| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h" |
| 6 |
| 7 #include <errno.h> |
| 8 #include <fcntl.h> |
| 9 #include <linux/net.h> |
| 10 #include <sys/prctl.h> |
| 11 #include <sys/ptrace.h> |
| 12 #include <sys/mman.h> |
| 13 #include <sys/socket.h> |
| 14 #include <sys/syscall.h> |
| 15 |
| 16 #include "base/basictypes.h" |
| 17 #include "base/logging.h" |
| 18 #include "build/build_config.h" |
| 19 #include "content/public/common/sandbox_init.h" |
| 20 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" |
| 21 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 22 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" |
| 23 #include "sandbox/linux/seccomp-bpf/trap.h" |
| 24 #include "sandbox/linux/services/linux_syscalls.h" |
| 25 |
| 26 #if defined(__arm__) && !defined(MAP_STACK) |
| 27 // Chrome OS Daisy (ARM) build environment has old headers. |
| 28 #define MAP_STACK 0x20000 |
| 29 #endif |
| 30 |
| 31 using sandbox::ErrorCode; |
| 32 using sandbox::SandboxBPF; |
| 33 |
| 34 namespace nacl { |
| 35 namespace nonsfi { |
| 36 namespace { |
| 37 |
| 38 ErrorCode RestrictFcntlCommands(SandboxBPF* sb) { |
| 39 ErrorCode::ArgType mask_long_type; |
| 40 if (sizeof(long) == 8) { |
| 41 mask_long_type = ErrorCode::TP_64BIT; |
| 42 } else if (sizeof(long) == 4) { |
| 43 mask_long_type = ErrorCode::TP_32BIT; |
| 44 } else { |
| 45 NOTREACHED(); |
| 46 } |
| 47 // We allow following cases: |
| 48 // 1. F_SETFD + FD_CLOEXEC: libevent's epoll_init uses this. |
| 49 // 2. F_GETFL: Used by SetNonBlocking in |
| 50 // message_pump_libevent.cc and Channel::ChannelImpl::CreatePipe |
| 51 // in ipc_channel_posix.cc. Note that the latter does not work |
| 52 // with EPERM. |
| 53 // 3. F_SETFL: Used by evutil_make_socket_nonblocking in |
| 54 // libevent and SetNonBlocking. As the latter mix O_NONBLOCK to |
| 55 // the return value of F_GETFL, so we need to allow O_ACCMODE in |
| 56 // addition to O_NONBLOCK. |
| 57 const unsigned long denied_mask = ~(O_ACCMODE | O_NONBLOCK); |
| 58 return sb->Cond(1, ErrorCode::TP_32BIT, |
| 59 ErrorCode::OP_EQUAL, F_SETFD, |
| 60 sb->Cond(2, mask_long_type, |
| 61 ErrorCode::OP_EQUAL, FD_CLOEXEC, |
| 62 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 63 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)), |
| 64 sb->Cond(1, ErrorCode::TP_32BIT, |
| 65 ErrorCode::OP_EQUAL, F_GETFL, |
| 66 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 67 sb->Cond(1, ErrorCode::TP_32BIT, |
| 68 ErrorCode::OP_EQUAL, F_SETFL, |
| 69 sb->Cond(2, mask_long_type, |
| 70 ErrorCode::OP_HAS_ANY_BITS, denied_mask, |
| 71 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL), |
| 72 ErrorCode(ErrorCode::ERR_ALLOWED)), |
| 73 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)))); |
| 74 } |
| 75 |
| 76 ErrorCode RestrictClone(SandboxBPF* sb) { |
| 77 // We allow clone only for new thread creation. |
| 78 return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 79 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | |
| 80 CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | |
| 81 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID, |
| 82 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 83 sb->Trap(sandbox::SIGSYSCloneFailure, NULL)); |
| 84 } |
| 85 |
| 86 ErrorCode RestrictPrctl(SandboxBPF* sb) { |
| 87 // base::PlatformThread::SetName() uses PR_SET_NAME so we return |
| 88 // EPERM for it. Otherwise, we will raise SIGSYS. |
| 89 return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 90 PR_SET_NAME, ErrorCode(EPERM), |
| 91 sb->Trap(sandbox::SIGSYSPrctlFailure, NULL)); |
| 92 } |
| 93 |
| 94 #if defined(__i386__) |
| 95 ErrorCode RestrictSocketcall(SandboxBPF* sb) { |
| 96 // We only allow socketpair, sendmsg, and recvmsg. |
| 97 return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 98 SYS_SOCKETPAIR, |
| 99 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 100 sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 101 SYS_SENDMSG, |
| 102 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 103 sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 104 SYS_RECVMSG, |
| 105 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 106 sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 107 SYS_SHUTDOWN, |
| 108 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 109 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL))))); |
| 110 } |
| 111 #endif |
| 112 |
| 113 ErrorCode RestrictMemoryProtection(SandboxBPF* sb, int argno) { |
| 114 // TODO(jln, keescook, drewry): Limit the use of mmap/mprotect by |
| 115 // adding some features to linux kernel. |
| 116 const uint32_t denied_mask = ~(PROT_READ | PROT_WRITE | PROT_EXEC); |
| 117 return sb->Cond(argno, ErrorCode::TP_32BIT, |
| 118 ErrorCode::OP_HAS_ANY_BITS, |
| 119 denied_mask, |
| 120 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL), |
| 121 ErrorCode(ErrorCode::ERR_ALLOWED)); |
| 122 } |
| 123 |
| 124 ErrorCode RestrictMmap(SandboxBPF* sb) { |
| 125 const uint32_t denied_flag_mask = ~(MAP_SHARED | MAP_PRIVATE | |
| 126 MAP_ANONYMOUS | MAP_STACK | MAP_FIXED); |
| 127 // TODO(hamaji): Disallow RWX mmap. |
| 128 return sb->Cond(3, ErrorCode::TP_32BIT, |
| 129 ErrorCode::OP_HAS_ANY_BITS, |
| 130 denied_flag_mask, |
| 131 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL), |
| 132 RestrictMemoryProtection(sb, 2)); |
| 133 } |
| 134 |
| 135 ErrorCode RestrictSocketpair(SandboxBPF* sb) { |
| 136 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. |
| 137 COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); |
| 138 return sb->Cond(0, ErrorCode::TP_32BIT, |
| 139 ErrorCode::OP_EQUAL, AF_UNIX, |
| 140 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 141 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)); |
| 142 } |
| 143 |
| 144 bool IsGracefullyDenied(int sysno) { |
| 145 switch (sysno) { |
| 146 // third_party/libevent uses them, but we can just return -1 from |
| 147 // them as it is just checking getuid() != geteuid() and |
| 148 // getgid() != getegid() |
| 149 #if defined(__i386__) || defined(__arm__) |
| 150 case __NR_getegid32: |
| 151 case __NR_geteuid32: |
| 152 case __NR_getgid32: |
| 153 case __NR_getuid32: |
| 154 #elif defined(__x86_64__) |
| 155 case __NR_getegid: |
| 156 case __NR_geteuid: |
| 157 case __NR_getgid: |
| 158 case __NR_getuid: |
| 159 #endif |
| 160 // ASan internally uses getpid, ioctl, and readlink. |
| 161 case __NR_getpid: |
| 162 case __NR_ioctl: |
| 163 case __NR_readlink: |
| 164 // tcmalloc calls madvise in TCMalloc_SystemRelease. |
| 165 case __NR_madvise: |
| 166 // EPERM instead of SIGSYS as glibc tries to open files in /proc. |
| 167 // TODO(hamaji): Remove this when we switch to newlib. |
| 168 case __NR_open: |
| 169 // For RunSandboxSanityChecks(). |
| 170 case __NR_ptrace: |
| 171 // glibc uses this for its pthread implementation. If we return |
| 172 // EPERM for this, glibc will stop using this. |
| 173 // TODO(hamaji): newlib does not use this. Make this SIGTRAP once |
| 174 // we have switched to newlib. |
| 175 case __NR_set_robust_list: |
| 176 // This is obsolete in ARM EABI, but x86 glibc indirectly calls |
| 177 // this in sysconf. |
| 178 #if defined(__i386__) || defined(__x86_64__) |
| 179 case __NR_time: |
| 180 #endif |
| 181 return true; |
| 182 |
| 183 default: |
| 184 return false; |
| 185 } |
| 186 } |
| 187 |
| 188 void RunSandboxSanityChecks() { |
| 189 errno = 0; |
| 190 // Make a ptrace request with an invalid PID. |
| 191 long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL); |
| 192 CHECK_EQ(-1, ptrace_ret); |
| 193 // Without the sandbox on, this ptrace call would ESRCH instead. |
| 194 CHECK_EQ(EPERM, errno); |
| 195 } |
| 196 |
| 197 } // namespace |
| 198 |
| 199 ErrorCode NaClNonSfiBPFSandboxPolicy::EvaluateSyscall( |
| 200 SandboxBPF* sb, int sysno) const { |
| 201 return EvaluateSyscallImpl(sb, sysno, NULL); |
| 202 } |
| 203 |
| 204 ErrorCode NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl( |
| 205 SandboxBPF* sb, int sysno, void*) { |
| 206 switch (sysno) { |
| 207 // Allowed syscalls. |
| 208 #if defined(__i386__) || defined(__arm__) |
| 209 case __NR__llseek: |
| 210 #elif defined(__x86_64__) |
| 211 case __NR_lseek: |
| 212 #endif |
| 213 // NaCl runtime exposes clock_gettime and clock_getres to untrusted code. |
| 214 case __NR_clock_getres: |
| 215 case __NR_clock_gettime: |
| 216 case __NR_close: |
| 217 case __NR_dup: |
| 218 case __NR_dup2: |
| 219 case __NR_epoll_create: |
| 220 case __NR_epoll_ctl: |
| 221 case __NR_epoll_wait: |
| 222 case __NR_exit: |
| 223 case __NR_exit_group: |
| 224 #if defined(__i386__) || defined(__arm__) |
| 225 case __NR_fstat64: |
| 226 #elif defined(__x86_64__) |
| 227 case __NR_fstat: |
| 228 #endif |
| 229 // TODO(hamaji): Allow only FUTEX_PRIVATE_FLAG. |
| 230 case __NR_futex: |
| 231 // TODO(hamaji): Remove the need of gettid. Currently, this is |
| 232 // called from PlatformThread::CurrentId(). |
| 233 case __NR_gettid: |
| 234 case __NR_gettimeofday: |
| 235 case __NR_munmap: |
| 236 case __NR_nanosleep: |
| 237 // TODO(hamaji): Remove the need of pipe. Currently, this is |
| 238 // called from base::MessagePumpLibevent::Init(). |
| 239 case __NR_pipe: |
| 240 case __NR_pread64: |
| 241 case __NR_pwrite64: |
| 242 case __NR_read: |
| 243 case __NR_restart_syscall: |
| 244 case __NR_sched_yield: |
| 245 // __NR_times needed as clock() is called by CommandBufferHelper, which is |
| 246 // used by NaCl applications that use Pepper's 3D interfaces. |
| 247 // See crbug.com/264856 for details. |
| 248 case __NR_times: |
| 249 case __NR_write: |
| 250 #if defined(__arm__) |
| 251 case __ARM_NR_cacheflush: |
| 252 #endif |
| 253 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 254 |
| 255 case __NR_clone: |
| 256 return RestrictClone(sb); |
| 257 |
| 258 #if defined(__x86_64__) |
| 259 case __NR_fcntl: |
| 260 #endif |
| 261 #if defined(__i386__) || defined(__arm__) |
| 262 case __NR_fcntl64: |
| 263 #endif |
| 264 return RestrictFcntlCommands(sb); |
| 265 |
| 266 #if defined(__x86_64__) |
| 267 case __NR_mmap: |
| 268 #endif |
| 269 #if defined(__i386__) || defined(__arm__) |
| 270 case __NR_mmap2: |
| 271 #endif |
| 272 return RestrictMmap(sb); |
| 273 case __NR_mprotect: |
| 274 return RestrictMemoryProtection(sb, 2); |
| 275 |
| 276 case __NR_prctl: |
| 277 return RestrictPrctl(sb); |
| 278 |
| 279 #if defined(__i386__) |
| 280 case __NR_socketcall: |
| 281 return RestrictSocketcall(sb); |
| 282 #endif |
| 283 #if defined(__x86_64__) || defined(__arm__) |
| 284 case __NR_recvmsg: |
| 285 case __NR_sendmsg: |
| 286 case __NR_shutdown: |
| 287 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 288 case __NR_socketpair: |
| 289 return RestrictSocketpair(sb); |
| 290 #endif |
| 291 |
| 292 case __NR_brk: |
| 293 // The behavior of brk on Linux is different from other system |
| 294 // calls. It does not return errno but the current break on |
| 295 // failure. glibc thinks brk failed if the return value of brk |
| 296 // is less than the requested address (i.e., brk(addr) < addr). |
| 297 // So, glibc thinks brk succeeded if we return -EPERM and we |
| 298 // need to return zero instead. |
| 299 return ErrorCode(0); |
| 300 |
| 301 default: |
| 302 if (IsGracefullyDenied(sysno)) |
| 303 return ErrorCode(EPERM); |
| 304 return sb->Trap(sandbox::CrashSIGSYS_Handler, NULL); |
| 305 } |
| 306 } |
| 307 |
| 308 bool InitializeBPFSandbox() { |
| 309 bool sandbox_is_initialized = content::InitializeSandbox( |
| 310 scoped_ptr<sandbox::SandboxBPFPolicy>( |
| 311 new nacl::nonsfi::NaClNonSfiBPFSandboxPolicy())); |
| 312 if (!sandbox_is_initialized) |
| 313 return false; |
| 314 RunSandboxSanityChecks(); |
| 315 return true; |
| 316 } |
| 317 |
| 318 } // namespace nonsfi |
| 319 } // namespace nacl |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 239703011:
Reland: Add seccomp sandbox for non-SFI NaCl (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master