| Index: sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
|
| diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..26a15637305d2794ccd552231cc3f5e5727bfb7a
|
| --- /dev/null
|
| +++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
|
| @@ -0,0 +1,299 @@
|
| +// Copyright (c) 2013 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +// Note: any code in this file MUST be async-signal safe.
|
| +
|
| +#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
|
| +
|
| +#include <sys/syscall.h>
|
| +#include <unistd.h>
|
| +
|
| +#include "base/basictypes.h"
|
| +#include "base/logging.h"
|
| +#include "base/posix/eintr_wrapper.h"
|
| +#include "build/build_config.h"
|
| +#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
|
| +#include "sandbox/linux/seccomp-bpf/syscall.h"
|
| +#include "sandbox/linux/services/linux_syscalls.h"
|
| +
|
| +#if defined(__mips__)
|
| +// __NR_Linux, is defined in <asm/unistd.h>.
|
| +#include <asm/unistd.h>
|
| +#endif
|
| +
|
| +#define SECCOMP_MESSAGE_COMMON_CONTENT "seccomp-bpf failure"
|
| +#define SECCOMP_MESSAGE_CLONE_CONTENT "clone() failure"
|
| +#define SECCOMP_MESSAGE_PRCTL_CONTENT "prctl() failure"
|
| +#define SECCOMP_MESSAGE_IOCTL_CONTENT "ioctl() failure"
|
| +#define SECCOMP_MESSAGE_KILL_CONTENT "(tg)kill() failure"
|
| +#define SECCOMP_MESSAGE_FUTEX_CONTENT "futex() failure"
|
| +
|
| +namespace {
|
| +
|
| +inline bool IsArchitectureX86_64() {
|
| +#if defined(__x86_64__)
|
| + return true;
|
| +#else
|
| + return false;
|
| +#endif
|
| +}
|
| +
|
| +// Write |error_message| to stderr. Similar to RawLog(), but a bit more careful
|
| +// about async-signal safety. |size| is the size to write and should typically
|
| +// not include a terminating \0.
|
| +void WriteToStdErr(const char* error_message, size_t size) {
|
| + while (size > 0) {
|
| + // TODO(jln): query the current policy to check if send() is available and
|
| + // use it to perform a non-blocking write.
|
| + const int ret = HANDLE_EINTR(write(STDERR_FILENO, error_message, size));
|
| + // We can't handle any type of error here.
|
| + if (ret <= 0 || static_cast<size_t>(ret) > size) break;
|
| + size -= ret;
|
| + error_message += ret;
|
| + }
|
| +}
|
| +
|
| +// Invalid syscall values are truncated to zero.
|
| +// On architectures where base value is zero (Intel and Arm),
|
| +// syscall number is the same as offset from base.
|
| +// This function returns values between 0 and 1023 on all architectures.
|
| +// On architectures where base value is different than zero (currently only
|
| +// Mips), we are truncating valid syscall values to offset from base.
|
| +uint32_t SyscallNumberToOffsetFromBase(uint32_t sysno) {
|
| +#if defined(__mips__)
|
| + // On MIPS syscall numbers are in different range than on x86 and ARM.
|
| + // Valid MIPS O32 ABI syscall __NR_syscall will be truncated to zero for
|
| + // simplicity.
|
| + sysno = sysno - __NR_Linux;
|
| +#endif
|
| +
|
| + if (sysno >= 1024)
|
| + sysno = 0;
|
| +
|
| + return sysno;
|
| +}
|
| +
|
| +// Print a seccomp-bpf failure to handle |sysno| to stderr in an
|
| +// async-signal safe way.
|
| +void PrintSyscallError(uint32_t sysno) {
|
| + if (sysno >= 1024)
|
| + sysno = 0;
|
| + // TODO(markus): replace with async-signal safe snprintf when available.
|
| + const size_t kNumDigits = 4;
|
| + char sysno_base10[kNumDigits];
|
| + uint32_t rem = sysno;
|
| + uint32_t mod = 0;
|
| + for (int i = kNumDigits - 1; i >= 0; i--) {
|
| + mod = rem % 10;
|
| + rem /= 10;
|
| + sysno_base10[i] = '0' + mod;
|
| + }
|
| +#if defined(__mips__) && (_MIPS_SIM == _MIPS_SIM_ABI32)
|
| + static const char kSeccompErrorPrefix[] = __FILE__
|
| + ":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT " in syscall 4000 + ";
|
| +#else
|
| + static const char kSeccompErrorPrefix[] =
|
| + __FILE__":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT " in syscall ";
|
| +#endif
|
| + static const char kSeccompErrorPostfix[] = "\n";
|
| + WriteToStdErr(kSeccompErrorPrefix, sizeof(kSeccompErrorPrefix) - 1);
|
| + WriteToStdErr(sysno_base10, sizeof(sysno_base10));
|
| + WriteToStdErr(kSeccompErrorPostfix, sizeof(kSeccompErrorPostfix) - 1);
|
| +}
|
| +
|
| +} // namespace.
|
| +
|
| +namespace sandbox {
|
| +
|
| +intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) {
|
| + uint32_t syscall = SyscallNumberToOffsetFromBase(args.nr);
|
| +
|
| + PrintSyscallError(syscall);
|
| +
|
| + // Encode 8-bits of the 1st two arguments too, so we can discern which socket
|
| + // type, which fcntl, ... etc., without being likely to hit a mapped
|
| + // address.
|
| + // Do not encode more bits here without thinking about increasing the
|
| + // likelihood of collision with mapped pages.
|
| + syscall |= ((args.args[0] & 0xffUL) << 12);
|
| + syscall |= ((args.args[1] & 0xffUL) << 20);
|
| + // Purposefully dereference the syscall as an address so it'll show up very
|
| + // clearly and easily in crash dumps.
|
| + volatile char* addr = reinterpret_cast<volatile char*>(syscall);
|
| + *addr = '\0';
|
| + // In case we hit a mapped address, hit the null page with just the syscall,
|
| + // for paranoia.
|
| + syscall &= 0xfffUL;
|
| + addr = reinterpret_cast<volatile char*>(syscall);
|
| + *addr = '\0';
|
| + for (;;)
|
| + _exit(1);
|
| +}
|
| +
|
| +// TODO(jln): refactor the reporting functions.
|
| +
|
| +intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux) {
|
| + static const char kSeccompCloneError[] =
|
| + __FILE__":**CRASHING**:" SECCOMP_MESSAGE_CLONE_CONTENT "\n";
|
| + WriteToStdErr(kSeccompCloneError, sizeof(kSeccompCloneError) - 1);
|
| + // "flags" is the first argument in the kernel's clone().
|
| + // Mark as volatile to be able to find the value on the stack in a minidump.
|
| + volatile uint64_t clone_flags = args.args[0];
|
| + volatile char* addr;
|
| + if (IsArchitectureX86_64()) {
|
| + addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFFFFF);
|
| + *addr = '\0';
|
| + }
|
| + // Hit the NULL page if this fails to fault.
|
| + addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFF);
|
| + *addr = '\0';
|
| + for (;;)
|
| + _exit(1);
|
| +}
|
| +
|
| +intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args,
|
| + void* /* aux */) {
|
| + static const char kSeccompPrctlError[] =
|
| + __FILE__":**CRASHING**:" SECCOMP_MESSAGE_PRCTL_CONTENT "\n";
|
| + WriteToStdErr(kSeccompPrctlError, sizeof(kSeccompPrctlError) - 1);
|
| + // Mark as volatile to be able to find the value on the stack in a minidump.
|
| + volatile uint64_t option = args.args[0];
|
| + volatile char* addr =
|
| + reinterpret_cast<volatile char*>(option & 0xFFF);
|
| + *addr = '\0';
|
| + for (;;)
|
| + _exit(1);
|
| +}
|
| +
|
| +intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args,
|
| + void* /* aux */) {
|
| + static const char kSeccompIoctlError[] =
|
| + __FILE__":**CRASHING**:" SECCOMP_MESSAGE_IOCTL_CONTENT "\n";
|
| + WriteToStdErr(kSeccompIoctlError, sizeof(kSeccompIoctlError) - 1);
|
| + // Make "request" volatile so that we can see it on the stack in a minidump.
|
| + volatile uint64_t request = args.args[1];
|
| + volatile char* addr = reinterpret_cast<volatile char*>(request & 0xFFFF);
|
| + *addr = '\0';
|
| + // Hit the NULL page if this fails.
|
| + addr = reinterpret_cast<volatile char*>(request & 0xFFF);
|
| + *addr = '\0';
|
| + for (;;)
|
| + _exit(1);
|
| +}
|
| +
|
| +intptr_t SIGSYSKillFailure(const struct arch_seccomp_data& args,
|
| + void* /* aux */) {
|
| + static const char kSeccompKillError[] =
|
| + __FILE__":**CRASHING**:" SECCOMP_MESSAGE_KILL_CONTENT "\n";
|
| + WriteToStdErr(kSeccompKillError, sizeof(kSeccompKillError) - 1);
|
| + // Make "request" volatile so that we can see it on the stack in a minidump.
|
| + volatile uint64_t pid = args.args[0];
|
| + volatile char* addr = reinterpret_cast<volatile char*>(pid & 0xFFF);
|
| + *addr = '\0';
|
| + // Hit the NULL page if this fails.
|
| + addr = reinterpret_cast<volatile char*>(pid & 0xFFF);
|
| + *addr = '\0';
|
| + for (;;)
|
| + _exit(1);
|
| +}
|
| +
|
| +intptr_t SIGSYSFutexFailure(const struct arch_seccomp_data& args,
|
| + void* /* aux */) {
|
| + static const char kSeccompFutexError[] =
|
| + __FILE__ ":**CRASHING**:" SECCOMP_MESSAGE_FUTEX_CONTENT "\n";
|
| + WriteToStdErr(kSeccompFutexError, sizeof(kSeccompFutexError) - 1);
|
| + volatile int futex_op = args.args[1];
|
| + volatile char* addr = reinterpret_cast<volatile char*>(futex_op & 0xFFF);
|
| + *addr = '\0';
|
| + for (;;)
|
| + _exit(1);
|
| +}
|
| +
|
| +intptr_t SIGSYSSchedHandler(const struct arch_seccomp_data& args,
|
| + void* aux) {
|
| + switch (args.nr) {
|
| + case __NR_sched_getaffinity:
|
| + case __NR_sched_getattr:
|
| + case __NR_sched_getparam:
|
| + case __NR_sched_getscheduler:
|
| + case __NR_sched_rr_get_interval:
|
| + case __NR_sched_setaffinity:
|
| + case __NR_sched_setattr:
|
| + case __NR_sched_setparam:
|
| + case __NR_sched_setscheduler:
|
| + const pid_t tid = syscall(__NR_gettid);
|
| + // The first argument is the pid. If is our thread id, then replace it
|
| + // with 0, which is equivalent and allowed by the policy.
|
| + if (args.args[0] == static_cast<uint64_t>(tid)) {
|
| + return Syscall::Call(args.nr,
|
| + 0,
|
| + static_cast<intptr_t>(args.args[1]),
|
| + static_cast<intptr_t>(args.args[2]),
|
| + static_cast<intptr_t>(args.args[3]),
|
| + static_cast<intptr_t>(args.args[4]),
|
| + static_cast<intptr_t>(args.args[5]));
|
| + }
|
| + break;
|
| + }
|
| +
|
| + CrashSIGSYS_Handler(args, aux);
|
| +
|
| + // Should never be reached.
|
| + RAW_CHECK(false);
|
| + return -ENOSYS;
|
| +}
|
| +
|
| +bpf_dsl::ResultExpr CrashSIGSYS() {
|
| + return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL);
|
| +}
|
| +
|
| +bpf_dsl::ResultExpr CrashSIGSYSClone() {
|
| + return bpf_dsl::Trap(SIGSYSCloneFailure, NULL);
|
| +}
|
| +
|
| +bpf_dsl::ResultExpr CrashSIGSYSPrctl() {
|
| + return bpf_dsl::Trap(SIGSYSPrctlFailure, NULL);
|
| +}
|
| +
|
| +bpf_dsl::ResultExpr CrashSIGSYSIoctl() {
|
| + return bpf_dsl::Trap(SIGSYSIoctlFailure, NULL);
|
| +}
|
| +
|
| +bpf_dsl::ResultExpr CrashSIGSYSKill() {
|
| + return bpf_dsl::Trap(SIGSYSKillFailure, NULL);
|
| +}
|
| +
|
| +bpf_dsl::ResultExpr CrashSIGSYSFutex() {
|
| + return bpf_dsl::Trap(SIGSYSFutexFailure, NULL);
|
| +}
|
| +
|
| +bpf_dsl::ResultExpr RewriteSchedSIGSYS() {
|
| + return bpf_dsl::Trap(SIGSYSSchedHandler, NULL);
|
| +}
|
| +
|
| +const char* GetErrorMessageContentForTests() {
|
| + return SECCOMP_MESSAGE_COMMON_CONTENT;
|
| +}
|
| +
|
| +const char* GetCloneErrorMessageContentForTests() {
|
| + return SECCOMP_MESSAGE_CLONE_CONTENT;
|
| +}
|
| +
|
| +const char* GetPrctlErrorMessageContentForTests() {
|
| + return SECCOMP_MESSAGE_PRCTL_CONTENT;
|
| +}
|
| +
|
| +const char* GetIoctlErrorMessageContentForTests() {
|
| + return SECCOMP_MESSAGE_IOCTL_CONTENT;
|
| +}
|
| +
|
| +const char* GetKillErrorMessageContentForTests() {
|
| + return SECCOMP_MESSAGE_KILL_CONTENT;
|
| +}
|
| +
|
| +const char* GetFutexErrorMessageContentForTests() {
|
| + return SECCOMP_MESSAGE_FUTEX_CONTENT;
|
| +}
|
| +
|
| +} // namespace sandbox.
|
|
|
Chromium Code Reviews
Issue 670183003:
Update from chromium 62675d9fb31fb8cedc40f68e78e8445a74f362e7 (Closed)
Base URL: git@github.com:domokit/mojo.git@master