1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "sandbox/linux/syscall_broker/broker_policy.h"
14 #include "base/logging.h"
15 #include "sandbox/linux/syscall_broker/broker_common.h"
18 namespace syscall_broker {
22 // We maintain a list of flags that have been reviewed for "sanity" and that
23 // we're ok to allow in the broker.
24 // I.e. here is where we wouldn't add O_RESET_FILE_SYSTEM.
25 bool IsAllowedOpenFlags(int flags) {
26 // First, check the access mode.
27 const int access_mode = flags & O_ACCMODE;
28 if (access_mode != O_RDONLY && access_mode != O_WRONLY &&
29 access_mode != O_RDWR) {
33 // We only support a 2-parameters open, so we forbid O_CREAT.
34 if (flags & O_CREAT) {
38 // Some flags affect the behavior of the current process. We don't support
39 // them and don't allow them for now.
40 if (flags & kCurrentProcessOpenFlagsMask)
43 // Now check that all the flags are known to us.
44 const int creation_and_status_flags = flags & ~O_ACCMODE;
46 const int known_flags = O_APPEND | O_ASYNC | O_CLOEXEC | O_CREAT | O_DIRECT |
47 O_DIRECTORY | O_EXCL | O_LARGEFILE | O_NOATIME |
48 O_NOCTTY | O_NOFOLLOW | O_NONBLOCK | O_NDELAY |
51 const int unknown_flags = ~known_flags;
52 const bool has_unknown_flags = creation_and_status_flags & unknown_flags;
53 return !has_unknown_flags;
56 // Needs to be async signal safe if |file_to_open| is NULL.
57 // TODO(jln): assert signal safety.
58 bool GetFileNameInWhitelist(const std::vector<std::string>& allowed_file_names,
59 const char* requested_filename,
60 const char** file_to_open) {
61 if (file_to_open && *file_to_open) {
62 // Make sure that callers never pass a non-empty string. In case callers
63 // wrongly forget to check the return value and look at the string
64 // instead, this could catch bugs.
65 RAW_LOG(FATAL, "*file_to_open should be NULL");
69 // Look for |requested_filename| in |allowed_file_names|.
70 // We don't use ::find() because it takes a std::string and
71 // the conversion allocates memory.
72 for (const auto& allowed_file_name : allowed_file_names) {
73 if (strcmp(requested_filename, allowed_file_name.c_str()) == 0) {
75 *file_to_open = allowed_file_name.c_str();
84 BrokerPolicy::BrokerPolicy(int denied_errno,
85 const std::vector<std::string>& allowed_r_files,
86 const std::vector<std::string>& allowed_w_files)
87 : denied_errno_(denied_errno),
88 allowed_r_files_(allowed_r_files),
89 allowed_w_files_(allowed_w_files) {
92 BrokerPolicy::~BrokerPolicy() {
95 // Check if calling access() should be allowed on |requested_filename| with
96 // mode |requested_mode|.
97 // Note: access() being a system call to check permissions, this can get a bit
98 // confusing. We're checking if calling access() should even be allowed with
99 // the same policy we would use for open().
100 // If |file_to_access| is not NULL, we will return the matching pointer from
101 // the whitelist. For paranoia a caller should then use |file_to_access|. See
102 // GetFileNameIfAllowedToOpen() for more explanation.
103 // return true if calling access() on this file should be allowed, false
105 // Async signal safe if and only if |file_to_access| is NULL.
106 bool BrokerPolicy::GetFileNameIfAllowedToAccess(
107 const char* requested_filename,
109 const char** file_to_access) const {
110 // First, check if |requested_mode| is existence, ability to read or ability
111 // to write. We do not support X_OK.
112 if (requested_mode != F_OK && requested_mode & ~(R_OK | W_OK)) {
115 switch (requested_mode) {
117 // We allow to check for file existence if we can either read or write.
118 return GetFileNameInWhitelist(
119 allowed_r_files_, requested_filename, file_to_access) ||
120 GetFileNameInWhitelist(
121 allowed_w_files_, requested_filename, file_to_access);
123 return GetFileNameInWhitelist(
124 allowed_r_files_, requested_filename, file_to_access);
126 return GetFileNameInWhitelist(
127 allowed_w_files_, requested_filename, file_to_access);
129 bool allowed_for_read_and_write =
130 GetFileNameInWhitelist(allowed_r_files_, requested_filename, NULL) &&
131 GetFileNameInWhitelist(
132 allowed_w_files_, requested_filename, file_to_access);
133 return allowed_for_read_and_write;
140 // Check if |requested_filename| can be opened with flags |requested_flags|.
141 // If |file_to_open| is not NULL, we will return the matching pointer from the
142 // whitelist. For paranoia, a caller should then use |file_to_open| rather
143 // than |requested_filename|, so that it never attempts to open an
144 // attacker-controlled file name, even if an attacker managed to fool the
145 // string comparison mechanism.
146 // Return true if opening should be allowed, false otherwise.
147 // Async signal safe if and only if |file_to_open| is NULL.
148 bool BrokerPolicy::GetFileNameIfAllowedToOpen(const char* requested_filename,
150 const char** file_to_open) const {
151 if (!IsAllowedOpenFlags(requested_flags)) {
154 switch (requested_flags & O_ACCMODE) {
156 return GetFileNameInWhitelist(
157 allowed_r_files_, requested_filename, file_to_open);
159 return GetFileNameInWhitelist(
160 allowed_w_files_, requested_filename, file_to_open);
162 bool allowed_for_read_and_write =
163 GetFileNameInWhitelist(allowed_r_files_, requested_filename, NULL) &&
164 GetFileNameInWhitelist(
165 allowed_w_files_, requested_filename, file_to_open);
166 return allowed_for_read_and_write;
173 } // namespace syscall_broker
175 } // namespace sandbox