Linux sandbox: always restrict clone() in baseline policy.

Linux sandbox: always restrict clone() in baseline policy.

Always restrict clone() to thread creation in the baseline policy.

This CL does the following
- Extend RestrictCloneToThreadsAndEPERMFork to support Android.
- Always EPERM anything that looks like fork()
- Add unit tests to the baseline policy related to clone() and fork().

This CL also modifies any other BPF policy so that if clone() was not
restricted before, it remains so. That is, only renderers and PPAPI
processes have clone() restrictions applied to them, as before.

BUG=367986
R=jorgelo@chromium.org, mdempsky@chromium.org

Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=269114

[jln (very slow on Chromium), 2014-05-08 21:18:05]

Matthew, could you please take a look?

This changes the baseline policy to make clone restrictions the default, but it
also change all existing policies to make sure that clone is still unrestricted
when it was before.

[mdempsky, 2014-05-08 21:42:42]

lgtm

https://chromiumcodereview.appspot.com/270613008/diff/20001/sandbox/linux/sec...
File sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc (right):

https://chromiumcodereview.appspot.com/270613008/diff/20001/sandbox/linux/sec...
sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc:33: PCHECK(pid ==
HANDLE_EINTR(waitpid(pid, &status, 0)));
Could additionally check
  CHECK(WIFEXITED(status));
  CHECK_EQ(1, WIFEXITSTATUS(status));

https://chromiumcodereview.appspot.com/270613008/diff/20001/sandbox/linux/sec...
sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc:61: BPF_ASSERT(-1
== pid);
Use BPF_ASSERT_EQ (here and below) like in FchmodErrno?

https://chromiumcodereview.appspot.com/270613008/diff/20001/sandbox/linux/sec...
File sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
(right):

https://chromiumcodereview.appspot.com/270613008/diff/20001/sandbox/linux/sec...
sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc:80:
sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
This fallback case is shared between !Android and Android.  Maybe worth pulling
out as

  const ErrorCode fallback =
      sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
                    CLONE_VM | CLONE_THREAD,
                    sandbox->Trap(SIGSYSCloneFailure, NULL),
                    ErrorCode(EPERM)));

and then referencing that in both cases?

Not sure if this is any better, or even if it will work.  At your discretion.

[jln (very slow on Chromium), 2014-05-08 21:52:03]

Thanks Matthew.

https://chromiumcodereview.appspot.com/270613008/diff/20001/sandbox/linux/sec...
File sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc (right):

https://chromiumcodereview.appspot.com/270613008/diff/20001/sandbox/linux/sec...
sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc:33: PCHECK(pid ==
HANDLE_EINTR(waitpid(pid, &status, 0)));
On 2014/05/08 21:42:42, mdempsky wrote:
> Could additionally check
>   CHECK(WIFEXITED(status));
>   CHECK_EQ(1, WIFEXITSTATUS(status));

Done.

https://chromiumcodereview.appspot.com/270613008/diff/20001/sandbox/linux/sec...
sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc:61: BPF_ASSERT(-1
== pid);
On 2014/05/08 21:42:42, mdempsky wrote:
> Use BPF_ASSERT_EQ (here and below) like in FchmodErrno?

Done.

https://chromiumcodereview.appspot.com/270613008/diff/20001/sandbox/linux/sec...
File sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
(right):

https://chromiumcodereview.appspot.com/270613008/diff/20001/sandbox/linux/sec...
sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc:80:
sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
On 2014/05/08 21:42:42, mdempsky wrote:
> Not sure if this is any better, or even if it will work.  At your discretion.

I'll punt for now as we've not done that before and I'm not 100% sure it's
tested (even though I can't imagine why it wouldn't work).

[jln (very slow on Chromium), 2014-05-08 21:52:28]

Jorge: do you mind stamping this please?

[mdempsky, 2014-05-08 21:53:55]

https://chromiumcodereview.appspot.com/270613008/diff/60001/sandbox/linux/sec...
File sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc (right):

https://chromiumcodereview.appspot.com/270613008/diff/60001/sandbox/linux/sec...
sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc:78: BPF_ASSERT(-1
== pid);
Sorry, should have been clear that by "and below" I meant throughout the rest of
the file, not just within that one test case. :)

[Jorge Lucangeli Obes, 2014-05-08 21:54:25]

lgtm

[jln (very slow on Chromium), 2014-05-08 21:57:08]

https://chromiumcodereview.appspot.com/270613008/diff/60001/sandbox/linux/sec...
File sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc (right):

https://chromiumcodereview.appspot.com/270613008/diff/60001/sandbox/linux/sec...
sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc:78: BPF_ASSERT(-1
== pid);
On 2014/05/08 21:53:55, mdempsky wrote:
> Sorry, should have been clear that by "and below" I meant throughout the rest
of
> the file, not just within that one test case. :)

Ohh wow, sorry. Done for realz this time.

[mdempsky, 2014-05-08 21:57:49]

On 2014/05/08 21:57:08, jln wrote:
> Ohh wow, sorry. Done for realz this time.

No problem. LGTM :)

[jln (very slow on Chromium), 2014-05-09 00:04:40]

Committed patchset #5 manually as r269114 (presubmit successful).