| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__ | 5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__ |
| 6 #define SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__ | 6 #define SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__ |
| 7 | 7 |
| 8 #include <stddef.h> | 8 #include <stddef.h> |
| 9 #include <sys/types.h> | 9 #include <sys/types.h> |
| 10 #include <sys/wait.h> | 10 #include <sys/wait.h> |
| 11 | 11 |
| 12 #include <algorithm> | 12 #include <algorithm> |
| 13 #include <limits> | 13 #include <limits> |
| 14 #include <map> | 14 #include <map> |
| 15 #include <set> | 15 #include <set> |
| 16 #include <utility> | 16 #include <utility> |
| 17 #include <vector> | 17 #include <vector> |
| 18 | 18 |
| 19 #include "base/compiler_specific.h" | 19 #include "base/compiler_specific.h" |
| 20 #include "base/memory/scoped_ptr.h" | 20 #include "base/memory/scoped_ptr.h" |
| 21 #include "sandbox/linux/seccomp-bpf/die.h" | 21 #include "sandbox/linux/seccomp-bpf/die.h" |
| 22 #include "sandbox/linux/seccomp-bpf/errorcode.h" | 22 #include "sandbox/linux/seccomp-bpf/errorcode.h" |
| 23 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h" | 23 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h" |
| 24 #include "sandbox/linux/seccomp-bpf/trap.h" |
| 24 #include "sandbox/sandbox_export.h" | 25 #include "sandbox/sandbox_export.h" |
| 25 | 26 |
| 26 namespace sandbox { | 27 namespace sandbox { |
| 27 | 28 |
| 28 // This must match the kernel's seccomp_data structure. | |
| 29 struct arch_seccomp_data { | |
| 30 int nr; | |
| 31 uint32_t arch; | |
| 32 uint64_t instruction_pointer; | |
| 33 uint64_t args[6]; | |
| 34 }; | |
| 35 | |
| 36 struct arch_sigsys { | |
| 37 void* ip; | |
| 38 int nr; | |
| 39 unsigned int arch; | |
| 40 }; | |
| 41 | |
| 42 class CodeGen; | 29 class CodeGen; |
| 43 class SandboxBPFPolicy; | 30 class SandboxBPFPolicy; |
| 44 class SandboxUnittestHelper; | 31 class SandboxUnittestHelper; |
| 45 struct Instruction; | 32 struct Instruction; |
| 46 | 33 |
| 47 class SANDBOX_EXPORT SandboxBPF { | 34 class SANDBOX_EXPORT SandboxBPF { |
| 48 public: | 35 public: |
| 49 enum SandboxStatus { | 36 enum SandboxStatus { |
| 50 STATUS_UNKNOWN, // Status prior to calling supportsSeccompSandbox() | 37 STATUS_UNKNOWN, // Status prior to calling supportsSeccompSandbox() |
| 51 STATUS_UNSUPPORTED, // The kernel does not appear to support sandboxing | 38 STATUS_UNSUPPORTED, // The kernel does not appear to support sandboxing |
| (...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 109 // Set the BPF policy as |policy|. Ownership of |policy| is transfered here | 96 // Set the BPF policy as |policy|. Ownership of |policy| is transfered here |
| 110 // to the sandbox object. | 97 // to the sandbox object. |
| 111 void SetSandboxPolicy(SandboxBPFPolicy* policy); | 98 void SetSandboxPolicy(SandboxBPFPolicy* policy); |
| 112 | 99 |
| 113 // We can use ErrorCode to request calling of a trap handler. This method | 100 // We can use ErrorCode to request calling of a trap handler. This method |
| 114 // performs the required wrapping of the callback function into an | 101 // performs the required wrapping of the callback function into an |
| 115 // ErrorCode object. | 102 // ErrorCode object. |
| 116 // The "aux" field can carry a pointer to arbitrary data. See EvaluateSyscall | 103 // The "aux" field can carry a pointer to arbitrary data. See EvaluateSyscall |
| 117 // for a description of how to pass data from SetSandboxPolicy() to a Trap() | 104 // for a description of how to pass data from SetSandboxPolicy() to a Trap() |
| 118 // handler. | 105 // handler. |
| 119 ErrorCode Trap(Trap::TrapFnc fnc, const void* aux); | 106 static ErrorCode Trap(Trap::TrapFnc fnc, const void* aux); |
| 120 | 107 |
| 121 // Calls a user-space trap handler and disables all sandboxing for system | 108 // Calls a user-space trap handler and disables all sandboxing for system |
| 122 // calls made from this trap handler. | 109 // calls made from this trap handler. |
| 123 // This feature is available only if explicitly enabled by the user having | 110 // This feature is available only if explicitly enabled by the user having |
| 124 // set the CHROME_SANDBOX_DEBUGGING environment variable. | 111 // set the CHROME_SANDBOX_DEBUGGING environment variable. |
| 125 // Returns an ET_INVALID ErrorCode, if called when not enabled. | 112 // Returns an ET_INVALID ErrorCode, if called when not enabled. |
| 126 // NOTE: This feature, by definition, disables all security features of | 113 // NOTE: This feature, by definition, disables all security features of |
| 127 // the sandbox. It should never be used in production, but it can be | 114 // the sandbox. It should never be used in production, but it can be |
| 128 // very useful to diagnose code that is incompatible with the sandbox. | 115 // very useful to diagnose code that is incompatible with the sandbox. |
| 129 // If even a single system call returns "UnsafeTrap", the security of | 116 // If even a single system call returns "UnsafeTrap", the security of |
| 130 // entire sandbox should be considered compromised. | 117 // entire sandbox should be considered compromised. |
| 131 ErrorCode UnsafeTrap(Trap::TrapFnc fnc, const void* aux); | 118 static ErrorCode UnsafeTrap(Trap::TrapFnc fnc, const void* aux); |
| 132 | 119 |
| 133 // UnsafeTraps require some syscalls to always be allowed. | 120 // UnsafeTraps require some syscalls to always be allowed. |
| 134 // This helper function returns true for these calls. | 121 // This helper function returns true for these calls. |
| 135 static bool IsRequiredForUnsafeTrap(int sysno); | 122 static bool IsRequiredForUnsafeTrap(int sysno); |
| 136 | 123 |
| 137 // From within an UnsafeTrap() it is often useful to be able to execute | 124 // From within an UnsafeTrap() it is often useful to be able to execute |
| 138 // the system call that triggered the trap. The ForwardSyscall() method | 125 // the system call that triggered the trap. The ForwardSyscall() method |
| 139 // makes this easy. It is more efficient than calling glibc's syscall() | 126 // makes this easy. It is more efficient than calling glibc's syscall() |
| 140 // function, as it avoid the extra round-trip to the signal handler. And | 127 // function, as it avoid the extra round-trip to the signal handler. And |
| 141 // it automatically does the correct thing to report kernel-style error | 128 // it automatically does the correct thing to report kernel-style error |
| (...skipping 21 matching lines...) Expand all Loading... |
| 163 // Legacy variant of CondMaskedEqual that supports a few comparison | 150 // Legacy variant of CondMaskedEqual that supports a few comparison |
| 164 // operations, which get converted into masked-equality comparisons. | 151 // operations, which get converted into masked-equality comparisons. |
| 165 ErrorCode Cond(int argno, | 152 ErrorCode Cond(int argno, |
| 166 ErrorCode::ArgType is_32bit, | 153 ErrorCode::ArgType is_32bit, |
| 167 ErrorCode::Operation op, | 154 ErrorCode::Operation op, |
| 168 uint64_t value, | 155 uint64_t value, |
| 169 const ErrorCode& passed, | 156 const ErrorCode& passed, |
| 170 const ErrorCode& failed); | 157 const ErrorCode& failed); |
| 171 | 158 |
| 172 // Kill the program and print an error message. | 159 // Kill the program and print an error message. |
| 173 ErrorCode Kill(const char* msg); | 160 static ErrorCode Kill(const char* msg); |
| 174 | 161 |
| 175 // This is the main public entry point. It finds all system calls that | 162 // This is the main public entry point. It finds all system calls that |
| 176 // need rewriting, sets up the resources needed by the sandbox, and | 163 // need rewriting, sets up the resources needed by the sandbox, and |
| 177 // enters Seccomp mode. | 164 // enters Seccomp mode. |
| 178 // The calling process must specify its current SandboxThreadState, as a way | 165 // The calling process must specify its current SandboxThreadState, as a way |
| 179 // to tell the sandbox which type of kernel support it should engage. | 166 // to tell the sandbox which type of kernel support it should engage. |
| 180 // It is possible to stack multiple sandboxes by creating separate "Sandbox" | 167 // It is possible to stack multiple sandboxes by creating separate "Sandbox" |
| 181 // objects and calling "StartSandbox()" on each of them. Please note, that | 168 // objects and calling "StartSandbox()" on each of them. Please note, that |
| 182 // this requires special care, though, as newly stacked sandboxes can never | 169 // this requires special care, though, as newly stacked sandboxes can never |
| 183 // relax restrictions imposed by earlier sandboxes. Furthermore, installing | 170 // relax restrictions imposed by earlier sandboxes. Furthermore, installing |
| 184 // a new policy requires making system calls, that might already be | 171 // a new policy requires making system calls, that might already be |
| 185 // disallowed. | 172 // disallowed. |
| 186 // Finally, stacking does add more kernel overhead than having a single | 173 // Finally, stacking does add more kernel overhead than having a single |
| 187 // combined policy. So, it should only be used if there are no alternatives. | 174 // combined policy. So, it should only be used if there are no alternatives. |
| 188 bool StartSandbox(SandboxThreadState thread_state) WARN_UNUSED_RESULT; | 175 bool StartSandbox(SandboxThreadState thread_state) WARN_UNUSED_RESULT; |
| 189 | 176 |
| 190 // Assembles a BPF filter program from the current policy. After calling this | 177 // Assembles a BPF filter program from the current policy. After calling this |
| 191 // function, you must not call any other sandboxing function. | 178 // function, you must not call any other sandboxing function. |
| 192 // Typically, AssembleFilter() is only used by unit tests and by sandbox | 179 // Typically, AssembleFilter() is only used by unit tests and by sandbox |
| 193 // internals. It should not be used by production code. | 180 // internals. It should not be used by production code. |
| 194 // For performance reasons, we normally only run the assembled BPF program | 181 // For performance reasons, we normally only run the assembled BPF program |
| 195 // through the verifier, iff the program was built in debug mode. | 182 // through the verifier, iff the program was built in debug mode. |
| 196 // But by setting "force_verification", the caller can request that the | 183 // But by setting "force_verification", the caller can request that the |
| 197 // verifier is run unconditionally. This is useful for unittests. | 184 // verifier is run unconditionally. This is useful for unittests. |
| 198 Program* AssembleFilter(bool force_verification); | 185 Program* AssembleFilter(bool force_verification); |
| 199 | 186 |
| 200 // Returns the fatal ErrorCode that is used to indicate that somebody | 187 // Returns the fatal ErrorCode that is used to indicate that somebody |
| 201 // attempted to pass a 64bit value in a 32bit system call argument. | 188 // attempted to pass a 64bit value in a 32bit system call argument. |
| 202 // This method is primarily needed for testing purposes. | 189 // This method is primarily needed for testing purposes. |
| 203 ErrorCode Unexpected64bitArgument(); | 190 static ErrorCode Unexpected64bitArgument(); |
| 204 | 191 |
| 205 private: | 192 private: |
| 206 friend class CodeGen; | 193 friend class CodeGen; |
| 207 friend class SandboxUnittestHelper; | 194 friend class SandboxUnittestHelper; |
| 208 friend class ErrorCode; | 195 friend class ErrorCode; |
| 209 | 196 |
| 210 struct Range { | 197 struct Range { |
| 211 Range(uint32_t f, uint32_t t, const ErrorCode& e) | 198 Range(uint32_t f, uint32_t t, const ErrorCode& e) |
| 212 : from(f), to(t), err(e) {} | 199 : from(f), to(t), err(e) {} |
| 213 uint32_t from, to; | 200 uint32_t from, to; |
| (...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 291 scoped_ptr<const SandboxBPFPolicy> policy_; | 278 scoped_ptr<const SandboxBPFPolicy> policy_; |
| 292 Conds* conds_; | 279 Conds* conds_; |
| 293 bool sandbox_has_started_; | 280 bool sandbox_has_started_; |
| 294 | 281 |
| 295 DISALLOW_COPY_AND_ASSIGN(SandboxBPF); | 282 DISALLOW_COPY_AND_ASSIGN(SandboxBPF); |
| 296 }; | 283 }; |
| 297 | 284 |
| 298 } // namespace sandbox | 285 } // namespace sandbox |
| 299 | 286 |
| 300 #endif // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__ | 287 #endif // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 572753002:
Decouple Trap from ErrorCode (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master