| Index: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
|
| diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..bf9909c6302b3a5e8fa18759c27e37e0c4c314f3
|
| --- /dev/null
|
| +++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
|
| @@ -0,0 +1,92 @@
|
| +// Copyright (c) 2013 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
|
| +#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
|
| +
|
| +#include <unistd.h>
|
| +
|
| +#include "build/build_config.h"
|
| +#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
|
| +#include "sandbox/sandbox_export.h"
|
| +
|
| +// These are helpers to build seccomp-bpf policies, i.e. policies for a
|
| +// sandbox that reduces the Linux kernel's attack surface. They return a
|
| +// bpf_dsl::ResultExpr suitable to restrict certain system call parameters.
|
| +
|
| +namespace sandbox {
|
| +
|
| +// Allow clone(2) for threads.
|
| +// Reject fork(2) attempts with EPERM.
|
| +// Don't restrict on ASAN.
|
| +// Crash if anything else is attempted.
|
| +SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictCloneToThreadsAndEPERMFork();
|
| +
|
| +// Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE.
|
| +// Crash if anything else is attempted.
|
| +SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictPrctl();
|
| +
|
| +// Allow TCGETS and FIONREAD.
|
| +// Crash if anything else is attempted.
|
| +SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictIoctl();
|
| +
|
| +// Restrict the flags argument in mmap(2).
|
| +// Only allow: MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
|
| +// MAP_STACK | MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE.
|
| +// Crash if any other flag is used.
|
| +SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMmapFlags();
|
| +
|
| +// Restrict the prot argument in mprotect(2).
|
| +// Only allow: PROT_READ | PROT_WRITE | PROT_EXEC.
|
| +SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMprotectFlags();
|
| +
|
| +// Restrict fcntl(2) cmd argument to:
|
| +// We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC,
|
| +// F_SETLK, F_SETLKW and F_GETLK.
|
| +// Also, in F_SETFL, restrict the allowed flags to: O_ACCMODE | O_APPEND |
|
| +// O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME.
|
| +SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictFcntlCommands();
|
| +
|
| +#if defined(__i386__) || defined(__mips__)
|
| +// Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2),
|
| +// sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2).
|
| +SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictSocketcallCommand();
|
| +#endif
|
| +
|
| +// Restrict |sysno| (which must be kill, tkill or tgkill) by allowing tgkill or
|
| +// kill iff the first parameter is |target_pid|, crashing otherwise or if
|
| +// |sysno| is tkill.
|
| +SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictKillTarget(pid_t target_pid,
|
| + int sysno);
|
| +
|
| +// Crash if FUTEX_CMP_REQUEUE_PI is used in the second argument of futex(2).
|
| +SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictFutex();
|
| +
|
| +// Crash if |which| is not PRIO_PROCESS. EPERM if |who| is not 0, neither
|
| +// |target_pid| while calling setpriority(2) / getpriority(2).
|
| +SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictGetSetpriority(pid_t target_pid);
|
| +
|
| +// Restrict |clk_id| for clock_getres(), clock_gettime() and clock_settime().
|
| +// We allow accessing only CLOCK_MONOTONIC, CLOCK_PROCESS_CPUTIME_ID,
|
| +// CLOCK_REALTIME, and CLOCK_THREAD_CPUTIME_ID. In particular, this disallows
|
| +// access to arbitrary per-{process,thread} CPU-time clock IDs (such as those
|
| +// returned by {clock,pthread}_getcpuclockid), which can leak information
|
| +// about the state of the host OS.
|
| +// On Chrome OS, base::TimeTicks::kClockSystemTrace is also allowed.
|
| +SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictClockID();
|
| +
|
| +// Restricts |pid| for sched_* syscalls which take a pid as the first argument.
|
| +// We only allow calling these syscalls if the pid argument is equal to the pid
|
| +// of the sandboxed process or 0 (indicating the current thread). The following
|
| +// syscalls are supported:
|
| +//
|
| +// sched_getaffinity(), sched_getattr(), sched_getparam(), sched_getscheduler(),
|
| +// sched_rr_get_interval(), sched_setaffinity(), sched_setattr(),
|
| +// sched_setparam(), sched_setscheduler()
|
| +SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictSchedTarget(pid_t target_pid,
|
| + int sysno);
|
| +
|
| +} // namespace sandbox.
|
| +
|
| +#endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
|
|
|
Chromium Code Reviews
Issue 670183003:
Update from chromium 62675d9fb31fb8cedc40f68e78e8445a74f362e7 (Closed)
Base URL: git@github.com:domokit/mojo.git@master