1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "mojo/runner/linux_sandbox.h" | 5 #include "mojo/runner/linux_sandbox.h" |
6 | 6 |
7 #include <fcntl.h> | 7 #include <fcntl.h> |
8 #include <sys/syscall.h> | 8 #include <sys/syscall.h> |
9 | 9 |
10 #include "base/bind.h" | 10 #include "base/bind.h" |
11 #include "base/debug/leak_annotations.h" | 11 #include "base/debug/leak_annotations.h" |
12 #include "base/posix/eintr_wrapper.h" | 12 #include "base/posix/eintr_wrapper.h" |
13 #include "base/rand_util.h" | 13 #include "base/rand_util.h" |
14 #include "base/sys_info.h" | 14 #include "base/sys_info.h" |
15 #include "sandbox/linux/bpf_dsl/policy.h" | 15 #include "sandbox/linux/bpf_dsl/policy.h" |
16 #include "sandbox/linux/bpf_dsl/trap_registry.h" | 16 #include "sandbox/linux/bpf_dsl/trap_registry.h" |
| 17 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" |
17 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" | 18 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" |
| 19 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" |
18 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" | 20 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" |
19 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 21 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
20 #include "sandbox/linux/services/credentials.h" | 22 #include "sandbox/linux/services/credentials.h" |
21 #include "sandbox/linux/services/namespace_sandbox.h" | 23 #include "sandbox/linux/services/namespace_sandbox.h" |
22 #include "sandbox/linux/services/proc_util.h" | 24 #include "sandbox/linux/services/proc_util.h" |
23 #include "sandbox/linux/services/thread_helpers.h" | 25 #include "sandbox/linux/services/thread_helpers.h" |
24 | 26 |
25 using sandbox::syscall_broker::BrokerFilePermission; | 27 using sandbox::syscall_broker::BrokerFilePermission; |
26 | 28 |
27 namespace mandoline { | 29 namespace mandoline { |
55 static_cast<int>(args.args[2])); | 57 static_cast<int>(args.args[2])); |
56 } else { | 58 } else { |
57 return -EPERM; | 59 return -EPERM; |
58 } | 60 } |
59 default: | 61 default: |
60 RAW_CHECK(false); | 62 RAW_CHECK(false); |
61 return -ENOSYS; | 63 return -ENOSYS; |
62 } | 64 } |
63 } | 65 } |
64 | 66 |
65 class SandboxPolicy : public sandbox::bpf_dsl::Policy { | 67 class SandboxPolicy : public sandbox::BaselinePolicy { |
66 public: | 68 public: |
67 explicit SandboxPolicy(sandbox::syscall_broker::BrokerProcess* broker_process) | 69 explicit SandboxPolicy(sandbox::syscall_broker::BrokerProcess* broker_process) |
68 : broker_process_(broker_process) {} | 70 : broker_process_(broker_process) {} |
69 ~SandboxPolicy() override {} | 71 ~SandboxPolicy() override {} |
70 | 72 |
71 // Overridden from sandbox::bpf_dsl::Policy: | 73 // Overridden from sandbox::bpf_dsl::Policy: |
72 sandbox::bpf_dsl::ResultExpr EvaluateSyscall(int sysno) const override { | 74 sandbox::bpf_dsl::ResultExpr EvaluateSyscall(int sysno) const override { |
73 // This policy is only advisory/for noticing FS access for the moment. | 75 // This policy is only advisory/for noticing FS access for the moment. |
74 switch (sysno) { | 76 switch (sysno) { |
75 case __NR_access: | 77 case __NR_access: |
76 case __NR_open: | 78 case __NR_open: |
77 case __NR_faccessat: | 79 case __NR_faccessat: |
78 case __NR_openat: | 80 case __NR_openat: |
79 return sandbox::bpf_dsl::Trap(SandboxSIGSYSHandler, broker_process_); | 81 return sandbox::bpf_dsl::Trap(SandboxSIGSYSHandler, broker_process_); |
| 82 case __NR_sched_getaffinity: |
| 83 return sandbox::RestrictSchedTarget(policy_pid(), sysno); |
| 84 case __NR_ftruncate: |
| 85 case __NR_getrlimit: |
| 86 case __NR_uname: |
| 87 return sandbox::bpf_dsl::Allow(); |
80 } | 88 } |
81 | 89 |
82 return sandbox::bpf_dsl::Allow(); | 90 return BaselinePolicy::EvaluateSyscall(sysno); |
83 } | 91 } |
84 | 92 |
85 private: | 93 private: |
86 // Not owned. | 94 // Not owned. |
87 const sandbox::syscall_broker::BrokerProcess* broker_process_; | 95 const sandbox::syscall_broker::BrokerProcess* broker_process_; |
88 DISALLOW_COPY_AND_ASSIGN(SandboxPolicy); | 96 DISALLOW_COPY_AND_ASSIGN(SandboxPolicy); |
89 }; | 97 }; |
90 | 98 |
91 } // namespace | 99 } // namespace |
92 | 100 |
132 // The Broker is now bound to this process and should only be destroyed when | 140 // The Broker is now bound to this process and should only be destroyed when |
133 // the process exits or is killed. | 141 // the process exits or is killed. |
134 ANNOTATE_LEAKING_OBJECT_PTR(broker_.release()); | 142 ANNOTATE_LEAKING_OBJECT_PTR(broker_.release()); |
135 } | 143 } |
136 | 144 |
137 void LinuxSandbox::Seal() { | 145 void LinuxSandbox::Seal() { |
138 proc_fd_.reset(); | 146 proc_fd_.reset(); |
139 } | 147 } |
140 | 148 |
141 } // namespace mandoline | 149 } // namespace mandoline |
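Review bot: The comment `// This policy is only advisory/for noticing FS access for the moment.` at the top of SandboxPolicy::EvaluateSyscall is now stale: the fallthrough return changed from `sandbox::bpf_dsl::Allow()` to `BaselinePolicy::EvaluateSyscall(sysno)`, so syscalls not listed in the switch are no longer unconditionally allowed but decided by the baseline, and the comment should say so, e.g. `// FS-access syscalls are routed to the broker; anything not listed here is decided by BaselinePolicy.` The `// Overridden from sandbox::bpf_dsl::Policy:` line should likewise name `sandbox::BaselinePolicy` now that the class derives from it. The newly allowed `__NR_ftruncate`, `__NR_getrlimit` and `__NR_uname` cases carry no explanation of why they are permitted unconditionally rather than left to the baseline (presumably the baseline would otherwise reject them, but that is not visible here); a one-line why-comment per case would let a later reviewer audit the allow-list without re-deriving it. The remaining hunks (added includes, unchanged Seal) raise nothing.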