OLD | NEW |
---|---|
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" | 5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <fcntl.h> | 8 #include <fcntl.h> |
9 #include <fcntl.h> | 9 #include <fcntl.h> |
10 #include <linux/futex.h> | 10 #include <linux/futex.h> |
(...skipping 14 matching lines...) Expand all Loading... | |
25 #include "base/logging.h" | 25 #include "base/logging.h" |
26 #include "base/macros.h" | 26 #include "base/macros.h" |
27 #include "base/time/time.h" | 27 #include "base/time/time.h" |
28 #include "build/build_config.h" | 28 #include "build/build_config.h" |
29 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" | 29 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" |
30 #include "sandbox/linux/bpf_dsl/seccomp_macros.h" | 30 #include "sandbox/linux/bpf_dsl/seccomp_macros.h" |
31 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" | 31 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" |
32 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 32 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
33 #include "sandbox/linux/system_headers/linux_syscalls.h" | 33 #include "sandbox/linux/system_headers/linux_syscalls.h" |
34 | 34 |
35 #if defined(USE_OZONE_GBM_INTEL) | |
36 #include <libdrm/i915_drm.h> | |
37 #endif | |
38 | |
35 #if defined(OS_ANDROID) | 39 #if defined(OS_ANDROID) |
36 | 40 |
37 #include "sandbox/linux/system_headers/android_futex.h" | 41 #include "sandbox/linux/system_headers/android_futex.h" |
38 | 42 |
39 #if !defined(F_DUPFD_CLOEXEC) | 43 #if !defined(F_DUPFD_CLOEXEC) |
40 #define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6) | 44 #define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6) |
41 #endif | 45 #endif |
42 | 46 |
43 // https://android.googlesource.com/platform/bionic/+/lollipop-release/libc/priv ate/bionic_prctl.h | 47 // https://android.googlesource.com/platform/bionic/+/lollipop-release/libc/priv ate/bionic_prctl.h |
44 #if !defined(PR_SET_VMA) | 48 #if !defined(PR_SET_VMA) |
(...skipping 94 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
139 return Switch(option) | 143 return Switch(option) |
140 .CASES((PR_GET_NAME, PR_SET_NAME, PR_GET_DUMPABLE, PR_SET_DUMPABLE), | 144 .CASES((PR_GET_NAME, PR_SET_NAME, PR_GET_DUMPABLE, PR_SET_DUMPABLE), |
141 Allow()) | 145 Allow()) |
142 #if defined(OS_ANDROID) | 146 #if defined(OS_ANDROID) |
143 .CASES((PR_SET_VMA, PR_SET_TIMERSLACK_PID), Allow()) | 147 .CASES((PR_SET_VMA, PR_SET_TIMERSLACK_PID), Allow()) |
144 #endif | 148 #endif |
145 .Default(CrashSIGSYSPrctl()); | 149 .Default(CrashSIGSYSPrctl()); |
146 } | 150 } |
147 | 151 |
148 ResultExpr RestrictIoctl() { | 152 ResultExpr RestrictIoctl() { |
149 const Arg<int> request(1); | 153 // The type of DRM_IOCTL_XXX macro is long unsigned int. |
150 return Switch(request).CASES((TCGETS, FIONREAD), Allow()).Default( | 154 #if defined(USE_OZONE_GBM_INTEL) |
151 CrashSIGSYSIoctl()); | 155 auto reference_type = DRM_IOCTL_I915_GEM_MMAP; |
156 #else | |
157 auto reference_type = TCGETS; | |
158 #endif | |
159 const Arg<decltype(reference_type)> request(1); | |
160 return Switch(request) | |
161 .CASES(((decltype(reference_type))TCGETS, FIONREAD), Allow()) | |
162 #if defined(USE_OZONE_GBM_INTEL) | |
163 .CASES((DRM_IOCTL_GEM_CLOSE, DRM_IOCTL_I915_GEM_GET_APERTURE, | |
164 DRM_IOCTL_I915_GEM_GET_TILING, DRM_IOCTL_I915_GEM_MMAP, | |
165 DRM_IOCTL_I915_GEM_SET_DOMAIN, DRM_IOCTL_I915_GEM_SW_FINISH, | |
166 DRM_IOCTL_I915_GEM_USERPTR, DRM_IOCTL_I915_GETPARAM, | |
167 DRM_IOCTL_PRIME_FD_TO_HANDLE), | |
168 Allow()) | |
dshwang
2015/04/09 19:12:26
Render process requires additional ioctl calls. It
reveman
2015/04/13 00:46:13
This has unacceptable security implications, which
dshwang
2015/04/14 13:15:55
Even if we use vgem, we need some ioctl call in re
| |
169 #endif | |
170 .Default(CrashSIGSYSIoctl()); | |
152 } | 171 } |
153 | 172 |
154 ResultExpr RestrictMmapFlags() { | 173 ResultExpr RestrictMmapFlags() { |
155 // The flags you see are actually the allowed ones, and the variable is a | 174 // The flags you see are actually the allowed ones, and the variable is a |
156 // "denied" mask because of the negation operator. | 175 // "denied" mask because of the negation operator. |
157 // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as | 176 // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as |
158 // MAP_POPULATE. | 177 // MAP_POPULATE. |
159 // TODO(davidung), remove MAP_DENYWRITE with updated Tegra libraries. | 178 // TODO(davidung), remove MAP_DENYWRITE with updated Tegra libraries. |
160 const uint64_t kAllowedMask = MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | | 179 const uint64_t kAllowedMask = MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | |
161 MAP_STACK | MAP_NORESERVE | MAP_FIXED | | 180 MAP_STACK | MAP_NORESERVE | MAP_FIXED | |
(...skipping 141 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
303 const Arg<pid_t> pid(0); | 322 const Arg<pid_t> pid(0); |
304 return If(pid == 0 || pid == target_pid, Allow()).Else(CrashSIGSYS()); | 323 return If(pid == 0 || pid == target_pid, Allow()).Else(CrashSIGSYS()); |
305 } | 324 } |
306 | 325 |
307 ResultExpr RestrictGetrusage() { | 326 ResultExpr RestrictGetrusage() { |
308 const Arg<int> who(0); | 327 const Arg<int> who(0); |
309 return If(who == RUSAGE_SELF, Allow()).Else(CrashSIGSYS()); | 328 return If(who == RUSAGE_SELF, Allow()).Else(CrashSIGSYS()); |
310 } | 329 } |
311 | 330 |
312 } // namespace sandbox. | 331 } // namespace sandbox. |
OLD | NEW |