Index: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h |
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h |
new file mode 100644 |
index 0000000000000000000000000000000000000000..bf9909c6302b3a5e8fa18759c27e37e0c4c314f3 |
--- /dev/null |
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h |
@@ -0,0 +1,92 @@ |
+// Copyright (c) 2013 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ |
+#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ |
+ |
+#include <unistd.h> |
+ |
+#include "build/build_config.h" |
+#include "sandbox/linux/bpf_dsl/bpf_dsl.h" |
+#include "sandbox/sandbox_export.h" |
+ |
+// These are helpers to build seccomp-bpf policies, i.e. policies for a |
+// sandbox that reduces the Linux kernel's attack surface. They return a |
+// bpf_dsl::ResultExpr suitable to restrict certain system call parameters. |
+ |
+namespace sandbox { |
+ |
+// Allow clone(2) for threads. |
+// Reject fork(2) attempts with EPERM. |
+// Don't restrict on ASAN. |
+// Crash if anything else is attempted. |
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictCloneToThreadsAndEPERMFork(); |
+ |
+// Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE. |
+// Crash if anything else is attempted. |
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictPrctl(); |
+ |
+// Allow TCGETS and FIONREAD. |
+// Crash if anything else is attempted. |
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictIoctl(); |
+ |
+// Restrict the flags argument in mmap(2). |
+// Only allow: MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | |
+// MAP_STACK | MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE. |
+// Crash if any other flag is used. |
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMmapFlags(); |
+ |
+// Restrict the prot argument in mprotect(2). |
+// Only allow: PROT_READ | PROT_WRITE | PROT_EXEC. |
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMprotectFlags(); |
+ |
+// Restrict fcntl(2) cmd argument to: |
+// We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC, |
+// F_SETLK, F_SETLKW and F_GETLK. |
+// Also, in F_SETFL, restrict the allowed flags to: O_ACCMODE | O_APPEND | |
+// O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME. |
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictFcntlCommands(); |
+ |
+#if defined(__i386__) || defined(__mips__) |
+// Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2), |
+// sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2). |
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictSocketcallCommand(); |
+#endif |
+ |
+// Restrict |sysno| (which must be kill, tkill or tgkill) by allowing tgkill or |
+// kill iff the first parameter is |target_pid|, crashing otherwise or if |
+// |sysno| is tkill. |
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictKillTarget(pid_t target_pid, |
+ int sysno); |
+ |
+// Crash if FUTEX_CMP_REQUEUE_PI is used in the second argument of futex(2). |
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictFutex(); |
+ |
+// Crash if |which| is not PRIO_PROCESS. EPERM if |who| is not 0, neither |
+// |target_pid| while calling setpriority(2) / getpriority(2). |
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictGetSetpriority(pid_t target_pid); |
+ |
+// Restrict |clk_id| for clock_getres(), clock_gettime() and clock_settime(). |
+// We allow accessing only CLOCK_MONOTONIC, CLOCK_PROCESS_CPUTIME_ID, |
+// CLOCK_REALTIME, and CLOCK_THREAD_CPUTIME_ID. In particular, this disallows |
+// access to arbitrary per-{process,thread} CPU-time clock IDs (such as those |
+// returned by {clock,pthread}_getcpuclockid), which can leak information |
+// about the state of the host OS. |
+// On Chrome OS, base::TimeTicks::kClockSystemTrace is also allowed. |
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictClockID(); |
+ |
+// Restricts |pid| for sched_* syscalls which take a pid as the first argument. |
+// We only allow calling these syscalls if the pid argument is equal to the pid |
+// of the sandboxed process or 0 (indicating the current thread). The following |
+// syscalls are supported: |
+// |
+// sched_getaffinity(), sched_getattr(), sched_getparam(), sched_getscheduler(), |
+// sched_rr_get_interval(), sched_setaffinity(), sched_setattr(), |
+// sched_setparam(), sched_setscheduler() |
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictSchedTarget(pid_t target_pid, |
+ int sysno); |
+ |
+} // namespace sandbox. |
+ |
+#endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ |