content/common/sandbox_seccomp_bpf_linux.cc - Issue 12209029: Linux sandbox: restrict clone() in renderer processes.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: content/common/sandbox_seccomp_bpf_linux.cc

Issue 12209029: Linux sandbox: restrict clone() in renderer processes. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Add crashing message in Debug builds. Created 7 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: content/common/sandbox_seccomp_bpf_linux.cc

diff --git a/content/common/sandbox_seccomp_bpf_linux.cc b/content/common/sandbox_seccomp_bpf_linux.cc

index 7051acb93a65132ee1048a72682e456d9bb06231..748f07edee27fb8bc315a5e752814d43d268e599 100644

--- a/content/common/sandbox_seccomp_bpf_linux.cc

+++ b/content/common/sandbox_seccomp_bpf_linux.cc

@@ -101,6 +101,24 @@ intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) {

_exit(1);

}

+// TODO(jln): rewrite reporting functions.

+intptr_t ReportCloneFailure(const struct arch_seccomp_data& args, void* aux) {

+ // "flags" in the first argument in the kernel's clone().

+ // Mark as volatile to be able to find the value on the stack in a minidump.

+#if !defined(NDEBUG)

+ RAW_LOG(ERROR, __FILE__":**CRASHING**:clone() failure\n");

+#endif

+ volatile uint64_t clone_flags = args.args[0];

+ volatile char* addr =

+ reinterpret_cast<volatile char*>(clone_flags & 0xFFFFFF);

+ *addr = '\0';

+ // Hit the NULL page if this fails to fault.

+ addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFF);

+ *addr = '\0';

+ for (;;)

+ _exit(1);

bool IsAcceleratedVideoDecodeEnabled() {

// Accelerated video decode is currently enabled on Chrome OS,

// but not on Linux: crbug.com/137247.

@@ -1236,8 +1254,24 @@ ErrorCode GpuBrokerProcessPolicy(int sysno, void*) {

}

+// Allow clone for threads, crash if anything else is attempted.

+ErrorCode RestrictCloneToThreads() {

+ // Glibc's pthread.

+ return Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,

+ CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |

+ CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS |

+ CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID,

+ ErrorCode(ErrorCode::ERR_ALLOWED),

+ Sandbox::Trap(ReportCloneFailure, NULL));

ErrorCode RendererOrWorkerProcessPolicy(int sysno, void *) {

switch (sysno) {

+ case __NR_clone:

+#if defined(__x86_64__) && defined(OS_LINUX)

+ // TODO(jln): extend to other architectures.

+ return RestrictCloneToThreads();

+#endif

case __NR_ioctl: // TODO(jln) investigate legitimate use in the renderer

// and see if alternatives can be used.

case __NR_fdatasync:

« no previous file with comments | « no previous file | no next file » | no next file with comments »