Non-SFI mode: Remove old Non-SFI code.

components/nacl/loader/nonsfi/nonsfi_sandbox.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+

[Mark Seaborn, 2015/10/15 18:10:11]

Nit: don't add empty line here

[hidehiko, 2015/10/19 04:39:17]

Done.

 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/net.h>
 #include <sys/mman.h>
 #include <sys/prctl.h>
 #include <sys/socket.h>
 #include <sys/syscall.h>
 #include <sys/time.h>
 
 #include "base/basictypes.h"
 #include "base/logging.h"
 #include "base/time/time.h"
 #include "build/build_config.h"
 #include "content/public/common/sandbox_init.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
 #include "sandbox/linux/system_headers/linux_futex.h"
 #include "sandbox/linux/system_headers/linux_signal.h"
 #include "sandbox/linux/system_headers/linux_syscalls.h"
 
+#if !defined(OS_NACL_NONSFI)
+#error "nonsfi_sandbox.cc must be built for nacl_helper_nonsfi."
+#endif
+
 // Chrome OS Daisy (ARM) build environment and PNaCl toolchain do not define
 // MAP_STACK.
 #if !defined(MAP_STACK)
 # if defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY)
 #  define MAP_STACK 0x20000
 # elif defined(ARCH_CPU_MIPS_FAMILY)
 #  define MAP_STACK 0x40000
 # else
 // Note that, on other architectures, MAP_STACK has different value,
 // though Non-SFI is not supported on such architectures.
@@ skipping 33 matching lines @@
   // the return value of F_GETFL, so we need to allow O_ACCMODE in
   // addition to O_NONBLOCK.
   const uint64_t kAllowedMask = O_ACCMODE | O_NONBLOCK;
   return If((cmd == F_SETFD && long_arg == FD_CLOEXEC) || cmd == F_GETFL ||
                 (cmd == F_SETFL && (long_arg & ~kAllowedMask) == 0),
             Allow()).Else(CrashSIGSYS());
 }
 
 ResultExpr RestrictClone() {
   // We allow clone only for new thread creation.
-  int clone_flags =
+  const int kCloneFlags =
       CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
       CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID;
-#if !defined(OS_NACL_NONSFI)
-  clone_flags |= CLONE_CHILD_CLEARTID;
-#endif
   const Arg<int> flags(0);
-  return If(flags == clone_flags, Allow()).Else(CrashSIGSYSClone());
+  return If(flags == kCloneFlags, Allow()).Else(CrashSIGSYSClone());
 }
 
 ResultExpr RestrictFutexOperation() {
   // TODO(hamaji): Allow only FUTEX_PRIVATE_FLAG futexes.
   const uint64_t kAllowedFutexFlags = FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME;
   const Arg<int> op(1);
   return Switch(op & ~kAllowedFutexFlags)
       .CASES((FUTEX_WAIT,
               FUTEX_WAKE,
               FUTEX_REQUEUE,
@@ skipping 10 matching lines @@
   // EPERM for it. Otherwise, we will raise SIGSYS.
   const Arg<int> option(0);
   return If(option == PR_SET_NAME, Error(EPERM)).Else(CrashSIGSYSPrctl());
 }
 
 #if defined(__i386__)
 ResultExpr RestrictSocketcall() {
   // We only allow socketpair, sendmsg, and recvmsg.
   const Arg<int> call(0);
   return If(
-#if !defined(OS_NACL_NONSFI)
-      // nacl_helper in Non-SFI mode still uses socketpair() internally
-      // via libevent.
-      // TODO(hidehiko): Remove this when the switching to nacl_helper_nonsfi
-      // is completed.
-      call == SYS_SOCKETPAIR ||
-#endif
       call == SYS_SHUTDOWN || call == SYS_SENDMSG || call == SYS_RECVMSG,
       Allow()).Else(CrashSIGSYS());
 }
 #endif
 
 ResultExpr RestrictMprotect() {
   // TODO(jln, keescook, drewry): Limit the use of mprotect by adding
   // some features to linux kernel.
   const uint64_t kAllowedMask = PROT_READ | PROT_WRITE | PROT_EXEC;
   const Arg<int> prot(2);
@@ skipping 17 matching lines @@
   // Only sending SIGUSR1 to a thread in the same process is allowed.
   return If(tgid == policy_pid &&
             // Arg does not support a greater-than operator, so two separate
             // checks are needed to ensure tid is positive.
             tid != 0 &&
             (tid & (1u << 31)) == 0 &&  // tid is non-negative.
             signum == LINUX_SIGUSR1,
             Allow()).Else(CrashSIGSYS());
 }
 
-#if !defined(OS_NACL_NONSFI) && (defined(__x86_64__) || defined(__arm__))
-ResultExpr RestrictSocketpair() {
-  // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
-  static_assert(AF_UNIX == PF_UNIX, "AF_UNIX must equal PF_UNIX.");
-  const Arg<int> domain(0);
-  return If(domain == AF_UNIX, Allow()).Else(CrashSIGSYS());
-}
-#endif
-
 bool IsGracefullyDenied(int sysno) {
   switch (sysno) {
     // libevent tries this first and then falls back to poll if
     // epoll_create fails.
     case __NR_epoll_create:
     // third_party/libevent uses them, but we can just return -1 from
     // them as it is just checking getuid() != geteuid() and
     // getgid() != getegid()
 #if defined(__i386__) || defined(__arm__)
     case __NR_getegid32:
     case __NR_geteuid32:
     case __NR_getgid32:
     case __NR_getuid32:
 #endif
     case __NR_getegid:
     case __NR_geteuid:
     case __NR_getgid:
     case __NR_getuid:
     // tcmalloc calls madvise in TCMalloc_SystemRelease.
     case __NR_madvise:
     // EPERM instead of SIGSYS as glibc tries to open files in /proc.
     // openat via opendir via get_nprocs_conf and open via get_nprocs.
     // TODO(hamaji): Remove this when we switch to newlib.
     case __NR_open:
     case __NR_openat:
     // For RunSandboxSanityChecks().
     case __NR_ptrace:
     // glibc uses this for its pthread implementation. If we return
     // EPERM for this, glibc will stop using this.
     // TODO(hamaji): newlib does not use this. Make this SIGTRAP once

[Mark Seaborn, 2015/10/15 18:10:11]

There are a few references to glibc and TODOs in this file.

Could you possibly address those (perhaps in a separate change)?

__NR_set_robust_list can definitely be taken out.

[hidehiko, 2015/10/19 04:39:18]

I see. Let me give it a try on another CL.

     // we have switched to newlib.
     case __NR_set_robust_list:
     // This is obsolete in ARM EABI, but x86 glibc indirectly calls
     // this in sysconf.
 #if defined(__i386__) || defined(__x86_64__)
     case __NR_time:
 #endif
       return true;
 
     default:
@@ skipping 99 matching lines @@
 
 #if defined(__i386__)
     case __NR_socketcall:
       return RestrictSocketcall();
 #endif
 #if defined(__x86_64__) || defined(__arm__)
     case __NR_recvmsg:
     case __NR_sendmsg:
     case __NR_shutdown:
       return Allow();
-#if !defined(OS_NACL_NONSFI)
-    // nacl_helper in Non-SFI mode still uses socketpair() internally
-    // via libevent.
-    // TODO(hidehiko): Remove this when the switching to nacl_helper_nonsfi
-    // is completed.
-    case __NR_socketpair:
-      return RestrictSocketpair();
-#endif
 #endif
 
     case __NR_tgkill:
       return RestrictTgkill(policy_pid_);
 
     case __NR_brk:

[Mark Seaborn, 2015/10/15 18:10:11]

We should be able to remove brk.

[hidehiko, 2015/10/19 04:39:18]

Ditto.

       // The behavior of brk on Linux is different from other system
       // calls. It does not return errno but the current break on
       // failure. glibc thinks brk failed if the return value of brk
       // is less than the requested address (i.e., brk(addr) < addr).
       // So, glibc thinks brk succeeded if we return -EPERM and we
       // need to return zero instead.
       return Error(0);
 
     default:
       if (IsGracefullyDenied(sysno))
@@ skipping 12 matching lines @@
           new nacl::nonsfi::NaClNonSfiBPFSandboxPolicy()),
       proc_fd.Pass());
   if (!sandbox_is_initialized)
     return false;
   RunSandboxSanityChecks();
   return true;
 }
 
 }  // namespace nonsfi
 }  // namespace nacl