OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
6 | 6 |
7 // Some headers on Android are missing cdefs: crbug.com/172337. | 7 // Some headers on Android are missing cdefs: crbug.com/172337. |
8 // (We can't use OS_ANDROID here since build_config.h is not included). | 8 // (We can't use OS_ANDROID here since build_config.h is not included). |
9 #if defined(ANDROID) | 9 #if defined(ANDROID) |
10 #include <sys/cdefs.h> | 10 #include <sys/cdefs.h> |
(...skipping 28 matching lines...) Expand all Loading... |
39 #include "sandbox/linux/services/thread_helpers.h" | 39 #include "sandbox/linux/services/thread_helpers.h" |
40 #include "sandbox/linux/system_headers/linux_seccomp.h" | 40 #include "sandbox/linux/system_headers/linux_seccomp.h" |
41 #include "sandbox/linux/system_headers/linux_syscalls.h" | 41 #include "sandbox/linux/system_headers/linux_syscalls.h" |
42 | 42 |
43 namespace sandbox { | 43 namespace sandbox { |
44 | 44 |
45 namespace { | 45 namespace { |
46 | 46 |
47 bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; } | 47 bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; } |
48 | 48 |
49 bool IsSingleThreaded(int proc_task_fd) { | 49 bool IsSingleThreaded(int proc_fd) { |
50 return ThreadHelpers::IsSingleThreaded(proc_task_fd); | 50 return ThreadHelpers::IsSingleThreaded(proc_fd); |
51 } | 51 } |
52 | 52 |
53 // Check if the kernel supports seccomp-filter (a.k.a. seccomp mode 2) via | 53 // Check if the kernel supports seccomp-filter (a.k.a. seccomp mode 2) via |
54 // prctl(). | 54 // prctl(). |
55 bool KernelSupportsSeccompBPF() { | 55 bool KernelSupportsSeccompBPF() { |
56 errno = 0; | 56 errno = 0; |
57 const int rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, nullptr); | 57 const int rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, nullptr); |
58 | 58 |
59 if (rv == -1 && EFAULT == errno) { | 59 if (rv == -1 && EFAULT == errno) { |
60 return true; | 60 return true; |
(...skipping 14 matching lines...) Expand all Loading... |
75 // TODO(jln): turn these into DCHECK after 417888 is considered fixed. | 75 // TODO(jln): turn these into DCHECK after 417888 is considered fixed. |
76 CHECK_EQ(-1, rv); | 76 CHECK_EQ(-1, rv); |
77 CHECK(ENOSYS == errno || EINVAL == errno); | 77 CHECK(ENOSYS == errno || EINVAL == errno); |
78 return false; | 78 return false; |
79 } | 79 } |
80 } | 80 } |
81 | 81 |
82 } // namespace | 82 } // namespace |
83 | 83 |
84 SandboxBPF::SandboxBPF(bpf_dsl::Policy* policy) | 84 SandboxBPF::SandboxBPF(bpf_dsl::Policy* policy) |
85 : proc_task_fd_(), sandbox_has_started_(false), policy_(policy) { | 85 : proc_fd_(), sandbox_has_started_(false), policy_(policy) { |
86 } | 86 } |
87 | 87 |
88 SandboxBPF::~SandboxBPF() { | 88 SandboxBPF::~SandboxBPF() { |
89 } | 89 } |
90 | 90 |
91 // static | 91 // static |
92 bool SandboxBPF::SupportsSeccompSandbox(SeccompLevel level) { | 92 bool SandboxBPF::SupportsSeccompSandbox(SeccompLevel level) { |
93 // Never pretend to support seccomp with Valgrind, as it | 93 // Never pretend to support seccomp with Valgrind, as it |
94 // throws the tool off. | 94 // throws the tool off. |
95 if (IsRunningOnValgrind()) { | 95 if (IsRunningOnValgrind()) { |
(...skipping 15 matching lines...) Expand all Loading... |
111 CHECK(seccomp_level == SeccompLevel::SINGLE_THREADED || | 111 CHECK(seccomp_level == SeccompLevel::SINGLE_THREADED || |
112 seccomp_level == SeccompLevel::MULTI_THREADED); | 112 seccomp_level == SeccompLevel::MULTI_THREADED); |
113 | 113 |
114 if (sandbox_has_started_) { | 114 if (sandbox_has_started_) { |
115 SANDBOX_DIE( | 115 SANDBOX_DIE( |
116 "Cannot repeatedly start sandbox. Create a separate Sandbox " | 116 "Cannot repeatedly start sandbox. Create a separate Sandbox " |
117 "object instead."); | 117 "object instead."); |
118 return false; | 118 return false; |
119 } | 119 } |
120 | 120 |
121 if (!proc_task_fd_.is_valid()) { | 121 if (!proc_fd_.is_valid()) { |
122 SetProcTaskFd(ProcUtil::OpenProcSelfTask()); | 122 SetProcFd(ProcUtil::OpenProc()); |
123 } | 123 } |
124 | 124 |
125 const bool supports_tsync = KernelSupportsSeccompTsync(); | 125 const bool supports_tsync = KernelSupportsSeccompTsync(); |
126 | 126 |
127 if (seccomp_level == SeccompLevel::SINGLE_THREADED) { | 127 if (seccomp_level == SeccompLevel::SINGLE_THREADED) { |
128 // Wait for /proc/self/task/ to update if needed and assert the | 128 // Wait for /proc/self/task/ to update if needed and assert the |
129 // process is single threaded. | 129 // process is single threaded. |
130 ThreadHelpers::AssertSingleThreaded(proc_task_fd_.get()); | 130 ThreadHelpers::AssertSingleThreaded(proc_fd_.get()); |
131 } else if (seccomp_level == SeccompLevel::MULTI_THREADED) { | 131 } else if (seccomp_level == SeccompLevel::MULTI_THREADED) { |
132 if (IsSingleThreaded(proc_task_fd_.get())) { | 132 if (IsSingleThreaded(proc_fd_.get())) { |
133 SANDBOX_DIE("Cannot start sandbox; " | 133 SANDBOX_DIE("Cannot start sandbox; " |
134 "process may be single-threaded when reported as not"); | 134 "process may be single-threaded when reported as not"); |
135 return false; | 135 return false; |
136 } | 136 } |
137 if (!supports_tsync) { | 137 if (!supports_tsync) { |
138 SANDBOX_DIE("Cannot start sandbox; kernel does not support synchronizing " | 138 SANDBOX_DIE("Cannot start sandbox; kernel does not support synchronizing " |
139 "filters for a threadgroup"); | 139 "filters for a threadgroup"); |
140 return false; | 140 return false; |
141 } | 141 } |
142 } | 142 } |
143 | 143 |
144 // We no longer need access to any files in /proc. We want to do this | 144 // We no longer need access to any files in /proc. We want to do this |
145 // before installing the filters, just in case that our policy denies | 145 // before installing the filters, just in case that our policy denies |
146 // close(). | 146 // close(). |
147 if (proc_task_fd_.is_valid()) { | 147 if (proc_fd_.is_valid()) { |
148 proc_task_fd_.reset(); | 148 proc_fd_.reset(); |
149 } | 149 } |
150 | 150 |
151 // Install the filters. | 151 // Install the filters. |
152 InstallFilter(supports_tsync || | 152 InstallFilter(supports_tsync || |
153 seccomp_level == SeccompLevel::MULTI_THREADED); | 153 seccomp_level == SeccompLevel::MULTI_THREADED); |
154 | 154 |
155 return true; | 155 return true; |
156 } | 156 } |
157 | 157 |
158 void SandboxBPF::SetProcTaskFd(base::ScopedFD proc_task_fd) { | 158 void SandboxBPF::SetProcFd(base::ScopedFD proc_fd) { |
159 proc_task_fd_.swap(proc_task_fd); | 159 proc_fd_.swap(proc_fd); |
160 } | 160 } |
161 | 161 |
162 // static | 162 // static |
163 bool SandboxBPF::IsValidSyscallNumber(int sysnum) { | 163 bool SandboxBPF::IsValidSyscallNumber(int sysnum) { |
164 return SyscallSet::IsValid(sysnum); | 164 return SyscallSet::IsValid(sysnum); |
165 } | 165 } |
166 | 166 |
167 // static | 167 // static |
168 bool SandboxBPF::IsRequiredForUnsafeTrap(int sysno) { | 168 bool SandboxBPF::IsRequiredForUnsafeTrap(int sysno) { |
169 return bpf_dsl::PolicyCompiler::IsRequiredForUnsafeTrap(sysno); | 169 return bpf_dsl::PolicyCompiler::IsRequiredForUnsafeTrap(sysno); |
(...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
247 } else { | 247 } else { |
248 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { | 248 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { |
249 SANDBOX_DIE("Kernel refuses to turn on BPF filters"); | 249 SANDBOX_DIE("Kernel refuses to turn on BPF filters"); |
250 } | 250 } |
251 } | 251 } |
252 | 252 |
253 sandbox_has_started_ = true; | 253 sandbox_has_started_ = true; |
254 } | 254 } |
255 | 255 |
256 } // namespace sandbox | 256 } // namespace sandbox |
OLD | NEW |