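--- a/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc
+++ b/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc
@@ -1,115 +1,146 @@
 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h"
 
 #include "build/build_config.h"
 
 #if defined(USE_SECCOMP_BPF)
 
 #include <errno.h>
 #include <signal.h>
 #include <sys/ptrace.h>
+#include <sys/types.h>
+#include <unistd.h>
 
 #include "base/basictypes.h"
 #include "base/callback.h"
+#include "base/command_line.h"
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 
+#include "components/nacl/common/nacl_switches.h"
 #include "content/public/common/sandbox_init.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 #include "sandbox/linux/bpf_dsl/policy.h"
+#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 
 #endif // defined(USE_SECCOMP_BPF)
 
 namespace nacl {
 
 #if defined(USE_SECCOMP_BPF)
 
 namespace {
 
 using sandbox::bpf_dsl::Allow;
 using sandbox::bpf_dsl::Error;
 using sandbox::bpf_dsl::ResultExpr;
 
 class NaClBPFSandboxPolicy : public sandbox::bpf_dsl::Policy {
 public:
 NaClBPFSandboxPolicy()
-: baseline_policy_(content::GetBPFSandboxBaselinePolicy()) {}
+: baseline_policy_(content::GetBPFSandboxBaselinePolicy()),
+policy_pid_(syscall(__NR_getpid)) {
+const base::CommandLine* command_line =
+base::CommandLine::ForCurrentProcess();
+// nacl_process_host.cc doesn't always enable the debug stub when
+// kEnableNaClDebug is passed, but it's OK to enable the extra syscalls
+// whenever kEnableNaClDebug is passed.
+enable_nacl_debug_ = command_line->HasSwitch(switches::kEnableNaClDebug);
+}
 ~NaClBPFSandboxPolicy() override {}
 
 ResultExpr EvaluateSyscall(int system_call_number) const override;
 ResultExpr InvalidSyscall() const override {
 return baseline_policy_->InvalidSyscall();
 }
 
 private:
 scoped_ptr<sandbox::bpf_dsl::Policy> baseline_policy_;
+bool enable_nacl_debug_;
+const pid_t policy_pid_;
 
 DISALLOW_COPY_AND_ASSIGN(NaClBPFSandboxPolicy);
 };
 
 ResultExpr NaClBPFSandboxPolicy::EvaluateSyscall(int sysno) const {
 DCHECK(baseline_policy_);
+
+// EvaluateSyscall must be called from the same process that instantiated the
+// NaClBPFSandboxPolicy.
+DCHECK_EQ(policy_pid_, syscall(__NR_getpid));
+
+// NaCl's GDB debug stub uses the following socket system calls. We only
+// allow them when --enable-nacl-debug is specified.
+if (enable_nacl_debug_) {
+switch (sysno) {
+// trusted/service_runtime/linux/thread_suspension.c needs sigwait(). Thread
+// suspension is currently only used in the debug stub.
+case __NR_rt_sigtimedwait:
+return Allow();
+#if defined(__x86_64__) || defined(__arm__) || defined(__mips__)
+// transport_common.cc needs this.
+case __NR_accept:
+case __NR_setsockopt:
+return Allow();
+#elif defined(__i386__)
+case __NR_socketcall:
+return Allow();
+#endif
+default:
+break;
+}
+}
+
 switch (sysno) {
-// TODO(jln): NaCl's GDB debug stub uses the following socket system calls,
-// see if it can be restricted a bit.
-#if defined(__x86_64__) || defined(__arm__) || defined(__mips__)
-// transport_common.cc needs this.
-case __NR_accept:
-case __NR_setsockopt:
-#elif defined(__i386__)
-case __NR_socketcall:
-#endif
-// trusted/service_runtime/linux/thread_suspension.c needs sigwait() and is
-// used by NaCl's GDB debug stub.
-case __NR_rt_sigtimedwait:
 #if defined(__i386__) || defined(__mips__)
 // Needed on i386 to set-up the custom segments.
 case __NR_modify_ldt:
 #endif
 // NaClAddrSpaceBeforeAlloc needs prlimit64.
 case __NR_prlimit64:
 // NaCl uses custom signal stacks.
 case __NR_sigaltstack:
 // Below is fairly similar to the policy for a Chromium renderer.
 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
 case __NR_getrlimit:
 #endif
 #if defined(__i386__) || defined(__arm__)
 case __NR_ugetrlimit:
 #endif
 // NaCl runtime exposes clock_getres to untrusted code.
 case __NR_clock_getres:
 // NaCl runtime uses flock to simulate POSIX behavior for pwrite.
 case __NR_flock:
 case __NR_pread64:
 case __NR_pwrite64:
 case __NR_sched_get_priority_max:
 case __NR_sched_get_priority_min:
-case __NR_sched_getaffinity:
-case __NR_sched_getparam:
-case __NR_sched_getscheduler:
-case __NR_sched_setscheduler:
 case __NR_sysinfo:
 // __NR_times needed as clock() is called by CommandBufferHelper, which is
 // used by NaCl applications that use Pepper's 3D interfaces.
 // See crbug.com/264856 for details.
 case __NR_times:
 case __NR_uname:
 return Allow();
 case __NR_ioctl:
 case __NR_ptrace:
 return Error(EPERM);
+case __NR_sched_getaffinity:
+case __NR_sched_getparam:
+case __NR_sched_getscheduler:
+case __NR_sched_setscheduler:
+return sandbox::RestrictSchedTarget(policy_pid_, sysno);
 default:
 return baseline_policy_->EvaluateSyscall(sysno);
 }
 NOTREACHED();
 // GCC wants this.
 return Error(EPERM);
 }
 
 void RunSandboxSanityChecks() {
 errno = 0;
@@ -134,10 +165,10 @@
 scoped_ptr<sandbox::bpf_dsl::Policy>(new NaClBPFSandboxPolicy));
 if (sandbox_is_initialized) {
 RunSandboxSanityChecks();
 return true;
 }
 #endif // defined(USE_SECCOMP_BPF)
 return false;
 }
 
 } // namespace nacl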
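Review bot: On i386 the new debug-only branch (new line 91) allows `__NR_socketcall` outright, and because socketcall multiplexes every socket operation that is a far wider grant than the `accept`/`setsockopt` pair allowed on the other architectures; the gap predates this commit, but now that the grant is gated on `--enable-nacl-debug` the comment at new lines 77–78 should state it, e.g. `// On i386 this admits every socketcall sub-operation, not just accept/setsockopt.` Separately, `enable_nacl_debug_` is left non-const and assigned in the constructor body while `policy_pid_` is `const` and initialized in the member-initializer list; declaring it `const bool enable_nacl_debug_;` and initializing it in the list from `base::CommandLine::ForCurrentProcess()->HasSwitch(switches::kEnableNaClDebug)` keeps the two members consistent and rules out later mutation. Note also that the process check at new line 75 is a `DCHECK_EQ`, so in release builds a policy evaluated from a process other than the one that constructed it would silently hand the stale `policy_pid_` to `sandbox::RestrictSchedTarget`; whether that fails closed depends on how that helper treats a non-matching pid, which is not visible in this file.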