content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc - Issue 2313393003: [Android] Allow __NR_rt_tgsigqueueinfo under seccomp.

Side by Side Diff: content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc

Issue 2313393003: [Android] Allow __NR_rt_tgsigqueueinfo under seccomp. (Closed)

Patch Set: Created 4 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright 2014 The Chromium Authors. All rights reserved.	1 // Copyright 2014 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h "	5 #include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h "

6	6

7 #include <errno.h>	7 #include <errno.h>

8 #include <fcntl.h>	8 #include <fcntl.h>

9 #include <linux/net.h>	9 #include <linux/net.h>

10 #include <sys/socket.h>	10 #include <sys/socket.h>

(...skipping 98 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
109 // Note that on i386, both of these calls map to __NR_socketcall, which	109 // Note that on i386, both of these calls map to __NR_socketcall, which

110 // is demultiplexed below.	110 // is demultiplexed below.

111 #if defined(__x86_64__) \|\| defined(__arm__) \|\| defined(__aarch64__) \|\| \	111 #if defined(__x86_64__) \|\| defined(__arm__) \|\| defined(__aarch64__) \|\| \

112 defined(__mips__)	112 defined(__mips__)

113 case __NR_getsockopt:	113 case __NR_getsockopt:

114 case __NR_connect:	114 case __NR_connect:

115 case __NR_socket:	115 case __NR_socket:

116 #endif	116 #endif

117	117

118 // Ptrace is allowed so the Breakpad Microdumper can fork in a renderer	118 // Ptrace is allowed so the Breakpad Microdumper can fork in a renderer

119 // and then ptrace the parent.	119 // and then ptrace the parent.
	jln (very slow on Chromium) 2016/09/07 23:22:05 Drive-by: do we have any plans to move away from t Drive-by: do we have any plans to move away from this? Are we confident that there is no process with the same gid that is not subject to this seccomp policy? It's a risk to the "consistency" of the policy. Robert Sesek 2016/09/08 18:33:02 Yes, because we only apply this to isolatedProcess Show quoted text On 2016/09/07 23:22:05, jln (very slow on Chromium) wrote: > Drive-by: do we have any plans to move away from this? Are we confident that > there is no process with the same gid that is not subject to this seccomp > policy? It's a risk to the "consistency" of the policy. Yes, because we only apply this to isolatedProcess services, we know that the UID and GID are the same and from the ephemeral isolated UID pool.
120 case __NR_ptrace:	120 case __NR_ptrace:

121 override_and_allow = true;	121 override_and_allow = true;

122 break;	122 break;

123 }	123 }

124	124

	125 // https://crbug.com/644759

	126 if (sysno == __NR_rt_tgsigqueueinfo) {

	127 const Arg<pid_t> tgid(0);

	128 return If(tgid == getpid(), Allow())
	jln (very slow on Chromium) 2016/09/07 23:22:05 Do you want to just capture the current pid as a m Do you want to just capture the current pid as a member variable of the policy (see policy_pid_ in baseline_policy.h). It's good practice to make the condition of If() as "constant" as possible. Note: the uinfo argument of this syscall sadly allows to spoof the sender PIDs, which has been a security issue in the past. Fixing this with seccomp is very convoluted, so I don't think we want to go there. (I fixed it in Linux in http://www.openwall.com/lists/oss-security/2011/03/22/13, but it regressed later). Robert Sesek 2016/09/08 18:33:02 Done. Show quoted text On 2016/09/07 23:22:05, jln (very slow on Chromium) wrote: > Do you want to just capture the current pid as a member variable of the policy > (see policy_pid_ in baseline_policy.h). It's good practice to make the condition > of If() as "constant" as possible. Done. Show quoted text > Note: the uinfo argument of this syscall sadly allows to spoof the sender PIDs, > which has been a security issue in the past. Fixing this with seccomp is very > convoluted, so I don't think we want to go there. > (I fixed it in Linux in > http://www.openwall.com/lists/oss-security/2011/03/22/13, but it regressed > later). That is unfortunate. However I think the risk is minimal here, given that we at worst we would signal ourselves.
	129 .Else(Error(EPERM));

	130 }

	131

125 #if defined(__x86_64__) \|\| defined(__arm__) \|\| defined(__aarch64__) \|\| \	132 #if defined(__x86_64__) \|\| defined(__arm__) \|\| defined(__aarch64__) \|\| \

126 defined(__mips__)	133 defined(__mips__)

127 if (sysno == __NR_socket) {	134 if (sysno == __NR_socket) {

128 const Arg<int> domain(0);	135 const Arg<int> domain(0);

129 const Arg<int> type(1);	136 const Arg<int> type(1);

130 const Arg<int> protocol(2);	137 const Arg<int> protocol(2);

131 return If(RestrictSocketArguments(domain, type, protocol), Allow())	138 return If(RestrictSocketArguments(domain, type, protocol), Allow())

132 .Else(Error(EPERM));	139 .Else(Error(EPERM));

133 }	140 }

134 #elif defined(__i386__)	141 #elif defined(__i386__)

(...skipping 11 matching lines...) Expand all Loading...
146 }	153 }

147 #endif	154 #endif

148	155

149 if (override_and_allow)	156 if (override_and_allow)

150 return Allow();	157 return Allow();

151	158

152 return SandboxBPFBasePolicy::EvaluateSyscall(sysno);	159 return SandboxBPFBasePolicy::EvaluateSyscall(sysno);

153 }	160 }

154	161

155 } // namespace content	162 } // namespace content

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »