Preload decoder DSO before engaging the sandbox

Due to an upcoming change in glibc, we won't be able to support
dlopening after engaging the sandbox unless a very new kernel.

So we preload the libimedecoder in the sandbox hook and remove the
permissions of its shared library dependencies from the sandbox.


TEST=builds and run on vm.

Bug: 837156
Change-Id: I64bcb651c055553390785d8cb1eaa2e516157a3b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2423826Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Commit-Queue: Leo Zhang <googleo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#810065}

chromeos/services/ime/constants.cc

@@ -24,6 +24,7 @@ const base::FilePath::CharType kSharedInputMethodsDirPath[] =
     FILE_PATH_LITERAL("/home/chronos/" IME_DIR_STRING);
 const base::FilePath::CharType kLanguageDataDirName[] =
     FILE_PATH_LITERAL("google");
+const char kCrosImeDecoderLib[] = "libimedecoder.so";
 #else
 // IME service does not support third-party IME yet, so the paths below kind
 // of act like a placeholder. In the future, put some well-designed paths here.
@@ -35,6 +36,8 @@ const base::FilePath::CharType kSharedInputMethodsDirPath[] =
     FILE_PATH_LITERAL("/tmp/" IME_DIR_STRING);
 const base::FilePath::CharType kLanguageDataDirName[] =
     FILE_PATH_LITERAL("data");
+// IME service does not support third-party IME decoder yet.
+const char kCrosImeDecoderLib[] = "";
 #endif
 
 const char kGoogleKeyboardDownloadDomain[] = "dl.google.com";

chromeos/services/ime/constants.h

@@ -44,6 +44,10 @@ extern const base::FilePath::CharType kLanguageDataDirName[];
 // The domain of Google Keyboard language dictionary download URL.
 COMPONENT_EXPORT(CHROMEOS_IME_CONSTANTS)
 extern const char kGoogleKeyboardDownloadDomain[];
+
+// The name of ChromeOS IME decoder shared Library.
+COMPONENT_EXPORT(CHROMEOS_IME_CONSTANTS)
+extern const char kCrosImeDecoderLib[];
 }  // namespace ime
 }  // namespace chromeos
 

chromeos/services/ime/decoder/decoder_engine.cc

@@ -7,7 +7,6 @@
 #include "base/bind_helpers.h"
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
-#include "build/buildflag.h"
 #include "chromeos/services/ime/constants.h"
 #include "chromeos/services/ime/public/cpp/buildflags.h"
 #include "chromeos/services/ime/public/proto/messages.pb.h"
@@ -20,13 +19,6 @@ namespace {
 // Whether to create a fake main entry.
 bool g_fake_main_entry_for_testing = false;
 
-#if BUILDFLAG(ENABLE_CROS_IME_SANITY_TEST_SO)
-// This is for development purposes only.
-const char kDecoderLibName[] = "imesanitytest";
-#else
-const char kDecoderLibName[] = "imedecoder";
-#endif
-
 // A client delegate that makes calls on client side.
 class ClientDelegate : public ImeClientDelegate {
  public:
@@ -79,7 +71,7 @@ void FakeEngineMainEntryForTesting() {
 
 DecoderEngine::DecoderEngine(ImeCrosPlatform* platform) : platform_(platform) {
   if (g_fake_main_entry_for_testing) {
-    // TODO(b/156897880): Impl the fake main entry.
+    // TODO(b/156897880): Add a fake main entry.
   } else {
     if (!TryLoadDecoder()) {
       LOG(ERROR) << "DecoderEngine INIT FAILED!";
@@ -93,8 +85,8 @@ bool DecoderEngine::TryLoadDecoder() {
   if (engine_main_entry_)
     return true;
 
-  // Load the decoder library.
-  base::FilePath lib_path(base::GetNativeLibraryName(kDecoderLibName));
+  // Load the decoder whose DSO has been preloaded before sandbox is engaged.
+  base::FilePath lib_path(kCrosImeDecoderLib);
   library_ = base::ScopedNativeLibrary(lib_path);
 
   if (!library_.is_valid()) {

chromeos/services/ime/ime_sandbox_hook.cc

@@ -4,6 +4,7 @@
 
 #include "chromeos/services/ime/ime_sandbox_hook.h"
 
+#include <dlfcn.h>
 #include <vector>
 
 #include "base/files/file_path.h"
@@ -31,22 +32,11 @@ inline constexpr bool CrosImeSharedDataEnabled() {
 #endif
 }
 
-void AddSharedLibraryAndDepsPath(
-    std::vector<BrokerFilePermission>* permissions) {
-  // Where IME decoder shared library and its dependencies will live.
-  static const char* kReadOnlyLibDirs[] =
-#if defined(__x86_64__) || defined(__aarch64__)
-      {"/usr/lib64", "/lib64"};
-#else
-      {"/usr/lib", "/lib"};
-#endif
+constexpr int dlopen_flag = RTLD_LAZY | RTLD_NODELETE;
 
-  for (const char* dir : kReadOnlyLibDirs) {
-    std::string path(dir);
-    permissions->push_back(
-        BrokerFilePermission::StatOnlyWithIntermediateDirs(path));
-    permissions->push_back(BrokerFilePermission::ReadOnlyRecursive(path + "/"));
-  }
+void PreloadSharedLibrary() {
+  if (!dlopen(kCrosImeDecoderLib, dlopen_flag))
+    LOG(ERROR) << "Unable to open " << kCrosImeDecoderLib << " : " << dlerror();
 }
 
 void AddBundleFolder(std::vector<BrokerFilePermission>* permissions) {
@@ -93,7 +83,7 @@ std::vector<BrokerFilePermission> GetImeFilePermissions() {
       BrokerFilePermission::ReadOnly("/dev/urandom"),
       BrokerFilePermission::ReadOnly("/sys/devices/system/cpu")};
 
-  AddSharedLibraryAndDepsPath(&permissions);
+  PreloadSharedLibrary();
   AddBundleFolder(&permissions);
   AddUserDataFolder(&permissions);
   AddSharedDataFolderIfEnabled(&permissions);

chromeos/services/ime/public/cpp/BUILD.gn

@@ -10,10 +10,7 @@ import("//third_party/libprotobuf-mutator/fuzzable_proto_library.gni")
 buildflag_header("buildflags") {
   header = "buildflags.h"
 
-  flags = [
-    "ENABLE_CROS_IME_SHARED_DATA=$enable_cros_ime_shared_data",
-    "ENABLE_CROS_IME_SANITY_TEST_SO=$enable_cros_ime_sanity_test_so",
-  ]
+  flags = [ "ENABLE_CROS_IME_SHARED_DATA=$enable_cros_ime_shared_data" ]
 }
 
 source_set("rulebased") {

chromeos/services/ime/public/features.gni

@@ -5,8 +5,4 @@
 declare_args() {
   # Enable share language modules between IME services.
   enable_cros_ime_shared_data = false
-
-  # Enable to load a shared library for sanity tests only.
-  # This is for debugging purposes only.
-  enable_cros_ime_sanity_test_so = false
 }