| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h" |
| 6 |
| 7 #include <errno.h> |
| 8 #include <fcntl.h> |
| 9 #include <linux/net.h> |
| 10 #include <sys/prctl.h> |
| 11 #include <sys/ptrace.h> |
| 12 #include <sys/mman.h> |
| 13 #include <sys/socket.h> |
| 14 #include <sys/syscall.h> |
| 15 |
| 16 #include "base/basictypes.h" |
| 17 #include "base/logging.h" |
| 18 #include "build/build_config.h" |
| 19 #include "content/public/common/sandbox_init.h" |
| 20 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" |
| 21 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 22 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" |
| 23 #include "sandbox/linux/seccomp-bpf/trap.h" |
| 24 #include "sandbox/linux/services/linux_syscalls.h" |
| 25 |
| 26 #if defined(__arm__) && !defined(MAP_STACK) |
| 27 // Chrome OS Daisy (ARM) build environment has old headers. |
| 28 #define MAP_STACK 0x20000 |
| 29 #endif |
| 30 |
| 31 using sandbox::ErrorCode; |
| 32 using sandbox::SandboxBPF; |
| 33 |
| 34 namespace nacl { |
| 35 namespace nonsfi { |
| 36 namespace { |
| 37 |
| 38 ErrorCode RestrictFcntlCommands(SandboxBPF* sb) { |
| 39 ErrorCode::ArgType mask_long_type; |
| 40 if (sizeof(long) == 8) { |
| 41 mask_long_type = ErrorCode::TP_64BIT; |
| 42 } else if (sizeof(long) == 4) { |
| 43 mask_long_type = ErrorCode::TP_32BIT; |
| 44 } else { |
| 45 NOTREACHED(); |
| 46 } |
| 47 // We allow following cases: |
| 48 // 1. F_SETFD + FD_CLOEXEC: libevent's epoll_init uses this. |
| 49 // 2. F_GETFL: Used by SetNonBlocking in |
| 50 // message_pump_libevent.cc and Channel::ChannelImpl::CreatePipe |
| 51 // in ipc_channel_posix.cc. Note that the latter does not work |
| 52 // with EPERM. |
| 53 // 3. F_SETFL: Used by evutil_make_socket_nonblocking in |
| 54 // libevent and SetNonBlocking. As the latter mix O_NONBLOCK to |
| 55 // the return value of F_GETFL, so we need to allow O_ACCMODE in |
| 56 // addition to O_NONBLOCK. |
| 57 const unsigned long denied_mask = ~(O_ACCMODE | O_NONBLOCK); |
| 58 return sb->Cond(1, ErrorCode::TP_32BIT, |
| 59 ErrorCode::OP_EQUAL, F_SETFD, |
| 60 sb->Cond(2, mask_long_type, |
| 61 ErrorCode::OP_EQUAL, FD_CLOEXEC, |
| 62 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 63 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)), |
| 64 sb->Cond(1, ErrorCode::TP_32BIT, |
| 65 ErrorCode::OP_EQUAL, F_GETFL, |
| 66 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 67 sb->Cond(1, ErrorCode::TP_32BIT, |
| 68 ErrorCode::OP_EQUAL, F_SETFL, |
| 69 sb->Cond(2, mask_long_type, |
| 70 ErrorCode::OP_HAS_ANY_BITS, denied_mask, |
| 71 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL), |
| 72 ErrorCode(ErrorCode::ERR_ALLOWED)), |
| 73 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)))); |
| 74 } |
| 75 |
| 76 ErrorCode RestrictClone(SandboxBPF* sb) { |
| 77 // We allow clone only for new thread creation. |
| 78 return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 79 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | |
| 80 CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | |
| 81 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID, |
| 82 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 83 sb->Trap(sandbox::SIGSYSCloneFailure, NULL)); |
| 84 } |
| 85 |
| 86 ErrorCode RestrictPrctl(SandboxBPF* sb) { |
| 87 // base::PlatformThread::SetName() uses PR_SET_NAME so we return |
| 88 // EPERM for it. Otherwise, we will raise SIGSYS. |
| 89 return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 90 PR_SET_NAME, ErrorCode(EPERM), |
| 91 sb->Trap(sandbox::SIGSYSPrctlFailure, NULL)); |
| 92 } |
| 93 |
| 94 #if defined(__i386__) |
| 95 ErrorCode RestrictSocketcall(SandboxBPF* sb) { |
| 96 // We only allow socketpair, sendmsg, and recvmsg. |
| 97 return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 98 SYS_SOCKETPAIR, |
| 99 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 100 sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 101 SYS_SENDMSG, |
| 102 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 103 sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 104 SYS_RECVMSG, |
| 105 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 106 sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 107 SYS_SHUTDOWN, |
| 108 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 109 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL))))); |
| 110 } |
| 111 #endif |
| 112 |
| 113 ErrorCode RestrictMemoryProtection(SandboxBPF* sb, int argno) { |
| 114 // TODO(jln, keescook, drewry): Limit the use of mmap/mprotect by |
| 115 // adding some features to linux kernel. |
| 116 const uint32_t denied_mask = ~(PROT_READ | PROT_WRITE | PROT_EXEC); |
| 117 return sb->Cond(argno, ErrorCode::TP_32BIT, |
| 118 ErrorCode::OP_HAS_ANY_BITS, |
| 119 denied_mask, |
| 120 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL), |
| 121 ErrorCode(ErrorCode::ERR_ALLOWED)); |
| 122 } |
| 123 |
| 124 ErrorCode RestrictMmap(SandboxBPF* sb) { |
| 125 const uint32_t denied_flag_mask = ~(MAP_SHARED | MAP_PRIVATE | |
| 126 MAP_ANONYMOUS | MAP_STACK | MAP_FIXED); |
| 127 // TODO(hamaji): Disallow RWX mmap. |
| 128 return sb->Cond(3, ErrorCode::TP_32BIT, |
| 129 ErrorCode::OP_HAS_ANY_BITS, |
| 130 denied_flag_mask, |
| 131 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL), |
| 132 RestrictMemoryProtection(sb, 2)); |
| 133 } |
| 134 |
| 135 ErrorCode RestrictSocketpair(SandboxBPF* sb) { |
| 136 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. |
| 137 COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); |
| 138 return sb->Cond(0, ErrorCode::TP_32BIT, |
| 139 ErrorCode::OP_EQUAL, AF_UNIX, |
| 140 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 141 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)); |
| 142 } |
| 143 |
| 144 bool IsGracefullyDenied(int sysno) { |
| 145 switch (sysno) { |
| 146 // third_party/libevent uses them, but we can just return -1 from |
| 147 // them as it is just checking getuid() != geteuid() and |
| 148 // getgid() != getegid() |
| 149 #if defined(__i386__) || defined(__arm__) |
| 150 case __NR_getegid32: |
| 151 case __NR_geteuid32: |
| 152 case __NR_getgid32: |
| 153 case __NR_getuid32: |
| 154 #elif defined(__x86_64__) |
| 155 case __NR_getegid: |
| 156 case __NR_geteuid: |
| 157 case __NR_getgid: |
| 158 case __NR_getuid: |
| 159 #endif |
| 160 // tcmalloc calls madvise in TCMalloc_SystemRelease. |
| 161 case __NR_madvise: |
| 162 // EPERM instead of SIGSYS as glibc tries to open files in /proc. |
| 163 // TODO(hamaji): Remove this when we switch to newlib. |
| 164 case __NR_open: |
| 165 // For RunSandboxSanityChecks(). |
| 166 case __NR_ptrace: |
| 167 // glibc uses this for its pthread implementation. If we return |
| 168 // EPERM for this, glibc will stop using this. |
| 169 // TODO(hamaji): newlib does not use this. Make this SIGTRAP once |
| 170 // we have switched to newlib. |
| 171 case __NR_set_robust_list: |
| 172 // This is obsolete in ARM EABI, but x86 glibc indirectly calls |
| 173 // this in sysconf. |
| 174 #if defined(__i386__) || defined(__x86_64__) |
| 175 case __NR_time: |
| 176 #endif |
| 177 return true; |
| 178 |
| 179 default: |
| 180 return false; |
| 181 } |
| 182 } |
| 183 |
| 184 void RunSandboxSanityChecks() { |
| 185 errno = 0; |
| 186 // Make a ptrace request with an invalid PID. |
| 187 long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL); |
| 188 CHECK_EQ(-1, ptrace_ret); |
| 189 // Without the sandbox on, this ptrace call would ESRCH instead. |
| 190 CHECK_EQ(EPERM, errno); |
| 191 } |
| 192 |
| 193 } // namespace |
| 194 |
| 195 ErrorCode NaClNonSfiBPFSandboxPolicy::EvaluateSyscall( |
| 196 SandboxBPF* sb, int sysno) const { |
| 197 return EvaluateSyscallImpl(sb, sysno, NULL); |
| 198 } |
| 199 |
| 200 ErrorCode NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl( |
| 201 SandboxBPF* sb, int sysno, void*) { |
| 202 switch (sysno) { |
| 203 // Allowed syscalls. |
| 204 #if defined(__i386__) || defined(__arm__) |
| 205 case __NR__llseek: |
| 206 #elif defined(__x86_64__) |
| 207 case __NR_lseek: |
| 208 #endif |
| 209 // NaCl runtime exposes clock_gettime and clock_getres to untrusted code. |
| 210 case __NR_clock_getres: |
| 211 case __NR_clock_gettime: |
| 212 case __NR_close: |
| 213 case __NR_dup: |
| 214 case __NR_dup2: |
| 215 case __NR_epoll_create: |
| 216 case __NR_epoll_ctl: |
| 217 case __NR_epoll_wait: |
| 218 case __NR_exit: |
| 219 case __NR_exit_group: |
| 220 #if defined(__i386__) || defined(__arm__) |
| 221 case __NR_fstat64: |
| 222 #elif defined(__x86_64__) |
| 223 case __NR_fstat: |
| 224 #endif |
| 225 // TODO(hamaji): Allow only FUTEX_PRIVATE_FLAG. |
| 226 case __NR_futex: |
| 227 // TODO(hamaji): Remove the need of gettid. Currently, this is |
| 228 // called from PlatformThread::CurrentId(). |
| 229 case __NR_gettid: |
| 230 case __NR_gettimeofday: |
| 231 case __NR_munmap: |
| 232 case __NR_nanosleep: |
| 233 // TODO(hamaji): Remove the need of pipe. Currently, this is |
| 234 // called from base::MessagePumpLibevent::Init(). |
| 235 case __NR_pipe: |
| 236 case __NR_pread64: |
| 237 case __NR_pwrite64: |
| 238 case __NR_read: |
| 239 case __NR_restart_syscall: |
| 240 case __NR_sched_yield: |
| 241 // __NR_times needed as clock() is called by CommandBufferHelper, which is |
| 242 // used by NaCl applications that use Pepper's 3D interfaces. |
| 243 // See crbug.com/264856 for details. |
| 244 case __NR_times: |
| 245 case __NR_write: |
| 246 #if defined(__arm__) |
| 247 case __ARM_NR_cacheflush: |
| 248 #endif |
| 249 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 250 |
| 251 case __NR_clone: |
| 252 return RestrictClone(sb); |
| 253 |
| 254 #if defined(__x86_64__) |
| 255 case __NR_fcntl: |
| 256 #endif |
| 257 #if defined(__i386__) || defined(__arm__) |
| 258 case __NR_fcntl64: |
| 259 #endif |
| 260 return RestrictFcntlCommands(sb); |
| 261 |
| 262 #if defined(__x86_64__) |
| 263 case __NR_mmap: |
| 264 #endif |
| 265 #if defined(__i386__) || defined(__arm__) |
| 266 case __NR_mmap2: |
| 267 #endif |
| 268 return RestrictMmap(sb); |
| 269 case __NR_mprotect: |
| 270 return RestrictMemoryProtection(sb, 2); |
| 271 |
| 272 case __NR_prctl: |
| 273 return RestrictPrctl(sb); |
| 274 |
| 275 #if defined(__i386__) |
| 276 case __NR_socketcall: |
| 277 return RestrictSocketcall(sb); |
| 278 #endif |
| 279 #if defined(__x86_64__) || defined(__arm__) |
| 280 case __NR_recvmsg: |
| 281 case __NR_sendmsg: |
| 282 case __NR_shutdown: |
| 283 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 284 case __NR_socketpair: |
| 285 return RestrictSocketpair(sb); |
| 286 #endif |
| 287 |
| 288 case __NR_brk: |
| 289 // The behavior of brk on Linux is different from other system |
| 290 // calls. It does not return errno but the current break on |
| 291 // failure. glibc thinks brk failed if the return value of brk |
| 292 // is less than the requested address (i.e., brk(addr) < addr). |
| 293 // So, glibc thinks brk succeeded if we return -EPERM and we |
| 294 // need to return zero instead. |
| 295 return ErrorCode(0); |
| 296 |
| 297 default: |
| 298 if (IsGracefullyDenied(sysno)) |
| 299 return ErrorCode(EPERM); |
| 300 return sb->Trap(sandbox::CrashSIGSYS_Handler, NULL); |
| 301 } |
| 302 } |
| 303 |
| 304 bool InitializeBPFSandbox() { |
| 305 bool sandbox_is_initialized = content::InitializeSandbox( |
| 306 scoped_ptr<sandbox::SandboxBPFPolicy>( |
| 307 new nacl::nonsfi::NaClNonSfiBPFSandboxPolicy())); |
| 308 if (!sandbox_is_initialized) |
| 309 return false; |
| 310 RunSandboxSanityChecks(); |
| 311 return true; |
| 312 } |
| 313 |
| 314 } // namespace nonsfi |
| 315 } // namespace nacl |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 196793023:
Add seccomp sandbox for non-SFI NaCl (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src