| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <errno.h> | 5 #include <errno.h> |
| 6 #include <pthread.h> | 6 #include <pthread.h> |
| 7 #include <sched.h> | 7 #include <sched.h> |
| 8 #include <signal.h> | 8 #include <signal.h> |
| 9 #include <sys/prctl.h> | 9 #include <sys/prctl.h> |
| 10 #include <sys/ptrace.h> | 10 #include <sys/ptrace.h> |
| (...skipping 486 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 497 } | 497 } |
| 498 | 498 |
| 499 ErrorCode GreyListedPolicy(SandboxBPF* sandbox, int sysno, int* aux) { | 499 ErrorCode GreyListedPolicy(SandboxBPF* sandbox, int sysno, int* aux) { |
| 500 // Set the global environment for unsafe traps once. | 500 // Set the global environment for unsafe traps once. |
| 501 if (sysno == MIN_SYSCALL) { | 501 if (sysno == MIN_SYSCALL) { |
| 502 EnableUnsafeTraps(); | 502 EnableUnsafeTraps(); |
| 503 } | 503 } |
| 504 | 504 |
| 505 // Some system calls must always be allowed, if our policy wants to make | 505 // Some system calls must always be allowed, if our policy wants to make |
| 506 // use of UnsafeTrap() | 506 // use of UnsafeTrap() |
| 507 if (sysno == __NR_rt_sigprocmask || sysno == __NR_rt_sigreturn | 507 if (SandboxBPF::IsRequiredForUnsafeTrap(sysno)) { |
| 508 #if defined(__NR_sigprocmask) | |
| 509 || | |
| 510 sysno == __NR_sigprocmask | |
| 511 #endif | |
| 512 #if defined(__NR_sigreturn) | |
| 513 || | |
| 514 sysno == __NR_sigreturn | |
| 515 #endif | |
| 516 ) { | |
| 517 return ErrorCode(ErrorCode::ERR_ALLOWED); | 508 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 518 } else if (sysno == __NR_getpid) { | 509 } else if (sysno == __NR_getpid) { |
| 519 // Disallow getpid() | 510 // Disallow getpid() |
| 520 return ErrorCode(EPERM); | 511 return ErrorCode(EPERM); |
| 521 } else if (SandboxBPF::IsValidSyscallNumber(sysno)) { | 512 } else if (SandboxBPF::IsValidSyscallNumber(sysno)) { |
| 522 // Allow (and count) all other system calls. | 513 // Allow (and count) all other system calls. |
| 523 return sandbox->UnsafeTrap(CountSyscalls, aux); | 514 return sandbox->UnsafeTrap(CountSyscalls, aux); |
| 524 } else { | 515 } else { |
| 525 return ErrorCode(ENOSYS); | 516 return ErrorCode(ENOSYS); |
| 526 } | 517 } |
| (...skipping 103 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 630 }; | 621 }; |
| 631 | 622 |
| 632 ErrorCode RedirectAllSyscallsPolicy::EvaluateSyscall(SandboxBPF* sandbox, | 623 ErrorCode RedirectAllSyscallsPolicy::EvaluateSyscall(SandboxBPF* sandbox, |
| 633 int sysno) const { | 624 int sysno) const { |
| 634 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); | 625 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); |
| 635 setenv(kSandboxDebuggingEnv, "t", 0); | 626 setenv(kSandboxDebuggingEnv, "t", 0); |
| 636 Die::SuppressInfoMessages(true); | 627 Die::SuppressInfoMessages(true); |
| 637 | 628 |
| 638 // Some system calls must always be allowed, if our policy wants to make | 629 // Some system calls must always be allowed, if our policy wants to make |
| 639 // use of UnsafeTrap() | 630 // use of UnsafeTrap() |
| 640 if (sysno == __NR_rt_sigprocmask || sysno == __NR_rt_sigreturn | 631 if (SandboxBPF::IsRequiredForUnsafeTrap(sysno)) |
| 641 #if defined(__NR_sigprocmask) | |
| 642 || | |
| 643 sysno == __NR_sigprocmask | |
| 644 #endif | |
| 645 #if defined(__NR_sigreturn) | |
| 646 || | |
| 647 sysno == __NR_sigreturn | |
| 648 #endif | |
| 649 ) { | |
| 650 return ErrorCode(ErrorCode::ERR_ALLOWED); | 632 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 651 } | |
| 652 return sandbox->UnsafeTrap(AllowRedirectedSyscall, NULL); | 633 return sandbox->UnsafeTrap(AllowRedirectedSyscall, NULL); |
| 653 } | 634 } |
| 654 | 635 |
| 655 int bus_handler_fd_ = -1; | 636 int bus_handler_fd_ = -1; |
| 656 | 637 |
| 657 void SigBusHandler(int, siginfo_t* info, void* void_context) { | 638 void SigBusHandler(int, siginfo_t* info, void* void_context) { |
| 658 BPF_ASSERT(write(bus_handler_fd_, "\x55", 1) == 1); | 639 BPF_ASSERT(write(bus_handler_fd_, "\x55", 1) == 1); |
| 659 } | 640 } |
| 660 | 641 |
| 661 BPF_TEST_C(SandboxBPF, SigBus, RedirectAllSyscallsPolicy) { | 642 BPF_TEST_C(SandboxBPF, SigBus, RedirectAllSyscallsPolicy) { |
| (...skipping 1592 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2254 #if !defined(THREAD_SANITIZER) | 2235 #if !defined(THREAD_SANITIZER) |
| 2255 SANDBOX_DEATH_TEST(SandboxBPF, StartSingleThreadedAsMultiThreaded, | 2236 SANDBOX_DEATH_TEST(SandboxBPF, StartSingleThreadedAsMultiThreaded, |
| 2256 DEATH_MESSAGE("Cannot start sandbox; process may be single-threaded when " | 2237 DEATH_MESSAGE("Cannot start sandbox; process may be single-threaded when " |
| 2257 "reported as not")) { | 2238 "reported as not")) { |
| 2258 SandboxBPF sandbox; | 2239 SandboxBPF sandbox; |
| 2259 sandbox.SetSandboxPolicy(new AllowAllPolicy()); | 2240 sandbox.SetSandboxPolicy(new AllowAllPolicy()); |
| 2260 BPF_ASSERT(!sandbox.StartSandbox(SandboxBPF::PROCESS_MULTI_THREADED)); | 2241 BPF_ASSERT(!sandbox.StartSandbox(SandboxBPF::PROCESS_MULTI_THREADED)); |
| 2261 } | 2242 } |
| 2262 #endif // !defined(THREAD_SANITIZER) | 2243 #endif // !defined(THREAD_SANITIZER) |
| 2263 | 2244 |
| 2245 // A stub handler for the UnsafeTrap. Never called. |
| 2246 intptr_t NoOpHandler(const struct arch_seccomp_data& args, void*) { |
| 2247 return -1; |
| 2248 } |
| 2249 |
| 2250 class UnsafeTrapWithCondPolicy : public SandboxBPFPolicy { |
| 2251 public: |
| 2252 UnsafeTrapWithCondPolicy() {} |
| 2253 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox, |
| 2254 int sysno) const OVERRIDE { |
| 2255 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); |
| 2256 setenv(kSandboxDebuggingEnv, "t", 0); |
| 2257 Die::SuppressInfoMessages(true); |
| 2258 |
| 2259 if (SandboxBPF::IsRequiredForUnsafeTrap(sysno)) |
| 2260 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 2261 |
| 2262 switch (sysno) { |
| 2263 case __NR_uname: |
| 2264 return sandbox->Cond(0, |
| 2265 ErrorCode::TP_32BIT, |
| 2266 ErrorCode::OP_EQUAL, |
| 2267 0, |
| 2268 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 2269 ErrorCode(EPERM)); |
| 2270 case __NR_setgid: |
| 2271 return sandbox->Cond(0, |
| 2272 ErrorCode::TP_32BIT, |
| 2273 ErrorCode::OP_EQUAL, |
| 2274 100, |
| 2275 ErrorCode(ErrorCode(ENOMEM)), |
| 2276 sandbox->Cond(0, |
| 2277 ErrorCode::TP_32BIT, |
| 2278 ErrorCode::OP_EQUAL, |
| 2279 200, |
| 2280 ErrorCode(ENOSYS), |
| 2281 ErrorCode(EPERM))); |
| 2282 case __NR_close: |
| 2283 case __NR_exit_group: |
| 2284 case __NR_write: |
| 2285 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 2286 case __NR_getppid: |
| 2287 return sandbox->UnsafeTrap(NoOpHandler, NULL); |
| 2288 default: |
| 2289 return ErrorCode(EPERM); |
| 2290 } |
| 2291 } |
| 2292 |
| 2293 private: |
| 2294 DISALLOW_COPY_AND_ASSIGN(UnsafeTrapWithCondPolicy); |
| 2295 }; |
| 2296 |
| 2297 BPF_TEST_C(SandboxBPF, UnsafeTrapWithCond, UnsafeTrapWithCondPolicy) { |
| 2298 BPF_ASSERT_EQ(-1, syscall(__NR_uname, 0)); |
| 2299 BPF_ASSERT_EQ(EFAULT, errno); |
| 2300 |
| 2301 BPF_ASSERT_EQ(-1, syscall(__NR_uname, 1)); |
| 2302 BPF_ASSERT_EQ(EPERM, errno); |
| 2303 |
| 2304 BPF_ASSERT_EQ(-1, syscall(__NR_setgid, 100)); |
| 2305 BPF_ASSERT_EQ(ENOMEM, errno); |
| 2306 |
| 2307 BPF_ASSERT_EQ(-1, syscall(__NR_setgid, 200)); |
| 2308 BPF_ASSERT_EQ(ENOSYS, errno); |
| 2309 |
| 2310 BPF_ASSERT_EQ(-1, syscall(__NR_setgid, 300)); |
| 2311 BPF_ASSERT_EQ(EPERM, errno); |
| 2312 } |
| 2313 |
| 2264 } // namespace | 2314 } // namespace |
| 2265 | 2315 |
| 2266 } // namespace sandbox | 2316 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 524603002:
sandbox: Fix RedirectToUserSpacePolicyWrapper (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master