Broker readlink system call subject to read permissions.

This allows the readlink call to trap into a broker process rather
than being denied inside a sandbox.

Bug: 715679
Change-Id: Id03f45b298ba3c09de9a9b8ac3afc93a368bb4d5
Reviewed-on: https://chromium-review.googlesource.com/795012Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#520996}

sandbox/linux/syscall_broker/broker_client.cc

@@ -229,5 +229,50 @@ int BrokerClient::Rename(const char* oldpath, const char* newpath) {
   return return_value;
 }
 
+int BrokerClient::Readlink(const char* path, char* buf, size_t bufsize) {
+  if (fast_check_in_client_) {
+    bool ignore;
+    if (!broker_policy_.GetFileNameIfAllowedToOpen(path, O_RDONLY, nullptr,
+                                                   &ignore)) {
+      return -broker_policy_.denied_errno();
+    }
+  }
+
+  base::Pickle write_pickle;
+  write_pickle.WriteInt(COMMAND_READLINK);
+  write_pickle.WriteString(path);
+  RAW_CHECK(write_pickle.size() <= kMaxMessageLength);
+
+  int returned_fd = -1;
+  uint8_t reply_buf[kMaxMessageLength];
+  ssize_t msg_len = base::UnixDomainSocket::SendRecvMsg(
+      ipc_channel_.get(), reply_buf, sizeof(reply_buf), &returned_fd,
+      write_pickle);
+
+  if (msg_len <= 0) {
+    if (!quiet_failures_for_tests_)
+      RAW_LOG(ERROR, "Could not make request to broker process");
+    return -ENOMEM;
+  }
+
+  base::Pickle read_pickle(reinterpret_cast<char*>(reply_buf), msg_len);
+  base::PickleIterator iter(read_pickle);
+  int return_value = -1;
+  int return_length = 0;
+  const char* return_data = nullptr;
+  if (!iter.ReadInt(&return_value))
+    return -ENOMEM;
+  if (return_value < 0)
+    return return_value;
+  if (!iter.ReadData(&return_data, &return_length))
+    return -ENOMEM;
+  if (return_length < 0)
+    return -ENOMEM;
+  if (static_cast<size_t>(return_length) > bufsize)
+    return -ENAMETOOLONG;
+  memcpy(buf, return_data, return_length);
+  return return_value;
+}
+
 }  // namespace syscall_broker
 }  // namespace sandbox

sandbox/linux/syscall_broker/broker_client.h

@@ -65,6 +65,9 @@ class BrokerClient {
   // This is async signal safe.
   int Rename(const char* oldpath, const char* newpath);
 
+  // Can be used in place of Readlink().
+  int Readlink(const char* path, char* buf, size_t bufsize);
+
   // Get the file descriptor used for IPC. This is used for tests.
   int GetIPCDescriptor() const { return ipc_channel_.get(); }
 

sandbox/linux/syscall_broker/broker_common.h

@@ -9,7 +9,6 @@
 #include <stddef.h>
 
 namespace sandbox {
-
 namespace syscall_broker {
 
 const size_t kMaxMessageLength = 4096;
@@ -35,10 +34,10 @@ enum IPCCommand {
   COMMAND_STAT,
   COMMAND_STAT64,
   COMMAND_RENAME,
+  COMMAND_READLINK,
 };
 
 }  // namespace syscall_broker
-
 }  // namespace sandbox
 
 #endif  // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_COMMON_H_

sandbox/linux/syscall_broker/broker_host.cc

@@ -6,6 +6,7 @@
 
 #include <errno.h>
 #include <fcntl.h>
+#include <limits.h>
 #include <stddef.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
@@ -110,7 +111,6 @@ void StatFileForIPC(const BrokerPolicy& policy,
                     IPCCommand command_type,
                     const std::string& requested_filename,
                     base::Pickle* write_pickle) {
-  DCHECK(write_pickle);
   DCHECK(command_type == COMMAND_STAT || command_type == COMMAND_STAT64);
   const char* file_to_access = nullptr;
   if (!policy.GetFileNameIfAllowedToAccess(requested_filename.c_str(), F_OK,
@@ -143,7 +143,6 @@ void RenameFileForIPC(const BrokerPolicy& policy,
                       const std::string& old_filename,
                       const std::string& new_filename,
                       base::Pickle* write_pickle) {
-  DCHECK(write_pickle);
   bool ignore;
   const char* old_file_to_access = nullptr;
   const char* new_file_to_access = nullptr;
@@ -161,6 +160,27 @@ void RenameFileForIPC(const BrokerPolicy& policy,
   write_pickle->WriteInt(0);
 }
 
+// Perform readlink(2) on |filename| using a buffer of MAX_PATH bytes.
+void ReadlinkFileForIPC(const BrokerPolicy& policy,
+                        const std::string& filename,
+                        base::Pickle* write_pickle) {
+  bool ignore;
+  const char* file_to_access = nullptr;
+  if (!policy.GetFileNameIfAllowedToOpen(filename.c_str(), O_RDONLY,
+                                         &file_to_access, &ignore)) {
+    write_pickle->WriteInt(-policy.denied_errno());
+    return;
+  }
+  char buf[PATH_MAX];
+  ssize_t result = readlink(file_to_access, buf, sizeof(buf));
+  if (result < 0) {
+    write_pickle->WriteInt(-errno);
+    return;
+  }
+  write_pickle->WriteInt(result);
+  write_pickle->WriteData(buf, result);
+}
+
 // Handle a |command_type| request contained in |iter| and write the reply
 // to |write_pickle|, adding any files opened to |opened_files|.
 bool HandleRemoteCommand(const BrokerPolicy& policy,
@@ -206,6 +226,13 @@ bool HandleRemoteCommand(const BrokerPolicy& policy,
       RenameFileForIPC(policy, old_filename, new_filename, write_pickle);
       break;
     }
+    case COMMAND_READLINK: {
+      std::string filename;
+      if (!iter.ReadString(&filename))
+        return false;
+      ReadlinkFileForIPC(policy, filename, write_pickle);
+      break;
+    }
     default:
       LOG(ERROR) << "Invalid IPC command";
       return false;

sandbox/linux/syscall_broker/broker_process.cc

@@ -129,6 +129,11 @@ int BrokerProcess::Rename(const char* oldpath, const char* newpath) const {
   return broker_client_->Rename(oldpath, newpath);
 }
 
+int BrokerProcess::Readlink(const char* path, char* buf, size_t bufsize) const {
+  RAW_CHECK(initialized_);
+  return broker_client_->Readlink(path, buf, bufsize);
+}
+
 #if defined(MEMORY_SANITIZER)
 #define BROKER_UNPOISON_STRING(x) __msan_unpoison_string(x)
 #else
@@ -196,6 +201,22 @@ intptr_t BrokerProcess::SIGSYS_Handler(const sandbox::arch_seccomp_data& args,
       return broker_process->Stat(reinterpret_cast<const char*>(args.args[1]),
                                   reinterpret_cast<struct stat*>(args.args[2]));
 #endif
+#if defined(__NR_readlink)
+    case __NR_readlink:
+      return broker_process->Readlink(
+          reinterpret_cast<const char*>(args.args[0]),
+          reinterpret_cast<char*>(args.args[1]),
+          static_cast<size_t>(args.args[2]));
+#endif
+#if defined(__NR_readlinkat)
+    case __NR_readlinkat:
+      if (static_cast<int>(args.args[0]) != AT_FDCWD)
+        return -EPERM;
+      return broker_process->Readlink(
+          reinterpret_cast<const char*>(args.args[1]),
+          reinterpret_cast<char*>(args.args[2]),
+          static_cast<size_t>(args.args[3]));
+#endif
 #if defined(__NR_rename)
     case __NR_rename:
       return broker_process->Rename(

sandbox/linux/syscall_broker/broker_process.h

@@ -83,6 +83,10 @@ class SANDBOX_EXPORT BrokerProcess {
   // It's similar to the rename() system call and will return -errno on errors.
   int Rename(const char* oldpath, const char* newpath) const;
 
+  // Can be used in place of readlink(). Will be async signal safe.
+  // It's similar to the read() system call and will return -errno on errors.
+  int Readlink(const char* path, char* buf, size_t bufsize) const;
+
   int broker_pid() const { return broker_pid_; }
 
   // Handler to be used with a bpf_dsl Trap() function to forward system calls