Chromium Code Reviews| Index: content/common/sandbox_seccomp_bpf_linux.cc |
| =================================================================== |
| --- content/common/sandbox_seccomp_bpf_linux.cc (revision 200372) |
| +++ content/common/sandbox_seccomp_bpf_linux.cc (working copy) |
| @@ -658,13 +658,6 @@ |
| switch (sysno) { |
| case __NR_brk: |
| case __NR_mlock: |
| -#if defined(__i386__) || defined(__x86_64__) |
| - case __NR_mmap: // TODO(jln): to restrict flags. |
| -#endif |
| -#if defined(__i386__) || defined(__arm__) |
| - case __NR_mmap2: |
| -#endif |
| - case __NR_mprotect: |
| case __NR_munlock: |
| case __NR_munmap: |
| return true; |
| @@ -672,8 +665,15 @@ |
| case __NR_mincore: |
| case __NR_mlockall: |
| #if defined(__i386__) || defined(__x86_64__) |
| + case __NR_mmap: |
| +#endif |
| +#if defined(__i386__) || defined(__arm__) |
| + case __NR_mmap2: |
| +#endif |
| +#if defined(__i386__) || defined(__x86_64__) |
| case __NR_modify_ldt: |
| #endif |
| + case __NR_mprotect: |
| case __NR_mremap: |
| case __NR_msync: |
| case __NR_munlockall: |
| @@ -1236,7 +1236,43 @@ |
| } |
| } |
| +ErrorCode RestrictMmapFlags(Sandbox *sandbox) { |
| + // The flags you see are actually the allowed ones, and the variable is a |
| + // "denied" mask because of the negation operator. |
| + // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as |
| + // MAP_POPULATE. |
| + uint32_t denied_mask = ~(MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | |
| + MAP_STACK | MAP_NORESERVE | MAP_FIXED); |
| + return sandbox->Cond(3, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, |
| + denied_mask, |
| + sandbox->Trap(CrashSIGSYS_Handler, NULL), |
| + ErrorCode(ErrorCode::ERR_ALLOWED)); |
| +} |
| + |
| +ErrorCode RestrictMprotectFlags(Sandbox *sandbox) { |
| + // The flags you see are actually the allowed ones, and the variable is a |
| + // "denied" mask because of the negation operator. |
| + // Significantly, we don't permit weird undocumented flags such as |
| + // PROT_GROWSDOWN. |
| + uint32_t denied_mask = ~(PROT_READ | PROT_WRITE | PROT_EXEC); |
| + return sandbox->Cond(2, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, |
| + denied_mask, |
| + sandbox->Trap(CrashSIGSYS_Handler, NULL), |
| + ErrorCode(ErrorCode::ERR_ALLOWED)); |
| +} |
| + |
| ErrorCode BaselinePolicy(Sandbox *sandbox, int sysno) { |
| + if (IsBaselinePolicyAllowed(sysno)) { |
| + return ErrorCode(ErrorCode::ERR_ALLOWED); |
| + } |
| + |
| +#if defined(__i386__) |
| + // socketcall(2) should be tightened. |
| + if (IsSocketCall(sysno)) { |
| + return ErrorCode(ErrorCode::ERR_ALLOWED); |
| + } |
| +#endif |
| + |
| #if defined(__x86_64__) || defined(__arm__) |
| if (sysno == __NR_socketpair) { |
|
jln (DO NOT USE THIS)
2013/05/15 23:26:25
I had the memory that socketpair was allowed in Is
|
| // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. |
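Review bot: RestrictMmapFlags and RestrictMprotectFlags explain the denied-mask trick but never say which syscall argument the Cond inspects, so a reader must already know the mmap/mprotect calling conventions to see that `3` is mmap's flags and `2` is mprotect's prot; a one-line header on each would help, e.g. `// Trap (CrashSIGSYS) unless mmap(2)'s flags argument (arg 3) uses only the listed flags.` and `// Trap unless mprotect(2)'s prot argument (arg 2) uses only PROT_READ/WRITE/EXEC.` Because the check is OP_HAS_ANY_BITS against the negated mask, zero-valued flags (PROT_NONE, MAP_FILE) are implicitly accepted, which is worth stating so nobody later "adds" them thinking they were missing. The mmap helper inspects only flags and not the prot argument, and the TODO removed at the top of this change did not distinguish the two, so a comment such as `// The prot argument of mmap(2) is not restricted here.` would record whether that is deliberate or a follow-up. BaselinePolicy begins in this hunk but its body continues past the end of it.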
| @@ -1246,6 +1282,7 @@ |
| sandbox->Trap(CrashSIGSYS_Handler, NULL)); |
| } |
| #endif |
| + |
| if (sysno == __NR_madvise) { |
| // Only allow MADV_DONTNEED (aka MADV_FREE). |
| return sandbox->Cond(2, ErrorCode::TP_32BIT, |
| @@ -1254,17 +1291,28 @@ |
| ErrorCode(EPERM)); |
| } |
| - if (IsBaselinePolicyAllowed(sysno)) { |
| - return ErrorCode(ErrorCode::ERR_ALLOWED); |
| +#if defined(__i386__) || defined(__x86_64__) |
| + if (sysno == __NR_mmap) { |
| + if (IsArchitectureX86_64()) |
| + return RestrictMmapFlags(sandbox); |
| + else |
| + return ErrorCode(ErrorCode::ERR_ALLOWED); |
| } |
| +#endif |
| -#if defined(__i386__) |
| - // socketcall(2) should be tightened. |
| - if (IsSocketCall(sysno)) { |
| +#if defined(__i386__) || defined(__arm__) |
| + if (sysno == __NR_mmap2) { |
| return ErrorCode(ErrorCode::ERR_ALLOWED); |
| } |
| #endif |
| + if (sysno == __NR_mprotect) { |
| + if (IsArchitectureX86_64()) |
| + return RestrictMprotectFlags(sandbox); |
| + else |
| + return ErrorCode(ErrorCode::ERR_ALLOWED); |
| + } |
| + |
| // TODO(jln): some system calls in those sets are not supposed to |
| // return ENOENT. Return the appropriate error. |
| if (IsFileSystem(sysno) || IsCurrentDirectory(sysno)) { |