| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" | 5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <fcntl.h> | 9 #include <fcntl.h> |
| 10 #include <linux/net.h> | 10 #include <linux/net.h> |
| (...skipping 15 matching lines...) Expand all Loading... |
| 26 #if defined(OS_ANDROID) | 26 #if defined(OS_ANDROID) |
| 27 #if !defined(F_DUPFD_CLOEXEC) | 27 #if !defined(F_DUPFD_CLOEXEC) |
| 28 #define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6) | 28 #define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6) |
| 29 #endif | 29 #endif |
| 30 #endif | 30 #endif |
| 31 | 31 |
| 32 #if defined(__arm__) && !defined(MAP_STACK) | 32 #if defined(__arm__) && !defined(MAP_STACK) |
| 33 #define MAP_STACK 0x20000 // Daisy build environment has old headers. | 33 #define MAP_STACK 0x20000 // Daisy build environment has old headers. |
| 34 #endif | 34 #endif |
| 35 | 35 |
| 36 using playground2::arch_seccomp_data; | |
| 37 using playground2::ErrorCode; | |
| 38 using playground2::Sandbox; | |
| 39 | |
| 40 namespace { | 36 namespace { |
| 41 | 37 |
| 42 inline bool RunningOnASAN() { | 38 inline bool RunningOnASAN() { |
| 43 #if defined(ADDRESS_SANITIZER) | 39 #if defined(ADDRESS_SANITIZER) |
| 44 return true; | 40 return true; |
| 45 #else | 41 #else |
| 46 return false; | 42 return false; |
| 47 #endif | 43 #endif |
| 48 } | 44 } |
| 49 | 45 |
| (...skipping 10 matching lines...) Expand all Loading... |
| 60 return true; | 56 return true; |
| 61 #else | 57 #else |
| 62 return false; | 58 return false; |
| 63 #endif | 59 #endif |
| 64 } | 60 } |
| 65 | 61 |
| 66 } // namespace. | 62 } // namespace. |
| 67 | 63 |
| 68 namespace sandbox { | 64 namespace sandbox { |
| 69 | 65 |
| 70 ErrorCode RestrictCloneToThreadsAndEPERMFork(Sandbox* sandbox) { | 66 ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox) { |
| 71 // Glibc's pthread. | 67 // Glibc's pthread. |
| 72 if (!RunningOnASAN()) { | 68 if (!RunningOnASAN()) { |
| 73 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | 69 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 74 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | | 70 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | |
| 75 CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | | 71 CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | |
| 76 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID, | 72 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID, |
| 77 ErrorCode(ErrorCode::ERR_ALLOWED), | 73 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 78 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | 74 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 79 CLONE_PARENT_SETTID | SIGCHLD, | 75 CLONE_PARENT_SETTID | SIGCHLD, |
| 80 ErrorCode(EPERM), | 76 ErrorCode(EPERM), |
| 81 // ARM | 77 // ARM |
| 82 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | 78 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 83 CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD, | 79 CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD, |
| 84 ErrorCode(EPERM), | 80 ErrorCode(EPERM), |
| 85 sandbox->Trap(SIGSYSCloneFailure, NULL)))); | 81 sandbox->Trap(SIGSYSCloneFailure, NULL)))); |
| 86 } else { | 82 } else { |
| 87 return ErrorCode(ErrorCode::ERR_ALLOWED); | 83 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 88 } | 84 } |
| 89 } | 85 } |
| 90 | 86 |
| 91 ErrorCode RestrictPrctl(Sandbox* sandbox) { | 87 ErrorCode RestrictPrctl(SandboxBPF* sandbox) { |
| 92 // Will need to add seccomp compositing in the future. PR_SET_PTRACER is | 88 // Will need to add seccomp compositing in the future. PR_SET_PTRACER is |
| 93 // used by breakpad but not needed anymore. | 89 // used by breakpad but not needed anymore. |
| 94 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | 90 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 95 PR_SET_NAME, ErrorCode(ErrorCode::ERR_ALLOWED), | 91 PR_SET_NAME, ErrorCode(ErrorCode::ERR_ALLOWED), |
| 96 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | 92 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 97 PR_SET_DUMPABLE, ErrorCode(ErrorCode::ERR_ALLOWED), | 93 PR_SET_DUMPABLE, ErrorCode(ErrorCode::ERR_ALLOWED), |
| 98 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | 94 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 99 PR_GET_DUMPABLE, ErrorCode(ErrorCode::ERR_ALLOWED), | 95 PR_GET_DUMPABLE, ErrorCode(ErrorCode::ERR_ALLOWED), |
| 100 sandbox->Trap(SIGSYSPrctlFailure, NULL)))); | 96 sandbox->Trap(SIGSYSPrctlFailure, NULL)))); |
| 101 } | 97 } |
| 102 | 98 |
| 103 ErrorCode RestrictIoctl(Sandbox* sandbox) { | 99 ErrorCode RestrictIoctl(SandboxBPF* sandbox) { |
| 104 return sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, TCGETS, | 100 return sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, TCGETS, |
| 105 ErrorCode(ErrorCode::ERR_ALLOWED), | 101 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 106 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, FIONREAD, | 102 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, FIONREAD, |
| 107 ErrorCode(ErrorCode::ERR_ALLOWED), | 103 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 108 sandbox->Trap(SIGSYSIoctlFailure, NULL))); | 104 sandbox->Trap(SIGSYSIoctlFailure, NULL))); |
| 109 } | 105 } |
| 110 | 106 |
| 111 ErrorCode RestrictMmapFlags(Sandbox* sandbox) { | 107 ErrorCode RestrictMmapFlags(SandboxBPF* sandbox) { |
| 112 // The flags you see are actually the allowed ones, and the variable is a | 108 // The flags you see are actually the allowed ones, and the variable is a |
| 113 // "denied" mask because of the negation operator. | 109 // "denied" mask because of the negation operator. |
| 114 // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as | 110 // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as |
| 115 // MAP_POPULATE. | 111 // MAP_POPULATE. |
| 116 // TODO(davidung), remove MAP_DENYWRITE with updated Tegra libraries. | 112 // TODO(davidung), remove MAP_DENYWRITE with updated Tegra libraries. |
| 117 uint32_t denied_mask = ~(MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | | 113 uint32_t denied_mask = ~(MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | |
| 118 MAP_STACK | MAP_NORESERVE | MAP_FIXED | | 114 MAP_STACK | MAP_NORESERVE | MAP_FIXED | |
| 119 MAP_DENYWRITE); | 115 MAP_DENYWRITE); |
| 120 return sandbox->Cond(3, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, | 116 return sandbox->Cond(3, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, |
| 121 denied_mask, | 117 denied_mask, |
| 122 sandbox->Trap(CrashSIGSYS_Handler, NULL), | 118 sandbox->Trap(CrashSIGSYS_Handler, NULL), |
| 123 ErrorCode(ErrorCode::ERR_ALLOWED)); | 119 ErrorCode(ErrorCode::ERR_ALLOWED)); |
| 124 } | 120 } |
| 125 | 121 |
| 126 ErrorCode RestrictMprotectFlags(Sandbox* sandbox) { | 122 ErrorCode RestrictMprotectFlags(SandboxBPF* sandbox) { |
| 127 // The flags you see are actually the allowed ones, and the variable is a | 123 // The flags you see are actually the allowed ones, and the variable is a |
| 128 // "denied" mask because of the negation operator. | 124 // "denied" mask because of the negation operator. |
| 129 // Significantly, we don't permit weird undocumented flags such as | 125 // Significantly, we don't permit weird undocumented flags such as |
| 130 // PROT_GROWSDOWN. | 126 // PROT_GROWSDOWN. |
| 131 uint32_t denied_mask = ~(PROT_READ | PROT_WRITE | PROT_EXEC); | 127 uint32_t denied_mask = ~(PROT_READ | PROT_WRITE | PROT_EXEC); |
| 132 return sandbox->Cond(2, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, | 128 return sandbox->Cond(2, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, |
| 133 denied_mask, | 129 denied_mask, |
| 134 sandbox->Trap(CrashSIGSYS_Handler, NULL), | 130 sandbox->Trap(CrashSIGSYS_Handler, NULL), |
| 135 ErrorCode(ErrorCode::ERR_ALLOWED)); | 131 ErrorCode(ErrorCode::ERR_ALLOWED)); |
| 136 } | 132 } |
| 137 | 133 |
| 138 ErrorCode RestrictFcntlCommands(Sandbox* sandbox) { | 134 ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox) { |
| 139 // We also restrict the flags in F_SETFL. We don't want to permit flags with | 135 // We also restrict the flags in F_SETFL. We don't want to permit flags with |
| 140 // a history of trouble such as O_DIRECT. The flags you see are actually the | 136 // a history of trouble such as O_DIRECT. The flags you see are actually the |
| 141 // allowed ones, and the variable is a "denied" mask because of the negation | 137 // allowed ones, and the variable is a "denied" mask because of the negation |
| 142 // operator. | 138 // operator. |
| 143 // Glibc overrides the kernel's O_LARGEFILE value. Account for this. | 139 // Glibc overrides the kernel's O_LARGEFILE value. Account for this. |
| 144 int kOLargeFileFlag = O_LARGEFILE; | 140 int kOLargeFileFlag = O_LARGEFILE; |
| 145 if (IsArchitectureX86_64() || IsArchitectureI386()) | 141 if (IsArchitectureX86_64() || IsArchitectureI386()) |
| 146 kOLargeFileFlag = 0100000; | 142 kOLargeFileFlag = 0100000; |
| 147 | 143 |
| 148 // TODO(jln): add TP_LONG/TP_SIZET types. | 144 // TODO(jln): add TP_LONG/TP_SIZET types. |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 183 sandbox->Cond(1, ErrorCode::TP_32BIT, | 179 sandbox->Cond(1, ErrorCode::TP_32BIT, |
| 184 ErrorCode::OP_EQUAL, F_GETLK, | 180 ErrorCode::OP_EQUAL, F_GETLK, |
| 185 ErrorCode(ErrorCode::ERR_ALLOWED), | 181 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 186 sandbox->Cond(1, ErrorCode::TP_32BIT, | 182 sandbox->Cond(1, ErrorCode::TP_32BIT, |
| 187 ErrorCode::OP_EQUAL, F_DUPFD_CLOEXEC, | 183 ErrorCode::OP_EQUAL, F_DUPFD_CLOEXEC, |
| 188 ErrorCode(ErrorCode::ERR_ALLOWED), | 184 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 189 sandbox->Trap(CrashSIGSYS_Handler, NULL)))))))))); | 185 sandbox->Trap(CrashSIGSYS_Handler, NULL)))))))))); |
| 190 } | 186 } |
| 191 | 187 |
| 192 #if defined(__i386__) | 188 #if defined(__i386__) |
| 193 ErrorCode RestrictSocketcallCommand(Sandbox* sandbox) { | 189 ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox) { |
| 194 // Unfortunately, we are unable to restrict the first parameter to | 190 // Unfortunately, we are unable to restrict the first parameter to |
| 195 // socketpair(2). Whilst initially sounding bad, it's noteworthy that very | 191 // socketpair(2). Whilst initially sounding bad, it's noteworthy that very |
| 196 // few protocols actually support socketpair(2). The scary call that we're | 192 // few protocols actually support socketpair(2). The scary call that we're |
| 197 // worried about, socket(2), remains blocked. | 193 // worried about, socket(2), remains blocked. |
| 198 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | 194 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 199 SYS_SOCKETPAIR, ErrorCode(ErrorCode::ERR_ALLOWED), | 195 SYS_SOCKETPAIR, ErrorCode(ErrorCode::ERR_ALLOWED), |
| 200 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | 196 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 201 SYS_SEND, ErrorCode(ErrorCode::ERR_ALLOWED), | 197 SYS_SEND, ErrorCode(ErrorCode::ERR_ALLOWED), |
| 202 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | 198 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 203 SYS_RECV, ErrorCode(ErrorCode::ERR_ALLOWED), | 199 SYS_RECV, ErrorCode(ErrorCode::ERR_ALLOWED), |
| 204 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | 200 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 205 SYS_SENDTO, ErrorCode(ErrorCode::ERR_ALLOWED), | 201 SYS_SENDTO, ErrorCode(ErrorCode::ERR_ALLOWED), |
| 206 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | 202 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 207 SYS_RECVFROM, ErrorCode(ErrorCode::ERR_ALLOWED), | 203 SYS_RECVFROM, ErrorCode(ErrorCode::ERR_ALLOWED), |
| 208 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | 204 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 209 SYS_SHUTDOWN, ErrorCode(ErrorCode::ERR_ALLOWED), | 205 SYS_SHUTDOWN, ErrorCode(ErrorCode::ERR_ALLOWED), |
| 210 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | 206 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 211 SYS_SENDMSG, ErrorCode(ErrorCode::ERR_ALLOWED), | 207 SYS_SENDMSG, ErrorCode(ErrorCode::ERR_ALLOWED), |
| 212 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | 208 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 213 SYS_RECVMSG, ErrorCode(ErrorCode::ERR_ALLOWED), | 209 SYS_RECVMSG, ErrorCode(ErrorCode::ERR_ALLOWED), |
| 214 ErrorCode(EPERM))))))))); | 210 ErrorCode(EPERM))))))))); |
| 215 } | 211 } |
| 216 #endif | 212 #endif |
| 217 | 213 |
| 218 } // namespace sandbox. | 214 } // namespace sandbox. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 101773003:
Linux sandbox: cleanup sandbox-bpf naming. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src