtr) {
|
|
struct msghdr msg = {};
|
|
msg.msg_iov = const_cast<iovec*>(aIO);
|
|
msg.msg_iovlen = aNumIO;
|
|
|
|
char cmsg_buf[CMSG_SPACE(sizeof(int))];
|
|
if (aPassedFdPtr) {
|
|
msg.msg_control = cmsg_buf;
|
|
msg.msg_controllen = sizeof(cmsg_buf);
|
|
*aPassedFdPtr = -1;
|
|
}
|
|
|
|
ssize_t rv;
|
|
do {
|
|
// MSG_CMSG_CLOEXEC is needed to prevent the parent process from
|
|
// accidentally leaking a copy of the child's response socket to a
|
|
// new child process. (The child won't be able to exec, so this
|
|
// doesn't matter as much for that direction.)
|
|
AUTO_PROFILER_THREAD_SLEEP;
|
|
rv = recvmsg(aFd, &msg, MSG_CMSG_CLOEXEC);
|
|
} while (rv < 0 && errno == EINTR);
|
|
|
|
if (rv <= 0) {
|
|
return rv;
|
|
}
|
|
if (msg.msg_controllen > 0) {
|
|
MOZ_ASSERT(aPassedFdPtr);
|
|
struct cmsghdr* cmsg = CMSG_FIRSTHDR(&msg);
|
|
if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
|
|
int* fds = reinterpret_cast<int*>(CMSG_DATA(cmsg));
|
|
if (cmsg->cmsg_len != CMSG_LEN(sizeof(int))) {
|
|
// A client could, for example, send an extra 32-bit int if
|
|
// CMSG_SPACE pads to 64-bit size_t alignment. If so, treat
|
|
// it as an error, but also don't leak the fds.
|
|
for (size_t i = 0; CMSG_LEN(sizeof(int) * i) < cmsg->cmsg_len; ++i) {
|
|
close(fds[i]);
|
|
}
|
|
// In theory, the kernel should delete the message instead of
|
|
// giving us an empty one, if errors prevent transferring the
|
|
// fd.
|
|
MOZ_DIAGNOSTIC_ASSERT(cmsg->cmsg_len != 0);
|
|
errno = EPROTO;
|
|
return -1;
|
|
}
|
|
*aPassedFdPtr = fds[0];
|
|
} else {
|
|
errno = EPROTO;
|
|
return -1;
|
|
}
|
|
}
|
|
if (msg.msg_flags & (MSG_TRUNC | MSG_CTRUNC)) {
|
|
if (aPassedFdPtr && *aPassedFdPtr >= 0) {
|
|
close(*aPassedFdPtr);
|
|
*aPassedFdPtr = -1;
|
|
}
|
|
// MSG_CTRUNC usually means the attached fd was dropped due to fd
|
|
// exhaustion in the receiving process, so map that to `EMFILE`.
|
|
// (It could also happen if the other process maliciously sends
|
|
// too many fds.)
|
|
//
|
|
// MSG_TRUNC (truncation of the data part) shouldn't ever happen.
|
|
// However, it has happened in the past, due to accidentally
|
|
// sending more data than the receiver was expecting. We assert
|
|
// that that doesn't happen (and, if it does, try to map it to a
|
|
// vaguely sensible error code).
|
|
MOZ_DIAGNOSTIC_ASSERT((msg.msg_flags & MSG_TRUNC) == 0);
|
|
errno = (msg.msg_flags & MSG_CTRUNC) ? EMFILE : EPROTO;
|
|
return -1;
|
|
}
|
|
|
|
return rv;
|
|
}
|
|
|
|
/* static */
|
|
ssize_t SandboxBrokerCommon::SendWithFd(int aFd, const iovec* aIO,
|
|
size_t aNumIO, int aPassedFd) {
|
|
struct msghdr msg = {};
|
|
msg.msg_iov = const_cast<iovec*>(aIO);
|
|
msg.msg_iovlen = aNumIO;
|
|
|
|
char cmsg_buf[CMSG_SPACE(sizeof(int))];
|
|
memset(cmsg_buf, 0, sizeof(cmsg_buf));
|
|
if (aPassedFd != -1) {
|
|
msg.msg_control = cmsg_buf;
|
|
msg.msg_controllen = sizeof(cmsg_buf);
|
|
struct cmsghdr* cmsg = CMSG_FIRSTHDR(&msg);
|
|
cmsg->cmsg_level = SOL_SOCKET;
|
|
cmsg->cmsg_type = SCM_RIGHTS;
|
|
cmsg->cmsg_len = CMSG_LEN(sizeof(int));
|
|
*reinterpret_cast<int*>(CMSG_DATA(cmsg)) = aPassedFd;
|
|
}
|
|
|
|
ssize_t rv;
|
|
do {
|
|
rv = sendmsg(aFd, &msg, MSG_NOSIGNAL);
|
|
} while (rv < 0 && errno == EINTR);
|
|
|
|
return rv;
|
|
}
|
|
|
|
} // namespace mozilla
|