Add seccomp sandbox for non-SFI NaCl

components/nacl/loader/nacl_sandbox_linux.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/nacl/loader/nacl_sandbox_linux.h"
 
 #include <errno.h>
+#include <fcntl.h>
+#include <linux/net.h>
 #include <signal.h>
+#include <sys/prctl.h>
 #include <sys/ptrace.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/syscall.h>
 
 #include "base/basictypes.h"
 #include "base/callback.h"
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "build/build_config.h"
 
 #if defined(USE_SECCOMP_BPF)
 #include "content/public/common/sandbox_init.h"
+#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
+#include "sandbox/linux/seccomp-bpf/trap.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 
+#if defined(__arm__) && !defined(MAP_STACK)
+#define MAP_STACK 0x20000  // Daisy build environment has old headers.
+#endif
+
 using sandbox::ErrorCode;
 using sandbox::SandboxBPF;
 using sandbox::SandboxBPFPolicy;
 
 namespace {
 
 // On ARM and x86_64, System V shared memory calls have each their own system
 // call, while on i386 they are multiplexed.
 #if defined(__x86_64__) || defined(__arm__)
 bool IsSystemVSharedMemory(int sysno) {
@@ skipping 82 matching lines @@
     case __NR_sched_setscheduler:
     case __NR_setpriority:
     case __NR_sysinfo:
     // __NR_times needed as clock() is called by CommandBufferHelper, which is
     // used by NaCl applications that use Pepper's 3D interfaces.
     // See crbug.com/264856 for details.
     case __NR_times:
     case __NR_uname:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     case __NR_ptrace:
+      // For RunSandboxSanityChecks().
       return ErrorCode(EPERM);
     default:
       // TODO(jln): look into getting rid of System V shared memory:
       // platform_qualify/linux/sysv_shm_and_mmap.c makes it a requirement, but
       // it may not be needed in all cases. Chromium renderers don't need
       // System V shared memory on Aura.
 #if defined(__x86_64__) || defined(__arm__)
       if (IsSystemVSharedMemory(sysno))
         return ErrorCode(ErrorCode::ERR_ALLOWED);
 #elif defined(__i386__)
       if (IsSystemVIpc(sysno))
         return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif
       return baseline_policy_->EvaluateSyscall(sb, sysno);
   }
   NOTREACHED();
   // GCC wants this.
   return ErrorCode(EPERM);
 }
 
+ErrorCode RestrictFcntlCommandsForNonSfiNaCl(SandboxBPF* sb) {
+  ErrorCode::ArgType mask_long_type;
+  if (sizeof(long) == 8)
+    mask_long_type = ErrorCode::TP_64BIT;
+  else if (sizeof(long) == 4)
+    mask_long_type = ErrorCode::TP_32BIT;
+  else
+    NOTREACHED();
+  // We allow following cases:
+  // 1. F_SETFD + FD_CLOEXEC: libevent's epoll_init uses this.
+  // 2. F_GETFL: Used by SetNonBlocking in
+  // message_pump_libevent.cc and Channel::ChannelImpl::CreatePipe
+  // in ipc_channel_posix.cc. Note that the latter does not work
+  // with EPERM.
+  // 3. F_SETFL: Used by evutil_make_socket_nonblocking in
+  // libevent and SetNonBlocking. As the latter mix O_NONBLOCK to
+  // the return value of F_GETFL, so we need to allow O_ACCMODE in
+  // addition to O_NONBLOCK.
+  unsigned long denied_mask = ~(O_ACCMODE | O_NONBLOCK);
+  return sb->Cond(1, ErrorCode::TP_32BIT,
+                  ErrorCode::OP_EQUAL, F_SETFD,
+                  sb->Cond(2, mask_long_type,
+                           ErrorCode::OP_EQUAL, FD_CLOEXEC,
+                           ErrorCode(ErrorCode::ERR_ALLOWED),
+                           sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)),
+         sb->Cond(1, ErrorCode::TP_32BIT,
+                  ErrorCode::OP_EQUAL, F_GETFL,
+                  ErrorCode(ErrorCode::ERR_ALLOWED),
+         sb->Cond(1, ErrorCode::TP_32BIT,
+                  ErrorCode::OP_EQUAL, F_SETFL,
+                  sb->Cond(2, mask_long_type,
+                           ErrorCode::OP_HAS_ANY_BITS, denied_mask,
+                           sb->Trap(sandbox::CrashSIGSYS_Handler, NULL),
+                           ErrorCode(ErrorCode::ERR_ALLOWED)),
+         sb->Trap(sandbox::CrashSIGSYS_Handler, NULL))));
+}
+
+// The seccomp sandbox policy for NaCl non-SFI mode. Note that this
+// policy must be as strong as possible, as non-SFI mode heavily
+// depends on seccomp sandbox.
+class NonSfiNaClBPFSandboxPolicy : public SandboxBPFPolicy {

[Mark Seaborn, 2014/03/28 01:38:25]

Can we put the Non-SFI Mode sandbox policy in a separate file, for clarity,
since it's so much more security critical than the SFI Mode sandbox policy? 
(Julien and I talked about this today.)

The new file can go under components/nacl/loader/nonsfi.

[hamaji, 2014/03/28 12:06:10]

Thanks, will do!

+ public:
+  explicit NonSfiNaClBPFSandboxPolicy() {
+  }
+  virtual ~NonSfiNaClBPFSandboxPolicy() {}
+
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
+                                    int system_call_number) const OVERRIDE;
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(NonSfiNaClBPFSandboxPolicy);
+};
+
+ErrorCode NonSfiNaClBPFSandboxPolicy::EvaluateSyscall(
+    sandbox::SandboxBPF* sb, int sysno) const {
+  ErrorCode ret = sb->Trap(sandbox::CrashSIGSYS_Handler, NULL);
+  switch (sysno) {
+    // Allowed syscalls.

[hamaji, 2014/03/24 15:56:37]

I have a question about sigaction and sigaltstack. I guess breakpad uses them. I
didn't check when they can be initialized. If we cannot initialize breakpad's
signal handlers before the initialization of the sandbox, we might need to allow
sigaction/sigaltstack. I don't know if it's are OK with allowing them.

+    case __NR__llseek:
+    case __NR_clock_gettime:
+    case __NR_close:
+    case __NR_dup:
+    case __NR_dup2:
+    case __NR_epoll_create:
+    case __NR_epoll_ctl:

[hamaji, 2014/03/24 15:56:37]

Would it be better to check the operation type is ADD or MOD or DEL?

+    case __NR_epoll_wait:
+    case __NR_exit:
+    case __NR_exit_group:
+    case __NR_fstat64:
+    case __NR_futex:

[hamaji, 2014/03/24 16:25:43]

Maybe better to restrict the operation of futex?

+    case __NR_gettid:
+    case __NR_gettimeofday:
+    case __NR_munmap:
+    case __NR_nanosleep:
+    case __NR_pipe:
+    case __NR_read:
+    case __NR_restart_syscall:
+    case __NR_sched_yield:
+    case __NR_write:
+#if defined(__arm__)
+    case __ARM_NR_cacheflush:
+#endif
+      ret = ErrorCode(ErrorCode::ERR_ALLOWED);
+      break;
+
+    // __NR_times needed as clock() is called by CommandBufferHelper, which is
+    // used by NaCl applications that use Pepper's 3D interfaces.
+    // See crbug.com/264856 for details.
+    case __NR_times:
+    // NaCl runtime exposes clock_getres to untrusted code.
+    case __NR_clock_getres:

[hamaji, 2014/03/24 16:25:43]

Do we need to restrict clk_id for gettime and getres?

+      ret = ErrorCode(ErrorCode::ERR_ALLOWED);
+      break;
+
+    // Conditionally allowed syscalls:
+    case __NR_clone: {
+      // We allow clone only for new thread creation.
+      ret = sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+                     CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
+                     CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS |
+                     CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID,
+                     ErrorCode(ErrorCode::ERR_ALLOWED),
+            sb->Trap(sandbox::SIGSYSCloneFailure, NULL));
+      break;
+    }
+    case __NR_prctl:
+      // base::PlatformThread::SetName() uses PR_SET_NAME so we return
+      // EPERM for it. Otherwise, we will raise SIGSYS.
+      ret = sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+                     PR_SET_NAME, ErrorCode(EPERM),
+            sb->Trap(sandbox::SIGSYSPrctlFailure, NULL));
+
+#if defined(__i386__)
+    case __NR_socketcall: {
+      // We only allow socketpair, sendmsg, and recvmsg.
+      ret = sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+                     SYS_SOCKETPAIR, ErrorCode(ErrorCode::ERR_ALLOWED),
+            sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+                     SYS_SENDMSG, ErrorCode(ErrorCode::ERR_ALLOWED),
+            sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+                     SYS_RECVMSG, ErrorCode(ErrorCode::ERR_ALLOWED),
+                     ErrorCode(EPERM))));
+      break;
+    }
+#endif
+#if defined(__x86_64__) || defined(__arm__)
+    case __NR_recvmsg:
+    case __NR_sendmsg:
+      ret = ErrorCode(ErrorCode::ERR_ALLOWED);
+      break;
+
+    case __NR_socketpair:
+      // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
+      COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different);
+      return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX,
+                      ErrorCode(ErrorCode::ERR_ALLOWED),
+                      sb->Trap(sandbox::CrashSIGSYS_Handler, NULL));
+      break;
+#endif
+
+    // It is allowed to call the following syscalls, but they just
+    // return EPERM.
+    case __NR_ptrace:
+      // For RunSandboxSanityChecks().
+      ret = ErrorCode(EPERM);
+      break;
+    case __NR_set_robust_list:
+      // glibc uses this for its pthread implementation. If we return
+      // EPERM for this, glibc will stop using this.
+      // TODO(hamaji): newlib does not use this. Make this SIGTRAP once
+      // we have switched to newlib.
+      ret = ErrorCode(EPERM);
+      break;
+#if !defined(__x86_64__)
+    case __NR_getegid32:
+    case __NR_geteuid32:
+    case __NR_getgid32:
+    case __NR_getuid32:
+#endif
+      // third_party/libevent uses them, but we can just return -1 from
+      // them as it is just checking getuid() != geteuid() and
+      // getgid() != getegid()
+      ret = ErrorCode(EPERM);
+      break;
+#if defined(__i386__) || defined(__x86_64__)
+    case __NR_time:
+      // This is obsolete in ARM EABI, but x86 glibc indirectly calls
+      // this in sysconf.
+      ret = ErrorCode(EPERM);
+      break;
+#endif
+
+#if defined(__x86_64__)
+    case __NR_fcntl:
+#endif
+#if defined(__i386__) || defined(__arm__)
+    case __NR_fcntl64:
+#endif
+      ret = RestrictFcntlCommandsForNonSfiNaCl(sb);
+      break;
+
+#if defined(__x86_64__)
+    case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__)
+    case __NR_mmap2:
+#endif
+    {
+      uint32_t denied_flag_mask = ~(MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
+                                    MAP_STACK | MAP_FIXED);
+      // switch to newlib. Currently, it is used by glibc's pthread_create.
+      // TODO(jln, keescook, drewry): Limit the use of mmap by adding
+      // some features to linux kernel.
+      uint32_t denied_prot_mask = ~(PROT_READ | PROT_WRITE | PROT_EXEC);
+      return sb->Cond(3, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
+                      denied_flag_mask,
+                      sb->Trap(sandbox::CrashSIGSYS_Handler, NULL),
+             sb->Cond(2, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
+                      denied_prot_mask,
+                      sb->Trap(sandbox::CrashSIGSYS_Handler, NULL),
+                      ErrorCode(ErrorCode::ERR_ALLOWED)));
+      break;
+    }
+
+    case __NR_mprotect: {
+      // TODO(jln, keescook, drewry): Limit the use of mmap by adding
+      // some features to linux kernel.
+      uint32_t denied_mask = ~(PROT_READ | PROT_WRITE | PROT_EXEC);
+      return sb->Cond(2, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
+                      denied_mask,
+                      sb->Trap(sandbox::CrashSIGSYS_Handler, NULL),
+                      ErrorCode(ErrorCode::ERR_ALLOWED));
+      break;
+    }
+
+    case __NR_open:
+      // EPERM instead of SIGSYS as glibc tries to open files in /proc.
+      // TODO(hamaji): Remove this when we switch to newlib.
+      ret = ErrorCode(EPERM);
+      break;
+
+    case __NR_brk:
+      // tcmalloc uses brk because HAVE_SBRK is set in
+      // third_party/tcmalloc/chromium/src/config_linux.h
+      // TODO(hamaji): We can get rid of this when we stop using
+      // tcmalloc for non-SFI nacl_helper.
+      ret = ErrorCode(ErrorCode::ERR_ALLOWED);
+      break;
+
+    case __NR_madvise:
+      // tcmalloc calls madvise in TCMalloc_SystemRelease.
+      // TODO(hamaji): We can get rid of this when we stop using
+      // tcmalloc for non-SFI nacl_helper.
+      ret = ErrorCode(EPERM);
+      break;
+
+    default:
+      ret = sb->Trap(sandbox::CrashSIGSYS_Handler, NULL);
+      break;
+  }
+  return ret;
+}
+
 void RunSandboxSanityChecks() {
   errno = 0;
   // Make a ptrace request with an invalid PID.
   long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL);
   CHECK_EQ(-1, ptrace_ret);
   // Without the sandbox on, this ptrace call would ESRCH instead.
   CHECK_EQ(EPERM, errno);
 }
 
 }  // namespace
@@ skipping 10 matching lines @@
 #if defined(USE_SECCOMP_BPF)
   bool sandbox_is_initialized = content::InitializeSandbox(
       scoped_ptr<SandboxBPFPolicy>(new NaClBPFSandboxPolicy()));
   if (sandbox_is_initialized) {
     RunSandboxSanityChecks();
     return true;
   }
 #endif  // defined(USE_SECCOMP_BPF)
   return false;
 }
+
+bool InitializeBPFSandboxForNonSfi() {
+#if defined(USE_SECCOMP_BPF)
+  bool sandbox_is_initialized = content::InitializeSandbox(
+      scoped_ptr<SandboxBPFPolicy>(new NonSfiNaClBPFSandboxPolicy()));
+  if (sandbox_is_initialized) {
+    RunSandboxSanityChecks();
+    return true;
+  }
+#endif  // defined(USE_SECCOMP_BPF)
+  LOG(FATAL) << "InitializeBPFSandboxForNonSfi failed";
+  return false;
+}