OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/seccomp-bpf/trap.h" | 5 #include "sandbox/linux/seccomp-bpf/trap.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <signal.h> | 8 #include <signal.h> |
9 #include <string.h> | 9 #include <string.h> |
10 #include <sys/prctl.h> | 10 #include <sys/prctl.h> |
(...skipping 150 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
161 // the sigSys() handler. | 161 // the sigSys() handler. |
162 RAW_SANDBOX_DIE("Sanity checks are failing after receiving SIGSYS."); | 162 RAW_SANDBOX_DIE("Sanity checks are failing after receiving SIGSYS."); |
163 } | 163 } |
164 | 164 |
165 intptr_t rc; | 165 intptr_t rc; |
166 if (has_unsafe_traps_ && GetIsInSigHandler(ctx)) { | 166 if (has_unsafe_traps_ && GetIsInSigHandler(ctx)) { |
167 errno = old_errno; | 167 errno = old_errno; |
168 if (sigsys.nr == __NR_clone) { | 168 if (sigsys.nr == __NR_clone) { |
169 RAW_SANDBOX_DIE("Cannot call clone() from an UnsafeTrap() handler."); | 169 RAW_SANDBOX_DIE("Cannot call clone() from an UnsafeTrap() handler."); |
170 } | 170 } |
171 rc = SandboxSyscall(sigsys.nr, | 171 rc = Syscall::Call(sigsys.nr, |
172 SECCOMP_PARM1(ctx), | 172 SECCOMP_PARM1(ctx), |
173 SECCOMP_PARM2(ctx), | 173 SECCOMP_PARM2(ctx), |
174 SECCOMP_PARM3(ctx), | 174 SECCOMP_PARM3(ctx), |
175 SECCOMP_PARM4(ctx), | 175 SECCOMP_PARM4(ctx), |
176 SECCOMP_PARM5(ctx), | 176 SECCOMP_PARM5(ctx), |
177 SECCOMP_PARM6(ctx)); | 177 SECCOMP_PARM6(ctx)); |
178 } else { | 178 } else { |
179 const ErrorCode& err = trap_array_[info->si_errno - 1]; | 179 const ErrorCode& err = trap_array_[info->si_errno - 1]; |
180 if (!err.safe_) { | 180 if (!err.safe_) { |
181 SetIsInSigHandler(); | 181 SetIsInSigHandler(); |
182 } | 182 } |
183 | 183 |
184 // Copy the seccomp-specific data into a arch_seccomp_data structure. This | 184 // Copy the seccomp-specific data into a arch_seccomp_data structure. This |
185 // is what we are showing to TrapFnc callbacks that the system call | 185 // is what we are showing to TrapFnc callbacks that the system call |
186 // evaluator registered with the sandbox. | 186 // evaluator registered with the sandbox. |
187 struct arch_seccomp_data data = { | 187 struct arch_seccomp_data data = { |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
220 ErrorCode Trap::MakeTrap(TrapFnc fnc, const void* aux, bool safe) { | 220 ErrorCode Trap::MakeTrap(TrapFnc fnc, const void* aux, bool safe) { |
221 return GetInstance()->MakeTrapImpl(fnc, aux, safe); | 221 return GetInstance()->MakeTrapImpl(fnc, aux, safe); |
222 } | 222 } |
223 | 223 |
224 ErrorCode Trap::MakeTrapImpl(TrapFnc fnc, const void* aux, bool safe) { | 224 ErrorCode Trap::MakeTrapImpl(TrapFnc fnc, const void* aux, bool safe) { |
225 if (!safe && !SandboxDebuggingAllowedByUser()) { | 225 if (!safe && !SandboxDebuggingAllowedByUser()) { |
226 // Unless the user set the CHROME_SANDBOX_DEBUGGING environment variable, | 226 // Unless the user set the CHROME_SANDBOX_DEBUGGING environment variable, |
227 // we never return an ErrorCode that is marked as "unsafe". This also | 227 // we never return an ErrorCode that is marked as "unsafe". This also |
228 // means, the BPF compiler will never emit code that allow unsafe system | 228 // means, the BPF compiler will never emit code that allow unsafe system |
229 // calls to by-pass the filter (because they use the magic return address | 229 // calls to by-pass the filter (because they use the magic return address |
230 // from SandboxSyscall(-1)). | 230 // from Syscall::Call(-1)). |
231 | 231 |
232 // This SANDBOX_DIE() can optionally be removed. It won't break security, | 232 // This SANDBOX_DIE() can optionally be removed. It won't break security, |
233 // but it might make error messages from the BPF compiler a little harder | 233 // but it might make error messages from the BPF compiler a little harder |
234 // to understand. Removing the SANDBOX_DIE() allows callers to easyly check | 234 // to understand. Removing the SANDBOX_DIE() allows callers to easyly check |
235 // whether unsafe traps are supported (by checking whether the returned | 235 // whether unsafe traps are supported (by checking whether the returned |
236 // ErrorCode is ET_INVALID). | 236 // ErrorCode is ET_INVALID). |
237 SANDBOX_DIE( | 237 SANDBOX_DIE( |
238 "Cannot use unsafe traps unless CHROME_SANDBOX_DEBUGGING " | 238 "Cannot use unsafe traps unless CHROME_SANDBOX_DEBUGGING " |
239 "is enabled"); | 239 "is enabled"); |
240 | 240 |
(...skipping 107 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
348 if (global_trap_ && id > 0 && id <= global_trap_->trap_array_size_) { | 348 if (global_trap_ && id > 0 && id <= global_trap_->trap_array_size_) { |
349 return global_trap_->trap_array_[id - 1]; | 349 return global_trap_->trap_array_[id - 1]; |
350 } else { | 350 } else { |
351 return ErrorCode(); | 351 return ErrorCode(); |
352 } | 352 } |
353 } | 353 } |
354 | 354 |
355 Trap* Trap::global_trap_; | 355 Trap* Trap::global_trap_; |
356 | 356 |
357 } // namespace sandbox | 357 } // namespace sandbox |
OLD | NEW |