
Side by Side Diff: components/nacl/loader/nonsfi/nonsfi_sandbox.cc

Issue 286363003: Non-SFI NaCl: Disallow fancy clock IDs (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Fix test name Created 6 years, 7 months ago
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h" 5 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h"
6 6
7 #include <errno.h> 7 #include <errno.h>
8 #include <fcntl.h> 8 #include <fcntl.h>
9 #include <linux/net.h> 9 #include <linux/net.h>
10 #include <sys/prctl.h> 10 #include <sys/prctl.h>
66 ErrorCode(ErrorCode::ERR_ALLOWED), 66 ErrorCode(ErrorCode::ERR_ALLOWED),
67 sb->Cond(1, ErrorCode::TP_32BIT, 67 sb->Cond(1, ErrorCode::TP_32BIT,
68 ErrorCode::OP_EQUAL, F_SETFL, 68 ErrorCode::OP_EQUAL, F_SETFL,
69 sb->Cond(2, mask_long_type, 69 sb->Cond(2, mask_long_type,
70 ErrorCode::OP_HAS_ANY_BITS, denied_mask, 70 ErrorCode::OP_HAS_ANY_BITS, denied_mask,
71 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL), 71 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL),
72 ErrorCode(ErrorCode::ERR_ALLOWED)), 72 ErrorCode(ErrorCode::ERR_ALLOWED)),
73 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)))); 73 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL))));
74 } 74 }
75 75
76 ErrorCode RestrictClockID(SandboxBPF* sb) {
77 // We allow accessing only CLOCK_MONOTONIC, CLOCK_PROCESS_CPUTIME_ID,
78 // CLOCK_REALTIME, and CLOCK_THREAD_CPUTIME_ID.
Mark Seaborn 2014/05/20 21:21:30 Maybe also say: "Don't allow reading the clocks of
mdempsky 2014/05/20 23:02:51 Done.
79 COMPILE_ASSERT(4 == sizeof(clockid_t), clockid_is_not_32bit);
80 return sb->Cond(0, ErrorCode::TP_32BIT,
81 ErrorCode::OP_EQUAL, CLOCK_MONOTONIC,
82 ErrorCode(ErrorCode::ERR_ALLOWED),
83 sb->Cond(0, ErrorCode::TP_32BIT,
84 ErrorCode::OP_EQUAL, CLOCK_PROCESS_CPUTIME_ID,
85 ErrorCode(ErrorCode::ERR_ALLOWED),
86 sb->Cond(0, ErrorCode::TP_32BIT,
87 ErrorCode::OP_EQUAL, CLOCK_REALTIME,
88 ErrorCode(ErrorCode::ERR_ALLOWED),
89 sb->Cond(0, ErrorCode::TP_32BIT,
90 ErrorCode::OP_EQUAL, CLOCK_THREAD_CPUTIME_ID,
91 ErrorCode(ErrorCode::ERR_ALLOWED),
92 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)))));
93 }
94
76 ErrorCode RestrictClone(SandboxBPF* sb) { 95 ErrorCode RestrictClone(SandboxBPF* sb) {
77 // We allow clone only for new thread creation. 96 // We allow clone only for new thread creation.
78 return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 97 return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
79 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | 98 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
80 CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | 99 CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS |
81 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID, 100 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID,
82 ErrorCode(ErrorCode::ERR_ALLOWED), 101 ErrorCode(ErrorCode::ERR_ALLOWED),
83 sb->Trap(sandbox::SIGSYSCloneFailure, NULL)); 102 sb->Trap(sandbox::SIGSYSCloneFailure, NULL));
84 } 103 }
85 104
205 224
206 ErrorCode NaClNonSfiBPFSandboxPolicy::EvaluateSyscall(SandboxBPF* sb, 225 ErrorCode NaClNonSfiBPFSandboxPolicy::EvaluateSyscall(SandboxBPF* sb,
207 int sysno) const { 226 int sysno) const {
208 switch (sysno) { 227 switch (sysno) {
209 // Allowed syscalls. 228 // Allowed syscalls.
210 #if defined(__i386__) || defined(__arm__) 229 #if defined(__i386__) || defined(__arm__)
211 case __NR__llseek: 230 case __NR__llseek:
212 #elif defined(__x86_64__) 231 #elif defined(__x86_64__)
213 case __NR_lseek: 232 case __NR_lseek:
214 #endif 233 #endif
215 // NaCl runtime exposes clock_gettime and clock_getres to untrusted code.
216 case __NR_clock_getres:
217 case __NR_clock_gettime:
218 case __NR_close: 234 case __NR_close:
219 case __NR_dup: 235 case __NR_dup:
220 case __NR_dup2: 236 case __NR_dup2:
221 case __NR_exit: 237 case __NR_exit:
222 case __NR_exit_group: 238 case __NR_exit_group:
223 #if defined(__i386__) || defined(__arm__) 239 #if defined(__i386__) || defined(__arm__)
224 case __NR_fstat64: 240 case __NR_fstat64:
225 #elif defined(__x86_64__) 241 #elif defined(__x86_64__)
226 case __NR_fstat: 242 case __NR_fstat:
227 #endif 243 #endif
245 // __NR_times needed as clock() is called by CommandBufferHelper, which is 261 // __NR_times needed as clock() is called by CommandBufferHelper, which is
246 // used by NaCl applications that use Pepper's 3D interfaces. 262 // used by NaCl applications that use Pepper's 3D interfaces.
247 // See crbug.com/264856 for details. 263 // See crbug.com/264856 for details.
248 case __NR_times: 264 case __NR_times:
249 case __NR_write: 265 case __NR_write:
250 #if defined(__arm__) 266 #if defined(__arm__)
251 case __ARM_NR_cacheflush: 267 case __ARM_NR_cacheflush:
252 #endif 268 #endif
253 return ErrorCode(ErrorCode::ERR_ALLOWED); 269 return ErrorCode(ErrorCode::ERR_ALLOWED);
254 270
271 case __NR_clock_getres:
272 case __NR_clock_gettime:
273 return RestrictClockID(sb);
274
255 case __NR_clone: 275 case __NR_clone:
256 return RestrictClone(sb); 276 return RestrictClone(sb);
257 277
258 #if defined(__x86_64__) 278 #if defined(__x86_64__)
259 case __NR_fcntl: 279 case __NR_fcntl:
260 #endif 280 #endif
261 #if defined(__i386__) || defined(__arm__) 281 #if defined(__i386__) || defined(__arm__)
262 case __NR_fcntl64: 282 case __NR_fcntl64:
263 #endif 283 #endif
264 return RestrictFcntlCommands(sb); 284 return RestrictFcntlCommands(sb);
310 scoped_ptr<sandbox::SandboxBPFPolicy>( 330 scoped_ptr<sandbox::SandboxBPFPolicy>(
311 new nacl::nonsfi::NaClNonSfiBPFSandboxPolicy())); 331 new nacl::nonsfi::NaClNonSfiBPFSandboxPolicy()));
312 if (!sandbox_is_initialized) 332 if (!sandbox_is_initialized)
313 return false; 333 return false;
314 RunSandboxSanityChecks(); 334 RunSandboxSanityChecks();
315 return true; 335 return true;
316 } 336 }
317 337
318 } // namespace nonsfi 338 } // namespace nonsfi
319 } // namespace nacl 339 } // namespace nacl
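Review bot: The final branch of RestrictClockID (new line 92) traps any clock id outside the four listed constants with CrashSIGSYS_Handler, so a rejected id kills the process instead of failing the call; whether that is the right outcome depends on whether the NaCl runtime validates the clockid it receives from untrusted code before issuing the raw clock_gettime/clock_getres syscall, which is not visible here. If the runtime does not filter first, an untrusted program could reach this trap with an unsupported id and take the process down, and `ErrorCode(EINVAL)` in place of the trap would turn that into an ordinary error return while still denying dynamic per-process and per-thread clock ids. If the crash is deliberate as a bug-detection measure, a one-line comment on line 92 stating that (e.g. `// Any other clock id is a runtime bug: crash rather than return EINVAL.`) would make the intent clear to the next reader. The EvaluateSyscall switch that dispatches to RestrictClockID (new lines 271-273) continues past the end of the visible hunk.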
