| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf/trap.h" | 5 #include "sandbox/linux/seccomp-bpf/trap.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <signal.h> | 8 #include <signal.h> |
| 9 #include <string.h> | 9 #include <string.h> |
| 10 #include <sys/syscall.h> | 10 #include <sys/syscall.h> |
| (...skipping 233 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 244 bool Trap::TrapKey::operator<(const TrapKey& o) const { | 244 bool Trap::TrapKey::operator<(const TrapKey& o) const { |
| 245 if (fnc != o.fnc) { | 245 if (fnc != o.fnc) { |
| 246 return fnc < o.fnc; | 246 return fnc < o.fnc; |
| 247 } else if (aux != o.aux) { | 247 } else if (aux != o.aux) { |
| 248 return aux < o.aux; | 248 return aux < o.aux; |
| 249 } else { | 249 } else { |
| 250 return safe < o.safe; | 250 return safe < o.safe; |
| 251 } | 251 } |
| 252 } | 252 } |
| 253 | 253 |
| 254 uint16_t Trap::MakeTrap(TrapFnc fnc, const void* aux, bool safe) { | |
| 255 return Registry()->Add(fnc, aux, safe); | |
| 256 } | |
| 257 | |
| 258 uint16_t Trap::Add(TrapFnc fnc, const void* aux, bool safe) { | 254 uint16_t Trap::Add(TrapFnc fnc, const void* aux, bool safe) { |
| 259 if (!safe && !SandboxDebuggingAllowedByUser()) { | 255 if (!safe && !SandboxDebuggingAllowedByUser()) { |
| 260 // Unless the user set the CHROME_SANDBOX_DEBUGGING environment variable, | 256 // Unless the user set the CHROME_SANDBOX_DEBUGGING environment variable, |
| 261 // we never return an ErrorCode that is marked as "unsafe". This also | 257 // we never return an ErrorCode that is marked as "unsafe". This also |
| 262 // means, the BPF compiler will never emit code that allow unsafe system | 258 // means, the BPF compiler will never emit code that allow unsafe system |
| 263 // calls to by-pass the filter (because they use the magic return address | 259 // calls to by-pass the filter (because they use the magic return address |
| 264 // from Syscall::Call(-1)). | 260 // from Syscall::Call(-1)). |
| 265 | 261 |
| 266 // This SANDBOX_DIE() can optionally be removed. It won't break security, | 262 // This SANDBOX_DIE() can optionally be removed. It won't break security, |
| 267 // but it might make error messages from the BPF compiler a little harder | 263 // but it might make error messages from the BPF compiler a little harder |
| (...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 346 delete[] old_trap_array; | 342 delete[] old_trap_array; |
| 347 } | 343 } |
| 348 | 344 |
| 349 uint16_t id = trap_array_size_ + 1; | 345 uint16_t id = trap_array_size_ + 1; |
| 350 trap_ids_[key] = id; | 346 trap_ids_[key] = id; |
| 351 trap_array_[trap_array_size_] = key; | 347 trap_array_[trap_array_size_] = key; |
| 352 trap_array_size_++; | 348 trap_array_size_++; |
| 353 return id; | 349 return id; |
| 354 } | 350 } |
| 355 | 351 |
| 356 bool Trap::SandboxDebuggingAllowedByUser() const { | 352 bool Trap::SandboxDebuggingAllowedByUser() { |
| 357 const char* debug_flag = getenv(kSandboxDebuggingEnv); | 353 const char* debug_flag = getenv(kSandboxDebuggingEnv); |
| 358 return debug_flag && *debug_flag; | 354 return debug_flag && *debug_flag; |
| 359 } | 355 } |
| 360 | 356 |
| 361 bool Trap::EnableUnsafeTrapsInSigSysHandler() { | |
| 362 return Registry()->EnableUnsafeTraps(); | |
| 363 } | |
| 364 | |
| 365 bool Trap::EnableUnsafeTraps() { | 357 bool Trap::EnableUnsafeTraps() { |
| 366 if (!has_unsafe_traps_) { | 358 if (!has_unsafe_traps_) { |
| 367 // Unsafe traps are a one-way fuse. Once enabled, they can never be turned | 359 // Unsafe traps are a one-way fuse. Once enabled, they can never be turned |
| 368 // off again. | 360 // off again. |
| 369 // We only allow enabling unsafe traps, if the user explicitly set an | 361 // We only allow enabling unsafe traps, if the user explicitly set an |
| 370 // appropriate environment variable. This prevents bugs that accidentally | 362 // appropriate environment variable. This prevents bugs that accidentally |
| 371 // disable all sandboxing for all users. | 363 // disable all sandboxing for all users. |
| 372 if (SandboxDebuggingAllowedByUser()) { | 364 if (SandboxDebuggingAllowedByUser()) { |
| 373 // We only ever print this message once, when we enable unsafe traps the | 365 // We only ever print this message once, when we enable unsafe traps the |
| 374 // first time. | 366 // first time. |
| 375 SANDBOX_INFO("WARNING! Disabling sandbox for debugging purposes"); | 367 SANDBOX_INFO("WARNING! Disabling sandbox for debugging purposes"); |
| 376 has_unsafe_traps_ = true; | 368 has_unsafe_traps_ = true; |
| 377 } else { | 369 } else { |
| 378 SANDBOX_INFO( | 370 SANDBOX_INFO( |
| 379 "Cannot disable sandbox and use unsafe traps unless " | 371 "Cannot disable sandbox and use unsafe traps unless " |
| 380 "CHROME_SANDBOX_DEBUGGING is turned on first"); | 372 "CHROME_SANDBOX_DEBUGGING is turned on first"); |
| 381 } | 373 } |
| 382 } | 374 } |
| 383 // Returns the, possibly updated, value of has_unsafe_traps_. | 375 // Returns the, possibly updated, value of has_unsafe_traps_. |
| 384 return has_unsafe_traps_; | 376 return has_unsafe_traps_; |
| 385 } | 377 } |
| 386 | 378 |
| 387 Trap* Trap::global_trap_; | 379 Trap* Trap::global_trap_; |
| 388 | 380 |
| 389 } // namespace sandbox | 381 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1001833005:
Update from https://crrev.com/320343 (Closed)
Base URL: git@github.com:domokit/mojo.git@master