| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h" | 5 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <linux/net.h> | 9 #include <linux/net.h> |
| 10 #include <sys/prctl.h> | 10 #include <sys/prctl.h> |
| 66 ErrorCode(ErrorCode::ERR_ALLOWED), | 66 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 67 sb->Cond(1, ErrorCode::TP_32BIT, | 67 sb->Cond(1, ErrorCode::TP_32BIT, |
| 68 ErrorCode::OP_EQUAL, F_SETFL, | 68 ErrorCode::OP_EQUAL, F_SETFL, |
| 69 sb->Cond(2, mask_long_type, | 69 sb->Cond(2, mask_long_type, |
| 70 ErrorCode::OP_HAS_ANY_BITS, denied_mask, | 70 ErrorCode::OP_HAS_ANY_BITS, denied_mask, |
| 71 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL), | 71 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL), |
| 72 ErrorCode(ErrorCode::ERR_ALLOWED)), | 72 ErrorCode(ErrorCode::ERR_ALLOWED)), |
| 73 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)))); | 73 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)))); |
| 74 } | 74 } |
| 75 | 75 |
| 76 ErrorCode RestrictClockID(SandboxBPF* sb) { |
| 77 // We allow accessing only CLOCK_MONOTONIC, CLOCK_PROCESS_CPUTIME_ID, |
| 78 // CLOCK_REALTIME, and CLOCK_THREAD_CPUTIME_ID. In particular, this disallows |
| 79 // access to arbitrary per-{process,thread} CPU-time clock IDs (such as those |
| 80 // returned by {clock,pthread}_getcpuclockid), which can leak information |
| 81 // about the state of the host OS. |
| 82 COMPILE_ASSERT(4 == sizeof(clockid_t), clockid_is_not_32bit); |
| 83 return sb->Cond(0, ErrorCode::TP_32BIT, |
| 84 ErrorCode::OP_EQUAL, CLOCK_MONOTONIC, |
| 85 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 86 sb->Cond(0, ErrorCode::TP_32BIT, |
| 87 ErrorCode::OP_EQUAL, CLOCK_PROCESS_CPUTIME_ID, |
| 88 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 89 sb->Cond(0, ErrorCode::TP_32BIT, |
| 90 ErrorCode::OP_EQUAL, CLOCK_REALTIME, |
| 91 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 92 sb->Cond(0, ErrorCode::TP_32BIT, |
| 93 ErrorCode::OP_EQUAL, CLOCK_THREAD_CPUTIME_ID, |
| 94 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 95 sb->Trap(sandbox::CrashSIGSYS_Handler, NULL))))); |
| 96 } |
| 97 |
| 76 ErrorCode RestrictClone(SandboxBPF* sb) { | 98 ErrorCode RestrictClone(SandboxBPF* sb) { |
| 77 // We allow clone only for new thread creation. | 99 // We allow clone only for new thread creation. |
| 78 return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | 100 return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 79 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | | 101 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | |
| 80 CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | | 102 CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | |
| 81 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID, | 103 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID, |
| 82 ErrorCode(ErrorCode::ERR_ALLOWED), | 104 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 83 sb->Trap(sandbox::SIGSYSCloneFailure, NULL)); | 105 sb->Trap(sandbox::SIGSYSCloneFailure, NULL)); |
| 84 } | 106 } |
| 85 | 107 |
| 205 | 227 |
| 206 ErrorCode NaClNonSfiBPFSandboxPolicy::EvaluateSyscall(SandboxBPF* sb, | 228 ErrorCode NaClNonSfiBPFSandboxPolicy::EvaluateSyscall(SandboxBPF* sb, |
| 207 int sysno) const { | 229 int sysno) const { |
| 208 switch (sysno) { | 230 switch (sysno) { |
| 209 // Allowed syscalls. | 231 // Allowed syscalls. |
| 210 #if defined(__i386__) || defined(__arm__) | 232 #if defined(__i386__) || defined(__arm__) |
| 211 case __NR__llseek: | 233 case __NR__llseek: |
| 212 #elif defined(__x86_64__) | 234 #elif defined(__x86_64__) |
| 213 case __NR_lseek: | 235 case __NR_lseek: |
| 214 #endif | 236 #endif |
| 215 // NaCl runtime exposes clock_gettime and clock_getres to untrusted code. | |
| 216 case __NR_clock_getres: | |
| 217 case __NR_clock_gettime: | |
| 218 case __NR_close: | 237 case __NR_close: |
| 219 case __NR_dup: | 238 case __NR_dup: |
| 220 case __NR_dup2: | 239 case __NR_dup2: |
| 221 case __NR_exit: | 240 case __NR_exit: |
| 222 case __NR_exit_group: | 241 case __NR_exit_group: |
| 223 #if defined(__i386__) || defined(__arm__) | 242 #if defined(__i386__) || defined(__arm__) |
| 224 case __NR_fstat64: | 243 case __NR_fstat64: |
| 225 #elif defined(__x86_64__) | 244 #elif defined(__x86_64__) |
| 226 case __NR_fstat: | 245 case __NR_fstat: |
| 227 #endif | 246 #endif |
| 245 // __NR_times needed as clock() is called by CommandBufferHelper, which is | 264 // __NR_times needed as clock() is called by CommandBufferHelper, which is |
| 246 // used by NaCl applications that use Pepper's 3D interfaces. | 265 // used by NaCl applications that use Pepper's 3D interfaces. |
| 247 // See crbug.com/264856 for details. | 266 // See crbug.com/264856 for details. |
| 248 case __NR_times: | 267 case __NR_times: |
| 249 case __NR_write: | 268 case __NR_write: |
| 250 #if defined(__arm__) | 269 #if defined(__arm__) |
| 251 case __ARM_NR_cacheflush: | 270 case __ARM_NR_cacheflush: |
| 252 #endif | 271 #endif |
| 253 return ErrorCode(ErrorCode::ERR_ALLOWED); | 272 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 254 | 273 |
| 274 case __NR_clock_getres: |
| 275 case __NR_clock_gettime: |
| 276 return RestrictClockID(sb); |
| 277 |
| 255 case __NR_clone: | 278 case __NR_clone: |
| 256 return RestrictClone(sb); | 279 return RestrictClone(sb); |
| 257 | 280 |
| 258 #if defined(__x86_64__) | 281 #if defined(__x86_64__) |
| 259 case __NR_fcntl: | 282 case __NR_fcntl: |
| 260 #endif | 283 #endif |
| 261 #if defined(__i386__) || defined(__arm__) | 284 #if defined(__i386__) || defined(__arm__) |
| 262 case __NR_fcntl64: | 285 case __NR_fcntl64: |
| 263 #endif | 286 #endif |
| 264 return RestrictFcntlCommands(sb); | 287 return RestrictFcntlCommands(sb); |
| 310 scoped_ptr<sandbox::SandboxBPFPolicy>( | 333 scoped_ptr<sandbox::SandboxBPFPolicy>( |
| 311 new nacl::nonsfi::NaClNonSfiBPFSandboxPolicy())); | 334 new nacl::nonsfi::NaClNonSfiBPFSandboxPolicy())); |
| 312 if (!sandbox_is_initialized) | 335 if (!sandbox_is_initialized) |
| 313 return false; | 336 return false; |
| 314 RunSandboxSanityChecks(); | 337 RunSandboxSanityChecks(); |
| 315 return true; | 338 return true; |
| 316 } | 339 } |
| 317 | 340 |
| 318 } // namespace nonsfi | 341 } // namespace nonsfi |
| 319 } // namespace nacl | 342 } // namespace nacl |
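Review bot: The new clock ID allowlist in RestrictClockID (new lines 76-96) is not exercised by anything visible in this change: RunSandboxSanityChecks() at line 337 and the policy's unit tests are not touched here, so a regression that drops CLOCK_MONOTONIC from the chain or lets an unlisted ID through would go unnoticed; if the tests live in a file not shown, ignore this, otherwise add a case asserting that `clock_gettime(CLOCK_MONOTONIC, &ts)` and `clock_getres(CLOCK_PROCESS_CPUTIME_ID, &ts)` succeed under the policy and that an unlisted ID such as `CLOCK_MONOTONIC_RAW` and a `clock_getcpuclockid()`-derived ID raise SIGSYS. The COMPILE_ASSERT on `sizeof(clockid_t)` only covers the C type; on x86_64 the argument arrives in a 64-bit register and the kernel consumes the low 32 bits, so this relies on the TP_32BIT comparison rejecting (not ignoring) non-zero upper bits — the bpf builder's handling is not shown here, so confirm it fails closed. Since the kernel returns EINVAL for unknown clock IDs while this filter kills the process, a line in the RestrictClockID comment would spare the next reader the surprise: `// Unlisted IDs crash the process (SIGSYS) rather than returning EINVAL, matching the other Restrict* helpers in this policy.`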