sandbox: Add Arm64 support for seccomp-BPF

sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
 
 #include "build/build_config.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 
 namespace sandbox {
@@ skipping 58 matching lines @@
       return false;
   }
 }
 
 // System calls that directly access the file system. They might acquire
 // a new file descriptor or otherwise perform an operation directly
 // via a path.
 // Both EPERM and ENOENT are valid errno unless otherwise noted in comment.
 bool SyscallSets::IsFileSystem(int sysno) {
   switch (sysno) {
+#if !defined(__aarch64__)

[jln (very slow on Chromium), 2014/08/21 19:04:53]

Alphabetical order is important.

But I also understand that having 20 "#if !defined()" would look awful.

How about making two different "sections", separated with a blank line, but
every section would be sorted properly?

[leecam, 2014/08/22 10:44:17]

Done

     case __NR_access:  // EPERM not a valid errno.
     case __NR_chmod:
     case __NR_chown:
 #if defined(__i386__) || defined(__arm__)
     case __NR_chown32:
 #endif
     case __NR_creat:
+    case __NR_futimesat:  // Should be called utimesat ?
+    case __NR_lchown:
+    case __NR_link:
+    case __NR_lstat:  // EPERM not a valid errno.
+    case __NR_mkdir:
+    case __NR_mknod:
+    case __NR_open:
+    case __NR_readlink:  // EPERM not a valid errno.
+    case __NR_rename:
+    case __NR_rmdir:
+    case __NR_stat:  // EPERM not a valid errno.
+    case __NR_symlink:
+    case __NR_unlink:
+    case __NR_uselib:  // Neither EPERM, nor ENOENT are valid errno.
+    case __NR_ustat:   // Same as above. Deprecated.
+    case __NR_utimes:
+#endif
     case __NR_execve:
     case __NR_faccessat:  // EPERM not a valid errno.
     case __NR_fchmodat:
     case __NR_fchownat:  // Should be called chownat ?
-#if defined(__x86_64__)
+#if defined(__x86_64__) || defined(__aarch64__)
     case __NR_newfstatat:  // fstatat(). EPERM not a valid errno.
 #elif defined(__i386__) || defined(__arm__) || defined(__mips__)
     case __NR_fstatat64:
 #endif
-    case __NR_futimesat:  // Should be called utimesat ?
-    case __NR_lchown:
 #if defined(__i386__) || defined(__arm__)
     case __NR_lchown32:
 #endif
-    case __NR_link:
     case __NR_linkat:
     case __NR_lookup_dcookie:  // ENOENT not a valid errno.
-    case __NR_lstat:           // EPERM not a valid errno.
 #if defined(__i386__)
     case __NR_oldlstat:
 #endif
 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
     case __NR_lstat64:
 #endif
-    case __NR_mkdir:
     case __NR_mkdirat:
-    case __NR_mknod:
     case __NR_mknodat:
-    case __NR_open:
     case __NR_openat:
-    case __NR_readlink:  // EPERM not a valid errno.
     case __NR_readlinkat:
-    case __NR_rename:
     case __NR_renameat:
-    case __NR_rmdir:
-    case __NR_stat:  // EPERM not a valid errno.
 #if defined(__i386__)
     case __NR_oldstat:
 #endif
 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
     case __NR_stat64:
 #endif
     case __NR_statfs:  // EPERM not a valid errno.
 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
     case __NR_statfs64:
 #endif
-    case __NR_symlink:
     case __NR_symlinkat:
     case __NR_truncate:
 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
     case __NR_truncate64:
 #endif
-    case __NR_unlink:
     case __NR_unlinkat:
-    case __NR_uselib:  // Neither EPERM, nor ENOENT are valid errno.
-    case __NR_ustat:   // Same as above. Deprecated.
 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
     case __NR_utime:
 #endif
     case __NR_utimensat:  // New.
-    case __NR_utimes:
+
       return true;
     default:
       return false;
   }
 }
 
 bool SyscallSets::IsAllowedFileSystemAccessViaFd(int sysno) {
   switch (sysno) {
     case __NR_fstat:
 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
@@ skipping 13 matching lines @@
     case __NR_fdatasync:  // EPERM not a valid errno.
     case __NR_flock:      // EPERM not a valid errno.
     case __NR_fstatfs:    // Give information about the whole filesystem.
 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
     case __NR_fstatfs64:
 #endif
     case __NR_fsync:  // EPERM not a valid errno.
 #if defined(__i386__)
     case __NR_oldfstat:
 #endif
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+    defined(__aarch64__)
     case __NR_sync_file_range:  // EPERM not a valid errno.
 #elif defined(__arm__)
     case __NR_arm_sync_file_range:  // EPERM not a valid errno.
 #endif
     default:
       return false;
   }
 }
 
 // EPERM is a good errno for any of these.
 bool SyscallSets::IsDeniedFileSystemAccessViaFd(int sysno) {
   switch (sysno) {
     case __NR_fallocate:
     case __NR_fchmod:
     case __NR_fchown:
     case __NR_ftruncate:
 #if defined(__i386__) || defined(__arm__)
     case __NR_fchown32:
 #endif
 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
     case __NR_ftruncate64:
 #endif
+#if !defined(__aarch64__)
     case __NR_getdents:    // EPERM not a valid errno.
+#endif
     case __NR_getdents64:  // EPERM not a valid errno.
 #if defined(__i386__) || defined(__mips__)
     case __NR_readdir:
 #endif
       return true;
     default:
       return false;
   }
 }
 
@@ skipping 55 matching lines @@
 #endif
       return true;
     default:
       return false;
   }
 }
 
 bool SyscallSets::IsProcessGroupOrSession(int sysno) {
   switch (sysno) {
     case __NR_setpgid:
+#if !defined(__aarch64__)
     case __NR_getpgrp:
+#endif
     case __NR_setsid:
     case __NR_getpgid:
       return true;
     default:
       return false;
   }
 }
 
 bool SyscallSets::IsAllowedSignalHandling(int sysno) {
   switch (sysno) {
     case __NR_rt_sigaction:
     case __NR_rt_sigprocmask:
     case __NR_rt_sigreturn:
 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
     case __NR_sigaction:
     case __NR_sigprocmask:
     case __NR_sigreturn:
 #endif
       return true;
     case __NR_rt_sigpending:
     case __NR_rt_sigqueueinfo:
     case __NR_rt_sigsuspend:
     case __NR_rt_sigtimedwait:
     case __NR_rt_tgsigqueueinfo:
     case __NR_sigaltstack:
+#if !defined(__aarch64__)
     case __NR_signalfd:
+#endif
     case __NR_signalfd4:
 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
     case __NR_sigpending:
     case __NR_sigsuspend:
 #endif
 #if defined(__i386__) || defined(__mips__)
     case __NR_signal:
     case __NR_sgetmask:  // Obsolete.
     case __NR_ssetmask:
 #endif
     default:
       return false;
   }
 }
 
 bool SyscallSets::IsAllowedOperationOnFd(int sysno) {
   switch (sysno) {
     case __NR_close:
     case __NR_dup:
+#if !defined(__aarch64__)
     case __NR_dup2:
+#endif
     case __NR_dup3:
-#if defined(__x86_64__) || defined(__arm__) || defined(__mips__)
+#if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \
+    defined(__aarch64__)
     case __NR_shutdown:
 #endif
       return true;
     case __NR_fcntl:
 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
     case __NR_fcntl64:
 #endif
     default:
       return false;
   }
@@ skipping 17 matching lines @@
     case __NR_exit:
     case __NR_exit_group:
     case __NR_wait4:
     case __NR_waitid:
 #if defined(__i386__)
     case __NR_waitpid:
 #endif
       return true;
     case __NR_clone:  // Should be parameter-restricted.
     case __NR_setns:  // Privileged.
+#if !defined(__aarch64__)
     case __NR_fork:
+#endif
 #if defined(__i386__) || defined(__x86_64__)
     case __NR_get_thread_area:
 #endif
 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
     case __NR_set_thread_area:
 #endif
     case __NR_set_tid_address:
     case __NR_unshare:
-#if !defined(__mips__)
+#if !defined(__mips__) && !defined(__aarch64__)
     case __NR_vfork:
 #endif
     default:
       return false;
   }
 }
 
 // It's difficult to restrict those, but there is attack surface here.
 bool SyscallSets::IsAllowedFutex(int sysno) {
   switch (sysno) {
     case __NR_get_robust_list:
     case __NR_set_robust_list:
       return true;
     case __NR_futex:
     default:
       return false;
   }
 }
 
 bool SyscallSets::IsAllowedEpoll(int sysno) {
   switch (sysno) {
+#if !defined(__aarch64__)
     case __NR_epoll_create:
+    case __NR_epoll_wait:
+#endif
     case __NR_epoll_create1:
     case __NR_epoll_ctl:
-    case __NR_epoll_wait:
       return true;
     default:
 #if defined(__x86_64__)
     case __NR_epoll_ctl_old:
 #endif
     case __NR_epoll_pwait:
 #if defined(__x86_64__)
     case __NR_epoll_wait_old:
 #endif
       return false;
   }
 }
 
 bool SyscallSets::IsAllowedGetOrModifySocket(int sysno) {
   switch (sysno) {
+#if !defined(__aarch64__)
     case __NR_pipe:
+#endif
     case __NR_pipe2:
       return true;
     default:
-#if defined(__x86_64__) || defined(__arm__) || defined(__mips__)
+#if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \
+    defined(__aarch64__)
     case __NR_socketpair:  // We will want to inspect its argument.
 #endif
       return false;
   }
 }
 
 bool SyscallSets::IsDeniedGetOrModifySocket(int sysno) {
   switch (sysno) {
-#if defined(__x86_64__) || defined(__arm__) || defined(__mips__)
+#if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \
+    defined(__aarch64__)
     case __NR_accept:
     case __NR_accept4:
     case __NR_bind:
     case __NR_connect:
     case __NR_socket:
     case __NR_listen:
       return true;
 #endif
     default:
       return false;
@@ skipping 29 matching lines @@
 bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
   switch (sysno) {
     case __NR_brk:
     case __NR_mlock:
     case __NR_munlock:
     case __NR_munmap:
       return true;
     case __NR_madvise:
     case __NR_mincore:
     case __NR_mlockall:
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+    defined(__aarch64__)
     case __NR_mmap:
 #endif
 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
     case __NR_mmap2:
 #endif
 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
     case __NR_modify_ldt:
 #endif
     case __NR_mprotect:
     case __NR_mremap:
     case __NR_msync:
     case __NR_munlockall:
     case __NR_readahead:
     case __NR_remap_file_pages:
 #if defined(__i386__)
     case __NR_vm86:
     case __NR_vm86old:
 #endif
     default:
       return false;
   }
 }
 
 bool SyscallSets::IsAllowedGeneralIo(int sysno) {
   switch (sysno) {
     case __NR_lseek:
 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
     case __NR__llseek:
 #endif
+#if !defined(__aarch64__)
     case __NR_poll:
+#endif
     case __NR_ppoll:
     case __NR_pselect6:
     case __NR_read:
     case __NR_readv:
 #if defined(__arm__) || defined(__mips__)
     case __NR_recv:
 #endif
-#if defined(__x86_64__) || defined(__arm__) || defined(__mips__)
+#if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \
+    defined(__aarch64__)
     case __NR_recvfrom:  // Could specify source.
     case __NR_recvmsg:   // Could specify source.
 #endif
 #if defined(__i386__) || defined(__x86_64__)
     case __NR_select:
 #endif
 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
     case __NR__newselect:
 #endif
 #if defined(__arm__)
     case __NR_send:
 #endif
-#if defined(__x86_64__) || defined(__arm__) || defined(__mips__)
+#if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \
+    defined(__aarch64__)
     case __NR_sendmsg:  // Could specify destination.
     case __NR_sendto:   // Could specify destination.
 #endif
     case __NR_write:
     case __NR_writev:
       return true;
     case __NR_ioctl:  // Can be very powerful.
     case __NR_pread64:
     case __NR_preadv:
     case __NR_pwrite64:
@@ skipping 17 matching lines @@
 #if defined(__x86_64__)
     case __NR_arch_prctl:
 #endif
     case __NR_prctl:
       return true;
     default:
       return false;
   }
 }
 
+bool SyscallSets::IsSeccomp(int sysno) {

[jln (very slow on Chromium), 2014/08/21 19:04:53]

I don't think we need this for now, right?

If we "complete" the system call sets, we should also add the 4-5 system calls
that have been added since I last maintained these files and the addition of
seccomp. Let's do that in another CL instead?

[leecam, 2014/08/22 10:44:17]

Moved to another CL

+  switch (sysno) {
+#if defined(__NR_seccomp) && defined(__aarch64__)
+    case __NR_seccomp:
+      return true;
+#endif
+    default:
+      return false;
+  }
+}
+
 bool SyscallSets::IsAllowedBasicScheduler(int sysno) {
   switch (sysno) {
     case __NR_sched_yield:
+#if !defined(__aarch64__)
     case __NR_pause:

[jln (very slow on Chromium), 2014/08/21 19:04:53]

I didn't realize that pause() was deprecated. Is it wrapped around
 sigsuspend() in glibc?

[leecam, 2014/08/22 10:44:17]

Yeah glibc just calls sigsuspend(). 

+#endif
     case __NR_nanosleep:
       return true;
     case __NR_getpriority:
 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
     case __NR_nice:
 #endif
     case __NR_setpriority:
     default:
       return false;
   }
@@ skipping 17 matching lines @@
 
 bool SyscallSets::IsKernelModule(int sysno) {
   switch (sysno) {
 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
     case __NR_create_module:
     case __NR_get_kernel_syms:  // Should ENOSYS.
     case __NR_query_module:
 #endif
     case __NR_delete_module:
     case __NR_init_module:
+#if defined(__aarch64__)
+    case __NR_finit_module:

[jln (very slow on Chromium), 2014/08/21 19:04:53]

This is not AARCH64 specific. Maybe add any missing syscalls in another CL?

[leecam, 2014/08/22 10:44:17]

Moved to another CL

+#endif
       return true;
     default:
       return false;
   }
 }
 
 bool SyscallSets::IsGlobalFSViewChange(int sysno) {
   switch (sysno) {
     case __NR_pivot_root:
     case __NR_chroot:
@@ skipping 19 matching lines @@
     default:
       return false;
   }
 }
 
 bool SyscallSets::IsNuma(int sysno) {
   switch (sysno) {
     case __NR_get_mempolicy:
     case __NR_getcpu:
     case __NR_mbind:
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+    defined(__aarch64__)
     case __NR_migrate_pages:
 #endif
     case __NR_move_pages:
     case __NR_set_mempolicy:
       return true;
     default:
       return false;
   }
 }
 
 bool SyscallSets::IsMessageQueue(int sysno) {
   switch (sysno) {
     case __NR_mq_getsetattr:
     case __NR_mq_notify:
     case __NR_mq_open:
     case __NR_mq_timedreceive:
     case __NR_mq_timedsend:
     case __NR_mq_unlink:
       return true;
     default:
       return false;
   }
 }
 
 bool SyscallSets::IsGlobalProcessEnvironment(int sysno) {
   switch (sysno) {
     case __NR_acct:  // Privileged.
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+    defined(__aarch64__)
     case __NR_getrlimit:
 #endif
 #if defined(__i386__) || defined(__arm__)
     case __NR_ugetrlimit:
 #endif
 #if defined(__i386__) || defined(__mips__)
     case __NR_ulimit:
 #endif
     case __NR_getrusage:
     case __NR_personality:  // Can change its personality as well.
     case __NR_prlimit64:    // Like setrlimit / getrlimit.
     case __NR_setrlimit:
     case __NR_times:
       return true;
     default:
       return false;
   }
 }
 
 bool SyscallSets::IsDebug(int sysno) {
   switch (sysno) {
     case __NR_ptrace:
     case __NR_process_vm_readv:
     case __NR_process_vm_writev:
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+    defined(__aarch64__)
     case __NR_kcmp:
 #endif
       return true;
     default:
       return false;
   }
 }
 
 bool SyscallSets::IsGlobalSystemStatus(int sysno) {
   switch (sysno) {
+#if !defined(__aarch64__)
     case __NR__sysctl:
     case __NR_sysfs:
+#endif
     case __NR_sysinfo:
     case __NR_uname:
 #if defined(__i386__)
     case __NR_olduname:
     case __NR_oldolduname:
 #endif
       return true;
     default:
       return false;
   }
 }
 
 bool SyscallSets::IsEventFd(int sysno) {
   switch (sysno) {
+#if !defined(__aarch64__)
     case __NR_eventfd:
+#endif
     case __NR_eventfd2:
       return true;
     default:
       return false;
   }
 }
 
 // Asynchronous I/O API.
 bool SyscallSets::IsAsyncIo(int sysno) {
   switch (sysno) {
@@ skipping 12 matching lines @@
   switch (sysno) {
     case __NR_add_key:
     case __NR_keyctl:
     case __NR_request_key:
       return true;
     default:
       return false;
   }
 }
 
-#if defined(__x86_64__) || defined(__arm__)
+#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
 bool SyscallSets::IsSystemVSemaphores(int sysno) {
   switch (sysno) {
     case __NR_semctl:
     case __NR_semget:
     case __NR_semop:
     case __NR_semtimedop:
       return true;
     default:
       return false;
   }
 }
 #endif
 
-#if defined(__x86_64__) || defined(__arm__)
+#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
 // These give a lot of ambient authority and bypass the setuid sandbox.
 bool SyscallSets::IsSystemVSharedMemory(int sysno) {
   switch (sysno) {
     case __NR_shmat:
     case __NR_shmctl:
     case __NR_shmdt:
     case __NR_shmget:
       return true;
     default:
       return false;
   }
 }
 #endif
 
-#if defined(__x86_64__) || defined(__arm__)
+#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
 bool SyscallSets::IsSystemVMessageQueue(int sysno) {
   switch (sysno) {
     case __NR_msgctl:
     case __NR_msgget:
     case __NR_msgrcv:
     case __NR_msgsnd:
       return true;
     default:
       return false;
   }
 }
 #endif
 
 #if defined(__i386__) || defined(__mips__)
 // Big system V multiplexing system call.
 bool SyscallSets::IsSystemVIpc(int sysno) {
   switch (sysno) {
     case __NR_ipc:
       return true;
     default:
       return false;
   }
 }
 #endif
 
 bool SyscallSets::IsAnySystemV(int sysno) {
-#if defined(__x86_64__) || defined(__arm__)
+#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
   return IsSystemVMessageQueue(sysno) || IsSystemVSemaphores(sysno) ||
          IsSystemVSharedMemory(sysno);
 #elif defined(__i386__) || defined(__mips__)
   return IsSystemVIpc(sysno);
 #endif
 }
 
 bool SyscallSets::IsAdvancedScheduler(int sysno) {
   switch (sysno) {
     case __NR_ioprio_get:  // IO scheduler.
     case __NR_ioprio_set:
     case __NR_sched_get_priority_max:
     case __NR_sched_get_priority_min:
     case __NR_sched_getaffinity:
     case __NR_sched_getparam:
     case __NR_sched_getscheduler:
     case __NR_sched_rr_get_interval:
     case __NR_sched_setaffinity:
     case __NR_sched_setparam:
     case __NR_sched_setscheduler:
       return true;
     default:
       return false;
   }
 }
 
 bool SyscallSets::IsInotify(int sysno) {
   switch (sysno) {
     case __NR_inotify_add_watch:
+#if !defined(__aarch64__)
     case __NR_inotify_init:
+#endif
     case __NR_inotify_init1:
     case __NR_inotify_rm_watch:
       return true;
     default:
       return false;
   }
 }
 
 bool SyscallSets::IsFaNotify(int sysno) {
   switch (sysno) {
@@ skipping 86 matching lines @@
 #endif
 #if defined(__x86_64__)
     case __NR_security:
 #endif
 #if defined(__i386__) || defined(__mips__)
     case __NR_stty:
 #endif
 #if defined(__x86_64__)
     case __NR_tuxcall:
 #endif
+#if !defined(__aarch64__)
     case __NR_vserver:
+#endif
       return true;
     default:
       return false;
   }
 }
 
 #if defined(__arm__)
 bool SyscallSets::IsArmPciConfig(int sysno) {
   switch (sysno) {
     case __NR_pciconfig_iobase:
@@ skipping 34 matching lines @@
   switch (sysno) {
     case __NR_sysmips:
     case __NR_unused150:
       return true;
     default:
       return false;
   }
 }
 #endif  // defined(__mips__)
 }  // namespace sandbox.