| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" | 5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <sys/mman.h> | 8 #include <sys/mman.h> |
| 9 #include <sys/socket.h> | 9 #include <sys/socket.h> |
| 10 #include <sys/syscall.h> | 10 #include <sys/syscall.h> |
| 11 #include <sys/types.h> | 11 #include <sys/types.h> |
| 12 #include <unistd.h> | 12 #include <unistd.h> |
| 13 | 13 |
| 14 #include "base/logging.h" | 14 #include "base/logging.h" |
| 15 #include "build/build_config.h" | 15 #include "build/build_config.h" |
| 16 #include "sandbox/linux/seccomp-bpf-helpers/bpf_dsl.h" |
| 16 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" | 17 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" |
| 17 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" | 18 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" |
| 18 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" | 19 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" |
| 19 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 20 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 20 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" | 21 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" |
| 21 #include "sandbox/linux/services/linux_syscalls.h" | 22 #include "sandbox/linux/services/linux_syscalls.h" |
| 22 | 23 |
| 23 // Changing this implementation will have an effect on *all* policies. | 24 // Changing this implementation will have an effect on *all* policies. |
| 24 // Currently this means: Renderer/Worker, GPU, Flash and NaCl. | 25 // Currently this means: Renderer/Worker, GPU, Flash and NaCl. |
| 25 | 26 |
| 27 using namespace sandbox::bpf_dsl; |
| 28 |
| 26 namespace sandbox { | 29 namespace sandbox { |
| 27 | 30 |
| 28 namespace { | 31 namespace { |
| 29 | 32 |
| 30 bool IsBaselinePolicyAllowed(int sysno) { | 33 bool IsBaselinePolicyAllowed(int sysno) { |
| 31 return SyscallSets::IsAllowedAddressSpaceAccess(sysno) || | 34 return SyscallSets::IsAllowedAddressSpaceAccess(sysno) || |
| 32 SyscallSets::IsAllowedBasicScheduler(sysno) || | 35 SyscallSets::IsAllowedBasicScheduler(sysno) || |
| 33 SyscallSets::IsAllowedEpoll(sysno) || | 36 SyscallSets::IsAllowedEpoll(sysno) || |
| 34 SyscallSets::IsAllowedFileSystemAccessViaFd(sysno) || | 37 SyscallSets::IsAllowedFileSystemAccessViaFd(sysno) || |
| 35 SyscallSets::IsAllowedGeneralIo(sysno) || | 38 SyscallSets::IsAllowedGeneralIo(sysno) || |
| (...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 75 #if defined(__i386__) | 78 #if defined(__i386__) |
| 76 SyscallSets::IsSocketCall(sysno) || | 79 SyscallSets::IsSocketCall(sysno) || |
| 77 #endif | 80 #endif |
| 78 #if defined(__arm__) | 81 #if defined(__arm__) |
| 79 SyscallSets::IsArmPciConfig(sysno) || | 82 SyscallSets::IsArmPciConfig(sysno) || |
| 80 #endif | 83 #endif |
| 81 SyscallSets::IsTimer(sysno); | 84 SyscallSets::IsTimer(sysno); |
| 82 } | 85 } |
| 83 | 86 |
| 84 // |fs_denied_errno| is the errno return for denied filesystem access. | 87 // |fs_denied_errno| is the errno return for denied filesystem access. |
| 85 ErrorCode EvaluateSyscallImpl(int fs_denied_errno, | 88 ResultExpr EvaluateSyscallImpl(int fs_denied_errno, |
| 86 pid_t current_pid, | 89 pid_t current_pid, |
| 87 SandboxBPF* sandbox, | 90 int sysno) { |
| 88 int sysno) { | |
| 89 #if defined(ADDRESS_SANITIZER) | 91 #if defined(ADDRESS_SANITIZER) |
| 90 if (sysno == __NR_sigaltstack) { | 92 if (sysno == __NR_sigaltstack) { |
| 91 // Required for better stack overflow detection in ASan. Disallowed in | 93 // Required for better stack overflow detection in ASan. Disallowed in |
| 92 // non-ASan builds. | 94 // non-ASan builds. |
| 93 return ErrorCode(ErrorCode::ERR_ALLOWED); | 95 return Allow(); |
| 94 } | 96 } |
| 95 #endif | 97 #endif |
| 96 if (IsBaselinePolicyAllowed(sysno)) { | 98 if (IsBaselinePolicyAllowed(sysno)) { |
| 97 return ErrorCode(ErrorCode::ERR_ALLOWED); | 99 return Allow(); |
| 98 } | 100 } |
| 99 | 101 |
| 100 if (sysno == __NR_clone) { | 102 if (sysno == __NR_clone) { |
| 101 return RestrictCloneToThreadsAndEPERMFork(sandbox); | 103 return RestrictCloneToThreadsAndEPERMFork(); |
| 102 } | 104 } |
| 103 | 105 |
| 104 #if defined(__x86_64__) || defined(__arm__) | 106 #if defined(__x86_64__) || defined(__arm__) |
| 105 if (sysno == __NR_socketpair) { | 107 if (sysno == __NR_socketpair) { |
| 106 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. | 108 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. |
| 107 COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); | 109 COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); |
| 108 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX, | 110 const Arg<int> domain_arg(0); |
| 109 ErrorCode(ErrorCode::ERR_ALLOWED), | 111 return If(domain_arg == AF_UNIX).Then( |
| 110 sandbox->Trap(CrashSIGSYS_Handler, NULL)); | 112 Allow() |
| 113 ).Else( |
| 114 bpf_dsl::Trap(CrashSIGSYS_Handler, NULL) |
| 115 ); |
| 111 } | 116 } |
| 112 #endif | 117 #endif |
| 113 | 118 |
| 114 if (sysno == __NR_madvise) { | 119 if (sysno == __NR_madvise) { |
| 115 // Only allow MADV_DONTNEED (aka MADV_FREE). | 120 // Only allow MADV_DONTNEED (aka MADV_FREE). |
| 116 return sandbox->Cond(2, ErrorCode::TP_32BIT, | 121 const Arg<int> advice_arg(2); |
| 117 ErrorCode::OP_EQUAL, MADV_DONTNEED, | 122 return If(advice_arg == MADV_DONTNEED).Then( |
| 118 ErrorCode(ErrorCode::ERR_ALLOWED), | 123 Allow() |
| 119 ErrorCode(EPERM)); | 124 ).Else( |
| 125 Error(EPERM) |
| 126 ); |
| 120 } | 127 } |
| 121 | 128 |
| 122 #if defined(__i386__) || defined(__x86_64__) | 129 #if defined(__i386__) || defined(__x86_64__) |
| 123 if (sysno == __NR_mmap) | 130 if (sysno == __NR_mmap) |
| 124 return RestrictMmapFlags(sandbox); | 131 return RestrictMmapFlags(); |
| 125 #endif | 132 #endif |
| 126 | 133 |
| 127 #if defined(__i386__) || defined(__arm__) | 134 #if defined(__i386__) || defined(__arm__) |
| 128 if (sysno == __NR_mmap2) | 135 if (sysno == __NR_mmap2) |
| 129 return RestrictMmapFlags(sandbox); | 136 return RestrictMmapFlags(); |
| 130 #endif | 137 #endif |
| 131 | 138 |
| 132 if (sysno == __NR_mprotect) | 139 if (sysno == __NR_mprotect) |
| 133 return RestrictMprotectFlags(sandbox); | 140 return RestrictMprotectFlags(); |
| 134 | 141 |
| 135 if (sysno == __NR_fcntl) | 142 if (sysno == __NR_fcntl) |
| 136 return RestrictFcntlCommands(sandbox); | 143 return RestrictFcntlCommands(); |
| 137 | 144 |
| 138 #if defined(__i386__) || defined(__arm__) | 145 #if defined(__i386__) || defined(__arm__) |
| 139 if (sysno == __NR_fcntl64) | 146 if (sysno == __NR_fcntl64) |
| 140 return RestrictFcntlCommands(sandbox); | 147 return RestrictFcntlCommands(); |
| 141 #endif | 148 #endif |
| 142 | 149 |
| 143 if (SyscallSets::IsKill(sysno)) { | 150 if (SyscallSets::IsKill(sysno)) { |
| 144 return RestrictKillTarget(current_pid, sandbox, sysno); | 151 return RestrictKillTarget(current_pid, sysno); |
| 145 } | 152 } |
| 146 | 153 |
| 147 if (SyscallSets::IsFileSystem(sysno) || | 154 if (SyscallSets::IsFileSystem(sysno) || |
| 148 SyscallSets::IsCurrentDirectory(sysno)) { | 155 SyscallSets::IsCurrentDirectory(sysno)) { |
| 149 return ErrorCode(fs_denied_errno); | 156 return Error(fs_denied_errno); |
| 150 } | 157 } |
| 151 | 158 |
| 152 if (SyscallSets::IsAnySystemV(sysno)) { | 159 if (SyscallSets::IsAnySystemV(sysno)) { |
| 153 return ErrorCode(EPERM); | 160 return Error(EPERM); |
| 154 } | 161 } |
| 155 | 162 |
| 156 if (SyscallSets::IsUmask(sysno) || | 163 if (SyscallSets::IsUmask(sysno) || |
| 157 SyscallSets::IsDeniedFileSystemAccessViaFd(sysno) || | 164 SyscallSets::IsDeniedFileSystemAccessViaFd(sysno) || |
| 158 SyscallSets::IsDeniedGetOrModifySocket(sysno) || | 165 SyscallSets::IsDeniedGetOrModifySocket(sysno) || |
| 159 SyscallSets::IsProcessPrivilegeChange(sysno)) { | 166 SyscallSets::IsProcessPrivilegeChange(sysno)) { |
| 160 return ErrorCode(EPERM); | 167 return Error(EPERM); |
| 161 } | 168 } |
| 162 | 169 |
| 163 #if defined(__i386__) | 170 #if defined(__i386__) |
| 164 if (SyscallSets::IsSocketCall(sysno)) | 171 if (SyscallSets::IsSocketCall(sysno)) |
| 165 return RestrictSocketcallCommand(sandbox); | 172 return RestrictSocketcallCommand(); |
| 166 #endif | 173 #endif |
| 167 | 174 |
| 168 if (IsBaselinePolicyWatched(sysno)) { | 175 if (IsBaselinePolicyWatched(sysno)) { |
| 169 // Previously unseen syscalls. TODO(jln): some of these should | 176 // Previously unseen syscalls. TODO(jln): some of these should |
| 170 // be denied gracefully right away. | 177 // be denied gracefully right away. |
| 171 return sandbox->Trap(CrashSIGSYS_Handler, NULL); | 178 return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL); |
| 172 } | 179 } |
| 173 | 180 |
| 174 // In any other case crash the program with our SIGSYS handler. | 181 // In any other case crash the program with our SIGSYS handler. |
| 175 return sandbox->Trap(CrashSIGSYS_Handler, NULL); | 182 return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL); |
| 176 } | 183 } |
| 177 | 184 |
| 178 } // namespace. | 185 } // namespace. |
| 179 | 186 |
| 180 // Unfortunately C++03 doesn't allow delegated constructors. | 187 // Unfortunately C++03 doesn't allow delegated constructors. |
| 181 // Call other constructor when C++11 lands. | 188 // Call other constructor when C++11 lands. |
| 182 BaselinePolicy::BaselinePolicy() | 189 BaselinePolicy::BaselinePolicy() |
| 183 : fs_denied_errno_(EPERM), current_pid_(syscall(__NR_getpid)) {} | 190 : fs_denied_errno_(EPERM), current_pid_(syscall(__NR_getpid)) {} |
| 184 | 191 |
| 185 BaselinePolicy::BaselinePolicy(int fs_denied_errno) | 192 BaselinePolicy::BaselinePolicy(int fs_denied_errno) |
| 186 : fs_denied_errno_(fs_denied_errno), current_pid_(syscall(__NR_getpid)) {} | 193 : fs_denied_errno_(fs_denied_errno), current_pid_(syscall(__NR_getpid)) {} |
| 187 | 194 |
| 188 BaselinePolicy::~BaselinePolicy() { | 195 BaselinePolicy::~BaselinePolicy() { |
| 189 // Make sure that this policy is created, used and destroyed by a single | 196 // Make sure that this policy is created, used and destroyed by a single |
| 190 // process. | 197 // process. |
| 191 DCHECK_EQ(syscall(__NR_getpid), current_pid_); | 198 DCHECK_EQ(syscall(__NR_getpid), current_pid_); |
| 192 } | 199 } |
| 193 | 200 |
| 194 ErrorCode BaselinePolicy::EvaluateSyscall(SandboxBPF* sandbox, | 201 ResultExpr BaselinePolicy::EvaluateSyscall(int sysno) const { |
| 195 int sysno) const { | |
| 196 // Make sure that this policy is used in the creating process. | 202 // Make sure that this policy is used in the creating process. |
| 197 if (1 == sysno) { | 203 if (1 == sysno) { |
| 198 DCHECK_EQ(syscall(__NR_getpid), current_pid_); | 204 DCHECK_EQ(syscall(__NR_getpid), current_pid_); |
| 199 } | 205 } |
| 200 return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sandbox, sysno); | 206 return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sysno); |
| 201 } | 207 } |
| 202 | 208 |
| 203 } // namespace sandbox. | 209 } // namespace sandbox. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 299683004:
Rewrite all BPF policies to use DSL API
Base URL: svn://svn.chromium.org/chrome/trunk/src