| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf/trap.h" | 5 #include "sandbox/linux/seccomp-bpf/trap.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <signal.h> | 8 #include <signal.h> |
| 9 #include <string.h> | 9 #include <string.h> |
| 10 #include <sys/syscall.h> | 10 #include <sys/syscall.h> |
| 244 bool Trap::TrapKey::operator<(const TrapKey& o) const { | 244 bool Trap::TrapKey::operator<(const TrapKey& o) const { |
| 245 if (fnc != o.fnc) { | 245 if (fnc != o.fnc) { |
| 246 return fnc < o.fnc; | 246 return fnc < o.fnc; |
| 247 } else if (aux != o.aux) { | 247 } else if (aux != o.aux) { |
| 248 return aux < o.aux; | 248 return aux < o.aux; |
| 249 } else { | 249 } else { |
| 250 return safe < o.safe; | 250 return safe < o.safe; |
| 251 } | 251 } |
| 252 } | 252 } |
| 253 | 253 |
| 254 uint16_t Trap::MakeTrap(TrapFnc fnc, const void* aux, bool safe) { |
| 255 return Registry()->Add(fnc, aux, safe); |
| 256 } |
| 257 |
| 254 uint16_t Trap::Add(TrapFnc fnc, const void* aux, bool safe) { | 258 uint16_t Trap::Add(TrapFnc fnc, const void* aux, bool safe) { |
| 255 if (!safe && !SandboxDebuggingAllowedByUser()) { | 259 if (!safe && !SandboxDebuggingAllowedByUser()) { |
| 256 // Unless the user set the CHROME_SANDBOX_DEBUGGING environment variable, | 260 // Unless the user set the CHROME_SANDBOX_DEBUGGING environment variable, |
| 257 // we never return an ErrorCode that is marked as "unsafe". This also | 261 // we never return an ErrorCode that is marked as "unsafe". This also |
| 258 // means, the BPF compiler will never emit code that allow unsafe system | 262 // means, the BPF compiler will never emit code that allow unsafe system |
| 259 // calls to by-pass the filter (because they use the magic return address | 263 // calls to by-pass the filter (because they use the magic return address |
| 260 // from Syscall::Call(-1)). | 264 // from Syscall::Call(-1)). |
| 261 | 265 |
| 262 // This SANDBOX_DIE() can optionally be removed. It won't break security, | 266 // This SANDBOX_DIE() can optionally be removed. It won't break security, |
| 263 // but it might make error messages from the BPF compiler a little harder | 267 // but it might make error messages from the BPF compiler a little harder |
| 342 delete[] old_trap_array; | 346 delete[] old_trap_array; |
| 343 } | 347 } |
| 344 | 348 |
| 345 uint16_t id = trap_array_size_ + 1; | 349 uint16_t id = trap_array_size_ + 1; |
| 346 trap_ids_[key] = id; | 350 trap_ids_[key] = id; |
| 347 trap_array_[trap_array_size_] = key; | 351 trap_array_[trap_array_size_] = key; |
| 348 trap_array_size_++; | 352 trap_array_size_++; |
| 349 return id; | 353 return id; |
| 350 } | 354 } |
| 351 | 355 |
| 352 bool Trap::SandboxDebuggingAllowedByUser() { | 356 bool Trap::SandboxDebuggingAllowedByUser() const { |
| 353 const char* debug_flag = getenv(kSandboxDebuggingEnv); | 357 const char* debug_flag = getenv(kSandboxDebuggingEnv); |
| 354 return debug_flag && *debug_flag; | 358 return debug_flag && *debug_flag; |
| 355 } | 359 } |
| 356 | 360 |
| 361 bool Trap::EnableUnsafeTrapsInSigSysHandler() { |
| 362 return Registry()->EnableUnsafeTraps(); |
| 363 } |
| 364 |
| 357 bool Trap::EnableUnsafeTraps() { | 365 bool Trap::EnableUnsafeTraps() { |
| 358 if (!has_unsafe_traps_) { | 366 if (!has_unsafe_traps_) { |
| 359 // Unsafe traps are a one-way fuse. Once enabled, they can never be turned | 367 // Unsafe traps are a one-way fuse. Once enabled, they can never be turned |
| 360 // off again. | 368 // off again. |
| 361 // We only allow enabling unsafe traps, if the user explicitly set an | 369 // We only allow enabling unsafe traps, if the user explicitly set an |
| 362 // appropriate environment variable. This prevents bugs that accidentally | 370 // appropriate environment variable. This prevents bugs that accidentally |
| 363 // disable all sandboxing for all users. | 371 // disable all sandboxing for all users. |
| 364 if (SandboxDebuggingAllowedByUser()) { | 372 if (SandboxDebuggingAllowedByUser()) { |
| 365 // We only ever print this message once, when we enable unsafe traps the | 373 // We only ever print this message once, when we enable unsafe traps the |
| 366 // first time. | 374 // first time. |
| 367 SANDBOX_INFO("WARNING! Disabling sandbox for debugging purposes"); | 375 SANDBOX_INFO("WARNING! Disabling sandbox for debugging purposes"); |
| 368 has_unsafe_traps_ = true; | 376 has_unsafe_traps_ = true; |
| 369 } else { | 377 } else { |
| 370 SANDBOX_INFO( | 378 SANDBOX_INFO( |
| 371 "Cannot disable sandbox and use unsafe traps unless " | 379 "Cannot disable sandbox and use unsafe traps unless " |
| 372 "CHROME_SANDBOX_DEBUGGING is turned on first"); | 380 "CHROME_SANDBOX_DEBUGGING is turned on first"); |
| 373 } | 381 } |
| 374 } | 382 } |
| 375 // Returns the, possibly updated, value of has_unsafe_traps_. | 383 // Returns the, possibly updated, value of has_unsafe_traps_. |
| 376 return has_unsafe_traps_; | 384 return has_unsafe_traps_; |
| 377 } | 385 } |
| 378 | 386 |
| 379 Trap* Trap::global_trap_; | 387 Trap* Trap::global_trap_; |
| 380 | 388 |
| 381 } // namespace sandbox | 389 } // namespace sandbox |
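Review bot: The two new static forwarders, `Trap::MakeTrap` (NEW 254-256) and `Trap::EnableUnsafeTrapsInSigSysHandler` (NEW 361-363), carry no comment in this file, and the second one is the entry point that permanently lifts sandbox enforcement for debugging, so the one-way nature should be visible where it is defined: `// One-way fuse: forwards to the process-wide registry's EnableUnsafeTraps(); once it returns true, unsafe traps stay enabled until the process exits.` `Registry()` is defined outside the hunk, so whether it lazily creates the global instance on first use cannot be confirmed here; if it does, both forwarders instantiate the registry as a side effect, which is worth stating in the header next to their declarations. On the now-const `SandboxDebuggingAllowedByUser()` (NEW 356-359), the check accepts any non-empty value, so `CHROME_SANDBOX_DEBUGGING=0` also enables unsafe traps; a comment such as `// Any non-empty value counts as opt-in; "0" or "false" do not turn it off.` would keep the next reader from assuming a boolean parse.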