debugd/src/crash_sender_tool.cc

// Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "debugd/src/crash_sender_tool.h"

#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#include <memory>

#include <base/check.h>
#include <base/files/file.h>
#include <base/files/file_util.h>
#include <base/files/scoped_temp_dir.h>
#include <base/strings/string_number_conversions.h>
#include <brillo/dbus/exported_property_set.h>

#include "debugd/src/error_utils.h"
#include "debugd/src/process_with_id.h"

namespace debugd {
namespace {
constexpr char kErrorIOError[] = "org.chromium.debugd.error.IOError";
}  // namespace

constexpr char CrashSenderTool::kErrorBadFileName[];

void CrashSenderTool::UploadCrashes() {
  RunCrashSender(false /* ignore_hold_off_time */,
                 base::FilePath("") /* crash_directory */);
}

bool CrashSenderTool::UploadSingleCrash(
    const std::vector<std::tuple<std::string, base::ScopedFD>>& in_files,
    brillo::ErrorPtr* error) {
  // debugd runs in a non-root mount namespace and mounts a new tmpfs on /tmp
  // inside the namespace, so this should be invisible to all other processes
  // and not written to disk.
  //
  // *It is a privacy violation* if these files are visible to non-root
  // processes or are written unencrypted to disk!
  base::FilePath crash_directory("/tmp/crash");
  crash_directory = crash_directory.AddExtension(
      base::NumberToString(next_crash_directory_id_));
  next_crash_directory_id_++;

  // We need to be sure to clean up the tmp directory to avoid leaking
  // resources.
  base::ScopedTempDir crash_directory_holder;
  if (!crash_directory_holder.Set(crash_directory)) {
    DEBUGD_ADD_ERROR(error, kErrorIOError, "Create directory failed");
    return false;
  }

  for (const auto& in_file_tuple : in_files) {
    base::FilePath file_name(std::get<0>(in_file_tuple));
    const base::ScopedFD& file_descriptor = std::get<1>(in_file_tuple);

    // Sanitize file names to ensure a bad actor cannot ask us to write to
    // arbitrary files. crash_reporter should only send us the base file name,
    // so if it's not just a base file name, it's not from crash_reporter.
    // Also check for "..", "/", and "."
    if (file_name != file_name.BaseName() || file_name.ReferencesParent() ||
        file_name.IsAbsolute() ||
        file_name.value() == base::FilePath::kCurrentDirectory) {
      DEBUGD_ADD_ERROR(error, kErrorBadFileName, "Bad File Name");
      return false;
    }

    // Copy contents of file_descriptor to a new file named file_name inside
    // crash_directory.
    base::FilePath file_path = crash_directory.Append(file_name);
    base::File new_file(file_path,
                        base::File::FLAG_CREATE | base::File::FLAG_WRITE);
    if (!new_file.IsValid()) {
      LOG(WARNING) << "Error creating file " << file_path.value() << ": "
                   << base::File::ErrorToString(new_file.error_details());
      continue;
    }

    if (lseek(file_descriptor.get(), SEEK_SET, 0) == static_cast<off_t>(-1)) {
      PLOG(WARNING) << "lseek failed";
    }
    const int kBufferSize = 1 << 16;
    std::unique_ptr<char[]> buf(new char[kBufferSize]);
    ssize_t len;
    while ((len = HANDLE_EINTR(
                read(file_descriptor.get(), buf.get(), kBufferSize))) > 0) {
      if (!new_file.WriteAtCurrentPos(buf.get(), len)) {
        LOG(WARNING) << "Error writing to file " << file_path.value() << ": "
                     << base::File::ErrorToString(new_file.error_details());
        break;
      }
    }

    if (len < 0) {
      PLOG(WARNING) << "Failed to read from passed file descriptor";
    }

    // Ensure data is visible to crash_sender.
    new_file.Flush();
  }

  // Since crash_sender jails itself, it won't actually see our /tmp/crash.###
  // directory. Instead, open the directory and pass the /proc path to the
  // directory file descriptor as the crash directory.
  base::ScopedFD crash_directory_fd(
      HANDLE_EINTR(open(crash_directory.value().c_str(), O_RDONLY)));
  if (!crash_directory_fd.is_valid()) {
    DEBUGD_ADD_ERROR(error, kErrorIOError, "Open directory failed");
    return false;
  }

  base::FilePath munged_crash_directory("/proc/self/fd");
  munged_crash_directory = munged_crash_directory.Append(
      base::NumberToString(crash_directory_fd.get()));

  const bool ignore_hold_off_time = true;  // We already flushed all the files.
  RunCrashSender(ignore_hold_off_time, munged_crash_directory);

  return true;
}

void CrashSenderTool::RunCrashSender(bool ignore_hold_off_time,
                                     const base::FilePath& crash_directory) {
  // 'crash_sender' requires accessing user mounts to upload user crashes.
  ProcessWithId* p =
      CreateProcess(false /* sandboxed */, true /* access_root_mount_ns */);
  p->AddArg("/sbin/crash_sender");
  // This is being invoked directly by the user. Override some of the limits
  // we normally use to avoid interfering with user tasks.
  p->AddArg("--max_spread_time=0");
  p->AddArg("--ignore_rate_limits");

  if (ignore_hold_off_time) {
    p->AddArg("--ignore_hold_off_time");
  }

  if (!crash_directory.empty()) {
    p->AddArg("--crash_directory=" + crash_directory.value());
  }

  if (test_mode_) {
    p->AddArg("--test_mode");
  }

  p->Run();
}

void CrashSenderTool::OnTestModeChanged(
    const brillo::dbus_utils::ExportedPropertyBase* test_mode_property) {
  const auto* property =
      dynamic_cast<const brillo::dbus_utils::ExportedProperty<bool>*>(
          test_mode_property);
  DCHECK(property);
  test_mode_ = property->value();
  LOG(INFO) << "CrashSenderTestMode set to " << std::boolalpha << test_mode_;
}

}  // namespace debugd