Side by Side Diff: content/common/sandbox_init_linux.cc

Issue 10105009: Apply an initial seccomp filter policy for Pepper Flash. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 8 years, 8 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/public/common/sandbox_init.h" 5 #include "content/public/common/sandbox_init.h"
6 6
7 #if defined(OS_LINUX) && defined(__x86_64__) 7 #if defined(OS_LINUX) && defined(__x86_64__)
8 8
9 #include <asm/unistd.h> 9 #include <asm/unistd.h>
10 #include <errno.h> 10 #include <errno.h>
(...skipping 176 matching lines...) Expand 10 before | Expand all | Expand 10 after
187 EmitAllowSyscall(__NR_dup, program); 187 EmitAllowSyscall(__NR_dup, program);
188 EmitAllowSyscall(__NR_mlock, program); 188 EmitAllowSyscall(__NR_mlock, program);
189 EmitAllowSyscall(__NR_munlock, program); 189 EmitAllowSyscall(__NR_munlock, program);
190 EmitAllowSyscall(__NR_exit, program); 190 EmitAllowSyscall(__NR_exit, program);
191 EmitAllowSyscall(__NR_exit_group, program); 191 EmitAllowSyscall(__NR_exit_group, program);
192 192
193 EmitFailSyscall(__NR_open, ENOENT, program); 193 EmitFailSyscall(__NR_open, ENOENT, program);
194 EmitFailSyscall(__NR_access, ENOENT, program); 194 EmitFailSyscall(__NR_access, ENOENT, program);
195 } 195 }
196 196
197 static void ApplyFlashPolicy(std::vector<struct sock_filter>* program) {
198 // "Hot" syscalls go first.
199 EmitAllowSyscall(__NR_futex, program);
200 EmitAllowSyscall(__NR_write, program);
201 EmitAllowSyscall(__NR_epoll_wait, program);
202 EmitAllowSyscall(__NR_read, program);
203 EmitAllowSyscall(__NR_times, program);
204
205 // Less hot syscalls.
206 EmitAllowSyscall(__NR_clone, program);
207 EmitAllowSyscall(__NR_set_robust_list, program);
208 EmitAllowSyscall(__NR_getuid, program);
209 EmitAllowSyscall(__NR_geteuid, program);
210 EmitAllowSyscall(__NR_getgid, program);
211 EmitAllowSyscall(__NR_getegid, program);
212 EmitAllowSyscall(__NR_epoll_create, program);
213 EmitAllowSyscall(__NR_fcntl, program);
214 EmitAllowSyscall(__NR_socketpair, program);
215 EmitAllowSyscall(__NR_pipe, program);
216 EmitAllowSyscall(__NR_epoll_ctl, program);
217 EmitAllowSyscall(__NR_gettid, program);
218 EmitAllowSyscall(__NR_prctl, program);
219 EmitAllowSyscall(__NR_fstat, program);
220 EmitAllowSyscall(__NR_sendmsg, program);
221 EmitAllowSyscall(__NR_mmap, program);
222 EmitAllowSyscall(__NR_munmap, program);
223 EmitAllowSyscall(__NR_mprotect, program);
224 EmitAllowSyscall(__NR_madvise, program);
225 EmitAllowSyscall(__NR_rt_sigaction, program);
226 EmitAllowSyscall(__NR_rt_sigprocmask, program);
227 EmitAllowSyscall(__NR_wait4, program);
228 EmitAllowSyscall(__NR_exit_group, program);
229 EmitAllowSyscall(__NR_exit, program);
230 EmitAllowSyscall(__NR_rt_sigreturn, program);
231 EmitAllowSyscall(__NR_restart_syscall, program);
232 EmitAllowSyscall(__NR_close, program);
233 EmitAllowSyscall(__NR_recvmsg, program);
234 EmitAllowSyscall(__NR_lseek, program);
235 EmitAllowSyscall(__NR_brk, program);
236 EmitAllowSyscall(__NR_sched_yield, program);
237
238 // These are under investigation, and hopefully not here for the long term.
Markus (顧孟勤) 2012/04/16 22:09:23 SysV shared memory is really broken and dangerous
239 EmitAllowSyscall(__NR_shmctl, program);
240 EmitAllowSyscall(__NR_shmat, program);
241 EmitAllowSyscall(__NR_shmdt, program);
242
243 EmitFailSyscall(__NR_open, ENOENT, program);
Markus (顧孟勤) 2012/04/16 22:09:23 Why do you need to explicitly fail some system cal
Kees Cook 2012/04/16 22:13:35 AIUI, the difference here is between "Fail" and "K
244 EmitFailSyscall(__NR_execve, ENOENT, program);
245 EmitFailSyscall(__NR_access, ENOENT, program);
246 }
247
197 static bool CanUseSeccompFilters() { 248 static bool CanUseSeccompFilters() {
198 int ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, 0, 0, 0); 249 int ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, 0, 0, 0);
199 if (ret != 0 && errno == EFAULT) 250 if (ret != 0 && errno == EFAULT)
200 return true; 251 return true;
201 return false; 252 return false;
202 } 253 }
203 254
204 static void InstallFilter(const std::vector<struct sock_filter>& program) { 255 static void InstallFilter(const std::vector<struct sock_filter>& program) {
205 int ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 256 int ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
206 PLOG_IF(FATAL, ret != 0) << "prctl(PR_SET_NO_NEW_PRIVS) failed"; 257 PLOG_IF(FATAL, ret != 0) << "prctl(PR_SET_NO_NEW_PRIVS) failed";
(...skipping 24 matching lines...) Expand all
231 if (!CanUseSeccompFilters()) 282 if (!CanUseSeccompFilters())
232 return; 283 return;
233 284
234 CheckSingleThreaded(); 285 CheckSingleThreaded();
235 286
236 std::vector<struct sock_filter> program; 287 std::vector<struct sock_filter> program;
237 EmitPreamble(&program); 288 EmitPreamble(&program);
238 289
239 if (process_type == switches::kGpuProcess) { 290 if (process_type == switches::kGpuProcess) {
240 ApplyGPUPolicy(&program); 291 ApplyGPUPolicy(&program);
292 } else if (process_type == switches::kPpapiPluginProcess) {
293 ApplyFlashPolicy(&program);
241 } else { 294 } else {
242 NOTREACHED(); 295 NOTREACHED();
243 } 296 }
244 297
245 EmitTrap(&program); 298 EmitTrap(&program);
246 299
247 InstallSIGSYSHandler(); 300 InstallSIGSYSHandler();
248 InstallFilter(program); 301 InstallFilter(program);
249 } 302 }
250 303
251 } // namespace content 304 } // namespace content
252 305
253 #else 306 #else
254 307
255 namespace content { 308 namespace content {
256 309
257 void InitializeSandbox() { 310 void InitializeSandbox() {
258 } 311 }
259 312
260 } // namespace content 313 } // namespace content
261 314
262 #endif 315 #endif
263 316
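Review bot: ApplyFlashPolicy admits clone (line 206) and prctl (line 218) on syscall number alone, with no constraint on their arguments; EmitAllowSyscall's definition is outside this view, but nothing in the hunk inspects the seccomp_data argument fields. An unrestricted clone lets a compromised plugin create full child processes with any flag combination rather than only threads, and an unrestricted prctl exposes the whole prctl option space to the sandboxed code, a larger surface than the threading and signal-mask use the rest of this list suggests. Seccomp-BPF can load syscall arguments, so these two entries should be narrowed to the flag sets Flash actually uses, or at least flagged as known gaps next to the shm entries: `// TODO: restrict clone to thread-creation flag combinations and prctl to the specific options Flash needs (argument filtering).` mmap/mprotect are likewise unconstrained, but executable mappings are presumably required by the plugin, so that is the weaker point.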