Linux sandbox: restrict clone() in renderer processes.

content/common/sandbox_seccomp_bpf_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <asm/unistd.h>
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
@@ skipping 83 matching lines @@
   *addr = '\0';
   // In case we hit a mapped address, hit the null page with just the syscall,
   // for paranoia.
   syscall &= 0xfffUL;
   addr = reinterpret_cast<volatile char*>(syscall);
   *addr = '\0';
   for (;;)
     _exit(1);
 }
 
+// TODO(jln): rewrite reporting functions.
+intptr_t ReportCloneFailure(const struct arch_seccomp_data& args, void* aux) {
+  // "flags" in the first argument in the kernel's clone().
+  // Mark as volatile to be able to find the value on the stack in a minidump.
+  volatile uint64_t clone_flags = args.args[0];
+  volatile char* addr =
+      reinterpret_cast<volatile char*>(clone_flags & 0xFFFFFF);
+  *addr = '\0';
+  // Hit the NULL page if this fails.

[Chris Evans, 2013/02/06 03:44:54]

Nit: "fails to fault"?

[jln (very slow on Chromium), 2013/02/06 04:00:51]

Done.

+  addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFF);
+  *addr = '\0';
+  for (;;)
+    _exit(1);
+}
+
 bool IsAcceleratedVideoDecodeEnabled() {
   // Accelerated video decode is currently enabled on Chrome OS,
   // but not on Linux: crbug.com/137247.
   bool is_enabled = IsChromeOS();
 
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
   is_enabled = is_enabled &&
       !command_line.HasSwitch(switches::kDisableAcceleratedVideoDecode);
 
   return is_enabled;
@@ skipping 1115 matching lines @@
 ErrorCode GpuBrokerProcessPolicy(int sysno, void*) {
   switch(sysno) {
     case __NR_open:
     case __NR_openat:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     default:
       return GpuProcessPolicy(sysno, NULL);
   }
 }
 
+// Allow clone for threads, crash if anything else is attempted.
+ErrorCode RestrictCloneToThreads() {
+  // Glibc's pthread.
+  return Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+                       CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
+                       CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS |
+                       CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID,
+                       ErrorCode(ErrorCode::ERR_ALLOWED),
+                       Sandbox::Trap(ReportCloneFailure, NULL));
+}
+
 ErrorCode RendererOrWorkerProcessPolicy(int sysno, void *) {
   switch (sysno) {
+    case __NR_clone:
+#if defined(__x86_64__)

[Chris Evans, 2013/02/06 03:44:54]

Nit: add TODO(jln) for other platforms?

+      return RestrictCloneToThreads();
+#endif
     case __NR_ioctl:  // TODO(jln) investigate legitimate use in the renderer
                       // and see if alternatives can be used.
     case __NR_fdatasync:
     case __NR_fsync:
 #if defined(__i386__) || defined(__x86_64__)
     case __NR_getrlimit:
 #endif
     case __NR_mremap:   // See crbug.com/149834.
     case __NR_pread64:
     case __NR_pwrite64:
@@ skipping 242 matching lines @@
     // should enable it, enable it or die.
     bool started_sandbox = StartBpfSandbox(command_line, process_type);
     CHECK(started_sandbox);
     return true;
   }
 #endif
   return false;
 }
 
 }  // namespace content