| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf/trap.h" | 5 #include "sandbox/linux/seccomp-bpf/trap.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <signal.h> | 8 #include <signal.h> |
| 9 #include <string.h> | 9 #include <string.h> |
| 10 #include <sys/prctl.h> | 10 #include <sys/prctl.h> |
| 161 // the sigSys() handler. | 161 // the sigSys() handler. |
| 162 RAW_SANDBOX_DIE("Sanity checks are failing after receiving SIGSYS."); | 162 RAW_SANDBOX_DIE("Sanity checks are failing after receiving SIGSYS."); |
| 163 } | 163 } |
| 164 | 164 |
| 165 intptr_t rc; | 165 intptr_t rc; |
| 166 if (has_unsafe_traps_ && GetIsInSigHandler(ctx)) { | 166 if (has_unsafe_traps_ && GetIsInSigHandler(ctx)) { |
| 167 errno = old_errno; | 167 errno = old_errno; |
| 168 if (sigsys.nr == __NR_clone) { | 168 if (sigsys.nr == __NR_clone) { |
| 169 RAW_SANDBOX_DIE("Cannot call clone() from an UnsafeTrap() handler."); | 169 RAW_SANDBOX_DIE("Cannot call clone() from an UnsafeTrap() handler."); |
| 170 } | 170 } |
| 171 rc = SandboxSyscall(sigsys.nr, | 171 rc = Syscall::Call(sigsys.nr, |
| 172 SECCOMP_PARM1(ctx), | 172 SECCOMP_PARM1(ctx), |
| 173 SECCOMP_PARM2(ctx), | 173 SECCOMP_PARM2(ctx), |
| 174 SECCOMP_PARM3(ctx), | 174 SECCOMP_PARM3(ctx), |
| 175 SECCOMP_PARM4(ctx), | 175 SECCOMP_PARM4(ctx), |
| 176 SECCOMP_PARM5(ctx), | 176 SECCOMP_PARM5(ctx), |
| 177 SECCOMP_PARM6(ctx)); | 177 SECCOMP_PARM6(ctx)); |
| 178 } else { | 178 } else { |
| 179 const ErrorCode& err = trap_array_[info->si_errno - 1]; | 179 const ErrorCode& err = trap_array_[info->si_errno - 1]; |
| 180 if (!err.safe_) { | 180 if (!err.safe_) { |
| 181 SetIsInSigHandler(); | 181 SetIsInSigHandler(); |
| 182 } | 182 } |
| 183 | 183 |
| 184 // Copy the seccomp-specific data into a arch_seccomp_data structure. This | 184 // Copy the seccomp-specific data into a arch_seccomp_data structure. This |
| 185 // is what we are showing to TrapFnc callbacks that the system call | 185 // is what we are showing to TrapFnc callbacks that the system call |
| 186 // evaluator registered with the sandbox. | 186 // evaluator registered with the sandbox. |
| 187 struct arch_seccomp_data data = { | 187 struct arch_seccomp_data data = { |
| 220 ErrorCode Trap::MakeTrap(TrapFnc fnc, const void* aux, bool safe) { | 220 ErrorCode Trap::MakeTrap(TrapFnc fnc, const void* aux, bool safe) { |
| 221 return GetInstance()->MakeTrapImpl(fnc, aux, safe); | 221 return GetInstance()->MakeTrapImpl(fnc, aux, safe); |
| 222 } | 222 } |
| 223 | 223 |
| 224 ErrorCode Trap::MakeTrapImpl(TrapFnc fnc, const void* aux, bool safe) { | 224 ErrorCode Trap::MakeTrapImpl(TrapFnc fnc, const void* aux, bool safe) { |
| 225 if (!safe && !SandboxDebuggingAllowedByUser()) { | 225 if (!safe && !SandboxDebuggingAllowedByUser()) { |
| 226 // Unless the user set the CHROME_SANDBOX_DEBUGGING environment variable, | 226 // Unless the user set the CHROME_SANDBOX_DEBUGGING environment variable, |
| 227 // we never return an ErrorCode that is marked as "unsafe". This also | 227 // we never return an ErrorCode that is marked as "unsafe". This also |
| 228 // means, the BPF compiler will never emit code that allow unsafe system | 228 // means, the BPF compiler will never emit code that allow unsafe system |
| 229 // calls to by-pass the filter (because they use the magic return address | 229 // calls to by-pass the filter (because they use the magic return address |
| 230 // from SandboxSyscall(-1)). | 230 // from Syscall::Call(-1)). |
| 231 | 231 |
| 232 // This SANDBOX_DIE() can optionally be removed. It won't break security, | 232 // This SANDBOX_DIE() can optionally be removed. It won't break security, |
| 233 // but it might make error messages from the BPF compiler a little harder | 233 // but it might make error messages from the BPF compiler a little harder |
| 234 // to understand. Removing the SANDBOX_DIE() allows callers to easyly check | 234 // to understand. Removing the SANDBOX_DIE() allows callers to easyly check |
| 235 // whether unsafe traps are supported (by checking whether the returned | 235 // whether unsafe traps are supported (by checking whether the returned |
| 236 // ErrorCode is ET_INVALID). | 236 // ErrorCode is ET_INVALID). |
| 237 SANDBOX_DIE( | 237 SANDBOX_DIE( |
| 238 "Cannot use unsafe traps unless CHROME_SANDBOX_DEBUGGING " | 238 "Cannot use unsafe traps unless CHROME_SANDBOX_DEBUGGING " |
| 239 "is enabled"); | 239 "is enabled"); |
| 240 | 240 |
| 348 if (global_trap_ && id > 0 && id <= global_trap_->trap_array_size_) { | 348 if (global_trap_ && id > 0 && id <= global_trap_->trap_array_size_) { |
| 349 return global_trap_->trap_array_[id - 1]; | 349 return global_trap_->trap_array_[id - 1]; |
| 350 } else { | 350 } else { |
| 351 return ErrorCode(); | 351 return ErrorCode(); |
| 352 } | 352 } |
| 353 } | 353 } |
| 354 | 354 |
| 355 Trap* Trap::global_trap_; | 355 Trap* Trap::global_trap_; |
| 356 | 356 |
| 357 } // namespace sandbox | 357 } // namespace sandbox |