File: broker_process.h

package info (click to toggle)
chromium 139.0.7258.127-2
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 6,122,156 kB
  • sloc: cpp: 35,100,771; ansic: 7,163,530; javascript: 4,103,002; python: 1,436,920; asm: 946,517; xml: 746,709; pascal: 187,653; perl: 88,691; sh: 88,436; objc: 79,953; sql: 51,488; cs: 44,583; fortran: 24,137; makefile: 22,147; tcl: 15,277; php: 13,980; yacc: 8,984; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (126 lines) | stat: -rw-r--r-- 4,838 bytes parent folder | download | duplicates (7) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
 
// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_PROCESS_H_
#define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_PROCESS_H_

#include <sys/stat.h>

#include <memory>
#include <optional>
#include <string>
#include <vector>

#include "base/functional/callback_forward.h"
#include "sandbox/linux/syscall_broker/broker_sandbox_config.h"
#include "sandbox/sandbox_export.h"

namespace sandbox {

namespace syscall_broker {

class BrokerClient;

// Create a new "broker" process to which we can send requests via an IPC
// channel by forking the current process.
// This is a low level IPC mechanism that is suitable to be called from a
// signal handler.
// A process would typically create a broker process before entering
// sandboxing.
// 1. BrokerProcess open_broker(read_allowlist, write_allowlist);
// 2. CHECK(open_broker.Init(NULL));
// 3. Enable sandbox.
// 4. Use open_broker.Open() to open files.
class SANDBOX_EXPORT BrokerProcess {
 public:
  enum class BrokerType { SIGNAL_BASED };

  using BrokerSideCallback =
      base::OnceCallback<bool(const BrokerSandboxConfig&)>;

  // |policy| is the policy for the broker process.
  //
  // |denied_errno| is the error code returned when methods such as Open() or
  // Access() are invoked on a file which is not in the allowlist (EACCESS would
  // be a typical value).
  //
  // |fast_check_in_client| controls whether requests are
  // first filtered on the client side before being proxied. Apart from tests,
  // this should always be true since our main clients are not always
  // well-behaved. They may have third party libraries that don't know about
  // sandboxing, and typically try to open all sorts of stuff they don't really
  // need. It's important to reduce this load given that there is only one
  // pipeline to the broker process, and it is not multi-threaded.
  //
  // |quiet_failures_for_tests| is reserved for unit tests, don't use it.
  BrokerProcess(std::optional<BrokerSandboxConfig> policy,
                BrokerType broker_type,
                bool fast_check_in_client = true,
                bool quiet_failures_for_tests = false);

  BrokerProcess(const BrokerProcess&) = delete;
  BrokerProcess& operator=(const BrokerProcess&) = delete;

  ~BrokerProcess();

  // Will initialize the broker process. There should be no threads at this
  // point, since we need to fork().
  // broker_process_init_callback will be called in the new broker process,
  // after fork() returns.
  bool Fork(BrokerSideCallback broker_process_init_callback);

  // Return the PID of the child created by Fork().
  int broker_pid() const { return broker_pid_; }

  // Can be used in bpf_dsl::Policy::EvaluateSyscall() implementations to
  // determine if the system call |sysno| should be trapped and forwarded
  // to the broker process for handling. This examines the
  // |policy_->allowed_command_set| iff |fast_check_in_client_| is true. If
  // the fast checks are disabled, then all possible brokerable system
  // calls are forwarded to the broker process for handling.
  bool IsSyscallAllowed(int sysno) const;

  // Gets the signal-based BrokerClient created by Fork().
  syscall_broker::BrokerClient* GetBrokerClientSignalBased() const {
    return broker_client_.get();
  }

 private:
  friend class BrokerProcessTestHelper;
  friend class HandleFilesystemViaBrokerPolicy;

  // IsSyscallBrokerable() answers the same question as IsSyscallAllowed(),
  // but takes |fast_check| as a parameter. If |fast_check| is false, do not
  // check |policy_->allowed_command_set| before returning true for a syscall
  // that is brokerable.
  bool IsSyscallBrokerable(int sysno, bool fast_check) const;

  // Close the IPC channel with the other party. This should only be used
  // by tests and none of the class methods should be used afterwards.
  void CloseChannel();

  // Forks the signal-based broker, where syscall emulation is performed using
  // signals in the sandboxed process that connect to the broker via Unix
  // socket.
  bool ForkSignalBasedBroker(BrokerSideCallback broker_process_init_callback);

  // Variables initialized by the constructor.
  std::optional<BrokerSandboxConfig>
      policy_;  // Can also be created by SendPolicy().
  const BrokerType broker_type_;
  const bool fast_check_in_client_;
  const bool quiet_failures_for_tests_;

  bool initialized_ = false;  // Whether we've been through Fork() yet.
  pid_t broker_pid_ = -1;  // The PID of the broker (child) created in Fork().

  // Created in the parent process.
  std::unique_ptr<syscall_broker::BrokerClient> broker_client_;
};

}  // namespace syscall_broker

}  // namespace sandbox

#endif  // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_PROCESS_H_