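--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
@@ -1,67 +1,65 @@
 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
 #define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
 
 #include <unistd.h>
 
 #include "build/build_config.h"
+#include "sandbox/linux/seccomp-bpf-helpers/bpf_dsl.h"
 #include "sandbox/sandbox_export.h"
 
 // These are helpers to build seccomp-bpf policies, i.e. policies for a
 // sandbox that reduces the Linux kernel's attack surface. They return an
 // SANDBOX_EXPORT ErrorCode suitable to restrict certain system call parameters.
 
 namespace sandbox {
 
-class ErrorCode;
-class SandboxBPF;
-
 // Allow clone(2) for threads.
 // Reject fork(2) attempts with EPERM.
 // Don't restrict on ASAN.
 // Crash if anything else is attempted.
-SANDBOX_EXPORT ErrorCode
-    RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox);
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictCloneToThreadsAndEPERMFork();
 
 // Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE.
 // Crash if anything else is attempted.
-SANDBOX_EXPORT ErrorCode RestrictPrctl(SandboxBPF* sandbox);
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictPrctl();
 
 // Allow TCGETS and FIONREAD.
 // Crash if anything else is attempted.
-SANDBOX_EXPORT ErrorCode RestrictIoctl(SandboxBPF* sandbox);
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictIoctl();
 
 // Restrict the flags argument in mmap(2).
 // Only allow: MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
 // MAP_STACK | MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE.
 // Crash if any other flag is used.
-SANDBOX_EXPORT ErrorCode RestrictMmapFlags(SandboxBPF* sandbox);
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMmapFlags();
 
 // Restrict the prot argument in mprotect(2).
 // Only allow: PROT_READ | PROT_WRITE | PROT_EXEC.
-SANDBOX_EXPORT ErrorCode RestrictMprotectFlags(SandboxBPF* sandbox);
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMprotectFlags();
 
 // Restrict fcntl(2) cmd argument to:
 // We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC,
 // F_SETLK, F_SETLKW and F_GETLK.
 // Also, in F_SETFL, restrict the allowed flags to: O_ACCMODE | O_APPEND |
 // O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME.
-SANDBOX_EXPORT ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox);
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictFcntlCommands();
 
 #if defined(__i386__)
 // Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2),
 // sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2).
-SANDBOX_EXPORT ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox);
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictSocketcallCommand();
 #endif
 
 // Restrict |sysno| (which must be kill, tkill or tgkill) by allowing tgkill or
 // kill iff the first parameter is |target_pid|, crashing otherwise or if
 // |sysno| is tkill.
-ErrorCode RestrictKillTarget(pid_t target_pid, SandboxBPF* sandbox, int sysno);
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictKillTarget(pid_t target_pid,
+                                                      int sysno);
 
 }  // namespace sandbox.
 
 #endif  // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_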
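Review bot: The file-level comment on new lines 15-16 is now stale: it still says the helpers "return an SANDBOX_EXPORT ErrorCode", while every declaration below it has been changed to return `bpf_dsl::ResultExpr` and no longer takes a `SandboxBPF*`. Since this header is the reference a policy author reads to decide which restriction to compose into a seccomp-bpf policy, the description of what these helpers hand back should match the new DSL form; I would rewrite the sentence as `// sandbox that reduces the Linux kernel's attack surface. They return a` / `// bpf_dsl::ResultExpr suitable to restrict certain system call parameters.`. Separately, dropping the `class ErrorCode;` and `class SandboxBPF;` forward declarations means any policy source that relied on this header for those names must now include their own headers; presumably the new `bpf_dsl.h` include covers `ResultExpr`, but that is worth checking in the callers, which are outside this diff.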