DXR will be turned off on Tuesday, December 29th. It will redirect to Searchfox.
See the announcement on Discourse.

DXR is a code search and navigation tool aimed at making sense of large projects. It supports full-text and regex searches as well as structural queries.

Header

Mercurial (56e7b9127e89)

VCS Links

Line Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
 * You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "SandboxBrokerClient.h"
#include "SandboxInfo.h"
#include "SandboxLogging.h"

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

#include "mozilla/Assertions.h"
#include "mozilla/NullPtr.h"
#include "base/strings/safe_sprintf.h"

namespace mozilla {

SandboxBrokerClient::SandboxBrokerClient(int aFd)
: mFileDesc(aFd)
{
}

SandboxBrokerClient::~SandboxBrokerClient()
{
  close(mFileDesc);
}

int
SandboxBrokerClient::DoCall(const Request* aReq, const char* aPath,
                            const char* aPath2, void* aResponseBuff,
                            bool expectFd)
{
  // Remap /proc/self to the actual pid, so that the broker can open
  // it.  This happens here instead of in the broker to follow the
  // principle of least privilege and keep the broker as simple as
  // possible.  (Note: when pid namespaces happen, this will also need
  // to remap the inner pid to the outer pid.)
  // We only remap the first path.
  static const char kProcSelf[] = "/proc/self/";
  static const size_t kProcSelfLen = sizeof(kProcSelf) - 1;
  const char* path = aPath;
  // This buffer just needs to be large enough for any such path that
  // the policy would actually allow.  sizeof("/proc/2147483647/") == 18.
  char rewrittenPath[64];
  if (strncmp(aPath, kProcSelf, kProcSelfLen) == 0) {
    ssize_t len =
      base::strings::SafeSPrintf(rewrittenPath, "/proc/%d/%s",
                                 getpid(), aPath + kProcSelfLen);
    if (static_cast<size_t>(len) < sizeof(rewrittenPath)) {
      if (SandboxInfo::Get().Test(SandboxInfo::kVerbose)) {
        SANDBOX_LOG_ERROR("rewriting %s -> %s", aPath, rewrittenPath);
      }
      path = rewrittenPath;
    } else {
      SANDBOX_LOG_ERROR("not rewriting unexpectedly long path %s", aPath);
    }
  }

  struct iovec ios[3];
  int respFds[2];

  // Set up iovecs for request + path.
  ios[0].iov_base = const_cast<Request*>(aReq);
  ios[0].iov_len = sizeof(*aReq);
  ios[1].iov_base = const_cast<char*>(path);
  ios[1].iov_len = strlen(path) + 1;
  if (aPath2 != nullptr) {
    ios[2].iov_base = const_cast<char*>(aPath2);
    ios[2].iov_len = strlen(aPath2) + 1;
  } else {
    ios[2].iov_base = nullptr;
    ios[2].iov_len = 0;
  }
  if (ios[1].iov_len > kMaxPathLen) {
    return -ENAMETOOLONG;
  }
  if (ios[2].iov_len > kMaxPathLen) {
    return -ENAMETOOLONG;
  }

  // Create response socket and send request.
  if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, respFds) < 0) {
    return -errno;
  }
  const ssize_t sent = SendWithFd(mFileDesc, ios, 3, respFds[1]);
  const int sendErrno = errno;
  MOZ_ASSERT(sent < 0 ||
             static_cast<size_t>(sent) == ios[0].iov_len
                                        + ios[1].iov_len
                                        + ios[2].iov_len);
  close(respFds[1]);
  if (sent < 0) {
    close(respFds[0]);
    return -sendErrno;
  }

  // Set up iovecs for response.
  Response resp;
  ios[0].iov_base = &resp;
  ios[0].iov_len = sizeof(resp);
  if (aResponseBuff) {
    ios[1].iov_base = aResponseBuff;
    ios[1].iov_len = aReq->mBufSize;
  } else {
    ios[1].iov_base = nullptr;
    ios[1].iov_len = 0;
  }

  // Wait for response and return appropriately.
  int openedFd = -1;
  const ssize_t recvd = RecvWithFd(respFds[0], ios, aResponseBuff ? 2 : 1,
                                   expectFd ? &openedFd : nullptr);
  const int recvErrno = errno;
  close(respFds[0]);
  if (recvd < 0) {
    return -recvErrno;
  }
  if (recvd == 0) {
    SANDBOX_LOG_ERROR("Unexpected EOF, op %d flags 0%o path %s",
                      aReq->mOp, aReq->mFlags, path);
    return -EIO;
  }
  MOZ_ASSERT(static_cast<size_t>(recvd) <= ios[0].iov_len + ios[1].iov_len);
  // Some calls such as readlink return a size if successful
  if (resp.mError >= 0) {
    // Success!
    if (expectFd) {
      MOZ_ASSERT(openedFd >= 0);
      return openedFd;
    }
    return resp.mError;
  }
  if (SandboxInfo::Get().Test(SandboxInfo::kVerbose)) {
    // Keep in mind that "rejected" files can include ones that don't
    // actually exist, if it's something that's optional or part of a
    // search path (e.g., shared libraries).  In those cases, this
    // error message is expected.
    SANDBOX_LOG_ERROR("Failed errno %d op %s flags 0%o path %s",
                      resp.mError, OperationDescription[aReq->mOp],
                      aReq->mFlags, path);
  }
  if (openedFd >= 0) {
    close(openedFd);
  }
  return resp.mError;
}

int
SandboxBrokerClient::Open(const char* aPath, int aFlags)
{
  Request req = { SANDBOX_FILE_OPEN, aFlags, 0 };
  int maybeFd = DoCall(&req, aPath, nullptr, nullptr, true);
  if (maybeFd >= 0) {
    // NSPR has opinions about file flags.  Fix O_CLOEXEC.
    if ((aFlags & O_CLOEXEC) == 0) {
      fcntl(maybeFd, F_SETFD, 0);
    }
  }
  return maybeFd;
}

int
SandboxBrokerClient::Access(const char* aPath, int aMode)
{
  Request req = { SANDBOX_FILE_ACCESS, aMode, 0 };
  return DoCall(&req, aPath, nullptr, nullptr, false);
}

int
SandboxBrokerClient::Stat(const char* aPath, statstruct* aStat)
{
  Request req = { SANDBOX_FILE_STAT, 0, sizeof(statstruct) };
  return DoCall(&req, aPath, nullptr, (void*)aStat, false);
}

int
SandboxBrokerClient::LStat(const char* aPath, statstruct* aStat)
{
  Request req = { SANDBOX_FILE_STAT, O_NOFOLLOW, sizeof(statstruct) };
  return DoCall(&req, aPath, nullptr, (void*)aStat, false);
}

int
SandboxBrokerClient::Chmod(const char* aPath, int aMode)
{
  Request req = {SANDBOX_FILE_CHMOD, aMode, 0};
  return DoCall(&req, aPath, nullptr, nullptr, false);
}

int
SandboxBrokerClient::Link(const char* aOldPath, const char* aNewPath)
{
  Request req = {SANDBOX_FILE_LINK, 0, 0};
  return DoCall(&req, aOldPath, aNewPath, nullptr, false);
}

int
SandboxBrokerClient::Symlink(const char* aOldPath, const char* aNewPath)
{
  Request req = {SANDBOX_FILE_SYMLINK, 0, 0};
  return DoCall(&req, aOldPath, aNewPath, nullptr, false);
}

int
SandboxBrokerClient::Rename(const char* aOldPath, const char* aNewPath)
{
  Request req = {SANDBOX_FILE_RENAME, 0, 0};
  return DoCall(&req, aOldPath, aNewPath, nullptr, false);
}

int
SandboxBrokerClient::Mkdir(const char* aPath, int aMode)
{
  Request req = {SANDBOX_FILE_MKDIR, aMode, 0};
  return DoCall(&req, aPath, nullptr, nullptr, false);
}

int
SandboxBrokerClient::Unlink(const char* aPath)
{
  Request req = {SANDBOX_FILE_UNLINK, 0, 0};
  return DoCall(&req, aPath, nullptr, nullptr, false);
}

int
SandboxBrokerClient::Rmdir(const char* aPath)
{
  Request req = {SANDBOX_FILE_RMDIR, 0, 0};
  return DoCall(&req, aPath, nullptr, nullptr, false);
}

int
SandboxBrokerClient::Readlink(const char* aPath, void* aBuff, size_t aSize)
{
  Request req = {SANDBOX_FILE_READLINK, 0, aSize};
  return DoCall(&req, aPath, nullptr, aBuff, false);
}

int
SandboxBrokerClient::Connect(const sockaddr_un* aAddr, size_t aLen, int aType)
{
  static const size_t maxLen = sizeof(aAddr->sun_path);
  const char* path = aAddr->sun_path;
  const auto addrEnd = reinterpret_cast<const char*>(aAddr) + aLen;
  // Ensure that the length isn't impossibly small.
  if (addrEnd <= path) {
    return -EINVAL;
  }
  // Unix domain only
  if (aAddr->sun_family != AF_UNIX) {
    return -EAFNOSUPPORT;
  }
  // How much of sun_path may be accessed?
  auto bufLen = static_cast<size_t>(addrEnd - path);
  if (bufLen > maxLen) {
    bufLen = maxLen;
  }
  // Require null-termination.  (Linux doesn't require it, but
  // applications usually null-terminate for portability, and not
  // handling unterminated strings means we don't have to copy the path.)
  const size_t pathLen = strnlen(path, bufLen);
  if (pathLen == bufLen) {
    return -ENAMETOOLONG;
  }
  // Abstract addresses aren't handled (yet?).
  if (pathLen == 0) {
    return -ECONNREFUSED;
  }

  const Request req = { SANDBOX_SOCKET_CONNECT, aType, 0 };
  return DoCall(&req, path, nullptr, nullptr, true);
}

} // namespace mozilla