| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 6 | 6 |
| 7 // Some headers on Android are missing cdefs: crbug.com/172337. | 7 // Some headers on Android are missing cdefs: crbug.com/172337. |
| 8 // (We can't use OS_ANDROID here since build_config.h is not included). | 8 // (We can't use OS_ANDROID here since build_config.h is not included). |
| 9 #if defined(ANDROID) | 9 #if defined(ANDROID) |
| 10 #include <sys/cdefs.h> | 10 #include <sys/cdefs.h> |
| (...skipping 28 matching lines...) Expand all Loading... |
| 39 #include "sandbox/linux/services/thread_helpers.h" | 39 #include "sandbox/linux/services/thread_helpers.h" |
| 40 #include "sandbox/linux/system_headers/linux_seccomp.h" | 40 #include "sandbox/linux/system_headers/linux_seccomp.h" |
| 41 #include "sandbox/linux/system_headers/linux_syscalls.h" | 41 #include "sandbox/linux/system_headers/linux_syscalls.h" |
| 42 | 42 |
| 43 namespace sandbox { | 43 namespace sandbox { |
| 44 | 44 |
| 45 namespace { | 45 namespace { |
| 46 | 46 |
| 47 bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; } | 47 bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; } |
| 48 | 48 |
| 49 bool IsSingleThreaded(int proc_task_fd) { | 49 bool IsSingleThreaded(int proc_fd) { |
| 50 return ThreadHelpers::IsSingleThreaded(proc_task_fd); | 50 return ThreadHelpers::IsSingleThreaded(proc_fd); |
| 51 } | 51 } |
| 52 | 52 |
| 53 // Check if the kernel supports seccomp-filter (a.k.a. seccomp mode 2) via | 53 // Check if the kernel supports seccomp-filter (a.k.a. seccomp mode 2) via |
| 54 // prctl(). | 54 // prctl(). |
| 55 bool KernelSupportsSeccompBPF() { | 55 bool KernelSupportsSeccompBPF() { |
| 56 errno = 0; | 56 errno = 0; |
| 57 const int rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, nullptr); | 57 const int rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, nullptr); |
| 58 | 58 |
| 59 if (rv == -1 && EFAULT == errno) { | 59 if (rv == -1 && EFAULT == errno) { |
| 60 return true; | 60 return true; |
| (...skipping 14 matching lines...) Expand all Loading... |
| 75 // TODO(jln): turn these into DCHECK after 417888 is considered fixed. | 75 // TODO(jln): turn these into DCHECK after 417888 is considered fixed. |
| 76 CHECK_EQ(-1, rv); | 76 CHECK_EQ(-1, rv); |
| 77 CHECK(ENOSYS == errno || EINVAL == errno); | 77 CHECK(ENOSYS == errno || EINVAL == errno); |
| 78 return false; | 78 return false; |
| 79 } | 79 } |
| 80 } | 80 } |
| 81 | 81 |
| 82 } // namespace | 82 } // namespace |
| 83 | 83 |
| 84 SandboxBPF::SandboxBPF(bpf_dsl::Policy* policy) | 84 SandboxBPF::SandboxBPF(bpf_dsl::Policy* policy) |
| 85 : proc_task_fd_(), sandbox_has_started_(false), policy_(policy) { | 85 : proc_fd_(), sandbox_has_started_(false), policy_(policy) { |
| 86 } | 86 } |
| 87 | 87 |
| 88 SandboxBPF::~SandboxBPF() { | 88 SandboxBPF::~SandboxBPF() { |
| 89 } | 89 } |
| 90 | 90 |
| 91 // static | 91 // static |
| 92 bool SandboxBPF::SupportsSeccompSandbox(SeccompLevel level) { | 92 bool SandboxBPF::SupportsSeccompSandbox(SeccompLevel level) { |
| 93 // Never pretend to support seccomp with Valgrind, as it | 93 // Never pretend to support seccomp with Valgrind, as it |
| 94 // throws the tool off. | 94 // throws the tool off. |
| 95 if (IsRunningOnValgrind()) { | 95 if (IsRunningOnValgrind()) { |
| (...skipping 15 matching lines...) Expand all Loading... |
| 111 CHECK(seccomp_level == SeccompLevel::SINGLE_THREADED || | 111 CHECK(seccomp_level == SeccompLevel::SINGLE_THREADED || |
| 112 seccomp_level == SeccompLevel::MULTI_THREADED); | 112 seccomp_level == SeccompLevel::MULTI_THREADED); |
| 113 | 113 |
| 114 if (sandbox_has_started_) { | 114 if (sandbox_has_started_) { |
| 115 SANDBOX_DIE( | 115 SANDBOX_DIE( |
| 116 "Cannot repeatedly start sandbox. Create a separate Sandbox " | 116 "Cannot repeatedly start sandbox. Create a separate Sandbox " |
| 117 "object instead."); | 117 "object instead."); |
| 118 return false; | 118 return false; |
| 119 } | 119 } |
| 120 | 120 |
| 121 if (!proc_task_fd_.is_valid()) { | 121 if (!proc_fd_.is_valid()) { |
| 122 SetProcTaskFd(ProcUtil::OpenProcSelfTask()); | 122 SetProcFd(ProcUtil::OpenProc()); |
| 123 } | 123 } |
| 124 | 124 |
| 125 const bool supports_tsync = KernelSupportsSeccompTsync(); | 125 const bool supports_tsync = KernelSupportsSeccompTsync(); |
| 126 | 126 |
| 127 if (seccomp_level == SeccompLevel::SINGLE_THREADED) { | 127 if (seccomp_level == SeccompLevel::SINGLE_THREADED) { |
| 128 // Wait for /proc/self/task/ to update if needed and assert the | 128 // Wait for /proc/self/task/ to update if needed and assert the |
| 129 // process is single threaded. | 129 // process is single threaded. |
| 130 ThreadHelpers::AssertSingleThreaded(proc_task_fd_.get()); | 130 ThreadHelpers::AssertSingleThreaded(proc_fd_.get()); |
| 131 } else if (seccomp_level == SeccompLevel::MULTI_THREADED) { | 131 } else if (seccomp_level == SeccompLevel::MULTI_THREADED) { |
| 132 if (IsSingleThreaded(proc_task_fd_.get())) { | 132 if (IsSingleThreaded(proc_fd_.get())) { |
| 133 SANDBOX_DIE("Cannot start sandbox; " | 133 SANDBOX_DIE("Cannot start sandbox; " |
| 134 "process may be single-threaded when reported as not"); | 134 "process may be single-threaded when reported as not"); |
| 135 return false; | 135 return false; |
| 136 } | 136 } |
| 137 if (!supports_tsync) { | 137 if (!supports_tsync) { |
| 138 SANDBOX_DIE("Cannot start sandbox; kernel does not support synchronizing " | 138 SANDBOX_DIE("Cannot start sandbox; kernel does not support synchronizing " |
| 139 "filters for a threadgroup"); | 139 "filters for a threadgroup"); |
| 140 return false; | 140 return false; |
| 141 } | 141 } |
| 142 } | 142 } |
| 143 | 143 |
| 144 // We no longer need access to any files in /proc. We want to do this | 144 // We no longer need access to any files in /proc. We want to do this |
| 145 // before installing the filters, just in case that our policy denies | 145 // before installing the filters, just in case that our policy denies |
| 146 // close(). | 146 // close(). |
| 147 if (proc_task_fd_.is_valid()) { | 147 if (proc_fd_.is_valid()) { |
| 148 proc_task_fd_.reset(); | 148 proc_fd_.reset(); |
| 149 } | 149 } |
| 150 | 150 |
| 151 // Install the filters. | 151 // Install the filters. |
| 152 InstallFilter(supports_tsync || | 152 InstallFilter(supports_tsync || |
| 153 seccomp_level == SeccompLevel::MULTI_THREADED); | 153 seccomp_level == SeccompLevel::MULTI_THREADED); |
| 154 | 154 |
| 155 return true; | 155 return true; |
| 156 } | 156 } |
| 157 | 157 |
| 158 void SandboxBPF::SetProcTaskFd(base::ScopedFD proc_task_fd) { | 158 void SandboxBPF::SetProcFd(base::ScopedFD proc_fd) { |
| 159 proc_task_fd_.swap(proc_task_fd); | 159 proc_fd_.swap(proc_fd); |
| 160 } | 160 } |
| 161 | 161 |
| 162 // static | 162 // static |
| 163 bool SandboxBPF::IsValidSyscallNumber(int sysnum) { | 163 bool SandboxBPF::IsValidSyscallNumber(int sysnum) { |
| 164 return SyscallSet::IsValid(sysnum); | 164 return SyscallSet::IsValid(sysnum); |
| 165 } | 165 } |
| 166 | 166 |
| 167 // static | 167 // static |
| 168 bool SandboxBPF::IsRequiredForUnsafeTrap(int sysno) { | 168 bool SandboxBPF::IsRequiredForUnsafeTrap(int sysno) { |
| 169 return bpf_dsl::PolicyCompiler::IsRequiredForUnsafeTrap(sysno); | 169 return bpf_dsl::PolicyCompiler::IsRequiredForUnsafeTrap(sysno); |
| (...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 247 } else { | 247 } else { |
| 248 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { | 248 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { |
| 249 SANDBOX_DIE("Kernel refuses to turn on BPF filters"); | 249 SANDBOX_DIE("Kernel refuses to turn on BPF filters"); |
| 250 } | 250 } |
| 251 } | 251 } |
| 252 | 252 |
| 253 sandbox_has_started_ = true; | 253 sandbox_has_started_ = true; |
| 254 } | 254 } |
| 255 | 255 |
| 256 } // namespace sandbox | 256 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 938223004:
Linux sandbox: better APIs with /proc/ arguments (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master