Chromium Code Reviews Chromium Code Reviews
Issue 1705243002:
[Android] Permit sched_getparam(), pwrite64(), and getsockopt() under Seccomp. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h " | 5 #include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h " |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <linux/net.h> | 9 #include <linux/net.h> |
| 10 #include <sys/socket.h> | 10 #include <sys/socket.h> |
| (...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 75 // File system access cannot be restricted with seccomp-bpf on Android, | 75 // File system access cannot be restricted with seccomp-bpf on Android, |
| 76 // since the JVM classloader and other Framework features require file | 76 // since the JVM classloader and other Framework features require file |
| 77 // access. It may be possible to restrict the filesystem with SELinux. | 77 // access. It may be possible to restrict the filesystem with SELinux. |
| 78 // Currently we rely on the app/service UID isolation to create a | 78 // Currently we rely on the app/service UID isolation to create a |
| 79 // filesystem "sandbox". | 79 // filesystem "sandbox". |
| 80 #if !defined(ARCH_CPU_ARM64) | 80 #if !defined(ARCH_CPU_ARM64) |
| 81 case __NR_open: | 81 case __NR_open: |
| 82 #endif | 82 #endif |
| 83 case __NR_openat: | 83 case __NR_openat: |
| 84 case __NR_pread64: | 84 case __NR_pread64: |
| 85 case __NR_pwrite64: | |
| 85 case __NR_rt_sigtimedwait: | 86 case __NR_rt_sigtimedwait: |
| 87 case __NR_sched_getparam: | |
|
mdempsky
2016/02/17 21:54:52
It is possible/reasonable to restrict which pids c
Robert Sesek
2016/02/17 22:50:11
No, because Bionic passes a TID to this in its pth
| |
| 86 case __NR_setpriority: | 88 case __NR_setpriority: |
| 87 case __NR_set_tid_address: | 89 case __NR_set_tid_address: |
| 88 case __NR_sigaltstack: | 90 case __NR_sigaltstack: |
| 89 #if defined(__i386__) || defined(__arm__) | 91 #if defined(__i386__) || defined(__arm__) |
| 90 case __NR_ugetrlimit: | 92 case __NR_ugetrlimit: |
| 91 #else | 93 #else |
| 92 case __NR_getrlimit: | 94 case __NR_getrlimit: |
| 93 #endif | 95 #endif |
| 94 case __NR_uname: | 96 case __NR_uname: |
| 95 | 97 |
| 96 // Permit socket operations so that renderers can connect to logd and | 98 // Permit socket operations so that renderers can connect to logd and |
| 97 // debuggerd. The arguments to socket() are further restricted below. | 99 // debuggerd. The arguments to socket() are further restricted below. |
| 98 // Note that on i386, both of these calls map to __NR_socketcall, which | 100 // Note that on i386, both of these calls map to __NR_socketcall, which |
| 99 // is demultiplexed below. | 101 // is demultiplexed below. |
| 100 #if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || \ | 102 #if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || \ |
| 101 defined(__mips__) | 103 defined(__mips__) |
| 104 case __NR_getsockopt: | |
| 105 case __NR_connect: | |
| 102 case __NR_socket: | 106 case __NR_socket: |
| 103 case __NR_connect: | |
| 104 #endif | 107 #endif |
| 105 | 108 |
| 106 // Ptrace is allowed so the Breakpad Microdumper can fork in a renderer | 109 // Ptrace is allowed so the Breakpad Microdumper can fork in a renderer |
| 107 // and then ptrace the parent. | 110 // and then ptrace the parent. |
| 108 case __NR_ptrace: | 111 case __NR_ptrace: |
| 109 override_and_allow = true; | 112 override_and_allow = true; |
| 110 break; | 113 break; |
| 111 } | 114 } |
| 112 | 115 |
| 113 #if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || \ | 116 #if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || \ |
| 114 defined(__mips__) | 117 defined(__mips__) |
| 115 if (sysno == __NR_socket) { | 118 if (sysno == __NR_socket) { |
| 116 const Arg<int> domain(0); | 119 const Arg<int> domain(0); |
| 117 const Arg<int> type(1); | 120 const Arg<int> type(1); |
| 118 const Arg<int> protocol(2); | 121 const Arg<int> protocol(2); |
| 119 return If(RestrictSocketArguments(domain, type, protocol), Allow()) | 122 return If(RestrictSocketArguments(domain, type, protocol), Allow()) |
| 120 .Else(Error(EPERM)); | 123 .Else(Error(EPERM)); |
| 121 } | 124 } |
| 122 #elif defined(__i386__) | 125 #elif defined(__i386__) |
| 123 if (sysno == __NR_socketcall) { | 126 if (sysno == __NR_socketcall) { |
| 124 const Arg<int> socketcall(0); | 127 const Arg<int> socketcall(0); |
| 125 const Arg<int> domain(1); | 128 const Arg<int> domain(1); |
| 126 const Arg<int> type(2); | 129 const Arg<int> type(2); |
| 127 const Arg<int> protocol(3); | 130 const Arg<int> protocol(3); |
| 128 return If(socketcall == SYS_CONNECT, Allow()) | 131 return If(socketcall == SYS_CONNECT, Allow()) |
| 129 .ElseIf(AllOf(socketcall == SYS_SOCKET, | 132 .ElseIf(AllOf(socketcall == SYS_SOCKET, |
| 130 RestrictSocketArguments(domain, type, protocol)), | 133 RestrictSocketArguments(domain, type, protocol)), |
| 131 Allow()) | 134 Allow()) |
| 135 .ElseIf(socketcall == SYS_GETSOCKOPT, Allow()) | |
| 132 .Else(Error(EPERM)); | 136 .Else(Error(EPERM)); |
| 133 } | 137 } |
| 134 #endif | 138 #endif |
| 135 | 139 |
| 136 if (override_and_allow) | 140 if (override_and_allow) |
| 137 return Allow(); | 141 return Allow(); |
| 138 | 142 |
| 139 return SandboxBPFBasePolicy::EvaluateSyscall(sysno); | 143 return SandboxBPFBasePolicy::EvaluateSyscall(sysno); |
| 140 } | 144 } |
| 141 | 145 |
| 142 } // namespace content | 146 } // namespace content |
| OLD | NEW |
