Restrict mmap(2) and mprotect(2) flags for x64.

content/common/sandbox_seccomp_bpf_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <asm/unistd.h>
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
@@ skipping 640 matching lines @@
     default:
       return false;
   }
 }
 #endif
 
 bool IsAllowedAddressSpaceAccess(int sysno) {
   switch (sysno) {
     case __NR_brk:
     case __NR_mlock:
-#if defined(__i386__) || defined(__x86_64__)
-    case __NR_mmap:   // TODO(jln): to restrict flags.
-#endif
-#if defined(__i386__) || defined(__arm__)
-    case __NR_mmap2:
-#endif
-    case __NR_mprotect:
     case __NR_munlock:
     case __NR_munmap:
       return true;
     case __NR_madvise:
     case __NR_mincore:
     case __NR_mlockall:
 #if defined(__i386__) || defined(__x86_64__)
+    case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__)
+    case __NR_mmap2:
+#endif
+#if defined(__i386__) || defined(__x86_64__)
     case __NR_modify_ldt:
 #endif
+    case __NR_mprotect:
     case __NR_mremap:
     case __NR_msync:
     case __NR_munlockall:
     case __NR_readahead:
     case __NR_remap_file_pages:
 #if defined(__i386__)
     case __NR_vm86:
     case __NR_vm86old:
 #endif
     default:
@@ skipping 542 matching lines @@
 #if defined(__arm__)
       IsArmPciConfig(sysno) ||
 #endif
       IsTimer(sysno)) {
     return true;
   } else {
     return false;
   }
 }
 
+ErrorCode RestrictMmapFlags(Sandbox *sandbox) {
+  // The flags you see are actually the allowed ones, and the variable is a
+  // "denied" mask because of the negation operator.
+  // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as
+  // MAP_POPULATE.
+  uint32_t denied_mask = ~(MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
+                           MAP_STACK | MAP_NORESERVE | MAP_FIXED);
+  return sandbox->Cond(3, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
+                       denied_mask,
+                       sandbox->Trap(CrashSIGSYS_Handler, NULL),
+                       ErrorCode(ErrorCode::ERR_ALLOWED));
+}
+
+ErrorCode RestrictMprotectFlags(Sandbox *sandbox) {
+  // The flags you see are actually the allowed ones, and the variable is a
+  // "denied" mask because of the negation operator.
+  // Significantly, we don't permit weird undocumented flags such as
+  // PROT_GROWSDOWN.
+  uint32_t denied_mask = ~(PROT_READ | PROT_WRITE | PROT_EXEC);
+  return sandbox->Cond(2, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
+                       denied_mask,
+                       sandbox->Trap(CrashSIGSYS_Handler, NULL),
+                       ErrorCode(ErrorCode::ERR_ALLOWED));
+}
+
 ErrorCode BaselinePolicy(Sandbox *sandbox, int sysno) {
+  if (IsBaselinePolicyAllowed(sysno)) {
+    return ErrorCode(ErrorCode::ERR_ALLOWED);
+  }
+
+#if defined(__i386__)
+  // socketcall(2) should be tightened.
+  if (IsSocketCall(sysno)) {
+    return ErrorCode(ErrorCode::ERR_ALLOWED);
+  }
+#endif
+
 #if defined(__x86_64__) || defined(__arm__)
   if (sysno == __NR_socketpair) {

[jln (DO NOT USE THIS), 2013/05/15 23:26:25]

I had the memory that socketpair was allowed in IsBaselinePolicyAllowed (and
that this should be kept to the top of this function), but after a quick look
here, I think I'm wrong.

     // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
     COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different);
     return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX,
                          ErrorCode(ErrorCode::ERR_ALLOWED),
                          sandbox->Trap(CrashSIGSYS_Handler, NULL));
   }
 #endif
+
   if (sysno == __NR_madvise) {
     // Only allow MADV_DONTNEED (aka MADV_FREE).
     return sandbox->Cond(2, ErrorCode::TP_32BIT,
                          ErrorCode::OP_EQUAL, MADV_DONTNEED,
                          ErrorCode(ErrorCode::ERR_ALLOWED),
                          ErrorCode(EPERM));
   }
 
-  if (IsBaselinePolicyAllowed(sysno)) {
-    return ErrorCode(ErrorCode::ERR_ALLOWED);
+#if defined(__i386__) || defined(__x86_64__)
+  if (sysno == __NR_mmap) {
+    if (IsArchitectureX86_64())
+      return RestrictMmapFlags(sandbox);
+    else
+      return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
+#endif
 
-#if defined(__i386__)
-  // socketcall(2) should be tightened.
-  if (IsSocketCall(sysno)) {
+#if defined(__i386__) || defined(__arm__)
+  if (sysno == __NR_mmap2) {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 #endif
 
+  if (sysno == __NR_mprotect) {
+    if (IsArchitectureX86_64())
+      return RestrictMprotectFlags(sandbox);
+    else
+      return ErrorCode(ErrorCode::ERR_ALLOWED);
+  }
+
   // TODO(jln): some system calls in those sets are not supposed to
   // return ENOENT. Return the appropriate error.
   if (IsFileSystem(sysno) || IsCurrentDirectory(sysno)) {
     return ErrorCode(ENOENT);
   }
 
   if (IsUmask(sysno) || IsDeniedFileSystemAccessViaFd(sysno) ||
       IsDeniedGetOrModifySocket(sysno)) {
     return ErrorCode(EPERM);
   }
@@ skipping 460 matching lines @@
     // should enable it, enable it or die.
     bool started_sandbox = StartBpfSandbox(command_line, process_type);
     CHECK(started_sandbox);
     return true;
   }
 #endif
   return false;
 }
 
 }  // namespace content