| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h" | 5 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h" |
| 6 | 6 |
| 7 #include "build/build_config.h" | 7 #include "build/build_config.h" |
| 8 | 8 |
| 9 #if defined(USE_SECCOMP_BPF) | 9 #if defined(USE_SECCOMP_BPF) |
| 10 | 10 |
| 11 #include <errno.h> | 11 #include <errno.h> |
| 12 #include <signal.h> | 12 #include <signal.h> |
| 13 #include <sys/ptrace.h> | 13 #include <sys/ptrace.h> |
| 14 #include <sys/types.h> | |
| 15 #include <unistd.h> | |
| 14 | 16 |
| 15 #include "base/basictypes.h" | 17 #include "base/basictypes.h" |
| 16 #include "base/callback.h" | 18 #include "base/callback.h" |
| 19 #include "base/command_line.h" | |
| 17 #include "base/compiler_specific.h" | 20 #include "base/compiler_specific.h" |
| 18 #include "base/logging.h" | 21 #include "base/logging.h" |
| 19 | 22 |
| 23 #include "components/nacl/common/nacl_switches.h" | |
| 20 #include "content/public/common/sandbox_init.h" | 24 #include "content/public/common/sandbox_init.h" |
| 21 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" | 25 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" |
| 26 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" | |
| 22 #include "sandbox/linux/services/linux_syscalls.h" | 27 #include "sandbox/linux/services/linux_syscalls.h" |
| 23 | 28 |
| 24 #endif // defined(USE_SECCOMP_BPF) | 29 #endif // defined(USE_SECCOMP_BPF) |
| 25 | 30 |
| 26 namespace nacl { | 31 namespace nacl { |
| 27 | 32 |
| 28 #if defined(USE_SECCOMP_BPF) | 33 #if defined(USE_SECCOMP_BPF) |
| 29 | 34 |
| 30 namespace { | 35 namespace { |
| 31 | 36 |
| 32 using sandbox::bpf_dsl::Allow; | 37 using sandbox::bpf_dsl::Allow; |
| 33 using sandbox::bpf_dsl::Error; | 38 using sandbox::bpf_dsl::Error; |
| 34 using sandbox::bpf_dsl::ResultExpr; | 39 using sandbox::bpf_dsl::ResultExpr; |
| 35 | 40 |
| 36 class NaClBPFSandboxPolicy : public sandbox::bpf_dsl::SandboxBPFDSLPolicy { | 41 class NaClBPFSandboxPolicy : public sandbox::bpf_dsl::SandboxBPFDSLPolicy { |
| 37 public: | 42 public: |
| 38 NaClBPFSandboxPolicy() | 43 NaClBPFSandboxPolicy() |
| 39 : baseline_policy_(content::GetBPFSandboxBaselinePolicy()) {} | 44 : baseline_policy_(content::GetBPFSandboxBaselinePolicy()) { |
| 45 const base::CommandLine* command_line = | |
| 46 base::CommandLine::ForCurrentProcess(); | |
| 47 enable_nacl_debug_ = command_line->HasSwitch(switches::kEnableNaClDebug); | |
| 48 current_pid_ = getpid(); | |
|
jln (very slow on Chromium)
2014/10/24 20:38:34
Nit: how about putting this in the initializer list?
| |
| 49 } | |
| 40 virtual ~NaClBPFSandboxPolicy() {} | 50 virtual ~NaClBPFSandboxPolicy() {} |
| 41 | 51 |
| 42 virtual ResultExpr EvaluateSyscall(int system_call_number) const override; | 52 virtual ResultExpr EvaluateSyscall(int system_call_number) const override; |
| 43 virtual ResultExpr InvalidSyscall() const override { | 53 virtual ResultExpr InvalidSyscall() const override { |
| 44 return baseline_policy_->InvalidSyscall(); | 54 return baseline_policy_->InvalidSyscall(); |
| 45 } | 55 } |
| 46 | 56 |
| 47 private: | 57 private: |
| 48 scoped_ptr<sandbox::bpf_dsl::SandboxBPFDSLPolicy> baseline_policy_; | 58 scoped_ptr<sandbox::bpf_dsl::SandboxBPFDSLPolicy> baseline_policy_; |
| 59 bool enable_nacl_debug_; | |
| 60 pid_t current_pid_; | |
|
jln (very slow on Chromium)
2014/10/24 20:38:34
policy_pid_ to be consistent ?
| |
| 49 | 61 |
| 50 DISALLOW_COPY_AND_ASSIGN(NaClBPFSandboxPolicy); | 62 DISALLOW_COPY_AND_ASSIGN(NaClBPFSandboxPolicy); |
| 51 }; | 63 }; |
| 52 | 64 |
| 53 ResultExpr NaClBPFSandboxPolicy::EvaluateSyscall(int sysno) const { | 65 ResultExpr NaClBPFSandboxPolicy::EvaluateSyscall(int sysno) const { |
| 54 DCHECK(baseline_policy_); | 66 DCHECK(baseline_policy_); |
| 67 | |
| 68 // NaCl's GDB debug stub uses the following socket system calls. We only | |
| 69 // allow then when --enable-nacl-debug is specified. | |
| 70 if (enable_nacl_debug_) { | |
| 71 switch (sysno) { | |
| 72 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) | |
| 73 // transport_common.cc needs this. | |
| 74 case __NR_accept: | |
| 75 case __NR_setsockopt: | |
| 76 return Allow(); | |
| 77 #elif defined(__i386__) | |
| 78 case __NR_socketcall: | |
| 79 return Allow(); | |
| 80 #endif | |
|
jln (very slow on Chromium)
2014/10/24 20:48:11
style: add "default:" with a // Fallthrough comment
| |
| 81 } | |
| 82 } | |
| 83 | |
| 55 switch (sysno) { | 84 switch (sysno) { |
| 56 // TODO(jln): NaCl's GDB debug stub uses the following socket system calls, | 85 // trusted/service_runtime/linux/thread_suspension.c needs sigwait() |
| 57 // see if it can be restricted a bit. | |
| 58 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) | |
| 59 // transport_common.cc needs this. | |
| 60 case __NR_accept: | |
| 61 case __NR_setsockopt: | |
| 62 #elif defined(__i386__) | |
| 63 case __NR_socketcall: | |
| 64 #endif | |
| 65 // trusted/service_runtime/linux/thread_suspension.c needs sigwait() and is | |
| 66 // used by NaCl's GDB debug stub. | |
| 67 case __NR_rt_sigtimedwait: | 86 case __NR_rt_sigtimedwait: |
| 68 #if defined(__i386__) || defined(__mips__) | 87 #if defined(__i386__) || defined(__mips__) |
| 69 // Needed on i386 to set-up the custom segments. | 88 // Needed on i386 to set-up the custom segments. |
| 70 case __NR_modify_ldt: | 89 case __NR_modify_ldt: |
| 71 #endif | 90 #endif |
| 72 // NaClAddrSpaceBeforeAlloc needs prlimit64. | 91 // NaClAddrSpaceBeforeAlloc needs prlimit64. |
| 73 case __NR_prlimit64: | 92 case __NR_prlimit64: |
| 74 // NaCl uses custom signal stacks. | 93 // NaCl uses custom signal stacks. |
| 75 case __NR_sigaltstack: | 94 case __NR_sigaltstack: |
| 76 // Below is fairly similar to the policy for a Chromium renderer. | 95 // Below is fairly similar to the policy for a Chromium renderer. |
| 77 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) | 96 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
| 78 case __NR_getrlimit: | 97 case __NR_getrlimit: |
| 79 #endif | 98 #endif |
| 80 #if defined(__i386__) || defined(__arm__) | 99 #if defined(__i386__) || defined(__arm__) |
| 81 case __NR_ugetrlimit: | 100 case __NR_ugetrlimit: |
| 82 #endif | 101 #endif |
| 83 // NaCl runtime exposes clock_getres to untrusted code. | 102 // NaCl runtime exposes clock_getres to untrusted code. |
| 84 case __NR_clock_getres: | 103 case __NR_clock_getres: |
| 85 // NaCl runtime uses flock to simulate POSIX behavior for pwrite. | 104 // NaCl runtime uses flock to simulate POSIX behavior for pwrite. |
| 86 case __NR_flock: | 105 case __NR_flock: |
| 87 case __NR_pread64: | 106 case __NR_pread64: |
| 88 case __NR_pwrite64: | 107 case __NR_pwrite64: |
| 89 case __NR_sched_get_priority_max: | 108 case __NR_sched_get_priority_max: |
| 90 case __NR_sched_get_priority_min: | 109 case __NR_sched_get_priority_min: |
| 91 case __NR_sched_getaffinity: | |
| 92 case __NR_sched_getparam: | |
| 93 case __NR_sched_getscheduler: | |
| 94 case __NR_sched_setscheduler: | |
| 95 case __NR_sysinfo: | 110 case __NR_sysinfo: |
| 96 // __NR_times needed as clock() is called by CommandBufferHelper, which is | 111 // __NR_times needed as clock() is called by CommandBufferHelper, which is |
| 97 // used by NaCl applications that use Pepper's 3D interfaces. | 112 // used by NaCl applications that use Pepper's 3D interfaces. |
| 98 // See crbug.com/264856 for details. | 113 // See crbug.com/264856 for details. |
| 99 case __NR_times: | 114 case __NR_times: |
| 100 case __NR_uname: | 115 case __NR_uname: |
| 101 return Allow(); | 116 return Allow(); |
| 102 case __NR_ioctl: | 117 case __NR_ioctl: |
| 103 case __NR_ptrace: | 118 case __NR_ptrace: |
| 104 return Error(EPERM); | 119 return Error(EPERM); |
| 120 case __NR_sched_getaffinity: | |
| 121 case __NR_sched_getparam: | |
| 122 case __NR_sched_getscheduler: | |
| 123 case __NR_sched_setscheduler: | |
| 124 return sandbox::RestrictSchedTarget(current_pid_, sysno); | |
| 105 default: | 125 default: |
| 106 return baseline_policy_->EvaluateSyscall(sysno); | 126 return baseline_policy_->EvaluateSyscall(sysno); |
| 107 } | 127 } |
| 108 NOTREACHED(); | 128 NOTREACHED(); |
| 109 // GCC wants this. | 129 // GCC wants this. |
| 110 return Error(EPERM); | 130 return Error(EPERM); |
| 111 } | 131 } |
| 112 | 132 |
| 113 void RunSandboxSanityChecks() { | 133 void RunSandboxSanityChecks() { |
| 114 errno = 0; | 134 errno = 0; |
| 134 new NaClBPFSandboxPolicy)); | 154 new NaClBPFSandboxPolicy)); |
| 135 if (sandbox_is_initialized) { | 155 if (sandbox_is_initialized) { |
| 136 RunSandboxSanityChecks(); | 156 RunSandboxSanityChecks(); |
| 137 return true; | 157 return true; |
| 138 } | 158 } |
| 139 #endif // defined(USE_SECCOMP_BPF) | 159 #endif // defined(USE_SECCOMP_BPF) |
| 140 return false; | 160 return false; |
| 141 } | 161 } |
| 142 | 162 |
| 143 } // namespace nacl | 163 } // namespace nacl |
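Review bot: The i386 branch of the new --enable-nacl-debug block allows `__NR_socketcall`, which multiplexes the whole socket family, so on i386 the debug stub is granted every socket operation while x86_64/ARM/MIPS get only accept and setsockopt; a comment such as `// socketcall is a multiplexer: on i386 this admits all socket calls, not just accept/setsockopt.` would make that asymmetry explicit for anyone later tightening it. The comment introducing that block also has a typo: `allow then when` should read `allow them when`. `current_pid_` is captured with getpid() in the constructor and then baked into the `RestrictSchedTarget(current_pid_, sysno)` filter, so the policy has to be instantiated in the very process that will be sandboxed, or the filter presumably admits sched_* calls against the wrong pid (confirm against syscall_parameters_restrictions.h); a one-line comment on the member, e.g. `// PID of the process this policy is built in; RestrictSchedTarget() keys its sched_* checks on it.`, would record that requirement.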