Add an initial Linux GPU sandbox using the seccomp filter framework.

content/common/sandbox_init_linux.cc

Index: content/common/sandbox_init_linux.cc
===================================================================
--- content/common/sandbox_init_linux.cc	(revision 0)
+++ content/common/sandbox_init_linux.cc	(revision 0)
@@ -0,0 +1,259 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/public/common/sandbox_init.h"
+
+#if defined(OS_LINUX) && defined(__x86_64__)
+
+#include <asm/unistd.h>
+#include <errno.h>
+#include <linux/filter.h>
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/prctl.h>
+#include <ucontext.h>
+#include <unistd.h>
+
+#include <vector>
+
+#include "base/command_line.h"
+#include "base/file_util.h"
+#include "base/logging.h"
+#include "base/time.h"
+#include "content/public/common/content_switches.h"
+
+#ifndef PR_SET_NO_NEW_PRIVS
+  #define PR_SET_NO_NEW_PRIVS 38
+#endif
+
+#ifndef SYS_SECCOMP
+  #define SYS_SECCOMP 1
+#endif
+
+namespace {
+
+static void CheckSingleThreaded() {

[jln (very slow on Chromium), 2012/04/12 17:54:14]

This is racy if potentially created threads can create other threads.

Could you check /proc/self/stat for the num_threads field instead?

+  char proc_name[64];
+  snprintf(proc_name, sizeof(proc_name), "/proc/%d/task", getpid());
+  FilePath path(proc_name);
+  int num_threads = file_util::CountFilesCreatedAfter(
+      path, base::Time::UnixEpoch());
+  CHECK_EQ(num_threads, 1);
+}
+
+static void SIGSYS_Handler(int signal, siginfo_t* info, void* void_context) {
+  if (signal != SIGSYS)
+    return;
+  if (info->si_code != SYS_SECCOMP)
+    return;
+  if (!void_context)
+    return;
+  ucontext_t* context = reinterpret_cast<ucontext_t*>(void_context);
+  unsigned int syscall = context->uc_mcontext.gregs[REG_RAX];

[Will Drewry, 2012/04/12 01:08:56]

I guess this is easier than wrangling asm/siginfo?
What other info will end up in the dump? Do you want to prime the crash dump
with other data or are you hoping unwinding will cover all that?

[Chris Evans, 2012/04/12 18:42:49]

Yeah, and it's also the way the Will / Kees example code grabs it.
Initial plan is that stack trace + syscall_nr should be sufficient to understand
and add omitted syscalls. If we get into difficulty, we can actually encode tons
more stuff in the deref ptr before we use another channel :)

[Kees Cook, 2012/04/12 18:56:39]

Will found a way to include the kernel's siginfo.h sanely, but that'll make
things depend on that specific siginfo.h file for builds. I think instead of
using the arch-specific REG_RAX, it'd be better to include a copy of the
kernel's siginfo structure instead, and just recast the glibc siginfo_t to the
new structure.

+  if (syscall >= 1024)
+    syscall = 0;
+  // Purposefully dereference the syscall as an address so it'll show up very
+  // clearly and easily in crash dumps.
+  volatile char* addr = reinterpret_cast<volatile char*>(syscall);
+  *addr = '\0';
+  _exit(1);
+}
+
+static void InstallSIGSYSHandler() {
+  struct sigaction sa;
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_flags = SA_SIGINFO;
+  sa.sa_sigaction = SIGSYS_Handler;
+  int ret = sigaction(SIGSYS, &sa, NULL);
+  PLOG_IF(FATAL, ret != 0) << "Failed to install SIGSYS handler.";
+}
+
+static void EmitPreamble(std::vector<struct sock_filter>* program) {
+  struct sock_filter filter;
+  // First, check syscall arch.
+  filter.code = BPF_LD+BPF_W+BPF_ABS;
+  filter.jt = 0;
+  filter.jf = 0;
+  // Offset 4 for syscall arch.
+  filter.k = 4;
+  program->push_back(filter);
+  filter.code = BPF_JMP+BPF_JEQ+BPF_K;
+  filter.jt = 1;
+  filter.jf = 0;
+  // AUDIT_ARCH_X86_64
+  filter.k = 0xc000003e;
+  program->push_back(filter);
+  filter.code = BPF_RET+BPF_K;
+  filter.jt = 0;
+  filter.jf = 0;
+  // SECCOMP_RET_KILL
+  filter.k = 0;

[Kees Cook, 2012/04/12 18:56:39]

I would use the actual SECCOMP_* defines here and later, instead of literals,
with a section at the top with the values defined. That way, once #include
<linux/seccomp.h> is possible, the defines can go away easily without needing to
check all the code.

+  program->push_back(filter);
+  filter.code = BPF_LD+BPF_W+BPF_ABS;
+  filter.jt = 0;
+  filter.jf = 0;
+  // Offset 0 for syscall number.
+  filter.k = 0;
+  program->push_back(filter);
+}
+
+static void EmitAllowSyscall(int nr, std::vector<struct sock_filter>* program) {
+  struct sock_filter filter;
+  filter.code = BPF_JMP+BPF_JEQ+BPF_K;
+  filter.jt = 0;
+  filter.jf = 1;
+  filter.k = nr;
+  program->push_back(filter);
+  filter.code = BPF_RET+BPF_K;
+  filter.jt = 0;
+  filter.jf = 0;
+  // SECCOMP_RET_ALLOW
+  filter.k = 0x7fff0000;
+  program->push_back(filter);
+}
+
+static void EmitFailSyscall(int nr, int err,
+                            std::vector<struct sock_filter>* program) {
+  struct sock_filter filter;
+  filter.code = BPF_JMP+BPF_JEQ+BPF_K;
+  filter.jt = 0;
+  filter.jf = 1;
+  filter.k = nr;
+  program->push_back(filter);
+  filter.code = BPF_RET+BPF_K;
+  filter.jt = 0;
+  filter.jf = 0;
+  // SECCOMP_RET_ERRNO
+  filter.k = 0x00050000 | err;
+  program->push_back(filter);
+}
+
+static void EmitKill(std::vector<struct sock_filter>* program) {

[Will Drewry, 2012/04/12 01:08:56]

nit: Any reason not to call it EmitLoggedKill?  Then if you add a
SECCOMP_RET_KILL call, it'll just be EmitKill :)

[Chris Evans, 2012/04/12 18:42:49]

Ah nice catch, I did previously used SECCOMP_RET_KILL but then changed to trap.
Renamed to just EmitTrap().

+  struct sock_filter filter;
+  filter.code = BPF_RET+BPF_K;
+  filter.jt = 0;
+  filter.jf = 0;
+  // SECCOMP_RET_TRAP
+  filter.k = 0x00030000;
+  program->push_back(filter);
+}
+
+static void ApplyGPUPolicy(std::vector<struct sock_filter>* program) {

[Will Drewry, 2012/04/12 01:08:56]

Is the plan to tighten this up further later?

[Markus (顧孟勤), 2012/04/12 17:51:24]

My ultimate plan for efficient syscall filtering is actually to build a tree
that does a binary search.

On the other hand, I am not sure if optimizing the way that we test for system
calls is actually worth the trouble. Has anybody bothered benchmarking this
code? Does the order of the tests show up in benchmarks?

[Chris Evans, 2012/04/12 18:42:49]

Definitely. Once we've flushed out all the corner-case syscalls, we'll start
locking down arguments.

+  // "Hot" syscalls go first.

[jln (very slow on Chromium), 2012/04/12 17:54:14]

Looks like a very good start with a positive security impact. 

We can look into tightening it more later maybe.

+  EmitAllowSyscall(__NR_read, program);
+  EmitAllowSyscall(__NR_ioctl, program);
+  EmitAllowSyscall(__NR_poll, program);
+  EmitAllowSyscall(__NR_epoll_wait, program);
+  EmitAllowSyscall(__NR_recvfrom, program);
+  EmitAllowSyscall(__NR_write, program);
+  EmitAllowSyscall(__NR_writev, program);
+  EmitAllowSyscall(__NR_gettid, program);
+
+  // Less hot syscalls.
+  EmitAllowSyscall(__NR_futex, program);
+  EmitAllowSyscall(__NR_madvise, program);
+  EmitAllowSyscall(__NR_sendmsg, program);
+  EmitAllowSyscall(__NR_recvmsg, program);
+  EmitAllowSyscall(__NR_eventfd2, program);
+  EmitAllowSyscall(__NR_pipe, program);
+  EmitAllowSyscall(__NR_mmap, program);
+  EmitAllowSyscall(__NR_mprotect, program);
+  EmitAllowSyscall(__NR_clone, program);
+  EmitAllowSyscall(__NR_set_robust_list, program);
+  EmitAllowSyscall(__NR_getuid, program);
+  EmitAllowSyscall(__NR_geteuid, program);
+  EmitAllowSyscall(__NR_getgid, program);
+  EmitAllowSyscall(__NR_getegid, program);
+  EmitAllowSyscall(__NR_epoll_create, program);
+  EmitAllowSyscall(__NR_fcntl, program);
+  EmitAllowSyscall(__NR_socketpair, program);
+  EmitAllowSyscall(__NR_epoll_ctl, program);
+  EmitAllowSyscall(__NR_prctl, program);
+  EmitAllowSyscall(__NR_fstat, program);
+  EmitAllowSyscall(__NR_close, program);
+  EmitAllowSyscall(__NR_restart_syscall, program);
+  EmitAllowSyscall(__NR_rt_sigreturn, program);
+  EmitAllowSyscall(__NR_brk, program);
+  EmitAllowSyscall(__NR_rt_sigprocmask, program);
+  EmitAllowSyscall(__NR_munmap, program);
+  EmitAllowSyscall(__NR_dup, program);
+  EmitAllowSyscall(__NR_mlock, program);
+  EmitAllowSyscall(__NR_munlock, program);
+  EmitAllowSyscall(__NR_exit, program);
+  EmitAllowSyscall(__NR_exit_group, program);
+
+  EmitFailSyscall(__NR_open, ENOENT, program);
+  EmitFailSyscall(__NR_access, ENOENT, program);
+}
+
+static bool CanUseSeccompFilters() {
+  int ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+  if (ret != 0) {
+    if (errno == EINVAL) {
+      // This is expected: not many kernels support this yet.
+      return false;
+    }
+    PLOG(FATAL) << "prctl(PR_SET_NO_NEW_PRIVS) failed";
+  }

[Will Drewry, 2012/04/12 01:08:56]

An authoritative check would be:
  ret = prctl(PR_SET_SECCOMP, 2, NULL);
  if (ret != 0 && errno == EFAULT)
    return true;
  return false;

but no_new_privs is a good guard too since it is required.  The only ugly bit is
that now your CanUse function has side effects :)

[Markus (顧孟勤), 2012/04/12 17:51:24]

If you don't mind the minimal cost of doing an extra fork(), a more thorough
test looks like this:


int Sandbox::supportsSeccompSandbox(int proc_self) {
  pid_t pid = fork();
  if (pid < 0) {
    die("Failed to check for sandbox support");
  }
  if (!pid) {
    static const struct sock_filter filter[] = {
      // If the architecture doesn't match SECCOMP_ARCH, disallow the
      // system call.
      BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct arch_seccomp_data, arch)),
      BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_ARCH, 0, 3),

      // Check the system call number. The only allowed call is exit_group()
      BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct arch_seccomp_data, nr)),
      BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_exit_group, 0, 1),
      BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
      BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),
    };

    // Try to install filter. If we succeed, return success.
    const struct sock_fprog prog = {
      ARRAYSIZE(filter),
      (struct sock_filter *)filter
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0) {
      syscall(__NR_exit_group, (intptr_t)0);
    }
    _exit(1);
  }
  int status;
  TEMP_FAILURE_RETRY(waitpid(pid, &status, 0));
  return WIFEXITED(status) && !WEXITSTATUS(status);
}

[Chris Evans, 2012/04/12 18:42:49]

Thanks! Much cleaner. I moved PR_SET_NEW_PRIVS to InstallFilter to complete the
cleanup.

[Kees Cook, 2012/04/12 18:56:39]

I wonder if the filter should test for failure instead of passing exit 0
cleanly. i.e. verify that the filter actually blocks things rather than just
installs. So, reduce it to a single statement (RET_KILL), and check
WIFSIGNALED(status) && WTERMSIG(status) == 31

+  return true;
+}
+
+static void InstallFilter(const std::vector<struct sock_filter>& program) {
+  struct sock_fprog fprog;
+  fprog.len = program.size();
+  fprog.filter = const_cast<struct sock_filter*>(&program[0]);
+
+  int ret = prctl(PR_SET_SECCOMP, 2, &fprog, 0, 0);
+  PLOG_IF(FATAL, ret != 0) << "Failed to install filter.";
+}
+
+}  // anonymous namespace
+
+namespace content {
+
+void InitializeSandbox() {
+  const CommandLine& command_line = *CommandLine::ForCurrentProcess();
+  if (command_line.HasSwitch(switches::kNoSandbox))
+    return;
+
+  std::string process_type =
+      command_line.GetSwitchValueASCII(switches::kProcessType);
+  if (process_type == switches::kGpuProcess &&
+      command_line.HasSwitch(switches::kDisableGpuSandbox))
+    return;
+
+  CheckSingleThreaded();
+
+  if (!CanUseSeccompFilters())
+    return;
+
+  std::vector<struct sock_filter> program;
+  EmitPreamble(&program);
+
+  if (process_type == switches::kGpuProcess) {
+    ApplyGPUPolicy(&program);
+  } else {
+    NOTREACHED();
+  }
+
+  EmitKill(&program);
+
+  InstallSIGSYSHandler();
+  InstallFilter(program);
+}
+
+}  // namespace content
+
+#else
+
+namespace content {
+
+void InitializeSandbox() {
+}
+
+}  // namespace content
+
+#endif
+