Add clock_gettime for "ime" sandbox.

After some attempts of loading our shared library in IME service with an ime-sandbox type, new process of IME service always crashed. strace logging: https://paste.googleplex.com/4705028050780160 Allow clock_gettime will fix that. Bug: 837156 Change-Id: I4e6bf7a777f57ef8f5184be8c60a59bd2fd7e163 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1677295Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Commit-Queue: Leo Zhang <googleo@chromium.org> Auto-Submit: Leo Zhang <googleo@chromium.org> Cr-Commit-Position: refs/heads/master@{#680293}

Add clock_gettime for "ime" sandbox.
After some attempts of loading our shared library in IME service with an ime-sandbox type, new process of IME service always crashed. strace logging: https://paste.googleplex.com/4705028050780160 Allow clock_gettime will fix that. Bug: 837156 Change-Id: I4e6bf7a777f57ef8f5184be8c60a59bd2fd7e163 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1677295Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Commit-Queue: Leo Zhang <googleo@chromium.org> Auto-Submit: Leo Zhang <googleo@chromium.org> Cr-Commit-Position: refs/heads/master@{#680293}
b1015468 · Leo Zhang · Commit Bot · 9187ac70 · b1015468 · b1015468
Commit b1015468 authored Jul 24, 2019 by Leo Zhang Committed by Commit Bot Jul 24, 2019
Showing with 29 additions and 20 deletions

chromeos/services/ime/ime_sandbox_hook.cc chromeos/services/ime/ime_sandbox_hook.cc +24 -18

services/service_manager/sandbox/linux/bpf_ime_policy_linux.cc ...ces/service_manager/sandbox/linux/bpf_ime_policy_linux.cc +5 -2

No files found.
--- a/chromeos/services/ime/ime_sandbox_hook.cc
+++ b/chromeos/services/ime/ime_sandbox_hook.cc
@@ -21,8 +21,6 @@ namespace ime {

 namespace {

-// The name of an IME decoder shared library.
-const char kLibImeDecoderName[] = "libimedecoder.so";
 // The path of input tools relative folder, which contains some 'pre-bundled'
 // static language dictionaries.
 const char kInputToolsBundleFolder[] = "input_methods/input_tools";
@@ -43,15 +41,6 @@ bool CreateFolderIfNotExist(const char* dir) {
  return base::CreateDirectory(path);
 }

-// This is where IME decoder shared library will be put.
-base::FilePath GetLibFolder() {
-#if defined(__x86_64__) || defined(__aarch64__)
-  return base::FilePath("/usr/lib64");
-#else
-  return base::FilePath("/usr/lib");
-#endif
-}
-
 // Whether IME instance shares a same language data path with each other.
 inline constexpr bool CrosImeSharedDataEnabled() {
 #if BUILDFLAG(ENABLE_CROS_IME_SHARED_DATA)
@@ -66,9 +55,22 @@ base::FilePath GetChromeOSAssetFolder() {
  return base::FilePath("/usr/share/chromeos-assets");
 }

-void AddDecoderPath(std::vector<BrokerFilePermission>* permissions) {
-  base::FilePath lib_path = GetLibFolder().AppendASCII(kLibImeDecoderName);
-  permissions->push_back(BrokerFilePermission::ReadOnly(lib_path.value()));
+void AddSharedLibraryAndDepsPath(
+    std::vector<BrokerFilePermission>* permissions) {
+  // Where IME decoder shared library and its dependencies will live.
+  static const char* kReadOnlyLibDirs[] =
+#if defined(__x86_64__) || defined(__aarch64__)
+      {"/usr/lib64", "/lib64"};
+#else
+      {"/usr/lib", "/lib"};
+#endif
+
+  for (const char* dir : kReadOnlyLibDirs) {
+    std::string path(dir);
+    permissions->push_back(
+        BrokerFilePermission::StatOnlyWithIntermediateDirs(path));
+    permissions->push_back(BrokerFilePermission::ReadOnlyRecursive(path + "/"));
+  }
 }

 void AddBundleFolder(std::vector<BrokerFilePermission>* permissions) {
@@ -98,10 +100,11 @@ void AddUserDataFolder(std::vector<BrokerFilePermission>* permissions) {
  // user dictionary can not be saved.
  bool success = CreateFolderIfNotExist(kUserHomePath);
  if (!success) {
-    LOG(WARNING) << "Unable to create ime folder under user profile folder";
+    LOG(WARNING) << "Unable to create IME folder under user profile folder";
+    return;
  }
-  // Still need to push this path, otherwise process will crash directly when
-  // decoder tries to access this folder.
+  // Push this path, otherwise process will crash directly when IME decoder
+  // tries to access this folder.
  permissions->push_back(
      BrokerFilePermission::ReadWriteCreateRecursive(kUserHomePath));
 }
@@ -111,7 +114,8 @@ std::vector<BrokerFilePermission> GetImeFilePermissions() {
  std::vector<BrokerFilePermission> permissions{
      BrokerFilePermission::ReadOnly("/dev/urandom"),
      BrokerFilePermission::ReadOnly("/sys/devices/system/cpu")};
-  AddDecoderPath(&permissions);
+
+  AddSharedLibraryAndDepsPath(&permissions);
  AddBundleFolder(&permissions);
  AddUserDataFolder(&permissions);
  AddSharedDataFolderIfEnabled(&permissions);
@@ -123,9 +127,11 @@ std::vector<BrokerFilePermission> GetImeFilePermissions() {
 bool ImePreSandboxHook(service_manager::SandboxLinux::Options options) {
  auto* instance = service_manager::SandboxLinux::GetInstance();
  instance->StartBrokerProcess(MakeBrokerCommandSet({
+                                   sandbox::syscall_broker::COMMAND_ACCESS,
                                   sandbox::syscall_broker::COMMAND_OPEN,
                                   sandbox::syscall_broker::COMMAND_MKDIR,
                                   sandbox::syscall_broker::COMMAND_STAT,
+                                   sandbox::syscall_broker::COMMAND_STAT64,
                                   sandbox::syscall_broker::COMMAND_RENAME,
                                   sandbox::syscall_broker::COMMAND_UNLINK,
                               }),

--- a/services/service_manager/sandbox/linux/bpf_ime_policy_linux.cc
+++ b/services/service_manager/sandbox/linux/bpf_ime_policy_linux.cc
@@ -18,14 +18,17 @@ using sandbox::syscall_broker::BrokerProcess;

 namespace service_manager {

-ImeProcessPolicy::ImeProcessPolicy() = default;
+ImeProcessPolicy::ImeProcessPolicy() {}

-ImeProcessPolicy::~ImeProcessPolicy() = default;
+ImeProcessPolicy::~ImeProcessPolicy() {}

 ResultExpr ImeProcessPolicy::EvaluateSyscall(int sysno) const {
  switch (sysno) {
 #if defined(__NR_uname)
    case __NR_uname:
+#endif
+#if defined(__NR_clock_gettime)
+    case __NR_clock_gettime:
 #endif
      return Allow();
    default: