OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <errno.h> | 5 #include <errno.h> |
6 #include <pthread.h> | 6 #include <pthread.h> |
7 #include <sched.h> | 7 #include <sched.h> |
8 #include <sys/prctl.h> | 8 #include <sys/prctl.h> |
9 #include <sys/syscall.h> | 9 #include <sys/syscall.h> |
10 #include <sys/time.h> | 10 #include <sys/time.h> |
(...skipping 195 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
206 | 206 |
207 // A simple test that verifies we can return arbitrary errno values. | 207 // A simple test that verifies we can return arbitrary errno values. |
208 | 208 |
209 ErrorCode ErrnoTestPolicy(SandboxBPF*, int sysno, void*) { | 209 ErrorCode ErrnoTestPolicy(SandboxBPF*, int sysno, void*) { |
210 if (!SandboxBPF::IsValidSyscallNumber(sysno)) { | 210 if (!SandboxBPF::IsValidSyscallNumber(sysno)) { |
211 // FIXME: we should really not have to do that in a trivial policy | 211 // FIXME: we should really not have to do that in a trivial policy |
212 return ErrorCode(ENOSYS); | 212 return ErrorCode(ENOSYS); |
213 } | 213 } |
214 | 214 |
215 switch (sysno) { | 215 switch (sysno) { |
| 216 #if defined(ANDROID) |
| 217 case __NR_dup3: // dup2 is a wrapper of dup3 in android |
| 218 #else |
216 case __NR_dup2: | 219 case __NR_dup2: |
| 220 #endif |
217 // Pretend that dup2() worked, but don't actually do anything. | 221 // Pretend that dup2() worked, but don't actually do anything. |
218 return ErrorCode(0); | 222 return ErrorCode(0); |
219 case __NR_setuid: | 223 case __NR_setuid: |
220 #if defined(__NR_setuid32) | 224 #if defined(__NR_setuid32) |
221 case __NR_setuid32: | 225 case __NR_setuid32: |
222 #endif | 226 #endif |
223 // Return errno = 1. | 227 // Return errno = 1. |
224 return ErrorCode(1); | 228 return ErrorCode(1); |
225 case __NR_setgid: | 229 case __NR_setgid: |
226 #if defined(__NR_setgid32) | 230 #if defined(__NR_setgid32) |
(...skipping 469 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
696 bool initialized_; | 700 bool initialized_; |
697 scoped_ptr<class BrokerProcess> broker_process_; | 701 scoped_ptr<class BrokerProcess> broker_process_; |
698 DISALLOW_COPY_AND_ASSIGN(InitializedOpenBroker); | 702 DISALLOW_COPY_AND_ASSIGN(InitializedOpenBroker); |
699 }; | 703 }; |
700 | 704 |
701 intptr_t BrokerOpenTrapHandler(const struct arch_seccomp_data& args, | 705 intptr_t BrokerOpenTrapHandler(const struct arch_seccomp_data& args, |
702 void* aux) { | 706 void* aux) { |
703 BPF_ASSERT(aux); | 707 BPF_ASSERT(aux); |
704 BrokerProcess* broker_process = static_cast<BrokerProcess*>(aux); | 708 BrokerProcess* broker_process = static_cast<BrokerProcess*>(aux); |
705 switch (args.nr) { | 709 switch (args.nr) { |
| 710 #if defined(ANDROID) |
| 711 case __NR_faccessat: // access is a wrapper of faccessat in android |
| 712 return broker_process->Access(reinterpret_cast<const char*>(args.args[1]), |
| 713 static_cast<int>(args.args[2])); |
| 714 #else |
706 case __NR_access: | 715 case __NR_access: |
707 return broker_process->Access(reinterpret_cast<const char*>(args.args[0]), | 716 return broker_process->Access(reinterpret_cast<const char*>(args.args[0]), |
708 static_cast<int>(args.args[1])); | 717 static_cast<int>(args.args[1])); |
| 718 #endif |
709 case __NR_open: | 719 case __NR_open: |
710 return broker_process->Open(reinterpret_cast<const char*>(args.args[0]), | 720 return broker_process->Open(reinterpret_cast<const char*>(args.args[0]), |
711 static_cast<int>(args.args[1])); | 721 static_cast<int>(args.args[1])); |
712 case __NR_openat: | 722 case __NR_openat: |
713 // We only call open() so if we arrive here, it's because glibc uses | 723 // We only call open() so if we arrive here, it's because glibc uses |
714 // the openat() system call. | 724 // the openat() system call. |
715 BPF_ASSERT(static_cast<int>(args.args[0]) == AT_FDCWD); | 725 BPF_ASSERT(static_cast<int>(args.args[0]) == AT_FDCWD); |
716 return broker_process->Open(reinterpret_cast<const char*>(args.args[1]), | 726 return broker_process->Open(reinterpret_cast<const char*>(args.args[1]), |
717 static_cast<int>(args.args[2])); | 727 static_cast<int>(args.args[2])); |
718 default: | 728 default: |
719 BPF_ASSERT(false); | 729 BPF_ASSERT(false); |
720 return -ENOSYS; | 730 return -ENOSYS; |
721 } | 731 } |
722 } | 732 } |
723 | 733 |
724 ErrorCode DenyOpenPolicy(SandboxBPF* sandbox, int sysno, void* aux) { | 734 ErrorCode DenyOpenPolicy(SandboxBPF* sandbox, int sysno, void* aux) { |
725 InitializedOpenBroker* iob = static_cast<InitializedOpenBroker*>(aux); | 735 InitializedOpenBroker* iob = static_cast<InitializedOpenBroker*>(aux); |
726 if (!SandboxBPF::IsValidSyscallNumber(sysno)) { | 736 if (!SandboxBPF::IsValidSyscallNumber(sysno)) { |
727 return ErrorCode(ENOSYS); | 737 return ErrorCode(ENOSYS); |
728 } | 738 } |
729 | 739 |
730 switch (sysno) { | 740 switch (sysno) { |
| 741 #if defined(ANDROID) |
| 742 case __NR_faccessat: |
| 743 #else |
731 case __NR_access: | 744 case __NR_access: |
| 745 #endif |
732 case __NR_open: | 746 case __NR_open: |
733 case __NR_openat: | 747 case __NR_openat: |
734 // We get a InitializedOpenBroker class, but our trap handler wants | 748 // We get a InitializedOpenBroker class, but our trap handler wants |
735 // the BrokerProcess object. | 749 // the BrokerProcess object. |
736 return ErrorCode( | 750 return ErrorCode( |
737 sandbox->Trap(BrokerOpenTrapHandler, iob->broker_process())); | 751 sandbox->Trap(BrokerOpenTrapHandler, iob->broker_process())); |
738 default: | 752 default: |
739 return ErrorCode(ErrorCode::ERR_ALLOWED); | 753 return ErrorCode(ErrorCode::ERR_ALLOWED); |
740 } | 754 } |
741 } | 755 } |
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
792 ErrorCode SimpleCondTestPolicy(SandboxBPF* sandbox, int sysno, void*) { | 806 ErrorCode SimpleCondTestPolicy(SandboxBPF* sandbox, int sysno, void*) { |
793 if (!SandboxBPF::IsValidSyscallNumber(sysno)) { | 807 if (!SandboxBPF::IsValidSyscallNumber(sysno)) { |
794 // FIXME: we should really not have to do that in a trivial policy | 808 // FIXME: we should really not have to do that in a trivial policy |
795 return ErrorCode(ENOSYS); | 809 return ErrorCode(ENOSYS); |
796 } | 810 } |
797 | 811 |
798 // We deliberately return unusual errno values upon failure, so that we | 812 // We deliberately return unusual errno values upon failure, so that we |
799 // can uniquely test for these values. In a "real" policy, you would want | 813 // can uniquely test for these values. In a "real" policy, you would want |
800 // to return more traditional values. | 814 // to return more traditional values. |
801 switch (sysno) { | 815 switch (sysno) { |
| 816 #if defined(ANDROID) |
| 817 case __NR_openat: // open is a wrapper of openat in android |
| 818 // Allow opening files for reading, but don't allow writing. |
| 819 COMPILE_ASSERT(O_RDONLY == 0, O_RDONLY_must_be_all_zero_bits); |
| 820 return sandbox->Cond(2, |
| 821 ErrorCode::TP_32BIT, |
| 822 ErrorCode::OP_HAS_ANY_BITS, |
| 823 O_ACCMODE /* 0x3 */, |
| 824 ErrorCode(EROFS), |
| 825 ErrorCode(ErrorCode::ERR_ALLOWED)); |
| 826 #else |
802 case __NR_open: | 827 case __NR_open: |
803 // Allow opening files for reading, but don't allow writing. | 828 // Allow opening files for reading, but don't allow writing. |
804 COMPILE_ASSERT(O_RDONLY == 0, O_RDONLY_must_be_all_zero_bits); | 829 COMPILE_ASSERT(O_RDONLY == 0, O_RDONLY_must_be_all_zero_bits); |
805 return sandbox->Cond(1, | 830 return sandbox->Cond(1, |
806 ErrorCode::TP_32BIT, | 831 ErrorCode::TP_32BIT, |
807 ErrorCode::OP_HAS_ANY_BITS, | 832 ErrorCode::OP_HAS_ANY_BITS, |
808 O_ACCMODE /* 0x3 */, | 833 O_ACCMODE /* 0x3 */, |
809 ErrorCode(EROFS), | 834 ErrorCode(EROFS), |
810 ErrorCode(ErrorCode::ERR_ALLOWED)); | 835 ErrorCode(ErrorCode::ERR_ALLOWED)); |
| 836 #endif |
811 case __NR_prctl: | 837 case __NR_prctl: |
812 // Allow prctl(PR_SET_DUMPABLE) and prctl(PR_GET_DUMPABLE), but | 838 // Allow prctl(PR_SET_DUMPABLE) and prctl(PR_GET_DUMPABLE), but |
813 // disallow everything else. | 839 // disallow everything else. |
814 return sandbox->Cond(0, | 840 return sandbox->Cond(0, |
815 ErrorCode::TP_32BIT, | 841 ErrorCode::TP_32BIT, |
816 ErrorCode::OP_EQUAL, | 842 ErrorCode::OP_EQUAL, |
817 PR_SET_DUMPABLE, | 843 PR_SET_DUMPABLE, |
818 ErrorCode(ErrorCode::ERR_ALLOWED), | 844 ErrorCode(ErrorCode::ERR_ALLOWED), |
819 sandbox->Cond(0, | 845 sandbox->Cond(0, |
820 ErrorCode::TP_32BIT, | 846 ErrorCode::TP_32BIT, |
(...skipping 956 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1777 &pid) == -EPERM); | 1803 &pid) == -EPERM); |
1778 } | 1804 } |
1779 | 1805 |
1780 BPF_TEST(SandboxBPF, PthreadEquality, PthreadPolicyEquality) { PthreadTest(); } | 1806 BPF_TEST(SandboxBPF, PthreadEquality, PthreadPolicyEquality) { PthreadTest(); } |
1781 | 1807 |
1782 BPF_TEST(SandboxBPF, PthreadBitMask, PthreadPolicyBitMask) { PthreadTest(); } | 1808 BPF_TEST(SandboxBPF, PthreadBitMask, PthreadPolicyBitMask) { PthreadTest(); } |
1783 | 1809 |
1784 } // namespace | 1810 } // namespace |
1785 | 1811 |
1786 } // namespace sandbox | 1812 } // namespace sandbox |
OLD | NEW |