diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /security/sandbox/linux/broker/SandboxBrokerCommon.cpp | |
parent | Initial commit. (diff) | |
download | firefox-esr-upstream.tar.xz firefox-esr-upstream.zip |
Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/sandbox/linux/broker/SandboxBrokerCommon.cpp')
-rw-r--r-- | security/sandbox/linux/broker/SandboxBrokerCommon.cpp | 155 |
1 files changed, 155 insertions, 0 deletions
diff --git a/security/sandbox/linux/broker/SandboxBrokerCommon.cpp b/security/sandbox/linux/broker/SandboxBrokerCommon.cpp new file mode 100644 index 0000000000..2a9dcfff40 --- /dev/null +++ b/security/sandbox/linux/broker/SandboxBrokerCommon.cpp @@ -0,0 +1,155 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "SandboxBrokerCommon.h" + +#include "mozilla/Assertions.h" + +// This file is built both within libxul and as a separate libmozsandbox +// library. We can only use profiler annotations within libxul. +#ifdef MOZILLA_INTERNAL_API +# include "mozilla/ProfilerThreadSleep.h" +#else +# define AUTO_PROFILER_THREAD_SLEEP +#endif + +#include <errno.h> +#include <sys/socket.h> +#include <sys/types.h> +#include <unistd.h> +#include <string.h> + +#ifndef MSG_CMSG_CLOEXEC +# ifdef XP_LINUX +// As always, Android's kernel headers are somewhat old. +# define MSG_CMSG_CLOEXEC 0x40000000 +# else +// Most of this code can support other POSIX OSes, but being able to +// receive fds and atomically make them close-on-exec is important, +// because this is running in a multithreaded process that can fork. +// In the future, if the broker becomes a dedicated executable, this +// can change. +# error "No MSG_CMSG_CLOEXEC?" +# endif // XP_LINUX +#endif // MSG_CMSG_CLOEXEC + +namespace mozilla { + +const char* SandboxBrokerCommon::OperationDescription[] = { + "open", + "access", + "stat", + "chmod", + "link", + "symlink", + "mkdir", + "rename", + "rmdir", + "unlink", + "readlink", + "connect", + "connect-abstract", +}; + +/* static */ +ssize_t SandboxBrokerCommon::RecvWithFd(int aFd, const iovec* aIO, + size_t aNumIO, int* aPassedFdPtr) { + struct msghdr msg = {}; + msg.msg_iov = const_cast<iovec*>(aIO); + msg.msg_iovlen = aNumIO; + + char cmsg_buf[CMSG_SPACE(sizeof(int))]; + if (aPassedFdPtr) { + msg.msg_control = cmsg_buf; + msg.msg_controllen = sizeof(cmsg_buf); + *aPassedFdPtr = -1; + } + + ssize_t rv; + do { + // MSG_CMSG_CLOEXEC is needed to prevent the parent process from + // accidentally leaking a copy of the child's response socket to a + // new child process. (The child won't be able to exec, so this + // doesn't matter as much for that direction.) + AUTO_PROFILER_THREAD_SLEEP; + rv = recvmsg(aFd, &msg, MSG_CMSG_CLOEXEC); + } while (rv < 0 && errno == EINTR); + + if (rv <= 0) { + return rv; + } + if (msg.msg_controllen > 0) { + MOZ_ASSERT(aPassedFdPtr); + struct cmsghdr* cmsg = CMSG_FIRSTHDR(&msg); + if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) { + int* fds = reinterpret_cast<int*>(CMSG_DATA(cmsg)); + if (cmsg->cmsg_len != CMSG_LEN(sizeof(int))) { + // A client could, for example, send an extra 32-bit int if + // CMSG_SPACE pads to 64-bit size_t alignment. If so, treat + // it as an error, but also don't leak the fds. + for (size_t i = 0; CMSG_LEN(sizeof(int) * i) < cmsg->cmsg_len; ++i) { + close(fds[i]); + } + // In theory, the kernel should delete the message instead of + // giving us an empty one, if errors prevent transferring the + // fd. + MOZ_DIAGNOSTIC_ASSERT(cmsg->cmsg_len != 0); + errno = EMSGSIZE; + return -1; + } + *aPassedFdPtr = fds[0]; + } else { + errno = EPROTO; + return -1; + } + } + if (msg.msg_flags & (MSG_TRUNC | MSG_CTRUNC)) { + if (aPassedFdPtr && *aPassedFdPtr >= 0) { + close(*aPassedFdPtr); + *aPassedFdPtr = -1; + } + // MSG_CTRUNC usually means the fd was dropped due to fd + // exhaustion in the receiving process, so map that to `EMFILE`. + // MSG_TRUNC (truncation of the data part) shouldn't ever happen. + // (If the sender is malicious it can send too many bytes or fds, + // but this is about getting an accurate error message in genuine + // error cases.) + MOZ_DIAGNOSTIC_ASSERT((msg.msg_flags & MSG_TRUNC) == 0); + errno = EMFILE; + return -1; + } + + return rv; +} + +/* static */ +ssize_t SandboxBrokerCommon::SendWithFd(int aFd, const iovec* aIO, + size_t aNumIO, int aPassedFd) { + struct msghdr msg = {}; + msg.msg_iov = const_cast<iovec*>(aIO); + msg.msg_iovlen = aNumIO; + + char cmsg_buf[CMSG_SPACE(sizeof(int))]; + memset(cmsg_buf, 0, sizeof(cmsg_buf)); + if (aPassedFd != -1) { + msg.msg_control = cmsg_buf; + msg.msg_controllen = sizeof(cmsg_buf); + struct cmsghdr* cmsg = CMSG_FIRSTHDR(&msg); + cmsg->cmsg_level = SOL_SOCKET; + cmsg->cmsg_type = SCM_RIGHTS; + cmsg->cmsg_len = CMSG_LEN(sizeof(int)); + *reinterpret_cast<int*>(CMSG_DATA(cmsg)) = aPassedFd; + } + + ssize_t rv; + do { + rv = sendmsg(aFd, &msg, MSG_NOSIGNAL); + } while (rv < 0 && errno == EINTR); + + return rv; +} + +} // namespace mozilla |