Chromium Code Reviews Chromium Code Reviews
Issue 296703007:
Linux Sandbox: run all BaselinePolicy tests with sanitizers. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" | 5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <sys/mman.h> | 8 #include <sys/mman.h> |
| 9 #include <sys/socket.h> | 9 #include <sys/socket.h> |
| 10 #include <sys/syscall.h> | 10 #include <sys/syscall.h> |
| (...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 79 SyscallSets::IsArmPciConfig(sysno) || | 79 SyscallSets::IsArmPciConfig(sysno) || |
| 80 #endif | 80 #endif |
| 81 SyscallSets::IsTimer(sysno); | 81 SyscallSets::IsTimer(sysno); |
| 82 } | 82 } |
| 83 | 83 |
| 84 // |fs_denied_errno| is the errno return for denied filesystem access. | 84 // |fs_denied_errno| is the errno return for denied filesystem access. |
| 85 ErrorCode EvaluateSyscallImpl(int fs_denied_errno, | 85 ErrorCode EvaluateSyscallImpl(int fs_denied_errno, |
| 86 pid_t current_pid, | 86 pid_t current_pid, |
| 87 SandboxBPF* sandbox, | 87 SandboxBPF* sandbox, |
| 88 int sysno) { | 88 int sysno) { |
| 89 #if defined(ADDRESS_SANITIZER) | 89 #if defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) || \ |
| 90 defined(MEMORY_SANITIZER) | |
| 91 // TCGETS is required by the sanitizers on failure. | |
| 92 if (sysno == __NR_ioctl) { | |
| 93 return RestrictIoctl(sandbox); | |
| 94 } | |
| 95 | |
| 96 if (sysno == __NR_sched_getaffinity) { | |
| 97 return ErrorCode(ErrorCode::ERR_ALLOWED); | |
| 98 } | |
| 99 | |
| 90 if (sysno == __NR_sigaltstack) { | 100 if (sysno == __NR_sigaltstack) { |
| 91 // Required for better stack overflow detection in ASan. Disallowed in | 101 // Required for better stack overflow detection in ASan. Disallowed in |
|
mdempsky
2014/05/21 00:11:13
Is this needed for tsan/msan too? If so, update t
jln (very slow on Chromium)
2014/05/21 00:14:41
It's (afaik) not a strict requirement for TSAN/MSA
| |
| 92 // non-ASan builds. | 102 // non-ASan builds. |
| 93 return ErrorCode(ErrorCode::ERR_ALLOWED); | 103 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 94 } | 104 } |
| 95 #endif | 105 #endif // defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) || |
| 106 // defined(MEMORY_SANITIZER) | |
| 107 | |
| 96 if (IsBaselinePolicyAllowed(sysno)) { | 108 if (IsBaselinePolicyAllowed(sysno)) { |
| 97 return ErrorCode(ErrorCode::ERR_ALLOWED); | 109 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 98 } | 110 } |
| 99 | 111 |
| 100 if (sysno == __NR_clone) { | 112 if (sysno == __NR_clone) { |
| 101 return RestrictCloneToThreadsAndEPERMFork(sandbox); | 113 return RestrictCloneToThreadsAndEPERMFork(sandbox); |
| 102 } | 114 } |
| 103 | 115 |
| 104 #if defined(__x86_64__) || defined(__arm__) | 116 if (sysno == __NR_fcntl) |
| 105 if (sysno == __NR_socketpair) { | 117 return RestrictFcntlCommands(sandbox); |
| 106 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. | 118 |
| 107 COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); | 119 #if defined(__i386__) || defined(__arm__) |
| 108 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX, | 120 if (sysno == __NR_fcntl64) |
| 109 ErrorCode(ErrorCode::ERR_ALLOWED), | 121 return RestrictFcntlCommands(sandbox); |
| 110 sandbox->Trap(CrashSIGSYS_Handler, NULL)); | |
| 111 } | |
| 112 #endif | 122 #endif |
| 113 | 123 |
| 114 if (sysno == __NR_madvise) { | 124 if (sysno == __NR_madvise) { |
| 115 // Only allow MADV_DONTNEED (aka MADV_FREE). | 125 // Only allow MADV_DONTNEED (aka MADV_FREE). |
| 116 return sandbox->Cond(2, ErrorCode::TP_32BIT, | 126 return sandbox->Cond(2, ErrorCode::TP_32BIT, |
| 117 ErrorCode::OP_EQUAL, MADV_DONTNEED, | 127 ErrorCode::OP_EQUAL, MADV_DONTNEED, |
| 118 ErrorCode(ErrorCode::ERR_ALLOWED), | 128 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 119 ErrorCode(EPERM)); | 129 ErrorCode(EPERM)); |
| 120 } | 130 } |
| 121 | 131 |
| 122 #if defined(__i386__) || defined(__x86_64__) | 132 #if defined(__i386__) || defined(__x86_64__) |
| 123 if (sysno == __NR_mmap) | 133 if (sysno == __NR_mmap) |
| 124 return RestrictMmapFlags(sandbox); | 134 return RestrictMmapFlags(sandbox); |
| 125 #endif | 135 #endif |
| 126 | 136 |
| 127 #if defined(__i386__) || defined(__arm__) | 137 #if defined(__i386__) || defined(__arm__) |
| 128 if (sysno == __NR_mmap2) | 138 if (sysno == __NR_mmap2) |
| 129 return RestrictMmapFlags(sandbox); | 139 return RestrictMmapFlags(sandbox); |
| 130 #endif | 140 #endif |
| 131 | 141 |
| 132 if (sysno == __NR_mprotect) | 142 if (sysno == __NR_mprotect) |
| 133 return RestrictMprotectFlags(sandbox); | 143 return RestrictMprotectFlags(sandbox); |
| 134 | 144 |
| 135 if (sysno == __NR_fcntl) | 145 #if defined(__x86_64__) || defined(__arm__) |
| 136 return RestrictFcntlCommands(sandbox); | 146 if (sysno == __NR_socketpair) { |
| 137 | 147 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. |
| 138 #if defined(__i386__) || defined(__arm__) | 148 COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); |
| 139 if (sysno == __NR_fcntl64) | 149 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX, |
| 140 return RestrictFcntlCommands(sandbox); | 150 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 151 sandbox->Trap(CrashSIGSYS_Handler, NULL)); | |
| 152 } | |
| 141 #endif | 153 #endif |
| 142 | 154 |
| 143 if (SyscallSets::IsKill(sysno)) { | 155 if (SyscallSets::IsKill(sysno)) { |
| 144 return RestrictKillTarget(current_pid, sandbox, sysno); | 156 return RestrictKillTarget(current_pid, sandbox, sysno); |
| 145 } | 157 } |
| 146 | 158 |
| 147 if (SyscallSets::IsFileSystem(sysno) || | 159 if (SyscallSets::IsFileSystem(sysno) || |
| 148 SyscallSets::IsCurrentDirectory(sysno)) { | 160 SyscallSets::IsCurrentDirectory(sysno)) { |
| 149 return ErrorCode(fs_denied_errno); | 161 return ErrorCode(fs_denied_errno); |
| 150 } | 162 } |
| (...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 194 ErrorCode BaselinePolicy::EvaluateSyscall(SandboxBPF* sandbox, | 206 ErrorCode BaselinePolicy::EvaluateSyscall(SandboxBPF* sandbox, |
| 195 int sysno) const { | 207 int sysno) const { |
| 196 // Make sure that this policy is used in the creating process. | 208 // Make sure that this policy is used in the creating process. |
| 197 if (1 == sysno) { | 209 if (1 == sysno) { |
| 198 DCHECK_EQ(syscall(__NR_getpid), current_pid_); | 210 DCHECK_EQ(syscall(__NR_getpid), current_pid_); |
| 199 } | 211 } |
| 200 return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sandbox, sysno); | 212 return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sandbox, sysno); |
| 201 } | 213 } |
| 202 | 214 |
| 203 } // namespace sandbox. | 215 } // namespace sandbox. |
| OLD | NEW |
