content/common/sandbox_seccomp_bpf_linux.cc - Issue 12209029: Linux sandbox: restrict clone() in renderer processes.

Side by Side Diff: content/common/sandbox_seccomp_bpf_linux.cc

Issue 12209029: Linux sandbox: restrict clone() in renderer processes. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 7 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include <asm/unistd.h>	5 #include <asm/unistd.h>

6 #include <dlfcn.h>	6 #include <dlfcn.h>

7 #include <errno.h>	7 #include <errno.h>

8 #include <fcntl.h>	8 #include <fcntl.h>

9 #include <linux/audit.h>	9 #include <linux/audit.h>

10 #include <linux/filter.h>	10 #include <linux/filter.h>

(...skipping 83 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
94 *addr = '\0';	94 *addr = '\0';

95 // In case we hit a mapped address, hit the null page with just the syscall,	95 // In case we hit a mapped address, hit the null page with just the syscall,

96 // for paranoia.	96 // for paranoia.

97 syscall &= 0xfffUL;	97 syscall &= 0xfffUL;

98 addr = reinterpret_cast<volatile char*>(syscall);	98 addr = reinterpret_cast<volatile char*>(syscall);

99 *addr = '\0';	99 *addr = '\0';

100 for (;;)	100 for (;;)

101 _exit(1);	101 _exit(1);

102 }	102 }

103	103

	104 // TODO(jln): rewrite reporting functions.

	105 intptr_t ReportCloneFailure(const struct arch_seccomp_data& args, void* aux) {

	106 // "flags" in the first argument in the kernel's clone().

	107 // Mark as volatile to be able to find the value on the stack in a minidump.

	108 volatile uint64_t clone_flags = args.args[0];

	109 volatile char* addr =

	110 reinterpret_cast<volatile char*>(clone_flags & 0xFFFFFF);
	Chris Evans 2013/02/06 03:36:11 BTW, on 32-bit systems that's a pretty big mask. M BTW, on 32-bit systems that's a pretty big mask. Might be a mapped area?
	111 *addr = '\0';

	112 // Hit the NULL page if this fails.

	113 addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFF);

	114 *addr = '\0';

	115 for (;;)

	116 _exit(1);
	Chris Evans 2013/02/06 03:27:59 Is exit_group() better? Is exit_group() better? jln (very slow on Chromium) 2013/02/06 03:32:31 I can't recall I did exit and not exit group. In t Show quoted text On 2013/02/06 03:27:59, Chris Evans wrote: > Is exit_group() better? I can't recall I did exit and not exit group. In the compiler's unit test exit_group is usually used. It' similar to the one done in the crash signal handler and I would rather not touch this as part of this CL. There is an upcoming refactor of all the reporting code anyways. Chris Evans 2013/02/06 03:37:25 Ok maybe add a comment about considering exit_grou Ok maybe add a comment about considering exit_group() in the future? On 2013/02/06 03:32:31, Julien Tinnes wrote: Show quoted text > On 2013/02/06 03:27:59, Chris Evans wrote: > > Is exit_group() better? > > I can't recall I did exit and not exit group. In the compiler's unit test > exit_group is usually used. > > It' similar to the one done in the crash signal handler and I would rather not > touch this as part of this CL. > > There is an upcoming refactor of all the reporting code anyways.
	117 }

	118

104 bool IsAcceleratedVideoDecodeEnabled() {	119 bool IsAcceleratedVideoDecodeEnabled() {

105 // Accelerated video decode is currently enabled on Chrome OS,	120 // Accelerated video decode is currently enabled on Chrome OS,

106 // but not on Linux: crbug.com/137247.	121 // but not on Linux: crbug.com/137247.

107 bool is_enabled = IsChromeOS();	122 bool is_enabled = IsChromeOS();

108	123

109 const CommandLine& command_line = *CommandLine::ForCurrentProcess();	124 const CommandLine& command_line = *CommandLine::ForCurrentProcess();

110 is_enabled = is_enabled &&	125 is_enabled = is_enabled &&

111 !command_line.HasSwitch(switches::kDisableAcceleratedVideoDecode);	126 !command_line.HasSwitch(switches::kDisableAcceleratedVideoDecode);

112	127

113 return is_enabled;	128 return is_enabled;

(...skipping 1115 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1229 ErrorCode GpuBrokerProcessPolicy(int sysno, void*) {	1244 ErrorCode GpuBrokerProcessPolicy(int sysno, void*) {

1230 switch(sysno) {	1245 switch(sysno) {

1231 case __NR_open:	1246 case __NR_open:

1232 case __NR_openat:	1247 case __NR_openat:

1233 return ErrorCode(ErrorCode::ERR_ALLOWED);	1248 return ErrorCode(ErrorCode::ERR_ALLOWED);

1234 default:	1249 default:

1235 return GpuProcessPolicy(sysno, NULL);	1250 return GpuProcessPolicy(sysno, NULL);

1236 }	1251 }

1237 }	1252 }

1238	1253

	1254 ErrorCode AllowCloneForThreads() {

	1255 // Glibc's pthread.

	1256 return Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,

	1257 CLONE_VM \| CLONE_FS \| CLONE_FILES \| CLONE_SIGHAND \|

	1258 CLONE_THREAD \| CLONE_SYSVSEM \| CLONE_SETTLS \|

	1259 CLONE_PARENT_SETTID \| CLONE_CHILD_CLEARTID,
	Chris Evans 2013/02/06 03:27:59 So you permit one exact bitmask of flags. Isn't th So you permit one exact bitmask of flags. Isn't the termination signal part of that argument? SIGCHLD? I'm confused as to why it works. jln (very slow on Chromium) 2013/02/06 03:32:31 This is the mask used by pthread. For various reas Show quoted text On 2013/02/06 03:27:59, Chris Evans wrote: > So you permit one exact bitmask of flags. > Isn't the termination signal part of that argument? SIGCHLD? > > I'm confused as to why it works. This is the mask used by pthread. For various reasons, you can't really use anything else than pthread if something in your process does use it. However this is quite highly architecture dependent, I'll limit this to 64 bits x86 in the first iteration. Chris Evans 2013/02/06 03:36:11 Sounds good On 2013/02/06 03:32:31, Julien Tinnes Sounds good On 2013/02/06 03:32:31, Julien Tinnes wrote: Show quoted text > On 2013/02/06 03:27:59, Chris Evans wrote: > > So you permit one exact bitmask of flags. > > Isn't the termination signal part of that argument? SIGCHLD? > > > > I'm confused as to why it works. > > This is the mask used by pthread. For various reasons, you can't really use > anything else than pthread if something in your process does use it. > > However this is quite highly architecture dependent, I'll limit this to 64 bits > x86 in the first iteration.
	1260 ErrorCode(ErrorCode::ERR_ALLOWED),

	1261 Sandbox::Trap(ReportCloneFailure, NULL));

	1262 }

	1263

1239 ErrorCode RendererOrWorkerProcessPolicy(int sysno, void *) {	1264 ErrorCode RendererOrWorkerProcessPolicy(int sysno, void *) {

1240 switch (sysno) {	1265 switch (sysno) {

	1266 case __NR_clone:

	1267 return AllowCloneForThreads();
	Chris Evans 2013/02/06 03:27:59 Can we do it for Flash too? Flash is most likely t Can we do it for Flash too? Flash is most likely to be compromised of all process types. Let me know if you want to put some time in testing. jln (very slow on Chromium) 2013/02/06 03:32:31 Let's do them separately ? I'm happy to either fir Show quoted text On 2013/02/06 03:27:59, Chris Evans wrote: > Can we do it for Flash too? Flash is most likely to be compromised of all > process types. Let me know if you want to put some time in testing. Let's do them separately ? I'm happy to either first. Chris Evans 2013/02/06 03:36:11 Ok separately is good Show quoted text On 2013/02/06 03:32:31, Julien Tinnes wrote: > On 2013/02/06 03:27:59, Chris Evans wrote: > > Can we do it for Flash too? Flash is most likely to be compromised of all > > process types. Let me know if you want to put some time in testing. > > Let's do them separately ? I'm happy to either first. Ok separately is good
1241 case __NR_ioctl: // TODO(jln) investigate legitimate use in the renderer	1268 case __NR_ioctl: // TODO(jln) investigate legitimate use in the renderer

1242 // and see if alternatives can be used.	1269 // and see if alternatives can be used.

1243 case __NR_fdatasync:	1270 case __NR_fdatasync:

1244 case __NR_fsync:	1271 case __NR_fsync:

1245 #if defined(__i386__) \|\| defined(__x86_64__)	1272 #if defined(__i386__) \|\| defined(__x86_64__)

1246 case __NR_getrlimit:	1273 case __NR_getrlimit:

1247 #endif	1274 #endif

1248 case __NR_mremap: // See crbug.com/149834.	1275 case __NR_mremap: // See crbug.com/149834.

1249 case __NR_pread64:	1276 case __NR_pread64:

1250 case __NR_pwrite64:	1277 case __NR_pwrite64:

(...skipping 242 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1493 // should enable it, enable it or die.	1520 // should enable it, enable it or die.

1494 bool started_sandbox = StartBpfSandbox(command_line, process_type);	1521 bool started_sandbox = StartBpfSandbox(command_line, process_type);

1495 CHECK(started_sandbox);	1522 CHECK(started_sandbox);

1496 return true;	1523 return true;

1497 }	1524 }

1498 #endif	1525 #endif

1499 return false;	1526 return false;

1500 }	1527 }

1501	1528

1502 } // namespace content	1529 } // namespace content

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »