diff options
Diffstat (limited to 'security/sandbox/chromium/base/posix')
5 files changed, 319 insertions, 0 deletions
diff --git a/security/sandbox/chromium/base/posix/can_lower_nice_to.cc b/security/sandbox/chromium/base/posix/can_lower_nice_to.cc new file mode 100644 index 0000000000..b1686dcae1 --- /dev/null +++ b/security/sandbox/chromium/base/posix/can_lower_nice_to.cc @@ -0,0 +1,60 @@ +// Copyright 2018 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "base/posix/can_lower_nice_to.h" + +#include <limits.h> +#include <sys/resource.h> +#include <sys/types.h> +#include <unistd.h> + +#include "build/build_config.h" + +// Not defined on AIX by default. +#if defined(OS_AIX) +#if defined(RLIMIT_NICE) +#error Assumption about OS_AIX is incorrect +#endif +#define RLIMIT_NICE 20 +#endif + +namespace base { +namespace internal { + +bool CanLowerNiceTo(int nice_value) { + // On a POSIX system, the nice value of a thread can be lowered 1. by the root + // user, 2. by a user with the CAP_SYS_NICE permission or 3. by any user if + // the target value is within the range allowed by RLIMIT_NICE. + + // 1. Check for root user. + if (geteuid() == 0) + return true; + + // 2. Skip checking the CAP_SYS_NICE permission because it would require + // libcap.so. + + // 3. Check whether the target value is within the range allowed by + // RLIMIT_NICE. + // + // NZERO should be defined in <limits.h> per POSIX, and should be at least 20. + // (NZERO-1) is the highest possible niceness value (i.e. lowest priority). + // Most platforms use NZERO=20. + // + // RLIMIT_NICE tells us how much we can reduce niceness (increase priority) if + // we start at NZERO. For example, if NZERO is 20 and the rlimit is 30, we can + // lower niceness anywhere within the [-10, 19] range (20 - 30 = -10). + // + // So, we are allowed to reduce niceness to a minimum of NZERO - rlimit: + struct rlimit rlim; + if (getrlimit(RLIMIT_NICE, &rlim) != 0) + return false; + const int lowest_nice_allowed = NZERO - static_cast<int>(rlim.rlim_cur); + + // And lowering niceness to |nice_value| is allowed if it is greater than or + // equal to the limit: + return nice_value >= lowest_nice_allowed; +} + +} // namespace internal +} // namespace base diff --git a/security/sandbox/chromium/base/posix/can_lower_nice_to.h b/security/sandbox/chromium/base/posix/can_lower_nice_to.h new file mode 100644 index 0000000000..aa8f02e9f7 --- /dev/null +++ b/security/sandbox/chromium/base/posix/can_lower_nice_to.h @@ -0,0 +1,19 @@ +// Copyright 2018 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef BASE_POSIX_CAN_LOWER_NICE_TO_H_ +#define BASE_POSIX_CAN_LOWER_NICE_TO_H_ + +namespace base { +namespace internal { + +// Returns true if lowering the nice value of a process or thread to +// |nice_value| using setpriority() or nice() should succeed. Note: A lower nice +// value means a higher priority. +bool CanLowerNiceTo(int nice_value); + +} // namespace internal +} // namespace base + +#endif // BASE_POSIX_CAN_LOWER_NICE_TO_H_ diff --git a/security/sandbox/chromium/base/posix/eintr_wrapper.h b/security/sandbox/chromium/base/posix/eintr_wrapper.h new file mode 100644 index 0000000000..0e6e437953 --- /dev/null +++ b/security/sandbox/chromium/base/posix/eintr_wrapper.h @@ -0,0 +1,68 @@ +// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// This provides a wrapper around system calls which may be interrupted by a +// signal and return EINTR. See man 7 signal. +// To prevent long-lasting loops (which would likely be a bug, such as a signal +// that should be masked) to go unnoticed, there is a limit after which the +// caller will nonetheless see an EINTR in Debug builds. +// +// On Windows and Fuchsia, this wrapper macro does nothing because there are no +// signals. +// +// Don't wrap close calls in HANDLE_EINTR. Use IGNORE_EINTR if the return +// value of close is significant. See http://crbug.com/269623. + +#ifndef BASE_POSIX_EINTR_WRAPPER_H_ +#define BASE_POSIX_EINTR_WRAPPER_H_ + +#include "build/build_config.h" + +#if defined(OS_POSIX) + +#include <errno.h> + +#if defined(NDEBUG) + +#define HANDLE_EINTR(x) ({ \ + decltype(x) eintr_wrapper_result; \ + do { \ + eintr_wrapper_result = (x); \ + } while (eintr_wrapper_result == -1 && errno == EINTR); \ + eintr_wrapper_result; \ +}) + +#else + +#define HANDLE_EINTR(x) ({ \ + int eintr_wrapper_counter = 0; \ + decltype(x) eintr_wrapper_result; \ + do { \ + eintr_wrapper_result = (x); \ + } while (eintr_wrapper_result == -1 && errno == EINTR && \ + eintr_wrapper_counter++ < 100); \ + eintr_wrapper_result; \ +}) + +#endif // NDEBUG + +#define IGNORE_EINTR(x) ({ \ + decltype(x) eintr_wrapper_result; \ + do { \ + eintr_wrapper_result = (x); \ + if (eintr_wrapper_result == -1 && errno == EINTR) { \ + eintr_wrapper_result = 0; \ + } \ + } while (0); \ + eintr_wrapper_result; \ +}) + +#else // !OS_POSIX + +#define HANDLE_EINTR(x) (x) +#define IGNORE_EINTR(x) (x) + +#endif // !OS_POSIX + +#endif // BASE_POSIX_EINTR_WRAPPER_H_ diff --git a/security/sandbox/chromium/base/posix/safe_strerror.cc b/security/sandbox/chromium/base/posix/safe_strerror.cc new file mode 100644 index 0000000000..aef5742d33 --- /dev/null +++ b/security/sandbox/chromium/base/posix/safe_strerror.cc @@ -0,0 +1,128 @@ +// Copyright (c) 2006-2009 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#if defined(__ANDROID__) +// Post-L versions of bionic define the GNU-specific strerror_r if _GNU_SOURCE +// is defined, but the symbol is renamed to __gnu_strerror_r which only exists +// on those later versions. To preserve ABI compatibility with older versions, +// undefine _GNU_SOURCE and use the POSIX version. +#undef _GNU_SOURCE +#endif + +#include "base/posix/safe_strerror.h" + +#include <errno.h> +#include <stdio.h> +#include <string.h> + +#include "build/build_config.h" + +namespace base { + +#if defined(__GLIBC__) || defined(OS_NACL) +#define USE_HISTORICAL_STRERRO_R 1 +#else +#define USE_HISTORICAL_STRERRO_R 0 +#endif + +#if USE_HISTORICAL_STRERRO_R && defined(__GNUC__) +// GCC will complain about the unused second wrap function unless we tell it +// that we meant for them to be potentially unused, which is exactly what this +// attribute is for. +#define POSSIBLY_UNUSED __attribute__((unused)) +#else +#define POSSIBLY_UNUSED +#endif + +#if USE_HISTORICAL_STRERRO_R +// glibc has two strerror_r functions: a historical GNU-specific one that +// returns type char *, and a POSIX.1-2001 compliant one available since 2.3.4 +// that returns int. This wraps the GNU-specific one. +static void POSSIBLY_UNUSED wrap_posix_strerror_r( + char *(*strerror_r_ptr)(int, char *, size_t), + int err, + char *buf, + size_t len) { + // GNU version. + char *rc = (*strerror_r_ptr)(err, buf, len); + if (rc != buf) { + // glibc did not use buf and returned a static string instead. Copy it + // into buf. + buf[0] = '\0'; + strncat(buf, rc, len - 1); + } + // The GNU version never fails. Unknown errors get an "unknown error" message. + // The result is always null terminated. +} +#endif // USE_HISTORICAL_STRERRO_R + +// Wrapper for strerror_r functions that implement the POSIX interface. POSIX +// does not define the behaviour for some of the edge cases, so we wrap it to +// guarantee that they are handled. This is compiled on all POSIX platforms, but +// it will only be used on Linux if the POSIX strerror_r implementation is +// being used (see below). +static void POSSIBLY_UNUSED wrap_posix_strerror_r( + int (*strerror_r_ptr)(int, char *, size_t), + int err, + char *buf, + size_t len) { + int old_errno = errno; + // Have to cast since otherwise we get an error if this is the GNU version + // (but in such a scenario this function is never called). Sadly we can't use + // C++-style casts because the appropriate one is reinterpret_cast but it's + // considered illegal to reinterpret_cast a type to itself, so we get an + // error in the opposite case. + int result = (*strerror_r_ptr)(err, buf, len); + if (result == 0) { + // POSIX is vague about whether the string will be terminated, although + // it indirectly implies that typically ERANGE will be returned, instead + // of truncating the string. We play it safe by always terminating the + // string explicitly. + buf[len - 1] = '\0'; + } else { + // Error. POSIX is vague about whether the return value is itself a system + // error code or something else. On Linux currently it is -1 and errno is + // set. On BSD-derived systems it is a system error and errno is unchanged. + // We try and detect which case it is so as to put as much useful info as + // we can into our message. + int strerror_error; // The error encountered in strerror + int new_errno = errno; + if (new_errno != old_errno) { + // errno was changed, so probably the return value is just -1 or something + // else that doesn't provide any info, and errno is the error. + strerror_error = new_errno; + } else { + // Either the error from strerror_r was the same as the previous value, or + // errno wasn't used. Assume the latter. + strerror_error = result; + } + // snprintf truncates and always null-terminates. + snprintf(buf, + len, + "Error %d while retrieving error %d", + strerror_error, + err); + } + errno = old_errno; +} + +void safe_strerror_r(int err, char *buf, size_t len) { + if (buf == nullptr || len <= 0) { + return; + } + // If using glibc (i.e., Linux), the compiler will automatically select the + // appropriate overloaded function based on the function type of strerror_r. + // The other one will be elided from the translation unit since both are + // static. + wrap_posix_strerror_r(&strerror_r, err, buf, len); +} + +std::string safe_strerror(int err) { + const int buffer_size = 256; + char buf[buffer_size]; + safe_strerror_r(err, buf, sizeof(buf)); + return std::string(buf); +} + +} // namespace base diff --git a/security/sandbox/chromium/base/posix/safe_strerror.h b/security/sandbox/chromium/base/posix/safe_strerror.h new file mode 100644 index 0000000000..2945312910 --- /dev/null +++ b/security/sandbox/chromium/base/posix/safe_strerror.h @@ -0,0 +1,44 @@ +// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef BASE_POSIX_SAFE_STRERROR_H_ +#define BASE_POSIX_SAFE_STRERROR_H_ + +#include <stddef.h> + +#include <string> + +#include "base/base_export.h" + +namespace base { + +// BEFORE using anything from this file, first look at PLOG and friends in +// logging.h and use them instead if applicable. +// +// This file declares safe, portable alternatives to the POSIX strerror() +// function. strerror() is inherently unsafe in multi-threaded apps and should +// never be used. Doing so can cause crashes. Additionally, the thread-safe +// alternative strerror_r varies in semantics across platforms. Use these +// functions instead. + +// Thread-safe strerror function with dependable semantics that never fails. +// It will write the string form of error "err" to buffer buf of length len. +// If there is an error calling the OS's strerror_r() function then a message to +// that effect will be printed into buf, truncating if necessary. The final +// result is always null-terminated. The value of errno is never changed. +// +// Use this instead of strerror_r(). +BASE_EXPORT void safe_strerror_r(int err, char *buf, size_t len); + +// Calls safe_strerror_r with a buffer of suitable size and returns the result +// in a C++ string. +// +// Use this instead of strerror(). Note though that safe_strerror_r will be +// more robust in the case of heap corruption errors, since it doesn't need to +// allocate a string. +BASE_EXPORT std::string safe_strerror(int err); + +} // namespace base + +#endif // BASE_POSIX_SAFE_STRERROR_H_ |