broker_host.cc | Explore in Territory

// Copyright 2014 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifdef UNSAFE_BUFFERS_BUILD
// TODO(crbug.com/351564777): Remove this and convert code to safer constructs.
#pragma allow_unsafe_buffers
#endif

#include "sandbox/linux/syscall_broker/broker_host.h"

#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stddef.h>
#include <sys/inotify.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#include <array>
#include <string>
#include <tuple>
#include <utility>

#include "base/files/scoped_file.h"
#include "base/logging.h"
#include "base/posix/eintr_wrapper.h"
#include "base/strings/string_util.h"
#include "base/strings/stringprintf.h"
#include "sandbox/linux/services/syscall_wrappers.h"
#include "sandbox/linux/syscall_broker/broker_command.h"
#include "sandbox/linux/syscall_broker/broker_permission_list.h"
#include "sandbox/linux/syscall_broker/broker_simple_message.h"
#include "sandbox/linux/system_headers/linux_stat.h"
#include "sandbox/linux/system_headers/linux_syscalls.h"

namespace sandbox {
namespace syscall_broker {

namespace {

const char kProcSelf[] = …;
const size_t kProcSelfNumChars = …;

// A little open(2) wrapper to handle some oddities for us. In the general case
// make a direct system call since we want to keep in control of the broker
// process' system calls profile to be able to loosely sandbox it.
int sys_open(const char* pathname, int flags) { … }

}  // namespace

// Applies a rewrite from /proc/self/ to /proc/[pid of sandboxed process]/.
// Returns either a rewritten or the original pathname.
std::optional<std::string> BrokerHost::RewritePathname(const char* pathname) { … }

std::optional<std::pair<const char*, int>> BrokerHost::GetPathAndFlags(
    BrokerSimpleMessage* message) { … }

// Perform access(2) on |requested_filename| with mode |mode| if allowed by our
// permission_list. Write the syscall return value (-errno) to |reply|.
void BrokerHost::AccessFileForIPC(const char* requested_filename,
                                  int mode,
                                  BrokerSimpleMessage* reply) { … }

// Performs mkdir(2) on |requested_filename| with mode |mode| if allowed by our
// permission_list. Write the syscall return value (-errno) to |reply|.
void BrokerHost::MkdirFileForIPC(const char* requested_filename,
                                 int mode,
                                 BrokerSimpleMessage* reply) { … }

// Open |requested_filename| with |flags| if allowed by our permission list.
// Write the syscall return value (-errno) to |reply| and return the
// file descriptor in the |opened_file| if relevant.
void BrokerHost::OpenFileForIPC(const char* requested_filename,
                                int flags,
                                BrokerSimpleMessage* reply,
                                base::ScopedFD* opened_file) { … }

// Perform rename(2) on |old_filename| to |new_filename| and write the
// result to |return_val|.
void BrokerHost::RenameFileForIPC(const char* old_filename,
                                  const char* new_filename,
                                  BrokerSimpleMessage* reply) { … }

// Perform readlink(2) on |filename| using a buffer of MAX_PATH bytes.
void BrokerHost::ReadlinkFileForIPC(const char* requested_filename,
                                    BrokerSimpleMessage* reply) { … }

void BrokerHost::RmdirFileForIPC(const char* requested_filename,
                                 BrokerSimpleMessage* reply) { … }

// Perform stat(2) on |requested_filename| and write the result to
// |return_val|.
void BrokerHost::StatFileForIPC(BrokerCommand command_type,

                                const char* requested_filename,
                                bool follow_links,
                                BrokerSimpleMessage* reply) { … }

void BrokerHost::UnlinkFileForIPC(const char* requested_filename,
                                  BrokerSimpleMessage* reply) { … }

void BrokerHost::InotifyAddWatchForIPC(base::ScopedFD inotify_fd,
                                       const char* requested_filename,
                                       uint32_t mask,
                                       BrokerSimpleMessage* message) { … }

// Handle a |command_type| request contained in |iter| and write the reply
// to |reply|.
bool BrokerHost::HandleRemoteCommand(BrokerSimpleMessage* message,
                                     base::span<base::ScopedFD> recv_fds,
                                     BrokerSimpleMessage* reply,
                                     base::ScopedFD* opened_file) { … }

BrokerHost::BrokerHost(const BrokerSandboxConfig& policy,
                       BrokerChannel::EndPoint ipc_channel,
                       pid_t sandboxed_process_pid)
    : … { … }

BrokerHost::~BrokerHost() = default;

// Handle a request on the IPC channel ipc_channel_.
// A request should have a file descriptor attached on which we will reply and
// that we will then close.
// A request should start with an int that will be used as the command type.
void BrokerHost::LoopAndHandleRequests() { … }

}  // namespace syscall_broker

}  // namespace sandbox
chromium/sandbox/linux/syscall_broker/broker_host.cc
