Restrict mmap(2) flags for x64.

content/common/sandbox_seccomp_bpf_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <asm/unistd.h>
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
@@ skipping 640 matching lines @@
     default:
       return false;
   }
 }
 #endif
 
 bool IsAllowedAddressSpaceAccess(int sysno) {
   switch (sysno) {
     case __NR_brk:
     case __NR_mlock:
+    case __NR_mprotect:
+    case __NR_munlock:
+    case __NR_munmap:
+      return true;
 #if defined(__i386__) || defined(__x86_64__)
-    case __NR_mmap:   // TODO(jln): to restrict flags.
+    case __NR_mmap:
 #endif
 #if defined(__i386__) || defined(__arm__)
     case __NR_mmap2:
 #endif
-    case __NR_mprotect:
-    case __NR_munlock:
-    case __NR_munmap:
-      return true;
     case __NR_madvise:
     case __NR_mincore:
     case __NR_mlockall:
 #if defined(__i386__) || defined(__x86_64__)
     case __NR_modify_ldt:
 #endif
     case __NR_mremap:
     case __NR_msync:
     case __NR_munlockall:
     case __NR_readahead:
@@ skipping 548 matching lines @@
 #if defined(__arm__)
       IsArmPciConfig(sysno) ||
 #endif
       IsTimer(sysno)) {
     return true;
   } else {
     return false;
   }
 }
 
+ErrorCode RestrictMmapFlags(Sandbox *sandbox) {
+  // These flags are allowed. Significantly, we don't permit MAP_HUGETLB, or
+  // the newer flags such as MAP_POPULATE.
+  uint32_t mask = ~(MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK |
+                    MAP_NORESERVE | MAP_FIXED);
+  return sandbox->Cond(3, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
+                       mask, sandbox->Trap(CrashSIGSYS_Handler, NULL),
+                       ErrorCode(ErrorCode::ERR_ALLOWED));
+}
+
 ErrorCode BaselinePolicy(Sandbox *sandbox, int sysno) {
 #if defined(__x86_64__) || defined(__arm__)
   if (sysno == __NR_socketpair) {
     // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
     COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different);
     return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX,
                          ErrorCode(ErrorCode::ERR_ALLOWED),
                          sandbox->Trap(CrashSIGSYS_Handler, NULL));
   }
 #endif
-  if (sysno == __NR_madvise) {
+  switch (sysno) {
+  case __NR_madvise:
     // Only allow MADV_DONTNEED (aka MADV_FREE).
     return sandbox->Cond(2, ErrorCode::TP_32BIT,
                          ErrorCode::OP_EQUAL, MADV_DONTNEED,
                          ErrorCode(ErrorCode::ERR_ALLOWED),
                          ErrorCode(EPERM));
+#if defined(__x86_64__)

[jln (very slow on Chromium), 2013/05/15 20:03:52]

Arg, had missed one important nit:

#ifdef are really only used in this file for when things can't compile. Not to
define the policy. Use IsArchitectureArm() etc to define the policy instead.

Currently, this is very confusing!

+  case __NR_mmap:
+    return RestrictMmapFlags(sandbox);
+#elif defined(__i386__)
+  case __NR_mmap:
+    return ErrorCode(ErrorCode::ERR_ALLOWED);
+#endif
+#if defined(__i386__) || defined(__arm__)
+  case __NR_mmap2:
+    return ErrorCode(ErrorCode::ERR_ALLOWED);
+#endif
   }
 
   if (IsBaselinePolicyAllowed(sysno)) {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 
 #if defined(__i386__)
   // socketcall(2) should be tightened.
   if (IsSocketCall(sysno)) {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
@@ skipping 489 matching lines @@
     // should enable it, enable it or die.
     bool started_sandbox = StartBpfSandbox(command_line, process_type);
     CHECK(started_sandbox);
     return true;
   }
 #endif
   return false;
 }
 
 }  // namespace content