Linux sandbox: restrict clone() in renderer processes.

content/common/sandbox_seccomp_bpf_linux.cc

Index: content/common/sandbox_seccomp_bpf_linux.cc
diff --git a/content/common/sandbox_seccomp_bpf_linux.cc b/content/common/sandbox_seccomp_bpf_linux.cc
index 7051acb93a65132ee1048a72682e456d9bb06231..44d1d7c9022982ea7fbdeaf0609620233897eaae 100644
--- a/content/common/sandbox_seccomp_bpf_linux.cc
+++ b/content/common/sandbox_seccomp_bpf_linux.cc
@@ -101,6 +101,21 @@ intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) {
     _exit(1);
 }
 
+// TODO(jln): rewrite reporting functions.
+intptr_t ReportCloneFailure(const struct arch_seccomp_data& args, void* aux) {
+  // "flags" in the first argument in the kernel's clone().
+  // Mark as volatile to be able to find the value on the stack in a minidump.
+  volatile uint64_t clone_flags = args.args[0];
+  volatile char* addr =
+      reinterpret_cast<volatile char*>(clone_flags & 0xFFFFFF);

[Chris Evans, 2013/02/06 03:36:11]

BTW, on 32-bit systems that's a pretty big mask. Might be a mapped area?

+  *addr = '\0';
+  // Hit the NULL page if this fails.
+  addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFF);
+  *addr = '\0';
+  for (;;)
+    _exit(1);

[Chris Evans, 2013/02/06 03:27:59]

Is exit_group() better?

[jln (very slow on Chromium), 2013/02/06 03:32:31]

I can't recall I did exit and not exit group. In the compiler's unit test
exit_group is usually used.

It' similar to the one done in the crash signal handler and I would rather not
touch this as part of this CL.

There is an upcoming refactor of all the reporting code anyways.

[Chris Evans, 2013/02/06 03:37:25]

Ok maybe add a comment about considering exit_group() in the future?

On 2013/02/06 03:32:31, Julien Tinnes wrote:

+}
+
 bool IsAcceleratedVideoDecodeEnabled() {
   // Accelerated video decode is currently enabled on Chrome OS,
   // but not on Linux: crbug.com/137247.
@@ -1236,8 +1251,20 @@ ErrorCode GpuBrokerProcessPolicy(int sysno, void*) {
   }
 }
 
+ErrorCode AllowCloneForThreads() {
+  // Glibc's pthread.
+  return Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+                       CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
+                       CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS |
+                       CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID,

[Chris Evans, 2013/02/06 03:27:59]

So you permit one exact bitmask of flags.
Isn't the termination signal part of that argument? SIGCHLD?

I'm confused as to why it works.

[jln (very slow on Chromium), 2013/02/06 03:32:31]

This is the mask used by pthread. For various reasons, you can't really use
anything else than pthread if something in your process does use it.

However this is quite highly architecture dependent, I'll limit this to 64 bits
x86 in the first iteration.

[Chris Evans, 2013/02/06 03:36:11]

Sounds good

On 2013/02/06 03:32:31, Julien Tinnes wrote:

+                       ErrorCode(ErrorCode::ERR_ALLOWED),
+                       Sandbox::Trap(ReportCloneFailure, NULL));
+}
+
 ErrorCode RendererOrWorkerProcessPolicy(int sysno, void *) {
   switch (sysno) {
+    case __NR_clone:
+      return AllowCloneForThreads();

[Chris Evans, 2013/02/06 03:27:59]

Can we do it for Flash too? Flash is most likely to be compromised of all
process types. Let me know if you want to put some time in testing.

[jln (very slow on Chromium), 2013/02/06 03:32:31]

Let's do them separately ? I'm happy to either first.

[Chris Evans, 2013/02/06 03:36:11]

Ok separately is good

     case __NR_ioctl:  // TODO(jln) investigate legitimate use in the renderer
                       // and see if alternatives can be used.
     case __NR_fdatasync: