components/nacl/loader/nonsfi/nonsfi_sandbox.cc - Issue 196793023: Add seccomp sandbox for non-SFI NaCl

Unified Diff: components/nacl/loader/nonsfi/nonsfi_sandbox.cc

Issue 196793023: Add seccomp sandbox for non-SFI NaCl (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 6 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« no previous file with comments | « components/nacl/loader/nonsfi/nonsfi_sandbox.h ('k') | components/nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc » ('j') | components/nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: components/nacl/loader/nonsfi/nonsfi_sandbox.cc

diff --git a/components/nacl/loader/nonsfi/nonsfi_sandbox.cc b/components/nacl/loader/nonsfi/nonsfi_sandbox.cc

new file mode 100644

index 0000000000000000000000000000000000000000..e8563bc3498837380f9b28545b27c02785d46743

--- /dev/null

+++ b/components/nacl/loader/nonsfi/nonsfi_sandbox.cc

@@ -0,0 +1,317 @@

+// Use of this source code is governed by a BSD-style license that can be

+// found in the LICENSE file.

+#include "components/nacl/loader/nonsfi/nonsfi_sandbox.h"

+#include <errno.h>

+#include <fcntl.h>

+#include <linux/net.h>

+#include <sys/prctl.h>

+#include <sys/ptrace.h>

+#include <sys/mman.h>

+#include <sys/socket.h>

+#include <sys/syscall.h>

+#include "base/basictypes.h"

+#include "base/logging.h"

+#include "build/build_config.h"

+#include "content/public/common/sandbox_init.h"

+#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"

+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"

+#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"

+#include "sandbox/linux/seccomp-bpf/trap.h"

+#include "sandbox/linux/services/linux_syscalls.h"

+#if defined(__arm__) && !defined(MAP_STACK)

+#define MAP_STACK 0x20000 // Daisy build environment has old headers.

+#endif

+using sandbox::ErrorCode;

+using sandbox::SandboxBPF;

+using sandbox::SandboxBPFPolicy;

+namespace nacl {

+namespace nonsfi {

+namespace {

+ErrorCode RestrictFcntlCommandsForNaClNonSfi(SandboxBPF* sb) {

+ ErrorCode::ArgType mask_long_type;

+ if (sizeof(long) == 8)

+ mask_long_type = ErrorCode::TP_64BIT;

+ else if (sizeof(long) == 4)

+ mask_long_type = ErrorCode::TP_32BIT;

+ else

+ NOTREACHED();

+ // We allow following cases:

+ // 1. F_SETFD + FD_CLOEXEC: libevent's epoll_init uses this.

+ // 2. F_GETFL: Used by SetNonBlocking in

+ // message_pump_libevent.cc and Channel::ChannelImpl::CreatePipe

+ // in ipc_channel_posix.cc. Note that the latter does not work

+ // with EPERM.

+ // 3. F_SETFL: Used by evutil_make_socket_nonblocking in

+ // libevent and SetNonBlocking. As the latter mix O_NONBLOCK to

+ // the return value of F_GETFL, so we need to allow O_ACCMODE in

+ // addition to O_NONBLOCK.

+ unsigned long denied_mask = ~(O_ACCMODE | O_NONBLOCK);

+ return sb->Cond(1, ErrorCode::TP_32BIT,

+ ErrorCode::OP_EQUAL, F_SETFD,

+ sb->Cond(2, mask_long_type,

+ ErrorCode::OP_EQUAL, FD_CLOEXEC,

+ ErrorCode(ErrorCode::ERR_ALLOWED),

+ sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)),

+ sb->Cond(1, ErrorCode::TP_32BIT,

+ ErrorCode::OP_EQUAL, F_GETFL,

+ ErrorCode(ErrorCode::ERR_ALLOWED),

+ sb->Cond(1, ErrorCode::TP_32BIT,

+ ErrorCode::OP_EQUAL, F_SETFL,

+ sb->Cond(2, mask_long_type,

+ ErrorCode::OP_HAS_ANY_BITS, denied_mask,

+ sb->Trap(sandbox::CrashSIGSYS_Handler, NULL),

+ ErrorCode(ErrorCode::ERR_ALLOWED)),

+ sb->Trap(sandbox::CrashSIGSYS_Handler, NULL))));

+ErrorCode RestrictCloneForNaClNonSfi(SandboxBPF* sb) {

+ // We allow clone only for new thread creation.

+ return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,

+ CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |

+ CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS |

+ CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID,

+ ErrorCode(ErrorCode::ERR_ALLOWED),

+ sb->Trap(sandbox::SIGSYSCloneFailure, NULL));

+ErrorCode RestrictPrctlForNaClNonSfi(SandboxBPF* sb) {

+ // base::PlatformThread::SetName() uses PR_SET_NAME so we return

+ // EPERM for it. Otherwise, we will raise SIGSYS.

+ return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,

+ PR_SET_NAME, ErrorCode(EPERM),

+ sb->Trap(sandbox::SIGSYSPrctlFailure, NULL));

+#if defined(__i386__)

+ErrorCode RestrictSocketcallForNaClNonSfi(SandboxBPF* sb) {

+ // We only allow socketpair, sendmsg, and recvmsg.

+ return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,

+ SYS_SOCKETPAIR,

+ ErrorCode(ErrorCode::ERR_ALLOWED),

+ sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,

+ SYS_SENDMSG,

+ ErrorCode(ErrorCode::ERR_ALLOWED),

+ sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,

+ SYS_RECVMSG,

+ ErrorCode(ErrorCode::ERR_ALLOWED),

+ sb->Trap(sandbox::CrashSIGSYS_Handler, NULL))));

+#endif

+ErrorCode RestrictMemoryProtectionForNaClNonSfi(SandboxBPF* sb, int argno) {

+ // TODO(jln, keescook, drewry): Limit the use of mmap/mprotect by

+ // adding some features to linux kernel.

+ uint32_t denied_mask = ~(PROT_READ | PROT_WRITE | PROT_EXEC);

+ return sb->Cond(argno, ErrorCode::TP_32BIT,

+ ErrorCode::OP_HAS_ANY_BITS,

+ denied_mask,

+ sb->Trap(sandbox::CrashSIGSYS_Handler, NULL),

+ ErrorCode(ErrorCode::ERR_ALLOWED));

+ErrorCode RestrictMmapForNaClNonSfi(SandboxBPF* sb) {

+ uint32_t denied_flag_mask = ~(MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |

+ MAP_STACK | MAP_FIXED);

+ return sb->Cond(3, ErrorCode::TP_32BIT,

+ ErrorCode::OP_HAS_ANY_BITS,

+ denied_flag_mask,

+ sb->Trap(sandbox::CrashSIGSYS_Handler, NULL),

+ RestrictMemoryProtectionForNaClNonSfi(sb, 2));

+ErrorCode RestrictSocketpairForNaClNonSfi(SandboxBPF* sb) {

+ // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.

+ COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different);

+ return sb->Cond(0, ErrorCode::TP_32BIT,

+ ErrorCode::OP_EQUAL, AF_UNIX,

+ ErrorCode(ErrorCode::ERR_ALLOWED),

+ sb->Trap(sandbox::CrashSIGSYS_Handler, NULL));

+// The seccomp sandbox policy for NaCl non-SFI mode. Note that this

+// policy must be as strong as possible, as non-SFI mode heavily

+// depends on seccomp sandbox.

+class NaClNonSfiBPFSandboxPolicy : public SandboxBPFPolicy {

+ public:

+ explicit NaClNonSfiBPFSandboxPolicy() {

+ }

+ virtual ~NaClNonSfiBPFSandboxPolicy() {}

+ virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,

+ int system_call_number) const OVERRIDE;

+ private:

+ DISALLOW_COPY_AND_ASSIGN(NaClNonSfiBPFSandboxPolicy);

+};

+ErrorCode NaClNonSfiBPFSandboxPolicy::EvaluateSyscall(

+ SandboxBPF* sb, int sysno) const {

+ switch (sysno) {

+ // Allowed syscalls.

+#if defined(__i386__) || defined(__arm__)

+ case __NR__llseek:

+#endif

+#if defined(__x86_64__)

+ case __NR_lseek:

+#endif

+ case __NR_clock_gettime:

+ case __NR_close:

+ case __NR_dup:

+ case __NR_dup2:

+ case __NR_epoll_create:

+ case __NR_epoll_ctl:

+ case __NR_epoll_wait:

+ case __NR_exit:

+ case __NR_exit_group:

+#if defined(__i386__) || defined(__arm__)

+ case __NR_fstat64:

+#endif

+#if defined(__x86_64__)

+ case __NR_fstat:

+#endif

+ case __NR_futex:

+ case __NR_gettid:

+ case __NR_gettimeofday:

+ case __NR_munmap:

+ case __NR_nanosleep:

+ case __NR_pipe:

+ case __NR_pread64:

+ case __NR_read:

+ case __NR_restart_syscall:

+ case __NR_sched_yield:

+ case __NR_sigaltstack:

+ case __NR_write:

+#if defined(__arm__)

+ case __ARM_NR_cacheflush:

+#endif

+ return ErrorCode(ErrorCode::ERR_ALLOWED);

+ // __NR_times needed as clock() is called by CommandBufferHelper, which is

+ // used by NaCl applications that use Pepper's 3D interfaces.

+ // See crbug.com/264856 for details.

+ case __NR_times:

+ // NaCl runtime exposes clock_getres to untrusted code.

+ case __NR_clock_getres:

+ return ErrorCode(ErrorCode::ERR_ALLOWED);

+ // It is allowed to call the following syscalls, but they just

+ // return EPERM.

+ case __NR_ptrace:

+ // For RunSandboxSanityChecks().

+ return ErrorCode(EPERM);

+ case __NR_set_robust_list:

+ // glibc uses this for its pthread implementation. If we return

+ // EPERM for this, glibc will stop using this.

+ // TODO(hamaji): newlib does not use this. Make this SIGTRAP once

+ // we have switched to newlib.

+ return ErrorCode(EPERM);

jln (very slow on Chromium) 2014/04/08 00:51:10 Do you want to group all the EPERM into a separate

hamaji 2014/04/09 21:09:09 Done.

+#if defined(__i386__) || defined(__arm__)

+ case __NR_getegid32:

+ case __NR_geteuid32:

+ case __NR_getgid32:

+ case __NR_getuid32:

+#endif

+#if defined(__x86_64__)

+ case __NR_getegid:

+ case __NR_geteuid:

+ case __NR_getgid:

+ case __NR_getuid:

+#endif

+ // third_party/libevent uses them, but we can just return -1 from

+ // them as it is just checking getuid() != geteuid() and

+ // getgid() != getegid()

+ return ErrorCode(EPERM);

+#if defined(__i386__) || defined(__x86_64__)

+ case __NR_time:

+ // This is obsolete in ARM EABI, but x86 glibc indirectly calls

+ // this in sysconf.

+ return ErrorCode(EPERM);

+#endif

+ case __NR_open:

+ // EPERM instead of SIGSYS as glibc tries to open files in /proc.

+ // TODO(hamaji): Remove this when we switch to newlib.

+ return ErrorCode(EPERM);

+ case __NR_brk:

+ // The behavior of brk on Linux is different from other system

+ // calls. It does not return errno but the current break on

+ // failure. glibc thinks brk failed the return value of brk

+ // is lesser than the requested address (i.e., brk(addr) < addr)

+ // So, glibc thinks brk succeeded if we return -EPERM and we

+ // need to return zero instead.

+ return ErrorCode(0);

+ case __NR_madvise:

+ // tcmalloc calls madvise in TCMalloc_SystemRelease.

+ return ErrorCode(EPERM);

+ case __NR_clone:

+ return RestrictCloneForNaClNonSfi(sb);

+ case __NR_prctl:

+ return RestrictPrctlForNaClNonSfi(sb);

+#if defined(__i386__)

+ case __NR_socketcall:

+ return RestrictSocketcallForNaClNonSfi(sb);

+#endif

+#if defined(__x86_64__) || defined(__arm__)

+ case __NR_recvmsg:

jln (very slow on Chromium) 2014/04/08 00:51:10 These guys are pretty problematic :(

hamaji 2014/04/09 21:09:09 One of my naive question: isn't it possible to add

+ case __NR_sendmsg:

+ return ErrorCode(ErrorCode::ERR_ALLOWED);

+ case __NR_socketpair:

+ return RestrictSocketpairForNaClNonSfi(sb);

+#endif

+#if defined(__x86_64__)

+ case __NR_fcntl:

+#endif

+#if defined(__i386__) || defined(__arm__)

+ case __NR_fcntl64:

+#endif

+ return RestrictFcntlCommandsForNaClNonSfi(sb);

+#if defined(__x86_64__)

+ case __NR_mmap:

+#endif

+#if defined(__i386__) || defined(__arm__)

+ case __NR_mmap2:

+#endif

+ return RestrictMmapForNaClNonSfi(sb);

+ case __NR_mprotect:

+ return RestrictMemoryProtectionForNaClNonSfi(sb, 2);

+ default:

+ return sb->Trap(sandbox::CrashSIGSYS_Handler, NULL);

+ }

+void RunSandboxSanityChecks() {

+ errno = 0;

+ // Make a ptrace request with an invalid PID.

+ long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL);

+ CHECK_EQ(-1, ptrace_ret);

+ // Without the sandbox on, this ptrace call would ESRCH instead.

+ CHECK_EQ(EPERM, errno);

+} // namespace

+void InitializeBPFSandbox() {

+ bool sandbox_is_initialized = content::InitializeSandbox(

+ scoped_ptr<SandboxBPFPolicy>(new NaClNonSfiBPFSandboxPolicy()));

+ CHECK(sandbox_is_initialized)

+ << "InitializeBPFSandbox for non-SFI NaCl failed";

+ RunSandboxSanityChecks();

+} // namespace nonsfi

+} // namespace nacl