| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" | 5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <sys/mman.h> | 8 #include <sys/mman.h> |
| 9 #include <sys/socket.h> | 9 #include <sys/socket.h> |
| 10 #include <sys/syscall.h> | 10 #include <sys/syscall.h> |
| (...skipping 25 matching lines...) Expand all Loading... |
| 36 SyscallSets::IsAllowedGeneralIo(sysno) || | 36 SyscallSets::IsAllowedGeneralIo(sysno) || |
| 37 SyscallSets::IsAllowedGetOrModifySocket(sysno) || | 37 SyscallSets::IsAllowedGetOrModifySocket(sysno) || |
| 38 SyscallSets::IsAllowedGettime(sysno) || | 38 SyscallSets::IsAllowedGettime(sysno) || |
| 39 SyscallSets::IsAllowedProcessStartOrDeath(sysno) || | 39 SyscallSets::IsAllowedProcessStartOrDeath(sysno) || |
| 40 SyscallSets::IsAllowedSignalHandling(sysno) || | 40 SyscallSets::IsAllowedSignalHandling(sysno) || |
| 41 SyscallSets::IsGetSimpleId(sysno) || | 41 SyscallSets::IsGetSimpleId(sysno) || |
| 42 SyscallSets::IsKernelInternalApi(sysno) || | 42 SyscallSets::IsKernelInternalApi(sysno) || |
| 43 #if defined(__arm__) | 43 #if defined(__arm__) |
| 44 SyscallSets::IsArmPrivate(sysno) || | 44 SyscallSets::IsArmPrivate(sysno) || |
| 45 #endif | 45 #endif |
| 46 #if defined(__mips__) |
| 47 SyscallSets::IsMipsPrivate(sysno) || |
| 48 #endif |
| 46 SyscallSets::IsAllowedOperationOnFd(sysno); | 49 SyscallSets::IsAllowedOperationOnFd(sysno); |
| 47 } | 50 } |
| 48 | 51 |
| 49 // System calls that will trigger the crashing SIGSYS handler. | 52 // System calls that will trigger the crashing SIGSYS handler. |
| 50 bool IsBaselinePolicyWatched(int sysno) { | 53 bool IsBaselinePolicyWatched(int sysno) { |
| 51 return SyscallSets::IsAdminOperation(sysno) || | 54 return SyscallSets::IsAdminOperation(sysno) || |
| 52 SyscallSets::IsAdvancedScheduler(sysno) || | 55 SyscallSets::IsAdvancedScheduler(sysno) || |
| 53 SyscallSets::IsAdvancedTimer(sysno) || | 56 SyscallSets::IsAdvancedTimer(sysno) || |
| 54 SyscallSets::IsAsyncIo(sysno) || | 57 SyscallSets::IsAsyncIo(sysno) || |
| 55 SyscallSets::IsDebug(sysno) || | 58 SyscallSets::IsDebug(sysno) || |
| 56 SyscallSets::IsEventFd(sysno) || | 59 SyscallSets::IsEventFd(sysno) || |
| 57 SyscallSets::IsExtendedAttributes(sysno) || | 60 SyscallSets::IsExtendedAttributes(sysno) || |
| 58 SyscallSets::IsFaNotify(sysno) || | 61 SyscallSets::IsFaNotify(sysno) || |
| 59 SyscallSets::IsFsControl(sysno) || | 62 SyscallSets::IsFsControl(sysno) || |
| 60 SyscallSets::IsGlobalFSViewChange(sysno) || | 63 SyscallSets::IsGlobalFSViewChange(sysno) || |
| 61 SyscallSets::IsGlobalProcessEnvironment(sysno) || | 64 SyscallSets::IsGlobalProcessEnvironment(sysno) || |
| 62 SyscallSets::IsGlobalSystemStatus(sysno) || | 65 SyscallSets::IsGlobalSystemStatus(sysno) || |
| 63 SyscallSets::IsInotify(sysno) || | 66 SyscallSets::IsInotify(sysno) || |
| 64 SyscallSets::IsKernelModule(sysno) || | 67 SyscallSets::IsKernelModule(sysno) || |
| 65 SyscallSets::IsKeyManagement(sysno) || | 68 SyscallSets::IsKeyManagement(sysno) || |
| 66 SyscallSets::IsKill(sysno) || | 69 SyscallSets::IsKill(sysno) || |
| 67 SyscallSets::IsMessageQueue(sysno) || | 70 SyscallSets::IsMessageQueue(sysno) || |
| 68 SyscallSets::IsMisc(sysno) || | 71 SyscallSets::IsMisc(sysno) || |
| 69 #if defined(__x86_64__) | 72 #if defined(__x86_64__) |
| 70 SyscallSets::IsNetworkSocketInformation(sysno) || | 73 SyscallSets::IsNetworkSocketInformation(sysno) || |
| 71 #endif | 74 #endif |
| 72 SyscallSets::IsNuma(sysno) || | 75 SyscallSets::IsNuma(sysno) || |
| 73 SyscallSets::IsPrctl(sysno) || | 76 SyscallSets::IsPrctl(sysno) || |
| 74 SyscallSets::IsProcessGroupOrSession(sysno) || | 77 SyscallSets::IsProcessGroupOrSession(sysno) || |
| 75 #if defined(__i386__) | 78 #if defined(__i386__) || defined(__mips__) |
| 76 SyscallSets::IsSocketCall(sysno) || | 79 SyscallSets::IsSocketCall(sysno) || |
| 77 #endif | 80 #endif |
| 78 #if defined(__arm__) | 81 #if defined(__arm__) |
| 79 SyscallSets::IsArmPciConfig(sysno) || | 82 SyscallSets::IsArmPciConfig(sysno) || |
| 80 #endif | 83 #endif |
| 84 #if defined(__mips__) |
| 85 SyscallSets::IsMipsMisc(sysno) || |
| 86 #endif |
| 81 SyscallSets::IsTimer(sysno); | 87 SyscallSets::IsTimer(sysno); |
| 82 } | 88 } |
| 83 | 89 |
| 84 // |fs_denied_errno| is the errno return for denied filesystem access. | 90 // |fs_denied_errno| is the errno return for denied filesystem access. |
| 85 ErrorCode EvaluateSyscallImpl(int fs_denied_errno, | 91 ErrorCode EvaluateSyscallImpl(int fs_denied_errno, |
| 86 pid_t current_pid, | 92 pid_t current_pid, |
| 87 SandboxBPF* sandbox, | 93 SandboxBPF* sandbox, |
| 88 int sysno) { | 94 int sysno) { |
| 89 #if defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) || \ | 95 #if defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) || \ |
| 90 defined(MEMORY_SANITIZER) | 96 defined(MEMORY_SANITIZER) |
| (...skipping 18 matching lines...) Expand all Loading... |
| 109 return ErrorCode(ErrorCode::ERR_ALLOWED); | 115 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 110 } | 116 } |
| 111 | 117 |
| 112 if (sysno == __NR_clone) { | 118 if (sysno == __NR_clone) { |
| 113 return RestrictCloneToThreadsAndEPERMFork(sandbox); | 119 return RestrictCloneToThreadsAndEPERMFork(sandbox); |
| 114 } | 120 } |
| 115 | 121 |
| 116 if (sysno == __NR_fcntl) | 122 if (sysno == __NR_fcntl) |
| 117 return RestrictFcntlCommands(sandbox); | 123 return RestrictFcntlCommands(sandbox); |
| 118 | 124 |
| 119 #if defined(__i386__) || defined(__arm__) | 125 #if defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 120 if (sysno == __NR_fcntl64) | 126 if (sysno == __NR_fcntl64) |
| 121 return RestrictFcntlCommands(sandbox); | 127 return RestrictFcntlCommands(sandbox); |
| 122 #endif | 128 #endif |
| 123 | 129 |
| 124 if (sysno == __NR_futex) | 130 if (sysno == __NR_futex) |
| 125 return RestrictFutex(sandbox); | 131 return RestrictFutex(sandbox); |
| 126 | 132 |
| 127 if (sysno == __NR_madvise) { | 133 if (sysno == __NR_madvise) { |
| 128 // Only allow MADV_DONTNEED (aka MADV_FREE). | 134 // Only allow MADV_DONTNEED (aka MADV_FREE). |
| 129 return sandbox->Cond(2, ErrorCode::TP_32BIT, | 135 return sandbox->Cond(2, ErrorCode::TP_32BIT, |
| 130 ErrorCode::OP_EQUAL, MADV_DONTNEED, | 136 ErrorCode::OP_EQUAL, MADV_DONTNEED, |
| 131 ErrorCode(ErrorCode::ERR_ALLOWED), | 137 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 132 ErrorCode(EPERM)); | 138 ErrorCode(EPERM)); |
| 133 } | 139 } |
| 134 | 140 |
| 135 #if defined(__i386__) || defined(__x86_64__) | 141 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
| 136 if (sysno == __NR_mmap) | 142 if (sysno == __NR_mmap) |
| 137 return RestrictMmapFlags(sandbox); | 143 return RestrictMmapFlags(sandbox); |
| 138 #endif | 144 #endif |
| 139 | 145 |
| 140 #if defined(__i386__) || defined(__arm__) | 146 #if defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 141 if (sysno == __NR_mmap2) | 147 if (sysno == __NR_mmap2) |
| 142 return RestrictMmapFlags(sandbox); | 148 return RestrictMmapFlags(sandbox); |
| 143 #endif | 149 #endif |
| 144 | 150 |
| 145 if (sysno == __NR_mprotect) | 151 if (sysno == __NR_mprotect) |
| 146 return RestrictMprotectFlags(sandbox); | 152 return RestrictMprotectFlags(sandbox); |
| 147 | 153 |
| 148 if (sysno == __NR_prctl) | 154 if (sysno == __NR_prctl) |
| 149 return sandbox::RestrictPrctl(sandbox); | 155 return sandbox::RestrictPrctl(sandbox); |
| 150 | 156 |
| 151 #if defined(__x86_64__) || defined(__arm__) | 157 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) |
| 152 if (sysno == __NR_socketpair) { | 158 if (sysno == __NR_socketpair) { |
| 153 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. | 159 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. |
| 154 COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); | 160 COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); |
| 155 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX, | 161 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX, |
| 156 ErrorCode(ErrorCode::ERR_ALLOWED), | 162 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 157 sandbox->Trap(CrashSIGSYS_Handler, NULL)); | 163 sandbox->Trap(CrashSIGSYS_Handler, NULL)); |
| 158 } | 164 } |
| 159 #endif | 165 #endif |
| 160 | 166 |
| 161 if (SyscallSets::IsKill(sysno)) { | 167 if (SyscallSets::IsKill(sysno)) { |
| 162 return RestrictKillTarget(current_pid, sandbox, sysno); | 168 return RestrictKillTarget(current_pid, sandbox, sysno); |
| 163 } | 169 } |
| 164 | 170 |
| 165 if (SyscallSets::IsFileSystem(sysno) || | 171 if (SyscallSets::IsFileSystem(sysno) || |
| 166 SyscallSets::IsCurrentDirectory(sysno)) { | 172 SyscallSets::IsCurrentDirectory(sysno)) { |
| 167 return ErrorCode(fs_denied_errno); | 173 return ErrorCode(fs_denied_errno); |
| 168 } | 174 } |
| 169 | 175 |
| 170 if (SyscallSets::IsAnySystemV(sysno)) { | 176 if (SyscallSets::IsAnySystemV(sysno)) { |
| 171 return ErrorCode(EPERM); | 177 return ErrorCode(EPERM); |
| 172 } | 178 } |
| 173 | 179 |
| 174 if (SyscallSets::IsUmask(sysno) || | 180 if (SyscallSets::IsUmask(sysno) || |
| 175 SyscallSets::IsDeniedFileSystemAccessViaFd(sysno) || | 181 SyscallSets::IsDeniedFileSystemAccessViaFd(sysno) || |
| 176 SyscallSets::IsDeniedGetOrModifySocket(sysno) || | 182 SyscallSets::IsDeniedGetOrModifySocket(sysno) || |
| 177 SyscallSets::IsProcessPrivilegeChange(sysno)) { | 183 SyscallSets::IsProcessPrivilegeChange(sysno)) { |
| 178 return ErrorCode(EPERM); | 184 return ErrorCode(EPERM); |
| 179 } | 185 } |
| 180 | 186 |
| 181 #if defined(__i386__) | 187 #if defined(__i386__) || defined(__mips__) |
| 182 if (SyscallSets::IsSocketCall(sysno)) | 188 if (SyscallSets::IsSocketCall(sysno)) |
| 183 return RestrictSocketcallCommand(sandbox); | 189 return RestrictSocketcallCommand(sandbox); |
| 184 #endif | 190 #endif |
| 185 | 191 |
| 186 if (IsBaselinePolicyWatched(sysno)) { | 192 if (IsBaselinePolicyWatched(sysno)) { |
| 187 // Previously unseen syscalls. TODO(jln): some of these should | 193 // Previously unseen syscalls. TODO(jln): some of these should |
| 188 // be denied gracefully right away. | 194 // be denied gracefully right away. |
| 189 return sandbox->Trap(CrashSIGSYS_Handler, NULL); | 195 return sandbox->Trap(CrashSIGSYS_Handler, NULL); |
| 190 } | 196 } |
| 191 | 197 |
| (...skipping 20 matching lines...) Expand all Loading... |
| 212 ErrorCode BaselinePolicy::EvaluateSyscall(SandboxBPF* sandbox, | 218 ErrorCode BaselinePolicy::EvaluateSyscall(SandboxBPF* sandbox, |
| 213 int sysno) const { | 219 int sysno) const { |
| 214 // Make sure that this policy is used in the creating process. | 220 // Make sure that this policy is used in the creating process. |
| 215 if (1 == sysno) { | 221 if (1 == sysno) { |
| 216 DCHECK_EQ(syscall(__NR_getpid), current_pid_); | 222 DCHECK_EQ(syscall(__NR_getpid), current_pid_); |
| 217 } | 223 } |
| 218 return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sandbox, sysno); | 224 return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sandbox, sysno); |
| 219 } | 225 } |
| 220 | 226 |
| 221 } // namespace sandbox. | 227 } // namespace sandbox. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 260793003:
[MIPS] Add seccomp bpf support (Closed)
Base URL: https://git.chromium.org/git/chromium/src.git@master