Block ptrace (and ptrace-like) syscalls from the renderer and worker processs.

content/common/sandbox_init_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/public/common/sandbox_init.h"
 
 #if defined(OS_LINUX) && defined(__x86_64__)
 
 #include <asm/unistd.h>
 #include <errno.h>
@@ skipping 30 matching lines @@
 #endif
 
 #ifndef __NR_readlinkat
   #define __NR_readlinkat 267
 #endif
 
 #ifndef __NR_eventfd2
   #define __NR_eventfd2 290
 #endif
 
+#ifndef __NR_process_vm_readv
+  #define __NR_process_vm_readv 310
+#endif
+
+#ifndef __NR_process_vm_writev
+  #define __NR_process_vm_writev 311
+#endif
+
 // Constants from very new header files that we can't yet include.
 #ifndef SECCOMP_MODE_FILTER
   #define SECCOMP_MODE_FILTER 2
   #define SECCOMP_RET_KILL        0x00000000U
   #define SECCOMP_RET_TRAP        0x00030000U
   #define SECCOMP_RET_ERRNO       0x00050000U
   #define SECCOMP_RET_ALLOW       0x7fff0000U
 #endif
 
 
@@ skipping 97 matching lines @@
   // "4" is magic offset for the arch number.
   EmitLoad(4, program);
   EmitJEQJT1(AUDIT_ARCH_X86_64, program);
   EmitRet(SECCOMP_RET_KILL, program);
 
   // Load the syscall number.
   // "0" is magic offset for the syscall number.
   EmitLoad(0, program);
 }
 
+static void EmitTrap(std::vector<struct sock_filter>* program) {
+  EmitRet(SECCOMP_RET_TRAP, program);
+}
+
+static void EmitAllow(std::vector<struct sock_filter>* program) {
+  EmitRet(SECCOMP_RET_ALLOW, program);
+}
+
 static void EmitAllowSyscall(int nr, std::vector<struct sock_filter>* program) {
   EmitJEQJF(nr, 1, program);
-  EmitRet(SECCOMP_RET_ALLOW, program);
+  EmitAllow(program);
+}
+
+static void EmitDenySyscall(int nr, std::vector<struct sock_filter>* program) {
+  EmitJEQJF(nr, 1, program);
+  EmitTrap(program);
 }
 
 static void EmitAllowSyscallArgN(int nr,
                                  int arg_nr,
                                  int arg_val,
                                  std::vector<struct sock_filter>* program) {
   // Jump forward 4 on no-match so that we also skip the unneccessary reload of
   // syscall_nr. (It is unneccessary because we have not trashed it yet.)
   EmitJEQJF(nr, 4, program);
   EmitLoadArg(arg_nr, program);
   EmitJEQJF(arg_val, 1, program);
-  EmitRet(SECCOMP_RET_ALLOW, program);
+  EmitAllow(program);
   // We trashed syscall_nr so put it back in the accumulator.
   EmitLoad(0, program);
 }
 
 static void EmitFailSyscall(int nr, int err,
                             std::vector<struct sock_filter>* program) {
   EmitJEQJF(nr, 1, program);
   EmitRet(SECCOMP_RET_ERRNO | err, program);
 }
 
-static void EmitTrap(std::vector<struct sock_filter>* program) {
-  EmitRet(SECCOMP_RET_TRAP, program);
-}
-
 // TODO(cevans) -- only really works as advertised once we restrict clone()
 // to CLONE_THREAD.
 static void EmitAllowSignalSelf(std::vector<struct sock_filter>* program) {
   EmitAllowSyscallArgN(__NR_kill, 1, getpid(), program);
   EmitAllowSyscallArgN(__NR_tgkill, 1, getpid(), program);
 }
 
 static void EmitAllowGettime(std::vector<struct sock_filter>* program) {
   EmitAllowSyscall(__NR_clock_gettime, program);
   EmitAllowSyscall(__NR_gettimeofday, program);
@@ skipping 119 matching lines @@
   EmitAllowSignalSelf(program);
 
   // These are under investigation, and hopefully not here for the long term.
   EmitAllowSyscall(__NR_shmctl, program);
   EmitAllowSyscall(__NR_shmat, program);
   EmitAllowSyscall(__NR_shmdt, program);
 
   EmitSetupEmptyFileSystem(program);
 }
 
+static void ApplyNoPtracePolicy(std::vector<struct sock_filter>* program) {
+  EmitDenySyscall(__NR_ptrace, program);
+  EmitDenySyscall(__NR_process_vm_readv, program);
+  EmitDenySyscall(__NR_process_vm_writev, program);

[jln (very slow on Chromium), 2012/06/01 18:34:37]

Not a huge deal, but maybe add move_pages and migrate_pages as well ?

+}
+
 static bool CanUseSeccompFilters() {
   int ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, 0, 0, 0);
   if (ret != 0 && errno == EFAULT)
     return true;
   return false;
 }
 
 static void InstallFilter(const std::vector<struct sock_filter>& program) {
   int ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
   PLOG_IF(FATAL, ret != 0) << "prctl(PR_SET_NO_NEW_PRIVS) failed";
@@ skipping 27 matching lines @@
 
   CheckSingleThreaded();
 
   std::vector<struct sock_filter> program;
   EmitPreamble(&program);
 
   if (process_type == switches::kGpuProcess) {
     ApplyGPUPolicy(&program);
   } else if (process_type == switches::kPpapiPluginProcess) {
     ApplyFlashPolicy(&program);
+  } else if (process_type == switches::kRendererProcess ||
+             process_type == switches::kWorkerProcess) {
+    ApplyNoPtracePolicy(&program);
   } else {

[jln (very slow on Chromium), 2012/06/01 18:34:37]

This whole section (up to line 418) is becoming difficult to read.

Maybe have a switch statement to make it clear in one place what programs are
generated for each case?

     NOTREACHED();
   }
 
-  EmitTrap(&program);
+  if (process_type == switches::kRendererProcess ||
+      process_type == switches::kWorkerProcess) {
+    EmitAllow(&program);
+  } else {
+    EmitTrap(&program);
+  }
 
   InstallSIGSYSHandler();
   InstallFilter(program);
 }
 
 }  // namespace content
 
 #else
 
 namespace content {
 
 void InitializeSandbox() {
 }
 
 }  // namespace content
 
 #endif