OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h" | |
6 | |
7 #include <errno.h> | |
8 #include <fcntl.h> | |
9 #include <linux/net.h> | |
10 #include <sys/prctl.h> | |
11 #include <sys/ptrace.h> | |
12 #include <sys/mman.h> | |
13 #include <sys/socket.h> | |
14 #include <sys/syscall.h> | |
15 | |
16 #include "base/basictypes.h" | |
17 #include "base/logging.h" | |
18 #include "build/build_config.h" | |
19 #include "content/public/common/sandbox_init.h" | |
20 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" | |
21 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | |
22 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" | |
23 #include "sandbox/linux/seccomp-bpf/trap.h" | |
24 #include "sandbox/linux/services/linux_syscalls.h" | |
25 | |
26 #if defined(__arm__) && !defined(MAP_STACK) | |
27 // Chrome OS Daisy (ARM) build environment has old headers. | |
28 #define MAP_STACK 0x20000 | |
29 #endif | |
30 | |
31 using sandbox::ErrorCode; | |
32 using sandbox::SandboxBPF; | |
33 | |
34 namespace nacl { | |
35 namespace nonsfi { | |
36 namespace { | |
37 | |
38 ErrorCode RestrictFcntlCommands(SandboxBPF* sb) { | |
39 ErrorCode::ArgType mask_long_type; | |
40 if (sizeof(long) == 8) { | |
41 mask_long_type = ErrorCode::TP_64BIT; | |
42 } else if (sizeof(long) == 4) { | |
43 mask_long_type = ErrorCode::TP_32BIT; | |
44 } else { | |
45 NOTREACHED(); | |
46 } | |
47 // We allow following cases: | |
48 // 1. F_SETFD + FD_CLOEXEC: libevent's epoll_init uses this. | |
49 // 2. F_GETFL: Used by SetNonBlocking in | |
50 // message_pump_libevent.cc and Channel::ChannelImpl::CreatePipe | |
51 // in ipc_channel_posix.cc. Note that the latter does not work | |
52 // with EPERM. | |
53 // 3. F_SETFL: Used by evutil_make_socket_nonblocking in | |
54 // libevent and SetNonBlocking. As the latter mix O_NONBLOCK to | |
55 // the return value of F_GETFL, so we need to allow O_ACCMODE in | |
56 // addition to O_NONBLOCK. | |
57 const unsigned long denied_mask = ~(O_ACCMODE | O_NONBLOCK); | |
58 return sb->Cond(1, ErrorCode::TP_32BIT, | |
59 ErrorCode::OP_EQUAL, F_SETFD, | |
60 sb->Cond(2, mask_long_type, | |
61 ErrorCode::OP_EQUAL, FD_CLOEXEC, | |
62 ErrorCode(ErrorCode::ERR_ALLOWED), | |
63 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)), | |
64 sb->Cond(1, ErrorCode::TP_32BIT, | |
65 ErrorCode::OP_EQUAL, F_GETFL, | |
66 ErrorCode(ErrorCode::ERR_ALLOWED), | |
67 sb->Cond(1, ErrorCode::TP_32BIT, | |
68 ErrorCode::OP_EQUAL, F_SETFL, | |
69 sb->Cond(2, mask_long_type, | |
70 ErrorCode::OP_HAS_ANY_BITS, denied_mask, | |
71 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL), | |
72 ErrorCode(ErrorCode::ERR_ALLOWED)), | |
73 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)))); | |
74 } | |
75 | |
76 ErrorCode RestrictClone(SandboxBPF* sb) { | |
77 // We allow clone only for new thread creation. | |
78 return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | |
79 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | | |
80 CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | | |
81 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID, | |
82 ErrorCode(ErrorCode::ERR_ALLOWED), | |
83 sb->Trap(sandbox::SIGSYSCloneFailure, NULL)); | |
84 } | |
85 | |
86 ErrorCode RestrictPrctl(SandboxBPF* sb) { | |
87 // base::PlatformThread::SetName() uses PR_SET_NAME so we return | |
88 // EPERM for it. Otherwise, we will raise SIGSYS. | |
89 return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | |
90 PR_SET_NAME, ErrorCode(EPERM), | |
91 sb->Trap(sandbox::SIGSYSPrctlFailure, NULL)); | |
92 } | |
93 | |
94 #if defined(__i386__) | |
95 ErrorCode RestrictSocketcall(SandboxBPF* sb) { | |
96 // We only allow socketpair, sendmsg, and recvmsg. | |
97 return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | |
98 SYS_SOCKETPAIR, | |
99 ErrorCode(ErrorCode::ERR_ALLOWED), | |
100 sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | |
101 SYS_SENDMSG, | |
102 ErrorCode(ErrorCode::ERR_ALLOWED), | |
103 sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | |
104 SYS_RECVMSG, | |
105 ErrorCode(ErrorCode::ERR_ALLOWED), | |
106 sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | |
107 SYS_SHUTDOWN, | |
108 ErrorCode(ErrorCode::ERR_ALLOWED), | |
109 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL))))); | |
110 } | |
111 #endif | |
112 | |
113 ErrorCode RestrictMemoryProtection(SandboxBPF* sb, int argno) { | |
114 // TODO(jln, keescook, drewry): Limit the use of mmap/mprotect by | |
115 // adding some features to linux kernel. | |
116 const uint32_t denied_mask = ~(PROT_READ | PROT_WRITE | PROT_EXEC); | |
117 return sb->Cond(argno, ErrorCode::TP_32BIT, | |
118 ErrorCode::OP_HAS_ANY_BITS, | |
119 denied_mask, | |
120 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL), | |
121 ErrorCode(ErrorCode::ERR_ALLOWED)); | |
122 } | |
123 | |
124 ErrorCode RestrictMmap(SandboxBPF* sb) { | |
125 const uint32_t denied_flag_mask = ~(MAP_SHARED | MAP_PRIVATE | | |
126 MAP_ANONYMOUS | MAP_STACK | MAP_FIXED); | |
127 // TODO(hamaji): Disallow RWX mmap. | |
128 return sb->Cond(3, ErrorCode::TP_32BIT, | |
129 ErrorCode::OP_HAS_ANY_BITS, | |
130 denied_flag_mask, | |
131 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL), | |
132 RestrictMemoryProtection(sb, 2)); | |
133 } | |
134 | |
135 ErrorCode RestrictSocketpair(SandboxBPF* sb) { | |
136 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. | |
137 COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); | |
138 return sb->Cond(0, ErrorCode::TP_32BIT, | |
139 ErrorCode::OP_EQUAL, AF_UNIX, | |
140 ErrorCode(ErrorCode::ERR_ALLOWED), | |
141 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)); | |
142 } | |
143 | |
144 bool IsGracefullyDenied(int sysno) { | |
145 switch (sysno) { | |
146 // third_party/libevent uses them, but we can just return -1 from | |
147 // them as it is just checking getuid() != geteuid() and | |
148 // getgid() != getegid() | |
149 #if defined(__i386__) || defined(__arm__) | |
150 case __NR_getegid32: | |
151 case __NR_geteuid32: | |
152 case __NR_getgid32: | |
153 case __NR_getuid32: | |
154 #elif defined(__x86_64__) | |
155 case __NR_getegid: | |
156 case __NR_geteuid: | |
157 case __NR_getgid: | |
158 case __NR_getuid: | |
159 #endif | |
160 // tcmalloc calls madvise in TCMalloc_SystemRelease. | |
161 case __NR_madvise: | |
162 // EPERM instead of SIGSYS as glibc tries to open files in /proc. | |
163 // TODO(hamaji): Remove this when we switch to newlib. | |
164 case __NR_open: | |
165 // For RunSandboxSanityChecks(). | |
166 case __NR_ptrace: | |
167 // glibc uses this for its pthread implementation. If we return | |
168 // EPERM for this, glibc will stop using this. | |
169 // TODO(hamaji): newlib does not use this. Make this SIGTRAP once | |
170 // we have switched to newlib. | |
171 case __NR_set_robust_list: | |
172 // This is obsolete in ARM EABI, but x86 glibc indirectly calls | |
173 // this in sysconf. | |
174 #if defined(__i386__) || defined(__x86_64__) | |
175 case __NR_time: | |
176 #endif | |
177 return true; | |
178 | |
179 default: | |
180 return false; | |
181 } | |
182 } | |
183 | |
184 void RunSandboxSanityChecks() { | |
185 errno = 0; | |
186 // Make a ptrace request with an invalid PID. | |
187 long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL); | |
188 CHECK_EQ(-1, ptrace_ret); | |
189 // Without the sandbox on, this ptrace call would ESRCH instead. | |
190 CHECK_EQ(EPERM, errno); | |
191 } | |
192 | |
193 } // namespace | |
194 | |
195 ErrorCode NaClNonSfiBPFSandboxPolicy::EvaluateSyscall( | |
196 SandboxBPF* sb, int sysno) const { | |
197 return EvaluateSyscallImpl(sb, sysno, NULL); | |
198 } | |
199 | |
200 ErrorCode NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl( | |
201 SandboxBPF* sb, int sysno, void*) { | |
202 switch (sysno) { | |
203 // Allowed syscalls. | |
204 #if defined(__i386__) || defined(__arm__) | |
205 case __NR__llseek: | |
206 #elif defined(__x86_64__) | |
207 case __NR_lseek: | |
208 #endif | |
209 case __NR_clock_getres: | |
210 // NaCl runtime exposes clock_gettime and clock_getres to untrusted code. | |
Mark Seaborn
2014/04/16 16:19:25
Nit: put above clock_getres?
hamaji
2014/04/16 17:24:16
Done.
| |
211 case __NR_clock_gettime: | |
212 case __NR_close: | |
213 case __NR_dup: | |
214 case __NR_dup2: | |
215 case __NR_epoll_create: | |
216 case __NR_epoll_ctl: | |
217 case __NR_epoll_wait: | |
218 case __NR_exit: | |
219 case __NR_exit_group: | |
220 #if defined(__i386__) || defined(__arm__) | |
221 case __NR_fstat64: | |
222 #elif defined(__x86_64__) | |
223 case __NR_fstat: | |
224 #endif | |
225 // TODO(hamaji): Allow only FUTEX_PRIVATE_FLAG. | |
226 case __NR_futex: | |
227 // TODO(hamaji): Remove the need of gettid. Currently, this is | |
228 // called from PlatformThread::CurrentId(). | |
229 case __NR_gettid: | |
230 case __NR_gettimeofday: | |
231 case __NR_munmap: | |
232 case __NR_nanosleep: | |
233 // TODO(hamaji): Remove the need of pipe. Currently, this is | |
234 // called from base::MessagePumpLibevent::Init(). | |
235 case __NR_pipe: | |
236 case __NR_pread64: | |
237 case __NR_pwrite64: | |
238 case __NR_read: | |
239 case __NR_restart_syscall: | |
240 case __NR_sched_yield: | |
241 // __NR_times needed as clock() is called by CommandBufferHelper, which is | |
242 // used by NaCl applications that use Pepper's 3D interfaces. | |
243 // See crbug.com/264856 for details. | |
244 case __NR_times: | |
245 case __NR_write: | |
246 #if defined(__arm__) | |
247 case __ARM_NR_cacheflush: | |
248 #endif | |
249 return ErrorCode(ErrorCode::ERR_ALLOWED); | |
250 | |
251 case __NR_clone: | |
252 return RestrictClone(sb); | |
253 | |
254 #if defined(__x86_64__) | |
255 case __NR_fcntl: | |
256 #endif | |
257 #if defined(__i386__) || defined(__arm__) | |
258 case __NR_fcntl64: | |
259 #endif | |
260 return RestrictFcntlCommands(sb); | |
261 | |
262 #if defined(__x86_64__) | |
263 case __NR_mmap: | |
264 #endif | |
265 #if defined(__i386__) || defined(__arm__) | |
266 case __NR_mmap2: | |
267 #endif | |
268 return RestrictMmap(sb); | |
269 case __NR_mprotect: | |
270 return RestrictMemoryProtection(sb, 2); | |
271 | |
272 case __NR_prctl: | |
273 return RestrictPrctl(sb); | |
274 | |
275 #if defined(__i386__) | |
276 case __NR_socketcall: | |
277 return RestrictSocketcall(sb); | |
278 #endif | |
279 #if defined(__x86_64__) || defined(__arm__) | |
280 case __NR_recvmsg: | |
281 case __NR_sendmsg: | |
282 case __NR_shutdown: | |
283 return ErrorCode(ErrorCode::ERR_ALLOWED); | |
284 case __NR_socketpair: | |
285 return RestrictSocketpair(sb); | |
286 #endif | |
287 | |
288 case __NR_brk: | |
289 // The behavior of brk on Linux is different from other system | |
290 // calls. It does not return errno but the current break on | |
291 // failure. glibc thinks brk failed if the return value of brk | |
292 // is less than the requested address (i.e., brk(addr) < addr). | |
293 // So, glibc thinks brk succeeded if we return -EPERM and we | |
294 // need to return zero instead. | |
295 return ErrorCode(0); | |
296 | |
297 default: | |
298 if (IsGracefullyDenied(sysno)) | |
299 return ErrorCode(EPERM); | |
300 return sb->Trap(sandbox::CrashSIGSYS_Handler, NULL); | |
301 } | |
302 } | |
303 | |
304 bool InitializeBPFSandbox() { | |
305 bool sandbox_is_initialized = content::InitializeSandbox( | |
306 scoped_ptr<sandbox::SandboxBPFPolicy>( | |
307 new nacl::nonsfi::NaClNonSfiBPFSandboxPolicy())); | |
308 if (!sandbox_is_initialized) | |
309 return false; | |
310 RunSandboxSanityChecks(); | |
311 return true; | |
312 } | |
313 | |
314 } // namespace nonsfi | |
315 } // namespace nacl | |
OLD | NEW |