OLD | NEW |
| (Empty) |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "chrome/nacl/nacl_sandbox_linux.h" | |
6 | |
7 #include <signal.h> | |
8 #include <sys/ptrace.h> | |
9 | |
10 #include "base/callback.h" | |
11 #include "base/compiler_specific.h" | |
12 #include "base/logging.h" | |
13 #include "content/public/common/sandbox_init.h" | |
14 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | |
15 #include "sandbox/linux/services/linux_syscalls.h" | |
16 | |
17 using playground2::ErrorCode; | |
18 using playground2::Sandbox; | |
19 | |
20 namespace { | |
21 | |
22 // This policy does very little: | |
23 // - Any invalid system call for the current architecture is handled by | |
24 // the baseline policy. | |
25 // - ptrace() is denied. | |
26 // - Anything else is allowed. | |
27 // Note that the seccomp-bpf sandbox always prevents cross-architecture | |
28 // system calls (on x86, long/compatibility/x32). | |
29 // So even this trivial policy has a security benefit. | |
30 ErrorCode NaClBpfSandboxPolicy( | |
31 playground2::Sandbox* sb, int sysnum, void* aux) { | |
32 const playground2::BpfSandboxPolicyCallback baseline_policy = | |
33 content::GetBpfSandboxBaselinePolicy(); | |
34 if (!playground2::Sandbox::IsValidSyscallNumber(sysnum)) { | |
35 return baseline_policy.Run(sb, sysnum, aux); | |
36 } | |
37 switch (sysnum) { | |
38 case __NR_ptrace: | |
39 return ErrorCode(EPERM); | |
40 default: | |
41 return ErrorCode(ErrorCode::ERR_ALLOWED); | |
42 } | |
43 NOTREACHED(); | |
44 // GCC wants this. | |
45 return ErrorCode(EPERM); | |
46 } | |
47 | |
48 void RunSandboxSanityChecks() { | |
49 errno = 0; | |
50 // Make a ptrace request with an invalid PID. | |
51 long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL); | |
52 CHECK_EQ(-1, ptrace_ret); | |
53 // Without the sandbox on, this ptrace call would ESRCH instead. | |
54 CHECK_EQ(EPERM, errno); | |
55 } | |
56 | |
57 } // namespace | |
58 | |
59 bool InitializeBpfSandbox() { | |
60 bool sandbox_is_initialized = | |
61 content::InitializeSandbox(NaClBpfSandboxPolicy); | |
62 RunSandboxSanityChecks(); | |
63 if (sandbox_is_initialized) { | |
64 // TODO(jln): Find a way to fix this. | |
65 // The sandbox' SIGSYS handler trips NaCl, so we disable it. | |
66 // If SIGSYS is triggered it'll now execute the default action | |
67 // (CORE). This will make it hard to track down bugs and sandbox violations. | |
68 CHECK(signal(SIGSYS, SIG_DFL) != SIG_ERR); | |
69 return true; | |
70 } | |
71 return false; | |
72 } | |
OLD | NEW |