Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(3)

Side by Side Diff: components/nacl/loader/nonsfi/nonsfi_sandbox.cc

Issue 196793023: Add seccomp sandbox for non-SFI NaCl (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 6 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
(Empty)
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h"
6
7 #include <errno.h>
8 #include <fcntl.h>
9 #include <linux/net.h>
10 #include <sys/prctl.h>
11 #include <sys/ptrace.h>
12 #include <sys/mman.h>
13 #include <sys/socket.h>
14 #include <sys/syscall.h>
15
16 #include "base/basictypes.h"
17 #include "base/logging.h"
18 #include "build/build_config.h"
19 #include "content/public/common/sandbox_init.h"
20 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
21 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
22 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
23 #include "sandbox/linux/seccomp-bpf/trap.h"
24 #include "sandbox/linux/services/linux_syscalls.h"
25
26 #if defined(__arm__) && !defined(MAP_STACK)
27 #define MAP_STACK 0x20000 // Daisy build environment has old headers.
28 #endif
29
30 using sandbox::ErrorCode;
31 using sandbox::SandboxBPF;
32 using sandbox::SandboxBPFPolicy;
33
34 namespace nacl {
35 namespace nonsfi {
36 namespace {
37
38 ErrorCode RestrictFcntlCommandsForNaClNonSfi(SandboxBPF* sb) {
39 ErrorCode::ArgType mask_long_type;
40 if (sizeof(long) == 8)
41 mask_long_type = ErrorCode::TP_64BIT;
42 else if (sizeof(long) == 4)
43 mask_long_type = ErrorCode::TP_32BIT;
44 else
45 NOTREACHED();
46 // We allow following cases:
47 // 1. F_SETFD + FD_CLOEXEC: libevent's epoll_init uses this.
48 // 2. F_GETFL: Used by SetNonBlocking in
49 // message_pump_libevent.cc and Channel::ChannelImpl::CreatePipe
50 // in ipc_channel_posix.cc. Note that the latter does not work
51 // with EPERM.
52 // 3. F_SETFL: Used by evutil_make_socket_nonblocking in
53 // libevent and SetNonBlocking. As the latter mix O_NONBLOCK to
54 // the return value of F_GETFL, so we need to allow O_ACCMODE in
55 // addition to O_NONBLOCK.
56 unsigned long denied_mask = ~(O_ACCMODE | O_NONBLOCK);
57 return sb->Cond(1, ErrorCode::TP_32BIT,
58 ErrorCode::OP_EQUAL, F_SETFD,
59 sb->Cond(2, mask_long_type,
60 ErrorCode::OP_EQUAL, FD_CLOEXEC,
61 ErrorCode(ErrorCode::ERR_ALLOWED),
62 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)),
63 sb->Cond(1, ErrorCode::TP_32BIT,
64 ErrorCode::OP_EQUAL, F_GETFL,
65 ErrorCode(ErrorCode::ERR_ALLOWED),
66 sb->Cond(1, ErrorCode::TP_32BIT,
67 ErrorCode::OP_EQUAL, F_SETFL,
68 sb->Cond(2, mask_long_type,
69 ErrorCode::OP_HAS_ANY_BITS, denied_mask,
70 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL),
71 ErrorCode(ErrorCode::ERR_ALLOWED)),
72 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL))));
73 }
74
75 ErrorCode RestrictCloneForNaClNonSfi(SandboxBPF* sb) {
76 // We allow clone only for new thread creation.
77 return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
78 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
79 CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS |
80 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID,
81 ErrorCode(ErrorCode::ERR_ALLOWED),
82 sb->Trap(sandbox::SIGSYSCloneFailure, NULL));
83 }
84
85 ErrorCode RestrictPrctlForNaClNonSfi(SandboxBPF* sb) {
86 // base::PlatformThread::SetName() uses PR_SET_NAME so we return
87 // EPERM for it. Otherwise, we will raise SIGSYS.
88 return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
89 PR_SET_NAME, ErrorCode(EPERM),
90 sb->Trap(sandbox::SIGSYSPrctlFailure, NULL));
91 }
92
93 #if defined(__i386__)
94 ErrorCode RestrictSocketcallForNaClNonSfi(SandboxBPF* sb) {
95 // We only allow socketpair, sendmsg, and recvmsg.
96 return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
97 SYS_SOCKETPAIR,
98 ErrorCode(ErrorCode::ERR_ALLOWED),
99 sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
100 SYS_SENDMSG,
101 ErrorCode(ErrorCode::ERR_ALLOWED),
102 sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
103 SYS_RECVMSG,
104 ErrorCode(ErrorCode::ERR_ALLOWED),
105 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL))));
106 }
107 #endif
108
109 ErrorCode RestrictMemoryProtectionForNaClNonSfi(SandboxBPF* sb, int argno) {
110 // TODO(jln, keescook, drewry): Limit the use of mmap/mprotect by
111 // adding some features to linux kernel.
112 uint32_t denied_mask = ~(PROT_READ | PROT_WRITE | PROT_EXEC);
113 return sb->Cond(argno, ErrorCode::TP_32BIT,
114 ErrorCode::OP_HAS_ANY_BITS,
115 denied_mask,
116 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL),
117 ErrorCode(ErrorCode::ERR_ALLOWED));
118 }
119
120 ErrorCode RestrictMmapForNaClNonSfi(SandboxBPF* sb) {
121 uint32_t denied_flag_mask = ~(MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
122 MAP_STACK | MAP_FIXED);
123 return sb->Cond(3, ErrorCode::TP_32BIT,
124 ErrorCode::OP_HAS_ANY_BITS,
125 denied_flag_mask,
126 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL),
127 RestrictMemoryProtectionForNaClNonSfi(sb, 2));
128 }
129
130 ErrorCode RestrictSocketpairForNaClNonSfi(SandboxBPF* sb) {
131 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
132 COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different);
133 return sb->Cond(0, ErrorCode::TP_32BIT,
134 ErrorCode::OP_EQUAL, AF_UNIX,
135 ErrorCode(ErrorCode::ERR_ALLOWED),
136 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL));
137 }
138
139 // The seccomp sandbox policy for NaCl non-SFI mode. Note that this
140 // policy must be as strong as possible, as non-SFI mode heavily
141 // depends on seccomp sandbox.
142 class NaClNonSfiBPFSandboxPolicy : public SandboxBPFPolicy {
143 public:
144 explicit NaClNonSfiBPFSandboxPolicy() {
145 }
146 virtual ~NaClNonSfiBPFSandboxPolicy() {}
147
148 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
149 int system_call_number) const OVERRIDE;
150
151 private:
152 DISALLOW_COPY_AND_ASSIGN(NaClNonSfiBPFSandboxPolicy);
153 };
154
155 ErrorCode NaClNonSfiBPFSandboxPolicy::EvaluateSyscall(
156 SandboxBPF* sb, int sysno) const {
157 switch (sysno) {
158 // Allowed syscalls.
159 #if defined(__i386__) || defined(__arm__)
160 case __NR__llseek:
161 #endif
162 #if defined(__x86_64__)
163 case __NR_lseek:
164 #endif
165 case __NR_clock_gettime:
166 case __NR_close:
167 case __NR_dup:
168 case __NR_dup2:
169 case __NR_epoll_create:
170 case __NR_epoll_ctl:
171 case __NR_epoll_wait:
172 case __NR_exit:
173 case __NR_exit_group:
174 #if defined(__i386__) || defined(__arm__)
175 case __NR_fstat64:
176 #endif
177 #if defined(__x86_64__)
178 case __NR_fstat:
179 #endif
180 case __NR_futex:
181 case __NR_gettid:
182 case __NR_gettimeofday:
183 case __NR_munmap:
184 case __NR_nanosleep:
185 case __NR_pipe:
186 case __NR_pread64:
187 case __NR_read:
188 case __NR_restart_syscall:
189 case __NR_sched_yield:
190 case __NR_sigaltstack:
191 case __NR_write:
192 #if defined(__arm__)
193 case __ARM_NR_cacheflush:
194 #endif
195 return ErrorCode(ErrorCode::ERR_ALLOWED);
196 // __NR_times needed as clock() is called by CommandBufferHelper, which is
197 // used by NaCl applications that use Pepper's 3D interfaces.
198 // See crbug.com/264856 for details.
199 case __NR_times:
200 // NaCl runtime exposes clock_getres to untrusted code.
201 case __NR_clock_getres:
202 return ErrorCode(ErrorCode::ERR_ALLOWED);
203
204 // It is allowed to call the following syscalls, but they just
205 // return EPERM.
206 case __NR_ptrace:
207 // For RunSandboxSanityChecks().
208 return ErrorCode(EPERM);
209 case __NR_set_robust_list:
210 // glibc uses this for its pthread implementation. If we return
211 // EPERM for this, glibc will stop using this.
212 // TODO(hamaji): newlib does not use this. Make this SIGTRAP once
213 // we have switched to newlib.
214 return ErrorCode(EPERM);
jln (very slow on Chromium) 2014/04/08 00:51:10 Do you want to group all the EPERM into a separate
hamaji 2014/04/09 21:09:09 Done.
215 #if defined(__i386__) || defined(__arm__)
216 case __NR_getegid32:
217 case __NR_geteuid32:
218 case __NR_getgid32:
219 case __NR_getuid32:
220 #endif
221 #if defined(__x86_64__)
222 case __NR_getegid:
223 case __NR_geteuid:
224 case __NR_getgid:
225 case __NR_getuid:
226 #endif
227 // third_party/libevent uses them, but we can just return -1 from
228 // them as it is just checking getuid() != geteuid() and
229 // getgid() != getegid()
230 return ErrorCode(EPERM);
231 #if defined(__i386__) || defined(__x86_64__)
232 case __NR_time:
233 // This is obsolete in ARM EABI, but x86 glibc indirectly calls
234 // this in sysconf.
235 return ErrorCode(EPERM);
236 #endif
237 case __NR_open:
238 // EPERM instead of SIGSYS as glibc tries to open files in /proc.
239 // TODO(hamaji): Remove this when we switch to newlib.
240 return ErrorCode(EPERM);
241
242 case __NR_brk:
243 // The behavior of brk on Linux is different from other system
244 // calls. It does not return errno but the current break on
245 // failure. glibc thinks brk failed the return value of brk
246 // is lesser than the requested address (i.e., brk(addr) < addr)
247 // So, glibc thinks brk succeeded if we return -EPERM and we
248 // need to return zero instead.
249 return ErrorCode(0);
250
251 case __NR_madvise:
252 // tcmalloc calls madvise in TCMalloc_SystemRelease.
253 return ErrorCode(EPERM);
254
255 case __NR_clone:
256 return RestrictCloneForNaClNonSfi(sb);
257 case __NR_prctl:
258 return RestrictPrctlForNaClNonSfi(sb);
259
260 #if defined(__i386__)
261 case __NR_socketcall:
262 return RestrictSocketcallForNaClNonSfi(sb);
263 #endif
264 #if defined(__x86_64__) || defined(__arm__)
265 case __NR_recvmsg:
jln (very slow on Chromium) 2014/04/08 00:51:10 These guys are pretty problematic :(
hamaji 2014/04/09 21:09:09 One of my naive question: isn't it possible to add
266 case __NR_sendmsg:
267 return ErrorCode(ErrorCode::ERR_ALLOWED);
268
269 case __NR_socketpair:
270 return RestrictSocketpairForNaClNonSfi(sb);
271 #endif
272
273 #if defined(__x86_64__)
274 case __NR_fcntl:
275 #endif
276 #if defined(__i386__) || defined(__arm__)
277 case __NR_fcntl64:
278 #endif
279 return RestrictFcntlCommandsForNaClNonSfi(sb);
280
281 #if defined(__x86_64__)
282 case __NR_mmap:
283 #endif
284 #if defined(__i386__) || defined(__arm__)
285 case __NR_mmap2:
286 #endif
287 return RestrictMmapForNaClNonSfi(sb);
288
289 case __NR_mprotect:
290 return RestrictMemoryProtectionForNaClNonSfi(sb, 2);
291
292 default:
293 return sb->Trap(sandbox::CrashSIGSYS_Handler, NULL);
294 }
295 }
296
297 void RunSandboxSanityChecks() {
298 errno = 0;
299 // Make a ptrace request with an invalid PID.
300 long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL);
301 CHECK_EQ(-1, ptrace_ret);
302 // Without the sandbox on, this ptrace call would ESRCH instead.
303 CHECK_EQ(EPERM, errno);
304 }
305
306 } // namespace
307
308 void InitializeBPFSandbox() {
309 bool sandbox_is_initialized = content::InitializeSandbox(
310 scoped_ptr<SandboxBPFPolicy>(new NaClNonSfiBPFSandboxPolicy()));
311 CHECK(sandbox_is_initialized)
312 << "InitializeBPFSandbox for non-SFI NaCl failed";
313 RunSandboxSanityChecks();
314 }
315
316 } // namespace nonsfi
317 } // namespace nacl
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698