Linux Sandbox: whitelist arm64 syscalls

sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
 
 #include "build/build_config.h"
 #include "sandbox/linux/system_headers/linux_syscalls.h"
 
 namespace sandbox {
@@ skipping 396 matching lines @@
       return false;
   }
 }
 
 bool SyscallSets::IsAllowedEpoll(int sysno) {
   switch (sysno) {
 #if !defined(__aarch64__)
     case __NR_epoll_create:
     case __NR_epoll_wait:
 #endif
+    case __NR_epoll_pwait:

[jln (very slow on Chromium), 2016/01/27 00:19:17]

Why does ARM64 influence this?

[Riku Voipio, 2016/01/27 15:37:27]

The glibc function epoll_wait() will call epoll_pwait() syscall on arm64 since
epoll_wait is a legacy syscall that doesn't exist on arm64.

     case __NR_epoll_create1:
     case __NR_epoll_ctl:
       return true;
     default:
 #if defined(__x86_64__)
     case __NR_epoll_ctl_old:
 #endif
-    case __NR_epoll_pwait:
 #if defined(__x86_64__)
     case __NR_epoll_wait_old:
 #endif
       return false;
   }
 }
 
 bool SyscallSets::IsAllowedGetOrModifySocket(int sysno) {
   switch (sysno) {
 #if !defined(__aarch64__)
@@ skipping 164 matching lines @@
     default:
       return false;
   }
 }
 
 bool SyscallSets::IsAllowedBasicScheduler(int sysno) {
   switch (sysno) {
     case __NR_sched_yield:
 #if !defined(__aarch64__)
     case __NR_pause:
+#else
+    case __NR_getrlimit:

[jln (very slow on Chromium), 2016/01/27 00:19:17]

getrlimit is already somewhere else in this file. The general policy is that
this file splits system calls into disjoint sets.

If one really decides to allow getrlimit, this should be a baseline policy
change.

[Riku Voipio, 2016/01/27 15:37:27]

Thanks, this was the part of my patches I was most uncomfortable with.

Following the backtrace in previous mail, does it warrant a change in baseline
policy?

Further tests show that even on arm64/linux chromium works sandboxed without
calling getrlimit(), if the opengl stack is available. If it isn't - due to
using X via ssh -X or because vendor opengl driver are crap, chromium will crash
on the seccomp error on start.

[Robert Sesek, 2016/01/27 16:52:31]

An alternative if we wanted to keep restricting getrlimit would be to cache the
result of base::GetMaxFds() (or base::SharedMemory::GetHandleLimit() which is
calling that function), and then ensure the value is cached as part of sandbox
warmup.

 #endif
     case __NR_nanosleep:
       return true;
     case __NR_getpriority:
 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
     case __NR_nice:
 #endif
     case __NR_setpriority:
     default:
       return false;
@@ skipping 87 matching lines @@
     case __NR_mq_unlink:
       return true;
     default:
       return false;
   }
 }
 
 bool SyscallSets::IsGlobalProcessEnvironment(int sysno) {
   switch (sysno) {
     case __NR_acct:  // Privileged.
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
-    defined(__aarch64__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
     case __NR_getrlimit:
 #endif
 #if defined(__i386__) || defined(__arm__)
     case __NR_ugetrlimit:
 #endif
 #if defined(__i386__) || defined(__mips__)
     case __NR_ulimit:
 #endif
     case __NR_getrusage:
     case __NR_personality:  // Can change its personality as well.
@@ skipping 323 matching lines @@
   switch (sysno) {
     case __NR_sysmips:
     case __NR_unused150:
       return true;
     default:
       return false;
   }
 }
 #endif  // defined(__mips__)
 }  // namespace sandbox.