Linux sandbox: Allow restricting sched_* on other processes.

sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Note: any code in this file MUST be async-signal safe.
 
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 
 #include <unistd.h>
 
 #include "base/basictypes.h"
 #include "base/posix/eintr_wrapper.h"
 #include "build/build_config.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+#include "sandbox/linux/services/linux_syscalls.h"
 
 #if defined(__mips__)
 // __NR_Linux, is defined in <asm/unistd.h>.
 #include <asm/unistd.h>
 #endif
 
 #define SECCOMP_MESSAGE_COMMON_CONTENT "seccomp-bpf failure"
 #define SECCOMP_MESSAGE_CLONE_CONTENT "clone() failure"
 #define SECCOMP_MESSAGE_PRCTL_CONTENT "prctl() failure"
 #define SECCOMP_MESSAGE_IOCTL_CONTENT "ioctl() failure"
@@ skipping 174 matching lines @@
   static const char kSeccompFutexError[] =
       __FILE__ ":**CRASHING**:" SECCOMP_MESSAGE_FUTEX_CONTENT "\n";
   WriteToStdErr(kSeccompFutexError, sizeof(kSeccompFutexError) - 1);
   volatile int futex_op = args.args[1];
   volatile char* addr = reinterpret_cast<volatile char*>(futex_op & 0xFFF);
   *addr = '\0';
   for (;;)
     _exit(1);
 }
 
+intptr_t SIGSYSSchedHandler(const struct arch_seccomp_data& args,
+                            void* aux) {
+  pid_t tid = syscall(__NR_gettid);

[jln (very slow on Chromium), 2014/09/22 21:56:44]

const

[rickyz (no longer on Chrome), 2014/09/23 06:03:20]

Done.

+  if (args.args[0] == (uint64_t) tid) {

[jln (very slow on Chromium), 2014/09/22 21:56:44]

A nit (feel free to ignore), but I find it a tad awkward to check the first
argument before checking for the system call.

Unless we have a bug in our policies we know that the syscall will be one of the
syscalls below, but it feels more natural to me to: 1. check if the syscall is
sched_something, then inspect its first argument. (And in case either fail,
crash).

[jln (very slow on Chromium), 2014/09/22 21:56:44]

style: C++ static_cast

[rickyz (no longer on Chrome), 2014/09/23 06:03:20]

Done.

+    switch (args.nr) {
+      case __NR_sched_getaffinity:
+      case __NR_sched_getattr:
+      case __NR_sched_getparam:
+      case __NR_sched_getscheduler:
+      case __NR_sched_rr_get_interval:
+      case __NR_sched_setaffinity:
+      case __NR_sched_setattr:
+      case __NR_sched_setparam:
+      case __NR_sched_setscheduler:
+        // The first argument the pid
+        return syscall(args.nr,

[jln (very slow on Chromium), 2014/09/22 21:56:44]

glibc's syscall sets errno (which will be discarded by our trap handler anyways)
and returns -1.

The convention for trap handlers is to do like native system calls on Intel and
return -errno.

You could use syscall.h to perform the syscall instead of glibc's.

We also have ForwardSyscall, explicitly for that.

However, I can't remember what the deal is with ForwardSyscall on MIPS (and
perhaps ARM):

nedeljko: is it correct that on MIPS, if an 8 parameters system call traps on
SIGSYS, userland will only see the 6 first parameters and therefore a real
ForwardSyscall is impossible? Or was there some magic where argument 6 and 7
would end-up in the 32 upper bits of argument 4 and 5? We should absolutely
document this behavior better in the ForwardSyscall interface as well as in
trap.h.

Ricky: Given the system calls that you're handling, this may be ok, but you
should quickly check that none of them would trigger parameter 6 and 7 on MIPS.

[rickyz (no longer on Chrome), 2014/09/23 06:03:20]

Ah, good catch - fixed this and added a test that catches it.  Ended up using
Syscall directly to avoid making a copy of arch_seccomp_data.

+                       0,
+                       args.args[1],
+                       args.args[2],
+                       args.args[3],
+                       args.args[4],
+                       args.args[5]);
+    }
+  }
+
+  CrashSIGSYS_Handler(args, aux);
+  NOTREACHED();

[jln (very slow on Chromium), 2014/09/22 21:56:44]

Don't use NOTREACHED() here, as it's not async signal safe. You can do a
RAW_CHECK() instead (This will exist in release builds as well, which IMO is
fine.

[rickyz (no longer on Chrome), 2014/09/23 06:03:20]

Done.

+  return -1;

[jln (very slow on Chromium), 2014/09/22 21:56:44]

return -ENOSYS maybe?

[rickyz (no longer on Chrome), 2014/09/23 06:03:20]

Done.

+}
+
 bpf_dsl::ResultExpr CrashSIGSYS() {
   return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL);
 }
 
 bpf_dsl::ResultExpr CrashSIGSYSClone() {
   return bpf_dsl::Trap(SIGSYSCloneFailure, NULL);
 }
 
 bpf_dsl::ResultExpr CrashSIGSYSPrctl() {
   return bpf_dsl::Trap(SIGSYSPrctlFailure, NULL);
 }
 
 bpf_dsl::ResultExpr CrashSIGSYSIoctl() {
   return bpf_dsl::Trap(SIGSYSIoctlFailure, NULL);
 }
 
 bpf_dsl::ResultExpr CrashSIGSYSKill() {
   return bpf_dsl::Trap(SIGSYSKillFailure, NULL);
 }
 
 bpf_dsl::ResultExpr CrashSIGSYSFutex() {
   return bpf_dsl::Trap(SIGSYSFutexFailure, NULL);
 }
 
+bpf_dsl::ResultExpr RewriteSchedSIGSYS() {
+  return bpf_dsl::Trap(SIGSYSSchedHandler, NULL);
+}
+
 const char* GetErrorMessageContentForTests() {
   return SECCOMP_MESSAGE_COMMON_CONTENT;
 }
 
 const char* GetCloneErrorMessageContentForTests() {
   return SECCOMP_MESSAGE_CLONE_CONTENT;
 }
 
 const char* GetPrctlErrorMessageContentForTests() {
   return SECCOMP_MESSAGE_PRCTL_CONTENT;
 }
 
 const char* GetIoctlErrorMessageContentForTests() {
   return SECCOMP_MESSAGE_IOCTL_CONTENT;
 }
 
 const char* GetKillErrorMessageContentForTests() {
   return SECCOMP_MESSAGE_KILL_CONTENT;
 }
 
 const char* GetFutexErrorMessageContentForTests() {
   return SECCOMP_MESSAGE_FUTEX_CONTENT;
 }
 
 }  // namespace sandbox.