[Android] Define a baseline seccomp-bpf sandbox policy.

content/common/android/sandbox_bpf_base_policy_android.cc

Index: content/common/android/sandbox_bpf_base_policy_android.cc
diff --git a/content/common/android/sandbox_bpf_base_policy_android.cc b/content/common/android/sandbox_bpf_base_policy_android.cc
new file mode 100644
index 0000000000000000000000000000000000000000..3294e687c54687f4c174e323879a58119d5d1004
--- /dev/null
+++ b/content/common/android/sandbox_bpf_base_policy_android.cc
@@ -0,0 +1,48 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/common/android/sandbox_bpf_base_policy_android.h"
+
+#include <sys/types.h>
+
+#include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+
+namespace content {
+
+SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid()
+    : SandboxBPFBasePolicy() {}
+
+SandboxBPFBasePolicyAndroid::~SandboxBPFBasePolicyAndroid() {}
+
+sandbox::ErrorCode SandboxBPFBasePolicyAndroid::EvaluateSyscall(
+    sandbox::SandboxBPF* sandbox,
+    int sysno) const {
+  bool allowed = false;
+
+  switch (sysno) {
+    case __NR_open:

[jln (very slow on Chromium), 2014/03/31 22:57:43]

libc have tended in the past to deprecate open in favor of openat. You could add
openat already, for future compatibility. Also FYI, ARM64 doesn't have open()
anymore.

Could you also add a comment to NR_open specifically. It breaks our traditional
model, so explain that we expect uid separation to restrict file access and that
this policy can only retrict the kernel's attack surface.

Maybe even put it in a "section" of its own to make this extra clear.

Also I'm a bit surprised that stat() / access() are not required, but that's not
bad news :)

[Robert Sesek, 2014/04/08 20:33:45]

Added __NR_openat and put __NR_open behind __aarch64__.
Done.
I initially had it in sections (c.f. "Why the extra space?"), but I've collapsed
it all.
Me too *shrug*.

+

[jln (very slow on Chromium), 2014/03/31 22:57:43]

Why the extra space?

[Robert Sesek, 2014/04/08 20:33:45]

Done.

+    case __NR_uname:
+
+    case __NR_flock:

[jln (very slow on Chromium), 2014/03/31 22:57:43]

Please, sort these in alphabetical order

[Robert Sesek, 2014/04/08 20:33:45]

Done.

+    case __NR_sigaltstack:
+    case __NR_rt_sigtimedwait:
+    case __NR_mremap:
+    case __NR_ioctl:
+    case __NR_pread64:
+    case __NR_getpriority:
+    case __NR_setpriority:
+    case __NR_ugetrlimit:
+      allowed = true;
+      break;
+  }
+
+  if (allowed)

[jln (very slow on Chromium), 2014/03/31 22:57:43]

Nit: I find the construct a bit misleading, because one could be tempted to
disallow a system call by setting allow = false.

Maybe rename "allowed" with "override_and_allow"?

[Robert Sesek, 2014/04/08 20:33:45]

Done.

+    return sandbox::ErrorCode(sandbox::ErrorCode::ERR_ALLOWED);
+
+  return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno);
+}
+
+}  // namespace content