Chromium Code Reviews| Index: content/common/sandbox_init_linux.cc |
| =================================================================== |
| --- content/common/sandbox_init_linux.cc (revision 139969) |
| +++ content/common/sandbox_init_linux.cc (working copy) |
| @@ -48,6 +48,14 @@ |
| #define __NR_eventfd2 290 |
| #endif |
| +#ifndef __NR_process_vm_readv |
| + #define __NR_process_vm_readv 310 |
| +#endif |
| + |
| +#ifndef __NR_process_vm_writev |
| + #define __NR_process_vm_writev 311 |
| +#endif |
| + |
| // Constants from very new header files that we can't yet include. |
| #ifndef SECCOMP_MODE_FILTER |
| #define SECCOMP_MODE_FILTER 2 |
| @@ -165,11 +173,24 @@ |
| EmitLoad(0, program); |
| } |
| +static void EmitTrap(std::vector<struct sock_filter>* program) { |
| + EmitRet(SECCOMP_RET_TRAP, program); |
| +} |
| + |
| +static void EmitAllow(std::vector<struct sock_filter>* program) { |
| + EmitRet(SECCOMP_RET_ALLOW, program); |
| +} |
| + |
| static void EmitAllowSyscall(int nr, std::vector<struct sock_filter>* program) { |
| EmitJEQJF(nr, 1, program); |
| - EmitRet(SECCOMP_RET_ALLOW, program); |
| + EmitAllow(program); |
| } |
| +static void EmitDenySyscall(int nr, std::vector<struct sock_filter>* program) { |
| + EmitJEQJF(nr, 1, program); |
| + EmitTrap(program); |
| +} |
| + |
| static void EmitAllowSyscallArgN(int nr, |
| int arg_nr, |
| int arg_val, |
| @@ -179,7 +200,7 @@ |
| EmitJEQJF(nr, 4, program); |
| EmitLoadArg(arg_nr, program); |
| EmitJEQJF(arg_val, 1, program); |
| - EmitRet(SECCOMP_RET_ALLOW, program); |
| + EmitAllow(program); |
| // We trashed syscall_nr so put it back in the accumulator. |
| EmitLoad(0, program); |
| } |
| @@ -190,10 +211,6 @@ |
| EmitRet(SECCOMP_RET_ERRNO | err, program); |
| } |
| -static void EmitTrap(std::vector<struct sock_filter>* program) { |
| - EmitRet(SECCOMP_RET_TRAP, program); |
| -} |
| - |
| // TODO(cevans) -- only really works as advertised once we restrict clone() |
| // to CLONE_THREAD. |
| static void EmitAllowSignalSelf(std::vector<struct sock_filter>* program) { |
| @@ -333,6 +350,12 @@ |
| EmitSetupEmptyFileSystem(program); |
| } |
| +static void ApplyNoPtracePolicy(std::vector<struct sock_filter>* program) { |
| + EmitDenySyscall(__NR_ptrace, program); |
| + EmitDenySyscall(__NR_process_vm_readv, program); |
| + EmitDenySyscall(__NR_process_vm_writev, program); |
|
jln (very slow on Chromium)
2012/06/01 18:34:37
Not a huge deal, but maybe add move_pages and migr
|
| +} |
| + |
| static bool CanUseSeccompFilters() { |
| int ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, 0, 0, 0); |
| if (ret != 0 && errno == EFAULT) |
| @@ -380,11 +403,19 @@ |
| ApplyGPUPolicy(&program); |
| } else if (process_type == switches::kPpapiPluginProcess) { |
| ApplyFlashPolicy(&program); |
| + } else if (process_type == switches::kRendererProcess || |
| + process_type == switches::kWorkerProcess) { |
| + ApplyNoPtracePolicy(&program); |
| } else { |
|
jln (very slow on Chromium)
2012/06/01 18:34:37
This whole section (up to line 418) is becoming di
|
| NOTREACHED(); |
| } |
| - EmitTrap(&program); |
| + if (process_type == switches::kRendererProcess || |
| + process_type == switches::kWorkerProcess) { |
| + EmitAllow(&program); |
| + } else { |
| + EmitTrap(&program); |
| + } |
| InstallSIGSYSHandler(); |
| InstallFilter(program); |
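Review bot: The fallback values `#define __NR_process_vm_readv 310` and `#define __NR_process_vm_writev 311` in the first hunk are the x86-64 syscall numbers; on any ABI where the headers lack these macros but number the syscalls differently, `EmitDenySyscall` would trap an unrelated syscall and the real process_vm_readv/writev would fall through to the renderer's default `EmitAllow` in the last hunk. The existing `__NR_eventfd2 290` fallback follows the same convention, so the file is presumably x86-64-only already; if that guard lives outside this diff, a comment beside the new defines, `// x86-64 syscall numbers; this file is only built for that ABI.`, would make the assumption visible where the numbers are. ApplyNoPtracePolicy in the fourth hunk is also easy to misread as an allow-list when it is a deny-list whose default disposition is chosen by the caller, so a header comment such as `// Deny-list: only the syscalls trapped here are blocked; the caller emits the default action.` is worth adding. The function containing the last hunk begins outside the hunk.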