| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "mojo/shell/runner/host/linux_sandbox.h" | |
| 6 | |
| 7 #include <fcntl.h> | |
| 8 #include <sys/syscall.h> | |
| 9 #include <utility> | |
| 10 | |
| 11 #include "base/bind.h" | |
| 12 #include "base/debug/leak_annotations.h" | |
| 13 #include "base/macros.h" | |
| 14 #include "base/posix/eintr_wrapper.h" | |
| 15 #include "base/rand_util.h" | |
| 16 #include "base/sys_info.h" | |
| 17 #include "sandbox/linux/bpf_dsl/policy.h" | |
| 18 #include "sandbox/linux/bpf_dsl/trap_registry.h" | |
| 19 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" | |
| 20 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" | |
| 21 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" | |
| 22 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" | |
| 23 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | |
| 24 #include "sandbox/linux/services/credentials.h" | |
| 25 #include "sandbox/linux/services/namespace_sandbox.h" | |
| 26 #include "sandbox/linux/services/proc_util.h" | |
| 27 #include "sandbox/linux/services/thread_helpers.h" | |
| 28 | |
| 29 using sandbox::syscall_broker::BrokerFilePermission; | |
| 30 | |
| 31 namespace mojo { | |
| 32 namespace shell { | |
| 33 | |
| 34 namespace { | |
| 35 | |
| 36 intptr_t SandboxSIGSYSHandler(const struct sandbox::arch_seccomp_data& args, | |
| 37 void* aux) { | |
| 38 RAW_CHECK(aux); | |
| 39 const sandbox::syscall_broker::BrokerProcess* broker_process = | |
| 40 static_cast<const sandbox::syscall_broker::BrokerProcess*>(aux); | |
| 41 switch (args.nr) { | |
| 42 case __NR_access: | |
| 43 return broker_process->Access(reinterpret_cast<const char*>(args.args[0]), | |
| 44 static_cast<int>(args.args[1])); | |
| 45 case __NR_open: | |
| 46 return broker_process->Open(reinterpret_cast<const char*>(args.args[0]), | |
| 47 static_cast<int>(args.args[1])); | |
| 48 case __NR_faccessat: | |
| 49 if (static_cast<int>(args.args[0]) == AT_FDCWD) { | |
| 50 return broker_process->Access( | |
| 51 reinterpret_cast<const char*>(args.args[1]), | |
| 52 static_cast<int>(args.args[2])); | |
| 53 } else { | |
| 54 return -EPERM; | |
| 55 } | |
| 56 case __NR_openat: | |
| 57 // Allow using openat() as open(). | |
| 58 if (static_cast<int>(args.args[0]) == AT_FDCWD) { | |
| 59 return broker_process->Open(reinterpret_cast<const char*>(args.args[1]), | |
| 60 static_cast<int>(args.args[2])); | |
| 61 } else { | |
| 62 return -EPERM; | |
| 63 } | |
| 64 default: | |
| 65 RAW_CHECK(false); | |
| 66 return -ENOSYS; | |
| 67 } | |
| 68 } | |
| 69 | |
| 70 class SandboxPolicy : public sandbox::BaselinePolicy { | |
| 71 public: | |
| 72 explicit SandboxPolicy(sandbox::syscall_broker::BrokerProcess* broker_process) | |
| 73 : broker_process_(broker_process) {} | |
| 74 ~SandboxPolicy() override {} | |
| 75 | |
| 76 // Overridden from sandbox::bpf_dsl::Policy: | |
| 77 sandbox::bpf_dsl::ResultExpr EvaluateSyscall(int sysno) const override { | |
| 78 // This policy is only advisory/for noticing FS access for the moment. | |
| 79 switch (sysno) { | |
| 80 #if !defined(__aarch64__) | |
| 81 case __NR_access: | |
| 82 case __NR_open: | |
| 83 #endif | |
| 84 case __NR_faccessat: | |
| 85 case __NR_openat: | |
| 86 return sandbox::bpf_dsl::Trap(SandboxSIGSYSHandler, broker_process_); | |
| 87 case __NR_sched_getaffinity: | |
| 88 return sandbox::RestrictSchedTarget(policy_pid(), sysno); | |
| 89 case __NR_ftruncate: | |
| 90 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \ | |
| 91 defined(__aarch64__) | |
| 92 // Per #ifdefs in | |
| 93 // content/common/sandbox_linux/bpf_renderer_policy_linux.cc | |
| 94 case __NR_getrlimit: | |
| 95 #endif | |
| 96 #if defined(__i386__) || defined(__arm__) | |
| 97 case __NR_ugetrlimit: | |
| 98 #endif | |
| 99 case __NR_uname: | |
| 100 #if defined(__arm__) || defined(__x86_64__) || defined(__mips__) | |
| 101 case __NR_getsockopt: | |
| 102 case __NR_setsockopt: | |
| 103 #endif | |
| 104 return sandbox::bpf_dsl::Allow(); | |
| 105 } | |
| 106 | |
| 107 return BaselinePolicy::EvaluateSyscall(sysno); | |
| 108 } | |
| 109 | |
| 110 private: | |
| 111 // Not owned. | |
| 112 const sandbox::syscall_broker::BrokerProcess* broker_process_; | |
| 113 DISALLOW_COPY_AND_ASSIGN(SandboxPolicy); | |
| 114 }; | |
| 115 | |
| 116 } // namespace | |
| 117 | |
| 118 LinuxSandbox::LinuxSandbox(const std::vector<BrokerFilePermission>& permissions) | |
| 119 : broker_(new sandbox::syscall_broker::BrokerProcess(EPERM, permissions)) { | |
| 120 CHECK(broker_->Init( | |
| 121 base::Bind<bool (*)()>(&sandbox::Credentials::DropAllCapabilities))); | |
| 122 policy_.reset(new SandboxPolicy(broker_.get())); | |
| 123 } | |
| 124 | |
| 125 LinuxSandbox::~LinuxSandbox() {} | |
| 126 | |
| 127 void LinuxSandbox::Warmup() { | |
| 128 proc_fd_ = sandbox::ProcUtil::OpenProc(); | |
| 129 warmed_up_ = true; | |
| 130 | |
| 131 // Verify that we haven't started threads or grabbed directory file | |
| 132 // descriptors. | |
| 133 sandbox::ThreadHelpers::AssertSingleThreaded(proc_fd_.get()); | |
| 134 CHECK(!sandbox::ProcUtil::HasOpenDirectory(proc_fd_.get())); | |
| 135 } | |
| 136 | |
| 137 void LinuxSandbox::EngageNamespaceSandbox() { | |
| 138 CHECK(warmed_up_); | |
| 139 CHECK_EQ(1, getpid()); | |
| 140 CHECK(sandbox::NamespaceSandbox::InNewPidNamespace()); | |
| 141 CHECK(sandbox::Credentials::MoveToNewUserNS()); | |
| 142 CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_.get())); | |
| 143 CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd_.get())); | |
| 144 } | |
| 145 | |
| 146 void LinuxSandbox::EngageSeccompSandbox() { | |
| 147 CHECK(warmed_up_); | |
| 148 sandbox::SandboxBPF sandbox(policy_.release()); | |
| 149 base::ScopedFD proc_fd(HANDLE_EINTR( | |
| 150 openat(proc_fd_.get(), ".", O_RDONLY | O_DIRECTORY | O_CLOEXEC))); | |
| 151 CHECK(proc_fd.is_valid()); | |
| 152 sandbox.SetProcFd(std::move(proc_fd)); | |
| 153 CHECK( | |
| 154 sandbox.StartSandbox(sandbox::SandboxBPF::SeccompLevel::SINGLE_THREADED)) | |
| 155 << "Starting the process with a sandbox failed. Missing kernel support."; | |
| 156 | |
| 157 // The Broker is now bound to this process and should only be destroyed when | |
| 158 // the process exits or is killed. | |
| 159 sandbox::syscall_broker::BrokerProcess* leaked_broker = broker_.release(); | |
| 160 ALLOW_UNUSED_LOCAL(leaked_broker); | |
| 161 ANNOTATE_LEAKING_OBJECT_PTR(leaked_broker); | |
| 162 } | |
| 163 | |
| 164 void LinuxSandbox::Seal() { | |
| 165 proc_fd_.reset(); | |
| 166 } | |
| 167 | |
| 168 } // namespace shell | |
| 169 } // namespace mojo | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1877753003:
Move mojo\shell to services\shell (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@62scan