linux: add wrappers for send/recvmsg

sendmsg() and recvmsg() are complicated to use. Refactor their usage
into functions with a simpler, tested interface and use those instead.
This also adds CreateCredentialSocketpair() to create a pair of
connected sockets with SO_PASSCRED set. This option should be set
before the possibility of any calls to sendmsg() with the socket pair
to avoid race conditions in properly setting credentials.

Also update the handler to use Strategy::kNoPtrace (which causes the
crash dump to fail without breaking the socket connection) if the
credentials were invalid, which can happen if SO_PASSCRED was set after
the call to sendmsg() or if the sending process does not exist in this
namespace.

Change-Id: Id09f87125540255687a3c35d5bed7fa01ec07cff
Reviewed-on: https://chromium-review.googlesource.com/c/crashpad/crashpad/+/1584639
Reviewed-by: Mark Mentovai <mark@chromium.org>

client/crashpad_client_linux_test.cc

@@ -16,7 +16,6 @@
 
 #include <dlfcn.h>
 #include <stdlib.h>
-#include <sys/socket.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
 #include <unistd.h>
@@ -38,6 +37,7 @@
 #include "util/file/filesystem.h"
 #include "util/linux/exception_handler_client.h"
 #include "util/linux/exception_information.h"
+#include "util/linux/socket.h"
 #include "util/misc/address_types.h"
 #include "util/misc/from_pointer_cast.h"
 #include "util/posix/signals.h"
@@ -245,16 +245,8 @@ class StartHandlerForClientTest {
 
   bool Initialize(bool sanitize) {
     sanitize_ = sanitize;
-
+    return UnixCredentialSocket::CreateCredentialSocketpair(&client_sock_,
-    int socks[2];
+                                                            &server_sock_);
-    if (socketpair(AF_UNIX, SOCK_STREAM, 0, socks) != 0) {
-      PLOG(ERROR) << "socketpair";
-      return false;
-    }
-    client_sock_.reset(socks[0]);
-    server_sock_.reset(socks[1]);
-
-    return true;
   }
 
   bool StartHandlerOnDemand() {

handler/linux/exception_handler_server.cc

@@ -33,6 +33,7 @@
 #include "util/file/file_io.h"
 #include "util/file/filesystem.h"
 #include "util/linux/proc_task_reader.h"
+#include "util/linux/socket.h"
 #include "util/misc/as_underlying_type.h"
 
 namespace crashpad {
@@ -154,6 +155,11 @@ class PtraceStrategyDeciderImpl : public PtraceStrategyDecider {
   Strategy ChooseStrategy(int sock,
                           bool multiple_clients,
                           const ucred& client_credentials) override {
+    if (client_credentials.pid <= 0) {
+      LOG(ERROR) << "invalid credentials";
+      return Strategy::kNoPtrace;
+    }
+
     switch (GetPtraceScope()) {
       case PtraceScope::kClassic:
         if (getuid() == client_credentials.uid || HaveCapSysPtrace()) {
@@ -402,56 +408,18 @@ bool ExceptionHandlerServer::UninstallClientSocket(Event* event) {
 
 bool ExceptionHandlerServer::ReceiveClientMessage(Event* event) {
   ExceptionHandlerProtocol::ClientToServerMessage message;
-  iovec iov;
+  ucred creds;
-  iov.iov_base = &message;
+  if (!UnixCredentialSocket::RecvMsg(
-  iov.iov_len = sizeof(message);
+          event->fd.get(), &message, sizeof(message), &creds)) {
-
-  msghdr msg;
-  msg.msg_name = nullptr;
-  msg.msg_namelen = 0;
-  msg.msg_iov = &iov;
-  msg.msg_iovlen = 1;
-
-  char cmsg_buf[CMSG_SPACE(sizeof(ucred))];
-  msg.msg_control = cmsg_buf;
-  msg.msg_controllen = sizeof(cmsg_buf);
-  msg.msg_flags = 0;
-
-  int res = HANDLE_EINTR(recvmsg(event->fd.get(), &msg, 0));
-  if (res < 0) {
-    PLOG(ERROR) << "recvmsg";
-    return false;
-  }
-  if (res == 0) {
-    // The client had an orderly shutdown.
     return false;
   }
 
-  if (msg.msg_name != nullptr || msg.msg_namelen != 0) {
+  switch (message.type) {
-    LOG(ERROR) << "unexpected msg name";
-    return false;
-  }
-
-  if (msg.msg_iovlen != 1) {
-    LOG(ERROR) << "unexpected iovlen";
-    return false;
-  }
-
-  if (msg.msg_iov[0].iov_len !=
-      sizeof(ExceptionHandlerProtocol::ClientToServerMessage)) {
-    LOG(ERROR) << "unexpected message size " << msg.msg_iov[0].iov_len;
-    return false;
-  }
-  auto client_msg =
-      reinterpret_cast<ExceptionHandlerProtocol::ClientToServerMessage*>(
-          msg.msg_iov[0].iov_base);
-
-  switch (client_msg->type) {
     case ExceptionHandlerProtocol::ClientToServerMessage::kCrashDumpRequest:
       return HandleCrashDumpRequest(
-          msg,
+          creds,
-          client_msg->client_info,
+          message.client_info,
-          client_msg->requesting_thread_stack_address,
+          message.requesting_thread_stack_address,
           event->fd.get(),
           event->type == Event::Type::kSharedSocketMessage);
   }
@@ -462,38 +430,16 @@ bool ExceptionHandlerServer::ReceiveClientMessage(Event* event) {
 }
 
 bool ExceptionHandlerServer::HandleCrashDumpRequest(
-    const msghdr& msg,
+    const ucred& creds,
     const ExceptionHandlerProtocol::ClientInformation& client_info,
     VMAddress requesting_thread_stack_address,
     int client_sock,
     bool multiple_clients) {
-  cmsghdr* cmsg = CMSG_FIRSTHDR(&msg);
+  pid_t client_process_id = creds.pid;
-  if (cmsg == nullptr) {
-    LOG(ERROR) << "missing credentials";
-    return false;
-  }
-
-  if (cmsg->cmsg_level != SOL_SOCKET) {
-    LOG(ERROR) << "unexpected cmsg_level " << cmsg->cmsg_level;
-    return false;
-  }
-
-  if (cmsg->cmsg_type != SCM_CREDENTIALS) {
-    LOG(ERROR) << "unexpected cmsg_type " << cmsg->cmsg_type;
-    return false;
-  }
-
-  if (cmsg->cmsg_len != CMSG_LEN(sizeof(ucred))) {
-    LOG(ERROR) << "unexpected cmsg_len " << cmsg->cmsg_len;
-    return false;
-  }
-
-  ucred* client_credentials = reinterpret_cast<ucred*>(CMSG_DATA(cmsg));
-  pid_t client_process_id = client_credentials->pid;
   pid_t requesting_thread_id = -1;
 
-  switch (strategy_decider_->ChooseStrategy(
+  switch (
-      client_sock, multiple_clients, *client_credentials)) {
+      strategy_decider_->ChooseStrategy(client_sock, multiple_clients, creds)) {
     case PtraceStrategyDecider::Strategy::kError:
       if (multiple_clients) {
         SendSIGCONT(client_process_id, requesting_thread_id);

handler/linux/exception_handler_server.h

@@ -170,7 +170,7 @@ class ExceptionHandlerServer {
   bool UninstallClientSocket(Event* event);
   bool ReceiveClientMessage(Event* event);
   bool HandleCrashDumpRequest(
-      const msghdr& msg,
+      const ucred& creds,
       const ExceptionHandlerProtocol::ClientInformation& client_info,
       VMAddress requesting_thread_stack_address,
       int client_sock,

util/BUILD.gn

@@ -310,6 +310,8 @@ static_library("util") {
       "linux/scoped_pr_set_ptracer.h",
       "linux/scoped_ptrace_attach.cc",
       "linux/scoped_ptrace_attach.h",
+      "linux/socket.cc",
+      "linux/socket.h",
       "linux/thread_info.cc",
       "linux/thread_info.h",
       "linux/traits.h",
@@ -472,6 +474,10 @@ static_library("util") {
   if (crashpad_is_fuchsia) {
     public_deps += [ "../third_party/fuchsia" ]
   }
+
+  if (crashpad_is_android || crashpad_is_linux) {
+    deps += [ "../third_party/lss" ]
+  }
 }
 
 if (crashpad_use_boringssl_for_http_transport_socket) {
@@ -626,6 +632,7 @@ source_set("util_test") {
       "linux/ptrace_broker_test.cc",
       "linux/ptracer_test.cc",
       "linux/scoped_ptrace_attach_test.cc",
+      "linux/socket_test.cc",
       "misc/capture_context_test_util_linux.cc",
     ]
   }

util/linux/exception_handler_client.cc

@@ -17,7 +17,6 @@
 #include <errno.h>
 #include <signal.h>
 #include <sys/prctl.h>
-#include <sys/socket.h>
 #include <sys/wait.h>
 #include <unistd.h>
 
@@ -26,6 +25,7 @@
 #include "build/build_config.h"
 #include "util/file/file_io.h"
 #include "util/linux/ptrace_broker.h"
+#include "util/linux/socket.h"
 #include "util/misc/from_pointer_cast.h"
 #include "util/posix/signals.h"
 
@@ -142,38 +142,7 @@ int ExceptionHandlerClient::SendCrashDumpRequest(
       ExceptionHandlerProtocol::ClientToServerMessage::kCrashDumpRequest;
   message.requesting_thread_stack_address = stack_pointer;
   message.client_info = info;
-
+  return UnixCredentialSocket::SendMsg(server_sock_, &message, sizeof(message));
-  iovec iov;
-  iov.iov_base = &message;
-  iov.iov_len = sizeof(message);
-
-  msghdr msg;
-  msg.msg_name = nullptr;
-  msg.msg_namelen = 0;
-  msg.msg_iov = &iov;
-  msg.msg_iovlen = 1;
-
-  ucred creds;
-  creds.pid = getpid();
-  creds.uid = geteuid();
-  creds.gid = getegid();
-
-  char cmsg_buf[CMSG_SPACE(sizeof(creds))];
-  msg.msg_control = cmsg_buf;
-  msg.msg_controllen = sizeof(cmsg_buf);
-
-  cmsghdr* cmsg = CMSG_FIRSTHDR(&msg);
-  cmsg->cmsg_level = SOL_SOCKET;
-  cmsg->cmsg_type = SCM_CREDENTIALS;
-  cmsg->cmsg_len = CMSG_LEN(sizeof(creds));
-  *reinterpret_cast<ucred*>(CMSG_DATA(cmsg)) = creds;
-
-  if (HANDLE_EINTR(sendmsg(server_sock_, &msg, MSG_NOSIGNAL)) < 0) {
-    PLOG(ERROR) << "sendmsg";
-    return errno;
-  }
-
-  return 0;
 }
 
 int ExceptionHandlerClient::WaitForCrashDumpComplete() {

util/linux/socket.cc

@@ -0,0 +1,192 @@
+// Copyright 2019 The Crashpad Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "util/linux/socket.h"
+
+#include <unistd.h>
+
+#include "base/logging.h"
+#include "base/posix/eintr_wrapper.h"
+#include "third_party/lss/lss.h"
+
+namespace crashpad {
+
+// static
+bool UnixCredentialSocket::CreateCredentialSocketpair(ScopedFileHandle* sock1,
+                                                      ScopedFileHandle* sock2) {
+  int socks[2];
+  if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, socks) != 0) {
+    PLOG(ERROR) << "socketpair";
+    return false;
+  }
+  ScopedFileHandle local_sock1(socks[0]);
+  ScopedFileHandle local_sock2(socks[1]);
+
+  int optval = 1;
+  socklen_t optlen = sizeof(optval);
+  if (setsockopt(local_sock1.get(), SOL_SOCKET, SO_PASSCRED, &optval, optlen) !=
+          0 ||
+      setsockopt(local_sock2.get(), SOL_SOCKET, SO_PASSCRED, &optval, optlen) !=
+          0) {
+    PLOG(ERROR) << "setsockopt";
+    return false;
+  }
+
+  sock1->swap(local_sock1);
+  sock2->swap(local_sock2);
+  return true;
+}
+
+constexpr size_t UnixCredentialSocket::kMaxSendRecvMsgFDs = 4;
+
+// static
+int UnixCredentialSocket::SendMsg(int fd,
+                                  const void* buf,
+                                  size_t buf_size,
+                                  const int* fds,
+                                  size_t fd_count) {
+  // This function is intended to be used after a crash. fds is an integer
+  // array instead of a vector to avoid forcing callers to provide a vector,
+  // which they would have to create prior to the crash.
+  if (fds && fd_count > kMaxSendRecvMsgFDs) {
+    DLOG(ERROR) << "too many fds " << fd_count;
+    return EINVAL;
+  }
+
+  iovec iov;
+  iov.iov_base = const_cast<void*>(buf);
+  iov.iov_len = buf_size;
+
+  msghdr msg = {};
+  msg.msg_iov = &iov;
+  msg.msg_iovlen = 1;
+
+  char cmsg_buf[CMSG_SPACE(sizeof(int) * kMaxSendRecvMsgFDs)];
+  if (fds) {
+    msg.msg_control = cmsg_buf;
+    msg.msg_controllen = CMSG_SPACE(sizeof(int) * fd_count);
+
+    cmsghdr* cmsg = CMSG_FIRSTHDR(&msg);
+    DCHECK(cmsg);
+
+    cmsg->cmsg_level = SOL_SOCKET;
+    cmsg->cmsg_type = SCM_RIGHTS;
+    cmsg->cmsg_len = CMSG_LEN(sizeof(int) * fd_count);
+    memcpy(CMSG_DATA(cmsg), fds, sizeof(int) * fd_count);
+  }
+
+  // TODO(jperaza): Use sys_sendmsg when lss has macros for maniuplating control
+  // messages. https://crbug.com/crashpad/265
+  if (HANDLE_EINTR(sendmsg(fd, &msg, MSG_NOSIGNAL)) < 0) {
+    DPLOG(ERROR) << "sendmsg";
+    return errno;
+  }
+  return 0;
+}
+
+// static
+bool UnixCredentialSocket::RecvMsg(int fd,
+                                   void* buf,
+                                   size_t buf_size,
+                                   ucred* creds,
+                                   std::vector<ScopedFileHandle>* fds) {
+  iovec iov;
+  iov.iov_base = buf;
+  iov.iov_len = buf_size;
+
+  msghdr msg = {};
+  msg.msg_iov = &iov;
+  msg.msg_iovlen = 1;
+
+  char cmsg_buf[CMSG_SPACE(sizeof(ucred)) +
+                CMSG_SPACE(sizeof(int) * kMaxSendRecvMsgFDs)];
+  msg.msg_control = cmsg_buf;
+  msg.msg_controllen = sizeof(cmsg_buf);
+
+  int res = HANDLE_EINTR(recvmsg(fd, &msg, 0));
+  if (res < 0) {
+    PLOG(ERROR) << "recvmsg";
+    return false;
+  }
+
+  ucred* local_creds = nullptr;
+  std::vector<ScopedFileHandle> local_fds;
+  bool unhandled_cmsgs = false;
+
+  for (cmsghdr* cmsg = CMSG_FIRSTHDR(&msg);
+       cmsg;
+       cmsg = CMSG_NXTHDR(&msg, cmsg)) {
+    if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
+      int* fdp = reinterpret_cast<int*>(CMSG_DATA(cmsg));
+      size_t fd_count = (reinterpret_cast<char*>(cmsg) + cmsg->cmsg_len -
+                         reinterpret_cast<char*>(fdp)) /
+                        sizeof(int);
+      DCHECK_LE(fd_count, kMaxSendRecvMsgFDs);
+      for (size_t index = 0; index < fd_count; ++index) {
+        if (fds) {
+          local_fds.emplace_back(fdp[index]);
+        } else if (IGNORE_EINTR(close(fdp[index])) != 0) {
+          PLOG(ERROR) << "close";
+        }
+      }
+      continue;
+    }
+
+    if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_CREDENTIALS) {
+      DCHECK(!local_creds);
+      local_creds = reinterpret_cast<ucred*>(CMSG_DATA(cmsg));
+      continue;
+    }
+
+    LOG(ERROR) << "unhandled cmsg " << cmsg->cmsg_level << ", "
+               << cmsg->cmsg_type;
+    unhandled_cmsgs = true;
+  }
+
+  if (unhandled_cmsgs) {
+    return false;
+  }
+
+  if (msg.msg_name != nullptr || msg.msg_namelen != 0) {
+    LOG(ERROR) << "unexpected msg name";
+    return false;
+  }
+
+  if (msg.msg_flags & MSG_TRUNC || msg.msg_flags & MSG_CTRUNC) {
+    LOG(ERROR) << "truncated msg";
+    return false;
+  }
+
+  if (!local_creds) {
+    LOG(ERROR) << "missing credentials";
+    return false;
+  }
+
+  // res == 0 may also indicate that the sending socket disconnected, but in
+  // that case, the message will also have missing or invalid credentials.
+  if (static_cast<size_t>(res) != buf_size) {
+    if (res != 0 || (local_creds && local_creds->pid != 0)) {
+      LOG(ERROR) << "incorrect payload size " << res;
+    }
+    return false;
+  }
+
+  *creds = *local_creds;
+  if (fds) {
+    fds->swap(local_fds);
+  }
+  return true;
+}
+
+}  // namespace crashpad

util/linux/socket.h

@@ -0,0 +1,92 @@
+// Copyright 2019 The Crashpad Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef CRASHPAD_UTIL_LINUX_SOCKET_H_
+#define CRASHPAD_UTIL_LINUX_SOCKET_H_
+
+#include <sys/socket.h>
+#include <sys/types.h>
+
+#include <vector>
+
+#include "base/macros.h"
+#include "util/file/file_io.h"
+
+namespace crashpad {
+
+//! \brief Utilities for communicating over `SO_PASSCRED` enabled `AF_UNIX`
+//!     sockets.
+class UnixCredentialSocket {
+ public:
+  //! \brief Creates an `AF_UNIX` family socket pair with `SO_PASSCRED` set on
+  //!     each socket.
+  //!
+  //! \param[out] s1 One end of the connected pair.
+  //! \param[out] s2 The other end of the connected pair.
+  //! \return `true` on success. Otherwise, `false` with a message logged.
+  static bool CreateCredentialSocketpair(ScopedFileHandle* s1,
+                                         ScopedFileHandle* s2);
+
+  //! \brief The maximum number of file descriptors that may be sent/received
+  //!     with `SendMsg()` or `RecvMsg()`.
+  static const size_t kMaxSendRecvMsgFDs;
+
+  //! \brief Wraps `sendmsg()` to send a message with file descriptors.
+  //!
+  //! This function is intended for use with `AF_UNIX` family sockets and
+  //! passes file descriptors with `SCM_RIGHTS`.
+  //!
+  //! This function may be used in a compromised context.
+  //!
+  //! \param[in] fd The file descriptor to write the message to.
+  //! \param[in] buf The buffer containing the message.
+  //! \param[in] buf_size The size of the message.
+  //! \param[in] fds An array of at most `kMaxSendRecvMsgFDs` file descriptors.
+  //!     Optional.
+  //! \param[in] fd_count The number of file descriptors in \a fds. Required
+  //!     only if \a fds was set.
+  //! \return 0 on success or an error code on failure.
+  static int SendMsg(int fd,
+                     const void* buf,
+                     size_t buf_size,
+                     const int* fds = nullptr,
+                     size_t fd_count = 0);
+
+  //! \brief Wraps `recvmsg()` to receive a message with file descriptors and
+  //!     credentials.
+  //!
+  //! This function is intended to be used with `AF_UNIX` family sockets. Up to
+  //! `kMaxSendRecvMsgFDs` file descriptors may be received (via `SCM_RIGHTS`).
+  //! The socket must have `SO_PASSCRED` set.
+  //!
+  //! \param[in] fd The file descriptor to receive the message on.
+  //! \param[out] buf The buffer to fill with the message.
+  //! \param[in] buf_size The size of the message.
+  //! \param[out] creds The credentials of the sender.
+  //! \param[out] fds The recieved file descriptors. Optional. If `nullptr`, all
+  //!     received file descriptors will be closed.
+  //! \return `true` on success. Otherwise, `false`, with a message logged.
+  static bool RecvMsg(int fd,
+                      void* buf,
+                      size_t buf_size,
+                      ucred* creds,
+                      std::vector<ScopedFileHandle>* fds = nullptr);
+
+ private:
+  DISALLOW_IMPLICIT_CONSTRUCTORS(UnixCredentialSocket);
+};
+
+}  // namespace crashpad
+
+#endif  // CRASHPAD_UTIL_LINUX_SOCKET_H_

util/linux/socket_test.cc

@@ -0,0 +1,139 @@
+// Copyright 2019 The Crashpad Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "util/linux/socket.h"
+
+#include "base/logging.h"
+#include "base/macros.h"
+#include "base/posix/eintr_wrapper.h"
+#include "gtest/gtest.h"
+#include "util/linux/socket.h"
+
+namespace crashpad {
+namespace test {
+namespace {
+
+TEST(Socket, Credentials) {
+  ScopedFileHandle send_sock, recv_sock;
+  ASSERT_TRUE(
+      UnixCredentialSocket::CreateCredentialSocketpair(&send_sock, &recv_sock));
+
+  char msg = 42;
+  ASSERT_EQ(UnixCredentialSocket::SendMsg(send_sock.get(), &msg, sizeof(msg)),
+            0);
+
+  char recv_msg = 0;
+  ucred creds;
+  ASSERT_TRUE(UnixCredentialSocket::RecvMsg(
+      recv_sock.get(), &recv_msg, sizeof(recv_msg), &creds));
+  EXPECT_EQ(recv_msg, msg);
+  EXPECT_EQ(creds.pid, getpid());
+  EXPECT_EQ(creds.uid, geteuid());
+  EXPECT_EQ(creds.gid, getegid());
+}
+
+TEST(Socket, EmptyMessages) {
+  ScopedFileHandle send_sock, recv_sock;
+  ASSERT_TRUE(
+      UnixCredentialSocket::CreateCredentialSocketpair(&send_sock, &recv_sock));
+
+  ASSERT_EQ(UnixCredentialSocket::SendMsg(send_sock.get(), nullptr, 0), 0);
+
+  ucred creds;
+  ASSERT_TRUE(
+      UnixCredentialSocket::RecvMsg(recv_sock.get(), nullptr, 0, &creds));
+  EXPECT_EQ(creds.pid, getpid());
+  EXPECT_EQ(creds.uid, geteuid());
+  EXPECT_EQ(creds.gid, getegid());
+}
+
+TEST(Socket, Hangup) {
+  ScopedFileHandle send_sock, recv_sock;
+  ASSERT_TRUE(
+      UnixCredentialSocket::CreateCredentialSocketpair(&send_sock, &recv_sock));
+
+  send_sock.reset();
+
+  char recv_msg = 0;
+  ucred creds;
+  EXPECT_FALSE(UnixCredentialSocket::RecvMsg(
+      recv_sock.get(), &recv_msg, sizeof(recv_msg), &creds));
+}
+
+TEST(Socket, FileDescriptors) {
+  ScopedFileHandle send_sock, recv_sock;
+  ASSERT_TRUE(
+      UnixCredentialSocket::CreateCredentialSocketpair(&send_sock, &recv_sock));
+
+  ScopedFileHandle test_fd1, test_fd2;
+  ASSERT_TRUE(
+      UnixCredentialSocket::CreateCredentialSocketpair(&test_fd1, &test_fd2));
+
+  char msg = 42;
+  ASSERT_EQ(UnixCredentialSocket::SendMsg(
+                send_sock.get(), &msg, sizeof(msg), &test_fd1.get(), 1),
+            0);
+
+  char recv_msg = 0;
+  ucred creds;
+  std::vector<ScopedFileHandle> fds;
+  ASSERT_TRUE(UnixCredentialSocket::RecvMsg(
+      recv_sock.get(), &recv_msg, sizeof(recv_msg), &creds, &fds));
+  ASSERT_EQ(fds.size(), 1u);
+}
+
+TEST(Socket, RecvClosesFileDescriptors) {
+  ScopedFileHandle send_sock, recv_sock;
+  ASSERT_TRUE(
+      UnixCredentialSocket::CreateCredentialSocketpair(&send_sock, &recv_sock));
+
+  ScopedFileHandle send_fds[UnixCredentialSocket::kMaxSendRecvMsgFDs];
+  ScopedFileHandle recv_fds[UnixCredentialSocket::kMaxSendRecvMsgFDs];
+  int raw_recv_fds[UnixCredentialSocket::kMaxSendRecvMsgFDs];
+  for (size_t index = 0; index < UnixCredentialSocket::kMaxSendRecvMsgFDs;
+       ++index) {
+    ASSERT_TRUE(UnixCredentialSocket::CreateCredentialSocketpair(
+        &send_fds[index], &recv_fds[index]));
+    raw_recv_fds[index] = recv_fds[index].get();
+  }
+
+  char msg = 42;
+  ASSERT_EQ(
+      UnixCredentialSocket::SendMsg(send_sock.get(),
+                                    &msg,
+                                    sizeof(msg),
+                                    raw_recv_fds,
+                                    UnixCredentialSocket::kMaxSendRecvMsgFDs),
+      0);
+
+  char recv_msg = 0;
+  ucred creds;
+  ASSERT_TRUE(UnixCredentialSocket::RecvMsg(
+      recv_sock.get(), &recv_msg, sizeof(recv_msg), &creds));
+  EXPECT_EQ(creds.pid, getpid());
+
+  for (size_t index = 0; index < UnixCredentialSocket::kMaxSendRecvMsgFDs;
+       ++index) {
+    recv_fds[index].reset();
+    char c;
+    EXPECT_EQ(
+        HANDLE_EINTR(send(send_fds[index].get(), &c, sizeof(c), MSG_NOSIGNAL)),
+        -1);
+    EXPECT_EQ(errno, EPIPE);
+  }
+}
+
+}  // namespace
+}  // namespace test
+}  // namespace crashpad

util/util.gyp

@@ -24,6 +24,7 @@
         '../compat/compat.gyp:crashpad_compat',
         '../third_party/mini_chromium/mini_chromium.gyp:base',
         '../third_party/zlib/zlib.gyp:zlib',
+        '../third_party/lss/lss.gyp:lss',
       ],
       'include_dirs': [
         '..',
@@ -82,6 +83,8 @@
         'linux/scoped_pr_set_ptracer.h',
         'linux/scoped_ptrace_attach.cc',
         'linux/scoped_ptrace_attach.h',
+        'linux/socket.cc',
+        'linux/socket.h',
         'linux/thread_info.cc',
         'linux/thread_info.h',
         'linux/traits.h',

util/util_test.gyp

@@ -49,6 +49,7 @@
         'linux/ptrace_broker_test.cc',
         'linux/ptracer_test.cc',
         'linux/scoped_ptrace_attach_test.cc',
+        'linux/socket_test.cc',
         'mac/launchd_test.mm',
         'mac/mac_util_test.mm',
         'mac/service_management_test.mm',