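--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <asm/unistd.h>
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
@@ -41,28 +41,20 @@
 namespace {
 
 inline bool IsChromeOS() {
 #if defined(OS_CHROMEOS)
   return true;
 #else
   return false;
 #endif
 }
 
-inline bool IsArchitectureI386() {
-#if defined(__i386__)
-  return true;
-#else
-  return false;
-#endif
-}
-
 inline bool IsArchitectureArm() {
 #if defined(__arm__)
   return true;
 #else
   return false;
 #endif
 }
 
 intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) {
   int syscall = args.nr;
@@ -1194,32 +1186,25 @@
 #if defined(__arm__)
       IsArmPciConfig(sysno) ||
 #endif
       IsTimer(sysno)) {
     return true;
   } else {
     return false;
   }
 }
 
+// x86_64 and ARM for now. Needs to be adapted and tested for i386.
 ErrorCode BaselinePolicy(int sysno) {
   if (IsBaselinePolicyAllowed(sysno)) {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
-
-#if defined(__i386__)
-  // socketcall(2) should be tightened.
-  if (IsSocketCall(sysno)) {
-    return ErrorCode(ErrorCode::ERR_ALLOWED);
-  }
-#endif
-
   // TODO(jln): some system calls in those sets are not supposed to
   // return ENOENT. Return the appropriate error.
   if (IsFileSystem(sysno) || IsCurrentDirectory(sysno)) {
     return ErrorCode(ENOENT);
   }
 
   if (IsUmask(sysno) || IsDeniedFileSystemAccessViaFd(sysno) ||
       IsDeniedGetOrModifySocket(sysno)) {
     return ErrorCode(EPERM);
   }
@@ -1280,53 +1265,46 @@
     case __NR_sched_getscheduler:
     case __NR_sched_setscheduler:
     case __NR_setpriority:
     case __NR_sysinfo:
     case __NR_times:
     case __NR_uname:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     case __NR_prlimit64:
       return ErrorCode(EPERM); // See crbug.com/160157.
     default:
-      // These need further tightening.
 #if defined(__x86_64__) || defined(__arm__)
       if (IsSystemVSharedMemory(sysno))
         return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif
-#if defined(__i386__)
-      if (IsSystemVIpc(sysno))
-        return ErrorCode(ErrorCode::ERR_ALLOWED);
-#endif
 
       // Default on the baseline policy.
       return BaselinePolicy(sysno);
   }
 }
 
+// x86_64 and ARM for now. Needs to be adapted and tested for i386.
 ErrorCode FlashProcessPolicy(int sysno, void *) {
   switch (sysno) {
     case __NR_sched_getaffinity:
     case __NR_sched_setscheduler:
     case __NR_times:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     case __NR_ioctl:
       return ErrorCode(ENOTTY); // Flash Access.
     default:
-      // These need further tightening.
 #if defined(__x86_64__) || defined(__arm__)
+      // These are under investigation, and hopefully not here for the long
+      // term.
       if (IsSystemVSharedMemory(sysno))
         return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif
-#if defined(__i386__)
-      if (IsSystemVIpc(sysno))
-        return ErrorCode(ErrorCode::ERR_ALLOWED);
-#endif
 
       // Default on the baseline policy.
       return BaselinePolicy(sysno);
   }
 }
 
 ErrorCode BlacklistDebugAndNumaPolicy(int sysno, void *) {
   if (!Sandbox::isValidSyscallNumber(sysno)) {
     // TODO(jln) we should not have to do that in a trivial policy.
     return ErrorCode(ENOSYS);
@@ -1363,49 +1341,55 @@
         "/usr/lib64/va/drivers/i965_drv_video.so";
       dlopen(kI965DrvVideoPath_64, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
     }
   }
 #endif
 }
 
 Sandbox::EvaluateSyscall GetProcessSyscallPolicy(
     const CommandLine& command_line,
     const std::string& process_type) {
+#if defined(__x86_64__) || defined(__arm__)
   if (process_type == switches::kGpuProcess) {
     // On Chrome OS, --enable-gpu-sandbox enables the more restrictive policy.
-    // However, we don't yet enable the more restrictive GPU process policy
-    // on i386 or ARM.
-    if (IsArchitectureI386() || IsArchitectureArm() ||
+    // However, we never enable the more restrictive GPU process policy on ARM.
+    if (IsArchitectureArm() ||
         (IsChromeOS() && !command_line.HasSwitch(switches::kEnableGpuSandbox)))
       return BlacklistDebugAndNumaPolicy;
     else
       return GpuProcessPolicy_x86_64;
   }
 
   if (process_type == switches::kPpapiPluginProcess) {
     // TODO(jln): figure out what to do with non-Flash PPAPI
     // out-of-process plug-ins.
     return FlashProcessPolicy;
   }
 
   if (process_type == switches::kRendererProcess ||
       process_type == switches::kWorkerProcess) {
     return RendererOrWorkerProcessPolicy;
   }
 
   if (process_type == switches::kUtilityProcess) {
     return BlacklistDebugAndNumaPolicy;
   }
 
   NOTREACHED();
   // This will be our default if we need one.
   return AllowAllPolicy;
+#else
+  // On other architectures (currently IA32),
+  // we only have a small blacklist at the moment.
+  (void) process_type;
+  return BlacklistDebugAndNumaPolicy;
+#endif // __x86_64__ || __arm__
 }
 
 // Initialize the seccomp-bpf sandbox.
 bool StartBpfSandbox(const CommandLine& command_line,
                      const std::string& process_type) {
   Sandbox::EvaluateSyscall SyscallPolicy =
       GetProcessSyscallPolicy(command_line, process_type);
 
   // Warms up resources needed by the policy we're about to enable.
   WarmupPolicy(SyscallPolicy);
@@ -1465,10 +1449,10 @@
       // Process-specific policy.
       ShouldEnableSeccompBpf(process_type) &&
       SupportsSandbox()) {
     return StartBpfSandbox(command_line, process_type);
   }
 #endif
   return false;
 }
 
 } // namespace content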
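Review bot: The "x86_64 and ARM for now. Needs to be adapted and tested for i386." comments added above BaselinePolicy (new 1196) and FlashProcessPolicy (new 1285) document a restriction that nothing enforces: on an i386 build these policies still compile, now without the socketcall(2) handling removed at old 1209-1214, and only the new `#else` branch of GetProcessSyscallPolicy keeps them from being installed. If a later change routes an i386 process type through the `#if defined(__x86_64__) || defined(__arm__)` branch, a policy that was never adapted for that architecture would be loaded silently, which for a seccomp filter means an unintended allow or deny surface rather than a build break. Consider making the restriction compile-time instead of prose, e.g. placing `#if !defined(__x86_64__) && !defined(__arm__)` / `#error "BaselinePolicy has not been adapted for this architecture."` / `#endif` ahead of BaselinePolicy, or wrapping the per-process policies in the same architecture guard GetProcessSyscallPolicy now uses. In the `#else` branch, `command_line` is left unreferenced while `process_type` gets a `(void)` cast; treating both the same way would be more consistent. RendererOrWorkerProcessPolicy and GpuProcessPolicy_x86_64, which the same comment presumably covers, are outside the visible hunks.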