| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 6 | 6 |
| 7 // Some headers on Android are missing cdefs: crbug.com/172337. | 7 // Some headers on Android are missing cdefs: crbug.com/172337. |
| 8 // (We can't use OS_ANDROID here since build_config.h is not included). | 8 // (We can't use OS_ANDROID here since build_config.h is not included). |
| 9 #if defined(ANDROID) | 9 #if defined(ANDROID) |
| 10 #include <sys/cdefs.h> | 10 #include <sys/cdefs.h> |
| 11 #endif | 11 #endif |
| 12 | 12 |
| 13 #include <errno.h> | 13 #include <errno.h> |
| 14 #include <linux/filter.h> | 14 #include <linux/filter.h> |
| 15 #include <sys/prctl.h> | 15 #include <sys/prctl.h> |
| 16 #include <sys/types.h> | 16 #include <sys/types.h> |
| 17 #include <unistd.h> | 17 #include <unistd.h> |
| 18 | 18 |
| 19 #include "base/compiler_specific.h" | 19 #include "base/compiler_specific.h" |
| 20 #include "base/files/scoped_file.h" | 20 #include "base/files/scoped_file.h" |
| 21 #include "base/logging.h" | 21 #include "base/logging.h" |
| 22 #include "base/macros.h" | 22 #include "base/macros.h" |
| 23 #include "base/memory/scoped_ptr.h" | 23 #include "base/memory/scoped_ptr.h" |
| 24 #include "base/posix/eintr_wrapper.h" | 24 #include "base/posix/eintr_wrapper.h" |
| 25 #include "base/third_party/valgrind/valgrind.h" | 25 #include "base/third_party/valgrind/valgrind.h" |
| 26 #include "sandbox/linux/bpf_dsl/codegen.h" | 26 #include "sandbox/linux/bpf_dsl/codegen.h" |
| 27 #include "sandbox/linux/bpf_dsl/dump_bpf.h" | |
| 28 #include "sandbox/linux/bpf_dsl/policy.h" | 27 #include "sandbox/linux/bpf_dsl/policy.h" |
| 29 #include "sandbox/linux/bpf_dsl/policy_compiler.h" | 28 #include "sandbox/linux/bpf_dsl/policy_compiler.h" |
| 30 #include "sandbox/linux/bpf_dsl/seccomp_macros.h" | 29 #include "sandbox/linux/bpf_dsl/seccomp_macros.h" |
| 31 #include "sandbox/linux/bpf_dsl/syscall_set.h" | 30 #include "sandbox/linux/bpf_dsl/syscall_set.h" |
| 32 #include "sandbox/linux/seccomp-bpf/die.h" | 31 #include "sandbox/linux/seccomp-bpf/die.h" |
| 33 #include "sandbox/linux/seccomp-bpf/errorcode.h" | |
| 34 #include "sandbox/linux/seccomp-bpf/syscall.h" | 32 #include "sandbox/linux/seccomp-bpf/syscall.h" |
| 35 #include "sandbox/linux/seccomp-bpf/trap.h" | 33 #include "sandbox/linux/seccomp-bpf/trap.h" |
| 36 #include "sandbox/linux/seccomp-bpf/verifier.h" | |
| 37 #include "sandbox/linux/services/proc_util.h" | 34 #include "sandbox/linux/services/proc_util.h" |
| 38 #include "sandbox/linux/services/syscall_wrappers.h" | 35 #include "sandbox/linux/services/syscall_wrappers.h" |
| 39 #include "sandbox/linux/services/thread_helpers.h" | 36 #include "sandbox/linux/services/thread_helpers.h" |
| 40 #include "sandbox/linux/system_headers/linux_seccomp.h" | 37 #include "sandbox/linux/system_headers/linux_seccomp.h" |
| 41 #include "sandbox/linux/system_headers/linux_syscalls.h" | 38 #include "sandbox/linux/system_headers/linux_syscalls.h" |
| 42 | 39 |
| 43 namespace sandbox { | 40 namespace sandbox { |
| 44 | 41 |
| 45 namespace { | 42 namespace { |
| 46 | 43 |
| (...skipping 25 matching lines...) Expand all Loading... |
| 72 if (rv == -1 && errno == EFAULT) { | 69 if (rv == -1 && errno == EFAULT) { |
| 73 return true; | 70 return true; |
| 74 } else { | 71 } else { |
| 75 // TODO(jln): turn these into DCHECK after 417888 is considered fixed. | 72 // TODO(jln): turn these into DCHECK after 417888 is considered fixed. |
| 76 CHECK_EQ(-1, rv); | 73 CHECK_EQ(-1, rv); |
| 77 CHECK(ENOSYS == errno || EINVAL == errno); | 74 CHECK(ENOSYS == errno || EINVAL == errno); |
| 78 return false; | 75 return false; |
| 79 } | 76 } |
| 80 } | 77 } |
| 81 | 78 |
| 79 uint64_t EscapePC() { |
| 80 intptr_t rv = Syscall::Call(-1); |
| 81 if (rv == -1 && errno == ENOSYS) { |
| 82 return 0; |
| 83 } |
| 84 return static_cast<uint64_t>(static_cast<uintptr_t>(rv)); |
| 85 } |
| 86 |
| 82 } // namespace | 87 } // namespace |
| 83 | 88 |
| 84 SandboxBPF::SandboxBPF(bpf_dsl::Policy* policy) | 89 SandboxBPF::SandboxBPF(bpf_dsl::Policy* policy) |
| 85 : proc_fd_(), sandbox_has_started_(false), policy_(policy) { | 90 : proc_fd_(), sandbox_has_started_(false), policy_(policy) { |
| 86 } | 91 } |
| 87 | 92 |
| 88 SandboxBPF::~SandboxBPF() { | 93 SandboxBPF::~SandboxBPF() { |
| 89 } | 94 } |
| 90 | 95 |
| 91 // static | 96 // static |
| (...skipping 85 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 177 static_cast<intptr_t>(args.args[3]), static_cast<intptr_t>(args.args[4]), | 182 static_cast<intptr_t>(args.args[3]), static_cast<intptr_t>(args.args[4]), |
| 178 static_cast<intptr_t>(args.args[5])); | 183 static_cast<intptr_t>(args.args[5])); |
| 179 } | 184 } |
| 180 | 185 |
| 181 scoped_ptr<CodeGen::Program> SandboxBPF::AssembleFilter( | 186 scoped_ptr<CodeGen::Program> SandboxBPF::AssembleFilter( |
| 182 bool force_verification) { | 187 bool force_verification) { |
| 183 #if !defined(NDEBUG) | 188 #if !defined(NDEBUG) |
| 184 force_verification = true; | 189 force_verification = true; |
| 185 #endif | 190 #endif |
| 186 DCHECK(policy_); | 191 DCHECK(policy_); |
| 192 |
| 187 bpf_dsl::PolicyCompiler compiler(policy_.get(), Trap::Registry()); | 193 bpf_dsl::PolicyCompiler compiler(policy_.get(), Trap::Registry()); |
| 188 scoped_ptr<CodeGen::Program> program = compiler.Compile(); | 194 if (Trap::SandboxDebuggingAllowedByUser()) { |
| 189 | 195 compiler.DangerousSetEscapePC(EscapePC()); |
| 190 // Make sure compilation resulted in a BPF program that executes | |
| 191 // correctly. Otherwise, there is an internal error in our BPF compiler. | |
| 192 // There is really nothing the caller can do until the bug is fixed. | |
| 193 if (force_verification) { | |
| 194 // Verification is expensive. We only perform this step, if we are | |
| 195 // compiled in debug mode, or if the caller explicitly requested | |
| 196 // verification. | |
| 197 | |
| 198 const char* err = NULL; | |
| 199 if (!Verifier::VerifyBPF(&compiler, *program, *policy_, &err)) { | |
| 200 bpf_dsl::DumpBPF::PrintProgram(*program); | |
| 201 SANDBOX_DIE(err); | |
| 202 } | |
| 203 } | 196 } |
| 204 | 197 return compiler.Compile(force_verification); |
| 205 return program.Pass(); | |
| 206 } | 198 } |
| 207 | 199 |
| 208 void SandboxBPF::InstallFilter(bool must_sync_threads) { | 200 void SandboxBPF::InstallFilter(bool must_sync_threads) { |
| 209 // We want to be very careful in not imposing any requirements on the | 201 // We want to be very careful in not imposing any requirements on the |
| 210 // policies that are set with SetSandboxPolicy(). This means, as soon as | 202 // policies that are set with SetSandboxPolicy(). This means, as soon as |
| 211 // the sandbox is active, we shouldn't be relying on libraries that could | 203 // the sandbox is active, we shouldn't be relying on libraries that could |
| 212 // be making system calls. This, for example, means we should avoid | 204 // be making system calls. This, for example, means we should avoid |
| 213 // using the heap and we should avoid using STL functions. | 205 // using the heap and we should avoid using STL functions. |
| 214 // Temporarily copy the contents of the "program" vector into a | 206 // Temporarily copy the contents of the "program" vector into a |
| 215 // stack-allocated array; and then explicitly destroy that object. | 207 // stack-allocated array; and then explicitly destroy that object. |
| (...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 247 } else { | 239 } else { |
| 248 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { | 240 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { |
| 249 SANDBOX_DIE("Kernel refuses to turn on BPF filters"); | 241 SANDBOX_DIE("Kernel refuses to turn on BPF filters"); |
| 250 } | 242 } |
| 251 } | 243 } |
| 252 | 244 |
| 253 sandbox_has_started_ = true; | 245 sandbox_has_started_ = true; |
| 254 } | 246 } |
| 255 | 247 |
| 256 } // namespace sandbox | 248 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1001833005:
Update from https://crrev.com/320343 (Closed)
Base URL: git@github.com:domokit/mojo.git@master