sandbox: Initialize sanitizer library for sandbox if using_sanitizer is set.

This variable is set to true in the build system if a sanitizer runtime is being linked. Since these are the exact circumstances in which we need to initialize the runtime library for sandboxing, have the sandbox initialization be controlled by this variable. This fixes an issue where we were failing to initialize the runtime for sandboxing if CFI diagnostics are enabled. Bug: 793560 Change-Id: I0c2fb922d2debe39a9bd0d6cc8ebf1b440e3ed63 Reviewed-on: https://chromium-review.googlesource.com/820450Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Peter Collingbourne <pcc@chromium.org> Cr-Commit-Position: refs/heads/master@{#523202}

sandbox: Initialize sanitizer library for sandbox if using_sanitizer is set.
This variable is set to true in the build system if a sanitizer runtime is being linked. Since these are the exact circumstances in which we need to initialize the runtime library for sandboxing, have the sandbox initialization be controlled by this variable. This fixes an issue where we were failing to initialize the runtime for sandboxing if CFI diagnostics are enabled. Bug: 793560 Change-Id: I0c2fb922d2debe39a9bd0d6cc8ebf1b440e3ed63 Reviewed-on: https://chromium-review.googlesource.com/820450Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Peter Collingbourne <pcc@chromium.org> Cr-Commit-Position: refs/heads/master@{#523202}
edde8283 · Peter Collingbourne · Commit Bot · f0f46772 · edde8283 · edde8283
Commit edde8283 authored Dec 11, 2017 by Peter Collingbourne Committed by Commit Bot Dec 11, 2017
3 changed files
--- a/services/service_manager/sandbox/BUILD.gn
+++ b/services/service_manager/sandbox/BUILD.gn
@@ -2,6 +2,9 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
+import("//build/buildflag_header.gni")
+import("//build/config/sanitizers/sanitizers.gni")
 component("sandbox") {
  sources = [
    "export.h",
@@ -21,6 +24,7 @@ component("sandbox") {
    "//services/service_manager/embedder:embedder_switches",
  ]
  deps = [
+    ":sanitizer_flags",
    "//base",
  ]
  if (is_linux) {
@@ -86,3 +90,8 @@ component("sandbox") {
    deps += [ "//sandbox/win:sandbox" ]
  }
 }
+buildflag_header("sanitizer_flags") {
+  header = "sanitizer_flags.h"
+  flags = [ "USING_SANITIZER=$using_sanitizer" ]
+}
--- a/services/service_manager/sandbox/linux/sandbox_linux.cc
+++ b/services/service_manager/sandbox/linux/sandbox_linux.cc
@@ -49,7 +49,7 @@
 #include "services/service_manager/sandbox/sandbox_type.h"
 #include "services/service_manager/sandbox/switches.h"
-#if defined(ANY_OF_AMTLU_SANITIZER)
+#if BUILDFLAG(USING_SANITIZER)
 #include <sanitizer/common_interface_defs.h>
 #endif
@@ -136,7 +136,7 @@ SandboxLinux::SandboxLinux()
  if (!setuid_sandbox_client_) {
    LOG(FATAL) << "Failed to instantiate the setuid sandbox client.";
  }
-#if defined(ANY_OF_AMTLU_SANITIZER)
+#if BUILDFLAG(USING_SANITIZER)
  sanitizer_args_ = std::make_unique<__sanitizer_sandbox_arguments>();
  *sanitizer_args_ = {0};
 #endif
@@ -157,7 +157,7 @@ SandboxLinux* SandboxLinux::GetInstance() {
 void SandboxLinux::PreinitializeSandbox() {
  CHECK(!pre_initialized_);
  seccomp_bpf_supported_ = false;
-#if defined(ANY_OF_AMTLU_SANITIZER)
+#if BUILDFLAG(USING_SANITIZER)
  // Sanitizers need to open some resources before the sandbox is enabled.
  // This should not fork, not launch threads, not open a directory.
  __sanitizer_sandbox_on_notify(sanitizer_args());
@@ -411,7 +411,8 @@ bool SandboxLinux::seccomp_bpf_with_tsync_supported() const {
 bool SandboxLinux::LimitAddressSpace(const std::string& process_type,
                                     const Options& options) {
-#if !defined(ANY_OF_AMTLU_SANITIZER)
+#if !defined(ADDRESS_SANITIZER) && !defined(MEMORY_SANITIZER) && \
+    !defined(THREAD_SANITIZER) && !defined(LEAK_SANITIZER)
  base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
  if (SandboxTypeFromCommandLine(*command_line) == SANDBOX_TYPE_NO_SANDBOX) {
    return false;
@@ -475,7 +476,7 @@ bool SandboxLinux::LimitAddressSpace(const std::string& process_type,
  base::SysInfo::AmountOfVirtualMemory();
  return false;
 #endif  // !defined(ADDRESS_SANITIZER) && !defined(MEMORY_SANITIZER) &&
-        // !defined(THREAD_SANITIZER)
+        // !defined(THREAD_SANITIZER) && !defined(LEAK_SANITIZER)
 }
 void SandboxLinux::StartBrokerProcess(

--- a/services/service_manager/sandbox/linux/sandbox_linux.h
+++ b/services/service_manager/sandbox/linux/sandbox_linux.h
@@ -17,12 +17,10 @@
 #include "services/service_manager/sandbox/export.h"
 #include "services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.h"
 #include "services/service_manager/sandbox/sandbox_type.h"
+#include "services/service_manager/sandbox/sanitizer_flags.h"
-#if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \
+#if BUILDFLAG(USING_SANITIZER)
-    defined(THREAD_SANITIZER) || defined(LEAK_SANITIZER) ||    \
-    defined(UNDEFINED_SANITIZER) || defined(SANITIZER_COVERAGE)
 #include <sanitizer/common_interface_defs.h>
-#define ANY_OF_AMTLU_SANITIZER 1
 #endif
 namespace base {
@@ -189,7 +187,7 @@ class SERVICE_MANAGER_SANDBOX_EXPORT SandboxLinux {
    return proc_fd_;
  }
-#if defined(ANY_OF_AMTLU_SANITIZER)
+#if BUILDFLAG(USING_SANITIZER)
  __sanitizer_sandbox_arguments* sanitizer_args() const {
    return sanitizer_args_.get();
  };
@@ -260,7 +258,7 @@ class SERVICE_MANAGER_SANDBOX_EXPORT SandboxLinux {
  bool yama_is_enforcing_;                 // Accurate if pre_initialized_.
  bool initialize_sandbox_ran_;            // InitializeSandbox() was called.
  std::unique_ptr<sandbox::SetuidSandboxClient> setuid_sandbox_client_;
-#if defined(ANY_OF_AMTLU_SANITIZER)
+#if BUILDFLAG(USING_SANITIZER)
  std::unique_ptr<__sanitizer_sandbox_arguments> sanitizer_args_;
 #endif
  sandbox::syscall_broker::BrokerProcess* broker_process_;  // Leaked as global.