1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
5 * You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "SandboxBrokerCommon.h"
8
9 #include "mozilla/Assertions.h"
10
11 #include <errno.h>
12 #include <sys/socket.h>
13 #include <sys/types.h>
14 #include <unistd.h>
15 #include <string.h>
16
17 #ifndef MSG_CMSG_CLOEXEC
18 # ifdef XP_LINUX
19 // As always, Android's kernel headers are somewhat old.
20 # define MSG_CMSG_CLOEXEC 0x40000000
21 # else
22 // Most of this code can support other POSIX OSes, but being able to
23 // receive fds and atomically make them close-on-exec is important,
24 // because this is running in a multithreaded process that can fork.
25 // In the future, if the broker becomes a dedicated executable, this
26 // can change.
27 # error "No MSG_CMSG_CLOEXEC?"
28 # endif // XP_LINUX
29 #endif // MSG_CMSG_CLOEXEC
30
31 namespace mozilla {
32
33 const char* SandboxBrokerCommon::OperationDescription[] = {
34 "open",
35 "access",
36 "stat",
37 "chmod",
38 "link",
39 "symlink",
40 "mkdir",
41 "rename",
42 "rmdir",
43 "unlink",
44 "readlink",
45 "connect",
46 "connect-abstract",
47 };
48
49 /* static */
RecvWithFd(int aFd,const iovec * aIO,size_t aNumIO,int * aPassedFdPtr)50 ssize_t SandboxBrokerCommon::RecvWithFd(int aFd, const iovec* aIO,
51 size_t aNumIO, int* aPassedFdPtr) {
52 struct msghdr msg = {};
53 msg.msg_iov = const_cast<iovec*>(aIO);
54 msg.msg_iovlen = aNumIO;
55
56 char cmsg_buf[CMSG_SPACE(sizeof(int))];
57 if (aPassedFdPtr) {
58 msg.msg_control = cmsg_buf;
59 msg.msg_controllen = sizeof(cmsg_buf);
60 *aPassedFdPtr = -1;
61 }
62
63 ssize_t rv;
64 do {
65 // MSG_CMSG_CLOEXEC is needed to prevent the parent process from
66 // accidentally leaking a copy of the child's response socket to a
67 // new child process. (The child won't be able to exec, so this
68 // doesn't matter as much for that direction.)
69 rv = recvmsg(aFd, &msg, MSG_CMSG_CLOEXEC);
70 } while (rv < 0 && errno == EINTR);
71
72 if (rv <= 0) {
73 return rv;
74 }
75 if (msg.msg_controllen > 0) {
76 MOZ_ASSERT(aPassedFdPtr);
77 struct cmsghdr* cmsg = CMSG_FIRSTHDR(&msg);
78 if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
79 int* fds = reinterpret_cast<int*>(CMSG_DATA(cmsg));
80 if (cmsg->cmsg_len != CMSG_LEN(sizeof(int))) {
81 // A client could, for example, send an extra 32-bit int if
82 // CMSG_SPACE pads to 64-bit size_t alignment. If so, treat
83 // it as an error, but also don't leak the fds.
84 for (size_t i = 0; CMSG_LEN(sizeof(int) * i) < cmsg->cmsg_len; ++i) {
85 close(fds[i]);
86 }
87 errno = EMSGSIZE;
88 return -1;
89 }
90 *aPassedFdPtr = fds[0];
91 } else {
92 errno = EPROTO;
93 return -1;
94 }
95 }
96 if (msg.msg_flags & (MSG_TRUNC | MSG_CTRUNC)) {
97 if (aPassedFdPtr && *aPassedFdPtr >= 0) {
98 close(*aPassedFdPtr);
99 *aPassedFdPtr = -1;
100 }
101 errno = EMSGSIZE;
102 return -1;
103 }
104
105 return rv;
106 }
107
108 /* static */
SendWithFd(int aFd,const iovec * aIO,size_t aNumIO,int aPassedFd)109 ssize_t SandboxBrokerCommon::SendWithFd(int aFd, const iovec* aIO,
110 size_t aNumIO, int aPassedFd) {
111 struct msghdr msg = {};
112 msg.msg_iov = const_cast<iovec*>(aIO);
113 msg.msg_iovlen = aNumIO;
114
115 char cmsg_buf[CMSG_SPACE(sizeof(int))];
116 memset(cmsg_buf, 0, sizeof(cmsg_buf));
117 if (aPassedFd != -1) {
118 msg.msg_control = cmsg_buf;
119 msg.msg_controllen = sizeof(cmsg_buf);
120 struct cmsghdr* cmsg = CMSG_FIRSTHDR(&msg);
121 cmsg->cmsg_level = SOL_SOCKET;
122 cmsg->cmsg_type = SCM_RIGHTS;
123 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
124 *reinterpret_cast<int*>(CMSG_DATA(cmsg)) = aPassedFd;
125 }
126
127 ssize_t rv;
128 do {
129 rv = sendmsg(aFd, &msg, MSG_NOSIGNAL);
130 } while (rv < 0 && errno == EINTR);
131
132 return rv;
133 }
134
135 } // namespace mozilla
136