| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h" | 5 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <sys/socket.h> | 9 #include <sys/socket.h> |
| 10 #include <sys/stat.h> | 10 #include <sys/stat.h> |
| 28 #include "content/common/sandbox_linux/bpf_renderer_policy_linux.h" | 28 #include "content/common/sandbox_linux/bpf_renderer_policy_linux.h" |
| 29 #include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h" | 29 #include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h" |
| 30 #include "content/common/sandbox_linux/sandbox_linux.h" | 30 #include "content/common/sandbox_linux/sandbox_linux.h" |
| 31 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" | 31 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" |
| 32 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" | 32 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" |
| 33 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" | 33 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" |
| 34 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" | 34 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" |
| 35 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 35 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 36 #include "sandbox/linux/services/linux_syscalls.h" | 36 #include "sandbox/linux/services/linux_syscalls.h" |
| 37 | 37 |
| 38 using namespace sandbox::bpf_dsl; |
| 38 using sandbox::BaselinePolicy; | 39 using sandbox::BaselinePolicy; |
| 39 using sandbox::SyscallSets; | 40 using sandbox::SyscallSets; |
| 40 | 41 |
| 41 #else | 42 #else |
| 42 | 43 |
| 43 // Make sure that seccomp-bpf does not get disabled by mistake. Also make sure | 44 // Make sure that seccomp-bpf does not get disabled by mistake. Also make sure |
| 44 // that we think twice about this when adding a new architecture. | 45 // that we think twice about this when adding a new architecture. |
| 45 #if !defined(ARCH_CPU_MIPS_FAMILY) | 46 #if !defined(ARCH_CPU_MIPS_FAMILY) |
| 46 #error "Seccomp-bpf disabled on supported architecture!" | 47 #error "Seccomp-bpf disabled on supported architecture!" |
| 47 #endif // !defined(ARCH_CPU_MIPS_FAMILY) | 48 #endif // !defined(ARCH_CPU_MIPS_FAMILY) |
| 69 #else | 70 #else |
| 70 return false; | 71 return false; |
| 71 #endif | 72 #endif |
| 72 } | 73 } |
| 73 | 74 |
| 74 class BlacklistDebugAndNumaPolicy : public SandboxBPFBasePolicy { | 75 class BlacklistDebugAndNumaPolicy : public SandboxBPFBasePolicy { |
| 75 public: | 76 public: |
| 76 BlacklistDebugAndNumaPolicy() {} | 77 BlacklistDebugAndNumaPolicy() {} |
| 77 virtual ~BlacklistDebugAndNumaPolicy() {} | 78 virtual ~BlacklistDebugAndNumaPolicy() {} |
| 78 | 79 |
| 79 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, | 80 virtual ResultExpr EvaluateSyscall(int system_call_number) const OVERRIDE; |
| 80 int system_call_number) const OVERRIDE; | |
| 81 | 81 |
| 82 private: | 82 private: |
| 83 DISALLOW_COPY_AND_ASSIGN(BlacklistDebugAndNumaPolicy); | 83 DISALLOW_COPY_AND_ASSIGN(BlacklistDebugAndNumaPolicy); |
| 84 }; | 84 }; |
| 85 | 85 |
| 86 ErrorCode BlacklistDebugAndNumaPolicy::EvaluateSyscall(SandboxBPF* sandbox, | 86 ResultExpr BlacklistDebugAndNumaPolicy::EvaluateSyscall(int sysno) const { |
| 87 int sysno) const { | |
| 88 if (!SandboxBPF::IsValidSyscallNumber(sysno)) { | |
| 89 // TODO(jln) we should not have to do that in a trivial policy. | |
| 90 return ErrorCode(ENOSYS); | |
| 91 } | |
| 92 if (SyscallSets::IsDebug(sysno) || SyscallSets::IsNuma(sysno)) | 87 if (SyscallSets::IsDebug(sysno) || SyscallSets::IsNuma(sysno)) |
| 93 return sandbox->Trap(sandbox::CrashSIGSYS_Handler, NULL); | 88 return Trap(sandbox::CrashSIGSYS_Handler, NULL); |
| 94 | 89 |
| 95 return ErrorCode(ErrorCode::ERR_ALLOWED); | 90 return Allow(); |
| 96 } | 91 } |
| 97 | 92 |
| 98 class AllowAllPolicy : public SandboxBPFBasePolicy { | 93 class AllowAllPolicy : public SandboxBPFBasePolicy { |
| 99 public: | 94 public: |
| 100 AllowAllPolicy() {} | 95 AllowAllPolicy() {} |
| 101 virtual ~AllowAllPolicy() {} | 96 virtual ~AllowAllPolicy() {} |
| 102 | 97 |
| 103 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, | 98 virtual ResultExpr EvaluateSyscall(int system_call_number) const OVERRIDE; |
| 104 int system_call_number) const OVERRIDE; | |
| 105 | 99 |
| 106 private: | 100 private: |
| 107 DISALLOW_COPY_AND_ASSIGN(AllowAllPolicy); | 101 DISALLOW_COPY_AND_ASSIGN(AllowAllPolicy); |
| 108 }; | 102 }; |
| 109 | 103 |
| 110 // Allow all syscalls. | 104 // Allow all syscalls. |
| 111 // This will still deny x32 or IA32 calls in 64 bits mode or | 105 // This will still deny x32 or IA32 calls in 64 bits mode or |
| 112 // 64 bits system calls in compatibility mode. | 106 // 64 bits system calls in compatibility mode. |
| 113 ErrorCode AllowAllPolicy::EvaluateSyscall(SandboxBPF*, int sysno) const { | 107 ResultExpr AllowAllPolicy::EvaluateSyscall(int sysno) const { |
| 114 if (!SandboxBPF::IsValidSyscallNumber(sysno)) { | 108 return Allow(); |
| 115 // TODO(jln) we should not have to do that in a trivial policy. | |
| 116 return ErrorCode(ENOSYS); | |
| 117 } else { | |
| 118 return ErrorCode(ErrorCode::ERR_ALLOWED); | |
| 119 } | |
| 120 } | 109 } |
| 121 | 110 |
| 122 // If a BPF policy is engaged for |process_type|, run a few sanity checks. | 111 // If a BPF policy is engaged for |process_type|, run a few sanity checks. |
| 123 void RunSandboxSanityChecks(const std::string& process_type) { | 112 void RunSandboxSanityChecks(const std::string& process_type) { |
| 124 if (process_type == switches::kRendererProcess || | 113 if (process_type == switches::kRendererProcess || |
| 125 process_type == switches::kWorkerProcess || | 114 process_type == switches::kWorkerProcess || |
| 126 process_type == switches::kGpuProcess || | 115 process_type == switches::kGpuProcess || |
| 127 process_type == switches::kPpapiPluginProcess) { | 116 process_type == switches::kPpapiPluginProcess) { |
| 128 int syscall_ret; | 117 int syscall_ret; |
| 129 errno = 0; | 118 errno = 0; |
| 294 scoped_ptr<sandbox::SandboxBPFPolicy> | 283 scoped_ptr<sandbox::SandboxBPFPolicy> |
| 295 SandboxSeccompBPF::GetBaselinePolicy() { | 284 SandboxSeccompBPF::GetBaselinePolicy() { |
| 296 #if defined(USE_SECCOMP_BPF) | 285 #if defined(USE_SECCOMP_BPF) |
| 297 return scoped_ptr<sandbox::SandboxBPFPolicy>(new BaselinePolicy); | 286 return scoped_ptr<sandbox::SandboxBPFPolicy>(new BaselinePolicy); |
| 298 #else | 287 #else |
| 299 return scoped_ptr<sandbox::SandboxBPFPolicy>(); | 288 return scoped_ptr<sandbox::SandboxBPFPolicy>(); |
| 300 #endif // defined(USE_SECCOMP_BPF) | 289 #endif // defined(USE_SECCOMP_BPF) |
| 301 } | 290 } |
| 302 | 291 |
| 303 } // namespace content | 292 } // namespace content |
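Review bot: The comment above AllowAllPolicy::EvaluateSyscall (new lines 104-106) still promises that x32/IA32 calls in 64-bit mode and 64-bit calls in compatibility mode are denied, but the body is now a bare `return Allow();` — the explicit `IsValidSyscallNumber` → `ENOSYS` branch that used to back that promise on the policy side (old lines 114-116) is gone. Presumably the bpf_dsl compiler now performs the architecture and syscall-range checks before any policy is consulted (dropping the TODO'd check suggests exactly that), but a reader of this sandbox policy cannot tell that from here, so the comment should name where the guarantee lives, e.g. `// Invalid syscall numbers and foreign-ABI calls are expected to be rejected by the bpf_dsl compiler before this policy is consulted; the policy itself does not check them.` The same reliance applies to BlacklistDebugAndNumaPolicy::EvaluateSyscall at new lines 86-91, which carries no comment at all; a one-line comment there stating that it traps debug and NUMA syscalls and allows everything else would make the two trivial policies read consistently.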