| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" | 5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <fcntl.h> | 9 #include <fcntl.h> |
| 10 #include <linux/futex.h> | |
| 11 #include <linux/net.h> | |
| 12 #include <sched.h> | 10 #include <sched.h> |
| 13 #include <signal.h> | 11 #include <signal.h> |
| 14 #include <sys/ioctl.h> | |
| 15 #include <sys/mman.h> | 12 #include <sys/mman.h> |
| 16 #include <sys/prctl.h> | 13 #include <sys/prctl.h> |
| 17 #include <sys/resource.h> | 14 #include <sys/resource.h> |
| 18 #include <sys/stat.h> | 15 #include <sys/stat.h> |
| 19 #include <sys/time.h> | 16 #include <sys/time.h> |
| 20 #include <sys/types.h> | 17 #include <sys/types.h> |
| 21 #include <time.h> | 18 #include <time.h> |
| 22 #include <unistd.h> | 19 #include <unistd.h> |
| 23 | 20 |
| 24 #include "base/basictypes.h" | 21 #include "base/basictypes.h" |
| 25 #include "base/logging.h" | 22 #include "base/logging.h" |
| 26 #include "base/macros.h" | 23 #include "base/macros.h" |
| 27 #include "base/time/time.h" | 24 #include "base/time/time.h" |
| 28 #include "build/build_config.h" | 25 #include "build/build_config.h" |
| 29 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" | 26 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" |
| 30 #include "sandbox/linux/bpf_dsl/seccomp_macros.h" | |
| 31 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" | 27 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" |
| 32 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 28 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 33 #include "sandbox/linux/system_headers/linux_syscalls.h" | 29 #include "sandbox/linux/system_headers/linux_syscalls.h" |
| 34 | 30 |
| 31 #if !defined(OS_NACL_NONSFI) |
| 32 // TODO |
| 33 #include <linux/futex.h> |
| 34 #include <linux/net.h> |
| 35 #include <sys/ioctl.h> |
| 36 #include "sandbox/linux/bpf_dsl/seccomp_macros.h" |
| 37 #endif |
| 38 |
| 35 #if defined(OS_ANDROID) | 39 #if defined(OS_ANDROID) |
| 36 | 40 |
| 37 #include "sandbox/linux/system_headers/android_futex.h" | 41 #include "sandbox/linux/system_headers/android_futex.h" |
| 38 | 42 |
| 39 #if !defined(F_DUPFD_CLOEXEC) | 43 #if !defined(F_DUPFD_CLOEXEC) |
| 40 #define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6) | 44 #define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6) |
| 41 #endif | 45 #endif |
| 42 | 46 |
| 43 // https://android.googlesource.com/platform/bionic/+/lollipop-release/libc/priv
ate/bionic_prctl.h | 47 // https://android.googlesource.com/platform/bionic/+/lollipop-release/libc/priv
ate/bionic_prctl.h |
| 44 #if !defined(PR_SET_VMA) | 48 #if !defined(PR_SET_VMA) |
| 45 #define PR_SET_VMA 0x53564d41 | 49 #define PR_SET_VMA 0x53564d41 |
| 46 #endif | 50 #endif |
| 47 | 51 |
| 48 // https://android.googlesource.com/platform/system/core/+/lollipop-release/libc
utils/sched_policy.c | 52 // https://android.googlesource.com/platform/system/core/+/lollipop-release/libc
utils/sched_policy.c |
| 49 #if !defined(PR_SET_TIMERSLACK_PID) | 53 #if !defined(PR_SET_TIMERSLACK_PID) |
| 50 #define PR_SET_TIMERSLACK_PID 41 | 54 #define PR_SET_TIMERSLACK_PID 41 |
| 51 #endif | 55 #endif |
| 52 | 56 |
| 53 #endif // defined(OS_ANDROID) | 57 #endif // defined(OS_ANDROID) |
| 54 | 58 |
| 59 #if !defined(PR_SET_NAME) |
| 60 // TODO |
| 61 #define PR_SET_NAME 15 |
| 62 #endif |
| 63 |
| 55 #if defined(__arm__) && !defined(MAP_STACK) | 64 #if defined(__arm__) && !defined(MAP_STACK) |
| 56 #define MAP_STACK 0x20000 // Daisy build environment has old headers. | 65 #define MAP_STACK 0x20000 // Daisy build environment has old headers. |
| 57 #endif | 66 #endif |
| 58 | 67 |
| 59 #if defined(__mips__) && !defined(MAP_STACK) | 68 #if defined(__mips__) && !defined(MAP_STACK) |
| 60 #define MAP_STACK 0x40000 | 69 #define MAP_STACK 0x40000 |
| 61 #endif | 70 #endif |
| 62 namespace { | 71 namespace { |
| 63 | 72 |
| 64 inline bool IsArchitectureX86_64() { | 73 inline bool IsArchitectureX86_64() { |
| (...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 138 const Arg<int> option(0); | 147 const Arg<int> option(0); |
| 139 return Switch(option) | 148 return Switch(option) |
| 140 .CASES((PR_GET_NAME, PR_SET_NAME, PR_GET_DUMPABLE, PR_SET_DUMPABLE), | 149 .CASES((PR_GET_NAME, PR_SET_NAME, PR_GET_DUMPABLE, PR_SET_DUMPABLE), |
| 141 Allow()) | 150 Allow()) |
| 142 #if defined(OS_ANDROID) | 151 #if defined(OS_ANDROID) |
| 143 .CASES((PR_SET_VMA, PR_SET_TIMERSLACK_PID), Allow()) | 152 .CASES((PR_SET_VMA, PR_SET_TIMERSLACK_PID), Allow()) |
| 144 #endif | 153 #endif |
| 145 .Default(CrashSIGSYSPrctl()); | 154 .Default(CrashSIGSYSPrctl()); |
| 146 } | 155 } |
| 147 | 156 |
| 157 #if !defined(OS_NACL_NONSFI) |
| 148 ResultExpr RestrictIoctl() { | 158 ResultExpr RestrictIoctl() { |
| 149 const Arg<int> request(1); | 159 const Arg<int> request(1); |
| 150 return Switch(request).CASES((TCGETS, FIONREAD), Allow()).Default( | 160 return Switch(request).CASES((TCGETS, FIONREAD), Allow()).Default( |
| 151 CrashSIGSYSIoctl()); | 161 CrashSIGSYSIoctl()); |
| 152 } | 162 } |
| 153 | 163 |
| 154 ResultExpr RestrictMmapFlags() { | 164 ResultExpr RestrictMmapFlags() { |
| 155 // The flags you see are actually the allowed ones, and the variable is a | 165 // The flags you see are actually the allowed ones, and the variable is a |
| 156 // "denied" mask because of the negation operator. | 166 // "denied" mask because of the negation operator. |
| 157 // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as | 167 // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as |
| 158 // MAP_POPULATE. | 168 // MAP_POPULATE. |
| 159 // TODO(davidung), remove MAP_DENYWRITE with updated Tegra libraries. | 169 // TODO(davidung), remove MAP_DENYWRITE with updated Tegra libraries. |
| 160 const uint64_t kAllowedMask = MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | | 170 const uint64_t kAllowedMask = MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | |
| 161 MAP_STACK | MAP_NORESERVE | MAP_FIXED | | 171 MAP_STACK | MAP_NORESERVE | MAP_FIXED | |
| 162 MAP_DENYWRITE; | 172 MAP_DENYWRITE; |
| 163 const Arg<int> flags(3); | 173 const Arg<int> flags(3); |
| 164 return If((flags & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS()); | 174 return If((flags & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS()); |
| 165 } | 175 } |
| 176 #endif |
| 166 | 177 |
| 167 ResultExpr RestrictMprotectFlags() { | 178 ResultExpr RestrictMprotectFlags() { |
| 168 // The flags you see are actually the allowed ones, and the variable is a | 179 // The flags you see are actually the allowed ones, and the variable is a |
| 169 // "denied" mask because of the negation operator. | 180 // "denied" mask because of the negation operator. |
| 170 // Significantly, we don't permit weird undocumented flags such as | 181 // Significantly, we don't permit weird undocumented flags such as |
| 171 // PROT_GROWSDOWN. | 182 // PROT_GROWSDOWN. |
| 172 const uint64_t kAllowedMask = PROT_READ | PROT_WRITE | PROT_EXEC; | 183 const uint64_t kAllowedMask = PROT_READ | PROT_WRITE | PROT_EXEC; |
| 173 const Arg<int> prot(2); | 184 const Arg<int> prot(2); |
| 174 return If((prot & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS()); | 185 return If((prot & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS()); |
| 175 } | 186 } |
| 176 | 187 |
| 188 #if !defined(OS_NACL_NONSFI) |
| 177 ResultExpr RestrictFcntlCommands() { | 189 ResultExpr RestrictFcntlCommands() { |
| 178 // We also restrict the flags in F_SETFL. We don't want to permit flags with | 190 // We also restrict the flags in F_SETFL. We don't want to permit flags with |
| 179 // a history of trouble such as O_DIRECT. The flags you see are actually the | 191 // a history of trouble such as O_DIRECT. The flags you see are actually the |
| 180 // allowed ones, and the variable is a "denied" mask because of the negation | 192 // allowed ones, and the variable is a "denied" mask because of the negation |
| 181 // operator. | 193 // operator. |
| 182 // Glibc overrides the kernel's O_LARGEFILE value. Account for this. | 194 // Glibc overrides the kernel's O_LARGEFILE value. Account for this. |
| 183 uint64_t kOLargeFileFlag = O_LARGEFILE; | 195 uint64_t kOLargeFileFlag = O_LARGEFILE; |
| 184 if (IsArchitectureX86_64() || IsArchitectureI386() || IsArchitectureMips()) | 196 if (IsArchitectureX86_64() || IsArchitectureI386() || IsArchitectureMips()) |
| 185 kOLargeFileFlag = 0100000; | 197 kOLargeFileFlag = 0100000; |
| 186 | 198 |
| 187 const Arg<int> cmd(1); | 199 const Arg<int> cmd(1); |
| 188 const Arg<long> long_arg(2); | 200 const Arg<long> long_arg(2); |
| 189 | 201 |
| 190 const uint64_t kAllowedMask = O_ACCMODE | O_APPEND | O_NONBLOCK | O_SYNC | | 202 const uint64_t kAllowedMask = O_ACCMODE | O_APPEND | O_NONBLOCK | O_SYNC | |
| 191 kOLargeFileFlag | O_CLOEXEC | O_NOATIME; | 203 kOLargeFileFlag | O_CLOEXEC | O_NOATIME; |
| 192 return Switch(cmd) | 204 return Switch(cmd) |
| 193 .CASES((F_GETFL, | 205 .CASES((F_GETFL, |
| 194 F_GETFD, | 206 F_GETFD, |
| 195 F_SETFD, | 207 F_SETFD, |
| 196 F_SETLK, | 208 F_SETLK, |
| 197 F_SETLKW, | 209 F_SETLKW, |
| 198 F_GETLK, | 210 F_GETLK, |
| 199 F_DUPFD, | 211 F_DUPFD, |
| 200 F_DUPFD_CLOEXEC), | 212 F_DUPFD_CLOEXEC), |
| 201 Allow()) | 213 Allow()) |
| 202 .Case(F_SETFL, | 214 .Case(F_SETFL, |
| 203 If((long_arg & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS())) | 215 If((long_arg & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS())) |
| 204 .Default(CrashSIGSYS()); | 216 .Default(CrashSIGSYS()); |
| 205 } | 217 } |
| 218 #endif |
| 206 | 219 |
| 207 #if defined(__i386__) || defined(__mips__) | 220 #if defined(__i386__) || defined(__mips__) |
| 221 #if !defined(OS_NACL_NONSFI) |
| 208 ResultExpr RestrictSocketcallCommand() { | 222 ResultExpr RestrictSocketcallCommand() { |
| 209 // Unfortunately, we are unable to restrict the first parameter to | 223 // Unfortunately, we are unable to restrict the first parameter to |
| 210 // socketpair(2). Whilst initially sounding bad, it's noteworthy that very | 224 // socketpair(2). Whilst initially sounding bad, it's noteworthy that very |
| 211 // few protocols actually support socketpair(2). The scary call that we're | 225 // few protocols actually support socketpair(2). The scary call that we're |
| 212 // worried about, socket(2), remains blocked. | 226 // worried about, socket(2), remains blocked. |
| 213 const Arg<int> call(0); | 227 const Arg<int> call(0); |
| 214 return Switch(call) | 228 return Switch(call) |
| 215 .CASES((SYS_SOCKETPAIR, | 229 .CASES((SYS_SOCKETPAIR, |
| 216 SYS_SHUTDOWN, | 230 SYS_SHUTDOWN, |
| 217 SYS_RECV, | 231 SYS_RECV, |
| 218 SYS_SEND, | 232 SYS_SEND, |
| 219 SYS_RECVFROM, | 233 SYS_RECVFROM, |
| 220 SYS_SENDTO, | 234 SYS_SENDTO, |
| 221 SYS_RECVMSG, | 235 SYS_RECVMSG, |
| 222 SYS_SENDMSG), | 236 SYS_SENDMSG), |
| 223 Allow()) | 237 Allow()) |
| 224 .Default(Error(EPERM)); | 238 .Default(Error(EPERM)); |
| 225 } | 239 } |
| 226 #endif | 240 #endif |
| 241 #endif |
| 227 | 242 |
| 228 ResultExpr RestrictKillTarget(pid_t target_pid, int sysno) { | 243 ResultExpr RestrictKillTarget(pid_t target_pid, int sysno) { |
| 229 switch (sysno) { | 244 switch (sysno) { |
| 230 case __NR_kill: | 245 case __NR_kill: |
| 231 case __NR_tgkill: { | 246 case __NR_tgkill: { |
| 232 const Arg<pid_t> pid(0); | 247 const Arg<pid_t> pid(0); |
| 233 return If(pid == target_pid, Allow()).Else(CrashSIGSYSKill()); | 248 return If(pid == target_pid, Allow()).Else(CrashSIGSYSKill()); |
| 234 } | 249 } |
| 235 case __NR_tkill: | 250 case __NR_tkill: |
| 236 return CrashSIGSYSKill(); | 251 return CrashSIGSYSKill(); |
| 237 default: | 252 default: |
| 238 NOTREACHED(); | 253 NOTREACHED(); |
| 239 return CrashSIGSYS(); | 254 return CrashSIGSYS(); |
| 240 } | 255 } |
| 241 } | 256 } |
| 242 | 257 |
| 258 #if !defined(OS_NACL_NONSFI) |
| 259 // TODO |
| 243 ResultExpr RestrictFutex() { | 260 ResultExpr RestrictFutex() { |
| 244 const uint64_t kAllowedFutexFlags = FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME; | 261 const uint64_t kAllowedFutexFlags = FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME; |
| 245 const Arg<int> op(1); | 262 const Arg<int> op(1); |
| 246 return Switch(op & ~kAllowedFutexFlags) | 263 return Switch(op & ~kAllowedFutexFlags) |
| 247 .CASES((FUTEX_WAIT, | 264 .CASES((FUTEX_WAIT, |
| 248 FUTEX_WAKE, | 265 FUTEX_WAKE, |
| 249 FUTEX_REQUEUE, | 266 FUTEX_REQUEUE, |
| 250 FUTEX_CMP_REQUEUE, | 267 FUTEX_CMP_REQUEUE, |
| 251 FUTEX_WAKE_OP, | 268 FUTEX_WAKE_OP, |
| 252 FUTEX_WAIT_BITSET, | 269 FUTEX_WAIT_BITSET, |
| 253 FUTEX_WAKE_BITSET), | 270 FUTEX_WAKE_BITSET), |
| 254 Allow()) | 271 Allow()) |
| 255 .Default(CrashSIGSYSFutex()); | 272 .Default(CrashSIGSYSFutex()); |
| 256 } | 273 } |
| 274 #endif |
| 257 | 275 |
| 276 #if !defined(OS_NACL_NONSFI) |
| 258 ResultExpr RestrictGetSetpriority(pid_t target_pid) { | 277 ResultExpr RestrictGetSetpriority(pid_t target_pid) { |
| 259 const Arg<int> which(0); | 278 const Arg<int> which(0); |
| 260 const Arg<int> who(1); | 279 const Arg<int> who(1); |
| 261 return If(which == PRIO_PROCESS, | 280 return If(which == PRIO_PROCESS, |
| 262 If(who == 0 || who == target_pid, Allow()).Else(Error(EPERM))) | 281 If(who == 0 || who == target_pid, Allow()).Else(Error(EPERM))) |
| 263 .Else(CrashSIGSYS()); | 282 .Else(CrashSIGSYS()); |
| 264 } | 283 } |
| 284 #endif |
| 265 | 285 |
| 266 ResultExpr RestrictClockID() { | 286 ResultExpr RestrictClockID() { |
| 267 static_assert(4 == sizeof(clockid_t), "clockid_t is not 32bit"); | 287 static_assert(4 == sizeof(clockid_t), "clockid_t is not 32bit"); |
| 268 const Arg<clockid_t> clockid(0); | 288 const Arg<clockid_t> clockid(0); |
| 269 return If( | 289 return If( |
| 270 #if defined(OS_CHROMEOS) | 290 #if defined(OS_CHROMEOS) |
| 271 // Allow the special clock for Chrome OS used by Chrome tracing. | 291 // Allow the special clock for Chrome OS used by Chrome tracing. |
| 272 clockid == base::TimeTicks::kClockSystemTrace || | 292 clockid == base::TimeTicks::kClockSystemTrace || |
| 273 #endif | 293 #endif |
| 274 clockid == CLOCK_MONOTONIC || | 294 clockid == CLOCK_MONOTONIC || |
| (...skipping 28 matching lines...) Expand all Loading... |
| 303 const Arg<pid_t> pid(0); | 323 const Arg<pid_t> pid(0); |
| 304 return If(pid == 0 || pid == target_pid, Allow()).Else(CrashSIGSYS()); | 324 return If(pid == 0 || pid == target_pid, Allow()).Else(CrashSIGSYS()); |
| 305 } | 325 } |
| 306 | 326 |
| 307 ResultExpr RestrictGetrusage() { | 327 ResultExpr RestrictGetrusage() { |
| 308 const Arg<int> who(0); | 328 const Arg<int> who(0); |
| 309 return If(who == RUSAGE_SELF, Allow()).Else(CrashSIGSYS()); | 329 return If(who == RUSAGE_SELF, Allow()).Else(CrashSIGSYS()); |
| 310 } | 330 } |
| 311 | 331 |
| 312 } // namespace sandbox. | 332 } // namespace sandbox. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1029283003:
WIP: Implement seccomp-bpf sandbox for nacl_helper_nonsfi.
Base URL: https://chromium.googlesource.com/chromium/src.git@master