debugd/src/crash_sender_tool.cc - mirrors/cros/chromiumos/platform2 - Git at Google

 // Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "debugd/src/crash_sender_tool.h"

 #include <fcntl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>

 #include <memory>

 #include <base/files/file.h>
 #include <base/files/file_util.h>
 #include <base/files/scoped_temp_dir.h>
 #include <base/strings/string_number_conversions.h>
 #include <brillo/dbus/exported_property_set.h>

 #include "debugd/src/error_utils.h"
 #include "debugd/src/process_with_id.h"

 namespace debugd {
 namespace {
 constexpr char kErrorIOError[] = "org.chromium.debugd.error.IOError";
 }  // namespace

 constexpr char CrashSenderTool::kErrorBadFileName[];

 void CrashSenderTool::UploadCrashes() {
   RunCrashSender(false /* ignore_hold_off_time */,
                  base::FilePath("") /* crash_directory */);
 }

 bool CrashSenderTool::UploadSingleCrash(
     const std::vector<std::tuple<std::string, base::ScopedFD>>& in_files,
     brillo::ErrorPtr* error) {
   // debugd runs in a non-root mount namespace and mounts a new tmpfs on /tmp
   // inside the namespace, so this should be invisible to all other processes
   // and not written to disk.
   //
   // *It is a privacy violation* if these files are visible to non-root
   // processes or are written unencrypted to disk!
   base::FilePath crash_directory("/tmp/crash");
   crash_directory = crash_directory.AddExtension(
       base::NumberToString(next_crash_directory_id_));
   next_crash_directory_id_++;

   // We need to be sure to clean up the tmp directory to avoid leaking
   // resources.
   base::ScopedTempDir crash_directory_holder;
   if (!crash_directory_holder.Set(crash_directory)) {
     DEBUGD_ADD_ERROR(error, kErrorIOError, "Create directory failed");
     return false;
   }

   for (const auto& in_file_tuple : in_files) {
     base::FilePath file_name(std::get<0>(in_file_tuple));
     const base::ScopedFD& file_descriptor = std::get<1>(in_file_tuple);

     // Sanitize file names to ensure a bad actor cannot ask us to write to
     // arbitrary files. crash_reporter should only send us the base file name,
     // so if it's not just a base file name, it's not from crash_reporter.
     // Also check for "..", "/", and "."
     if (file_name != file_name.BaseName() || file_name.ReferencesParent() ||
         file_name.IsAbsolute() ||
         file_name.value() == base::FilePath::kCurrentDirectory) {
       DEBUGD_ADD_ERROR(error, kErrorBadFileName, "Bad File Name");
       return false;
     }

     // Copy contents of file_descriptor to a new file named file_name inside
     // crash_directory.
     base::FilePath file_path = crash_directory.Append(file_name);
     base::File new_file(file_path,
                         base::File::FLAG_CREATE | base::File::FLAG_WRITE);
     if (!new_file.IsValid()) {
       LOG(WARNING) << "Error creating file " << file_path.value() << ": "
                    << base::File::ErrorToString(new_file.error_details());
       continue;
     }

     if (lseek(file_descriptor.get(), SEEK_SET, 0) == static_cast<off_t>(-1)) {
       PLOG(WARNING) << "lseek failed";
     }
     const int kBufferSize = 1 << 16;
     std::unique_ptr<char[]> buf(new char[kBufferSize]);
     ssize_t len;
     while ((len = HANDLE_EINTR(
                 read(file_descriptor.get(), buf.get(), kBufferSize))) > 0) {
       if (!new_file.WriteAtCurrentPos(buf.get(), len)) {
         LOG(WARNING) << "Error writing to file " << file_path.value() << ": "
                      << base::File::ErrorToString(new_file.error_details());
         break;
       }
     }

     if (len < 0) {
       PLOG(WARNING) << "Failed to read from passed file descriptor";
     }

     // Ensure data is visible to crash_sender.
     new_file.Flush();
   }

   // Since crash_sender jails itself, it won't actually see our /tmp/crash.###
   // directory. Instead, open the directory and pass the /proc path to the
   // directory file descriptor as the crash directory.
   base::ScopedFD crash_directory_fd(
       HANDLE_EINTR(open(crash_directory.value().c_str(), O_RDONLY)));
   if (!crash_directory_fd.is_valid()) {
     DEBUGD_ADD_ERROR(error, kErrorIOError, "Open directory failed");
     return false;
   }

   base::FilePath munged_crash_directory("/proc/self/fd");
   munged_crash_directory = munged_crash_directory.Append(
       base::NumberToString(crash_directory_fd.get()));

   const bool ignore_hold_off_time = true;  // We already flushed all the files.
   RunCrashSender(ignore_hold_off_time, munged_crash_directory);

   return true;
 }

 void CrashSenderTool::RunCrashSender(bool ignore_hold_off_time,
                                      const base::FilePath& crash_directory) {
   // 'crash_sender' requires accessing user mounts to upload user crashes.
   ProcessWithId* p =
       CreateProcess(false /* sandboxed */, true /* access_root_mount_ns */);
   p->AddArg("/sbin/crash_sender");
   // This is being invoked directly by the user. Override some of the limits
   // we normally use to avoid interfering with user tasks.
   p->AddArg("--max_spread_time=0");
   p->AddArg("--ignore_rate_limits");

   if (ignore_hold_off_time) {
     p->AddArg("--ignore_hold_off_time");
   }

   if (!crash_directory.empty()) {
     p->AddArg("--crash_directory=" + crash_directory.value());
   }

   if (test_mode_) {
     p->AddArg("--test_mode");
   }

   p->Run();
 }

 void CrashSenderTool::OnTestModeChanged(
     const brillo::dbus_utils::ExportedPropertyBase* test_mode_property) {
   const auto* property =
       dynamic_cast<const brillo::dbus_utils::ExportedProperty<bool>*>(
           test_mode_property);
   DCHECK(property);
   test_mode_ = property->value();
   LOG(INFO) << "CrashSenderTestMode set to " << std::boolalpha << test_mode_;
 }

 }  // namespace debugd
	// Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "debugd/src/crash_sender_tool.h"

	#include <fcntl.h>
	#include <sys/stat.h>
	#include <sys/types.h>
	#include <unistd.h>

	#include <memory>

	#include <base/files/file.h>
	#include <base/files/file_util.h>
	#include <base/files/scoped_temp_dir.h>
	#include <base/strings/string_number_conversions.h>
	#include <brillo/dbus/exported_property_set.h>

	#include "debugd/src/error_utils.h"
	#include "debugd/src/process_with_id.h"

	namespace debugd {
	namespace {
	constexpr char kErrorIOError[] = "org.chromium.debugd.error.IOError";
	} // namespace

	constexpr char CrashSenderTool::kErrorBadFileName[];

	void CrashSenderTool::UploadCrashes() {
	RunCrashSender(false /* ignore_hold_off_time */,
	base::FilePath("") /* crash_directory */);
	}

	bool CrashSenderTool::UploadSingleCrash(
	const std::vector<std::tuple<std::string, base::ScopedFD>>& in_files,
	brillo::ErrorPtr* error) {
	// debugd runs in a non-root mount namespace and mounts a new tmpfs on /tmp
	// inside the namespace, so this should be invisible to all other processes
	// and not written to disk.
	//
	// It is a privacy violation if these files are visible to non-root
	// processes or are written unencrypted to disk!
	base::FilePath crash_directory("/tmp/crash");
	crash_directory = crash_directory.AddExtension(
	base::NumberToString(next_crash_directory_id_));
	next_crash_directory_id_++;

	// We need to be sure to clean up the tmp directory to avoid leaking
	// resources.
	base::ScopedTempDir crash_directory_holder;
	if (!crash_directory_holder.Set(crash_directory)) {
	DEBUGD_ADD_ERROR(error, kErrorIOError, "Create directory failed");
	return false;
	}

	for (const auto& in_file_tuple : in_files) {
	base::FilePath file_name(std::get<0>(in_file_tuple));
	const base::ScopedFD& file_descriptor = std::get<1>(in_file_tuple);

	// Sanitize file names to ensure a bad actor cannot ask us to write to
	// arbitrary files. crash_reporter should only send us the base file name,
	// so if it's not just a base file name, it's not from crash_reporter.
	// Also check for "..", "/", and "."
	if (file_name != file_name.BaseName() \|\| file_name.ReferencesParent() \|\|
	file_name.IsAbsolute() \|\|
	file_name.value() == base::FilePath::kCurrentDirectory) {
	DEBUGD_ADD_ERROR(error, kErrorBadFileName, "Bad File Name");
	return false;
	}

	// Copy contents of file_descriptor to a new file named file_name inside
	// crash_directory.
	base::FilePath file_path = crash_directory.Append(file_name);
	base::File new_file(file_path,
	base::File::FLAG_CREATE \| base::File::FLAG_WRITE);
	if (!new_file.IsValid()) {
	LOG(WARNING) << "Error creating file " << file_path.value() << ": "
	<< base::File::ErrorToString(new_file.error_details());
	continue;
	}

	if (lseek(file_descriptor.get(), SEEK_SET, 0) == static_cast<off_t>(-1)) {
	PLOG(WARNING) << "lseek failed";
	}
	const int kBufferSize = 1 << 16;
	std::unique_ptr<char[]> buf(new char[kBufferSize]);
	ssize_t len;
	while ((len = HANDLE_EINTR(
	read(file_descriptor.get(), buf.get(), kBufferSize))) > 0) {
	if (!new_file.WriteAtCurrentPos(buf.get(), len)) {
	LOG(WARNING) << "Error writing to file " << file_path.value() << ": "
	<< base::File::ErrorToString(new_file.error_details());
	break;
	}
	}

	if (len < 0) {
	PLOG(WARNING) << "Failed to read from passed file descriptor";
	}

	// Ensure data is visible to crash_sender.
	new_file.Flush();
	}

	// Since crash_sender jails itself, it won't actually see our /tmp/crash.###
	// directory. Instead, open the directory and pass the /proc path to the
	// directory file descriptor as the crash directory.
	base::ScopedFD crash_directory_fd(
	HANDLE_EINTR(open(crash_directory.value().c_str(), O_RDONLY)));
	if (!crash_directory_fd.is_valid()) {
	DEBUGD_ADD_ERROR(error, kErrorIOError, "Open directory failed");
	return false;
	}

	base::FilePath munged_crash_directory("/proc/self/fd");
	munged_crash_directory = munged_crash_directory.Append(
	base::NumberToString(crash_directory_fd.get()));

	const bool ignore_hold_off_time = true; // We already flushed all the files.
	RunCrashSender(ignore_hold_off_time, munged_crash_directory);

	return true;
	}

	void CrashSenderTool::RunCrashSender(bool ignore_hold_off_time,
	const base::FilePath& crash_directory) {
	// 'crash_sender' requires accessing user mounts to upload user crashes.
	ProcessWithId* p =
	CreateProcess(false /* sandboxed /, true / access_root_mount_ns */);
	p->AddArg("/sbin/crash_sender");
	// This is being invoked directly by the user. Override some of the limits
	// we normally use to avoid interfering with user tasks.
	p->AddArg("--max_spread_time=0");
	p->AddArg("--ignore_rate_limits");

	if (ignore_hold_off_time) {
	p->AddArg("--ignore_hold_off_time");
	}

	if (!crash_directory.empty()) {
	p->AddArg("--crash_directory=" + crash_directory.value());
	}

	if (test_mode_) {
	p->AddArg("--test_mode");
	}

	p->Run();
	}

	void CrashSenderTool::OnTestModeChanged(
	const brillo::dbus_utils::ExportedPropertyBase* test_mode_property) {
	const auto* property =
	dynamic_cast<const brillo::dbus_utils::ExportedProperty<bool>*>(
	test_mode_property);
	DCHECK(property);
	test_mode_ = property->value();
	LOG(INFO) << "CrashSenderTestMode set to " << std::boolalpha << test_mode_;
	}

	} // namespace debugd