1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h" | 5 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h" |
6 | 6 |
7 #include "build/build_config.h" | 7 #include "build/build_config.h" |
8 | 8 |
9 #if defined(USE_SECCOMP_BPF) | 9 #if defined(USE_SECCOMP_BPF) |
10 | 10 |
11 #include <errno.h> | 11 #include <errno.h> |
12 #include <signal.h> | 12 #include <signal.h> |
13 #include <sys/ptrace.h> | 13 #include <sys/ptrace.h> |
14 | 14 |
15 #include "base/basictypes.h" | 15 #include "base/basictypes.h" |
16 #include "base/callback.h" | 16 #include "base/callback.h" |
17 #include "base/command_line.h" | |
17 #include "base/compiler_specific.h" | 18 #include "base/compiler_specific.h" |
18 #include "base/logging.h" | 19 #include "base/logging.h" |
19 | 20 |
21 #include "components/nacl/common/nacl_switches.h" | |
20 #include "content/public/common/sandbox_init.h" | 22 #include "content/public/common/sandbox_init.h" |
21 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" | 23 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" |
24 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" | |
22 #include "sandbox/linux/services/linux_syscalls.h" | 25 #include "sandbox/linux/services/linux_syscalls.h" |
23 | 26 |
24 #endif // defined(USE_SECCOMP_BPF) | 27 #endif // defined(USE_SECCOMP_BPF) |
25 | 28 |
26 namespace nacl { | 29 namespace nacl { |
27 | 30 |
28 #if defined(USE_SECCOMP_BPF) | 31 #if defined(USE_SECCOMP_BPF) |
29 | 32 |
30 namespace { | 33 namespace { |
31 | 34 |
32 using sandbox::bpf_dsl::Allow; | 35 using sandbox::bpf_dsl::Allow; |
33 using sandbox::bpf_dsl::Error; | 36 using sandbox::bpf_dsl::Error; |
34 using sandbox::bpf_dsl::ResultExpr; | 37 using sandbox::bpf_dsl::ResultExpr; |
35 | 38 |
36 class NaClBPFSandboxPolicy : public sandbox::bpf_dsl::SandboxBPFDSLPolicy { | 39 class NaClBPFSandboxPolicy : public sandbox::bpf_dsl::SandboxBPFDSLPolicy { |
37 public: | 40 public: |
38 NaClBPFSandboxPolicy() | 41 NaClBPFSandboxPolicy() |
39 : baseline_policy_(content::GetBPFSandboxBaselinePolicy()) {} | 42 : baseline_policy_(content::GetBPFSandboxBaselinePolicy()) {} |
jln (very slow on Chromium)
2014/10/23 22:37:20
NaCl's sandbox policy was based on content/'s base
40 virtual ~NaClBPFSandboxPolicy() {} | 43 virtual ~NaClBPFSandboxPolicy() {} |
41 | 44 |
42 virtual ResultExpr EvaluateSyscall(int system_call_number) const override; | 45 virtual ResultExpr EvaluateSyscall(int system_call_number) const override; |
43 virtual ResultExpr InvalidSyscall() const override { | 46 virtual ResultExpr InvalidSyscall() const override { |
44 return baseline_policy_->InvalidSyscall(); | 47 return baseline_policy_->InvalidSyscall(); |
45 } | 48 } |
46 | 49 |
47 private: | 50 private: |
48 scoped_ptr<sandbox::bpf_dsl::SandboxBPFDSLPolicy> baseline_policy_; | 51 scoped_ptr<sandbox::bpf_dsl::SandboxBPFDSLPolicy> baseline_policy_; |
49 | 52 |
50 DISALLOW_COPY_AND_ASSIGN(NaClBPFSandboxPolicy); | 53 DISALLOW_COPY_AND_ASSIGN(NaClBPFSandboxPolicy); |
51 }; | 54 }; |
52 | 55 |
53 ResultExpr NaClBPFSandboxPolicy::EvaluateSyscall(int sysno) const { | 56 ResultExpr NaClBPFSandboxPolicy::EvaluateSyscall(int sysno) const { |
54 DCHECK(baseline_policy_); | 57 DCHECK(baseline_policy_); |
58 | |
59 const base::CommandLine* command_line = | |
60 base::CommandLine::ForCurrentProcess(); | |
61 if (command_line->HasSwitch(switches::kEnableNaClDebug)) { | |
jln (very slow on Chromium)
2014/10/23 17:51:55
Could you instead have a class variable to record
rickyz (no longer on Chrome)
2014/10/23 20:05:30
Done.
62 switch (sysno) { | |
63 // NaCl's GDB debug stub uses the following socket system calls. We only | |
64 // allow then when --enable-nacl-debug is specified. | |
65 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) | |
66 // transport_common.cc needs this. | |
67 case __NR_accept: | |
68 case __NR_setsockopt: | |
69 return Allow(); | |
70 #elif defined(__i386__) | |
71 case __NR_socketcall: | |
72 return Allow(); | |
73 #endif | |
74 } | |
75 } | |
76 | |
55 switch (sysno) { | 77 switch (sysno) { |
56 // TODO(jln): NaCl's GDB debug stub uses the following socket system calls, | 78 // trusted/service_runtime/linux/thread_suspension.c needs sigwait() |
57 // see if it can be restricted a bit. | |
58 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) | |
59 // transport_common.cc needs this. | |
60 case __NR_accept: | |
61 case __NR_setsockopt: | |
62 #elif defined(__i386__) | |
63 case __NR_socketcall: | |
64 #endif | |
65 // trusted/service_runtime/linux/thread_suspension.c needs sigwait() and is | |
66 // used by NaCl's GDB debug stub. | |
67 case __NR_rt_sigtimedwait: | 79 case __NR_rt_sigtimedwait: |
68 #if defined(__i386__) || defined(__mips__) | 80 #if defined(__i386__) || defined(__mips__) |
69 // Needed on i386 to set-up the custom segments. | 81 // Needed on i386 to set-up the custom segments. |
70 case __NR_modify_ldt: | 82 case __NR_modify_ldt: |
71 #endif | 83 #endif |
72 // NaClAddrSpaceBeforeAlloc needs prlimit64. | 84 // NaClAddrSpaceBeforeAlloc needs prlimit64. |
73 case __NR_prlimit64: | 85 case __NR_prlimit64: |
74 // NaCl uses custom signal stacks. | 86 // NaCl uses custom signal stacks. |
75 case __NR_sigaltstack: | 87 case __NR_sigaltstack: |
76 // Below is fairly similar to the policy for a Chromium renderer. | 88 // Below is fairly similar to the policy for a Chromium renderer. |
77 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) | 89 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
78 case __NR_getrlimit: | 90 case __NR_getrlimit: |
79 #endif | 91 #endif |
80 #if defined(__i386__) || defined(__arm__) | 92 #if defined(__i386__) || defined(__arm__) |
81 case __NR_ugetrlimit: | 93 case __NR_ugetrlimit: |
82 #endif | 94 #endif |
83 // NaCl runtime exposes clock_getres to untrusted code. | 95 // NaCl runtime exposes clock_getres to untrusted code. |
84 case __NR_clock_getres: | 96 case __NR_clock_getres: |
85 // NaCl runtime uses flock to simulate POSIX behavior for pwrite. | 97 // NaCl runtime uses flock to simulate POSIX behavior for pwrite. |
86 case __NR_flock: | 98 case __NR_flock: |
87 case __NR_pread64: | 99 case __NR_pread64: |
88 case __NR_pwrite64: | 100 case __NR_pwrite64: |
89 case __NR_sched_get_priority_max: | 101 case __NR_sched_get_priority_max: |
90 case __NR_sched_get_priority_min: | 102 case __NR_sched_get_priority_min: |
91 case __NR_sched_getaffinity: | |
92 case __NR_sched_getparam: | |
93 case __NR_sched_getscheduler: | |
94 case __NR_sched_setscheduler: | |
95 case __NR_sysinfo: | 103 case __NR_sysinfo: |
96 // __NR_times needed as clock() is called by CommandBufferHelper, which is | 104 // __NR_times needed as clock() is called by CommandBufferHelper, which is |
97 // used by NaCl applications that use Pepper's 3D interfaces. | 105 // used by NaCl applications that use Pepper's 3D interfaces. |
98 // See crbug.com/264856 for details. | 106 // See crbug.com/264856 for details. |
99 case __NR_times: | 107 case __NR_times: |
100 case __NR_uname: | 108 case __NR_uname: |
101 return Allow(); | 109 return Allow(); |
102 case __NR_ioctl: | 110 case __NR_ioctl: |
103 case __NR_ptrace: | 111 case __NR_ptrace: |
104 return Error(EPERM); | 112 return Error(EPERM); |
113 case __NR_sched_getaffinity: | |
114 case __NR_sched_getparam: | |
115 case __NR_sched_getscheduler: | |
116 case __NR_sched_setscheduler: | |
117 return sandbox::RestrictSchedTarget(getpid(), sysno); | |
jln (very slow on Chromium)
2014/10/23 17:51:55
Why not policy_pid() ?
(As a general rule, we sho
rickyz (no longer on Chrome)
2014/10/23 20:05:30
policy_pid isn't exposed via sandbox::bpf_dsl::San
105 default: | 118 default: |
106 return baseline_policy_->EvaluateSyscall(sysno); | 119 return baseline_policy_->EvaluateSyscall(sysno); |
107 } | 120 } |
108 NOTREACHED(); | 121 NOTREACHED(); |
109 // GCC wants this. | 122 // GCC wants this. |
110 return Error(EPERM); | 123 return Error(EPERM); |
111 } | 124 } |
112 | 125 |
113 void RunSandboxSanityChecks() { | 126 void RunSandboxSanityChecks() { |
114 errno = 0; | 127 errno = 0; |
134 new NaClBPFSandboxPolicy)); | 147 new NaClBPFSandboxPolicy)); |
135 if (sandbox_is_initialized) { | 148 if (sandbox_is_initialized) { |
136 RunSandboxSanityChecks(); | 149 RunSandboxSanityChecks(); |
137 return true; | 150 return true; |
138 } | 151 } |
139 #endif // defined(USE_SECCOMP_BPF) | 152 #endif // defined(USE_SECCOMP_BPF) |
140 return false; | 153 return false; |
141 } | 154 } |
142 | 155 |
143 } // namespace nacl | 156 } // namespace nacl |
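Review bot: The new `return sandbox::RestrictSchedTarget(getpid(), sysno);` in EvaluateSyscall (new line 117) calls getpid() without this file including `<unistd.h>`; the system includes are only errno.h, signal.h and sys/ptrace.h, so the declaration is reaching here transitively and an include reshuffle elsewhere would break the build. Add `#include <unistd.h>` after `#include <sys/ptrace.h>` in the USE_SECCOMP_BPF block. The four sched_* cases are also the only allow-path in this switch with no explanatory comment; a line such as `// Scheduler calls are only allowed when they target this process (see RestrictSchedTarget).` above `case __NR_sched_getaffinity:` would document why they were moved out of the plain Allow() list — assuming that is what the helper enforces, which this page does not show.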