Initial snapshot of the new BPF-enabled seccomp sandbox. This code is

sandbox/linux/seccomp_bpf/sandbox_bpf.cc

Index: sandbox/linux/seccomp_bpf/sandbox_bpf.cc
===================================================================
--- sandbox/linux/seccomp_bpf/sandbox_bpf.cc	(revision 0)
+++ sandbox/linux/seccomp_bpf/sandbox_bpf.cc	(revision 0)
@@ -0,0 +1,238 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox_bpf.h"
+
+
+namespace playground2 {

[jln (very slow on Chromium), 2012/05/31 21:01:05]

Don't forget to change it

+
+int Sandbox::supportsSeccompSandbox(int proc_fd) {
+  if (status_ == STATUS_UNKNOWN) {
+    if (!isSingleThreaded(proc_fd)) {
+      status_ = STATUS_UNSUPPORTED;
+    } else {
+      pid_t pid = fork();
+      if (pid < 0) {
+        die("Failed to check for sandbox support");

[jln (very slow on Chromium), 2012/05/31 21:01:05]

I really don't think we should die here. supports should not make you die,
that's the point, isn't it ?

Now, agreed if we can't fork we're going to have some issues, but I would rather
let core Chrome code fail and handle that.

+      }
+      if (!pid) {
+        static const struct sock_filter filter[] = {
+          // If the architecture doesn't match SECCOMP_ARCH, disallow the
+          // system call.
+          BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
+                   offsetof(struct arch_seccomp_data, arch)),
+          BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_ARCH, 0, 3),
+
+          // Check the system call number. The only allowed call are getpid()
+          // and exit_group()
+          BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
+                   offsetof(struct arch_seccomp_data,  nr)),
+          BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_getpid, 2, 1),
+          BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_exit_group, 0, 2),

[jln (very slow on Chromium), 2012/05/31 21:01:05]

Should we rather use your normal API to install a filter?

Should we block all signals? Merely getting a signal for which there is a
handler would get us killed since we don't have *sigreturn.

+          BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+          BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | EPERM),
+          BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),
+        };
+
+        // Try to install filter. If we succeed, return success.
+        const struct sock_fprog prog = {
+          ARRAYSIZE(filter),
+          (struct sock_filter *)filter
+        };
+        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&
+            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 &&
+            syscall(__NR_getpid) == -1 && errno == EPERM) {
+          syscall(__NR_exit_group, (intptr_t)0);
+        }
+        _exit(1);
+      }
+      int status;
+      TEMP_FAILURE_RETRY(waitpid(pid, &status, 0));

[jln (very slow on Chromium), 2012/05/31 21:01:05]

Very minor: Chrome seems to use HANDLE_EINTR

+      status_ = WIFEXITED(status) && !WEXITSTATUS(status)
+        ? STATUS_AVAILABLE : STATUS_UNSUPPORTED;
+    }
+  }
+  return status_ == STATUS_AVAILABLE;
+}
+
+void Sandbox::setProcFd(int proc_fd) {
+  proc_fd_ = proc_fd;
+}
+
+void Sandbox::startSandbox() {
+  if (status_ == STATUS_UNSUPPORTED) {
+    die("Trying to start sandbox, even though it is known to be unavailable");
+  }
+  if (proc_fd_ < 0) {
+    proc_fd_ = open("/proc", O_RDONLY|O_DIRECTORY);
+  }
+  if (proc_fd_ < 0) {
+    // For now, continue in degraded mode, if we can't access /proc.
+    // In the future, we might want to tighten this requirement.
+  }
+  if (!isSingleThreaded(proc_fd_)) {
+    die("Cannot start sandbox, if process is already multi-threaded");
+  }
+  installFilter();
+
+  // We no longer need access to any files in /proc
+  if (proc_fd_ >= 0) {
+    if (TEMP_FAILURE_RETRY(close(proc_fd_))) {
+      die("Failed to close file descriptor for /proc");
+    }
+    proc_fd_ = -1;
+  }
+}
+
+bool Sandbox::isSingleThreaded(int proc_fd) {
+  if (proc_fd < 0) {
+    // Cannot determine whether program is single-threaded. Hope for
+    // the best...
+    return true;
+  }
+
+  struct stat sb;
+  int task = -1;
+  if (proc_fd < 0 ||
+      (task = openat(proc_fd, "self/task", O_RDONLY|O_DIRECTORY)) < 0 ||
+      fstat(task, &sb) != 0 ||
+      sb.st_nlink != 3 ||
+      TEMP_FAILURE_RETRY(close(task))) {
+    if (task >= 0) {
+      TEMP_FAILURE_RETRY(close(task));
+    }
+    return false;
+  }
+  return true;
+}
+
+void Sandbox::setSandboxPolicy(EvaluateSyscall syscallEvaluator,
+                               EvaluateArguments argumentEvaluator) {
+  evaluators_.push_back(std::make_pair<EvaluateSyscall, EvaluateArguments>(
+    syscallEvaluator, argumentEvaluator));
+}
+
+void Sandbox::installFilter() {
+  // Verify that the user pushed a policy.
+  if (evaluators_.empty()) {
+  filter_failed:

[jln (very slow on Chromium), 2012/05/31 21:01:05]

Minor: Do you mind putting this label at the end? I find it much easier to
review when stuff that exits without return: is at the end.

+    die("Failed to configure system call filters");
+  }
+
+  // Set new SIGSYS handler
+  struct sigaction sa;
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_sigaction = &sigSys;
+  sa.sa_flags = SA_SIGINFO;
+  if (sigaction(SIGSYS, &sa, NULL) < 0) {
+    goto filter_failed;
+  }
+
+  // Unmask SIGSYS
+  sigset_t mask;
+  sigemptyset(&mask);
+  sigaddset(&mask, SIGSYS);
+  if (sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
+    goto filter_failed;
+  }
+
+  // We can't handle stacked evaluators, yet. We'll get there eventually
+  // though. Hang tight.
+  if (evaluators_.size() != 1) {
+    die("Not implemented");
+  }
+
+  // If the architecture doesn't match SECCOMP_ARCH, disallow the
+  // system call.
+  std::vector<struct sock_filter> program;
+  program.push_back((struct sock_filter)
+                    BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
+                             offsetof(struct arch_seccomp_data, arch)));
+  program.push_back((struct sock_filter)
+    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_ARCH, 1, 0));
+  program.push_back((struct sock_filter)
+    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_DENY));
+
+  // Grab the system call number, so that we can implement jump tables.
+  program.push_back((struct sock_filter)
+    BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct arch_seccomp_data, nr)));
+
+  // Evaluate all possible system calls and depending on their
+  // exit codes generate a BPF filter.
+  // This is very inefficient right now. We need to be much smarter
+  // eventually.
+  EvaluateSyscall evaluateSyscall = evaluators_.begin()->first;
+  for (int sysnum = 0; sysnum <= MAX_SYSCALL; ++sysnum) {
+    ErrorCode err = evaluateSyscall(sysnum);
+    int ret;
+    switch (err) {
+    case SB_INSPECT_ARG_1...SB_INSPECT_ARG_6:

[jln (very slow on Chromium), 2012/05/31 21:01:05]

We'll need SB_INSPECT_ARG1 for Chris' policy because of kill().
If that's the only show stopper, we can probably live without it and allow
kill() unrestricted for now.

+      die("Not implemented");
+    case SB_TRAP:
+      ret = SECCOMP_RET_TRAP;
+      break;
+    case SB_ALLOWED:
+      ret = SECCOMP_RET_ALLOW;
+      break;
+    default:
+      ret = SECCOMP_RET_ERRNO + err;
+      break;
+    }
+    program.push_back((struct sock_filter)
+      BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, sysnum, 0, 1));
+    program.push_back((struct sock_filter)
+      BPF_STMT(BPF_RET+BPF_K, ret));
+  }
+
+  // Everything that isn't allowed is forbidden. Eventually, we would
+  // like to have a way to log forbidden calls, when in debug mode.
+  program.push_back((struct sock_filter)
+    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_DENY));

[jln (very slow on Chromium), 2012/05/31 21:01:05]

It's not strictly correct to ENOPERM for many system calls, but I think it's a
good default.

ENOMEM is more generally supported but it may trigger a panic shut down in those
rare callers that look for the actual errno.

+
+  // Install BPF filter program
+  const struct sock_fprog prog = { program.size(), &program[0] };
+  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
+      prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
+    goto filter_failed;
+  }
+
+  return;
+}
+
+void Sandbox::sigSys(int nr, siginfo_t *info, void *void_context) {
+  if (info->si_code != SYS_SECCOMP || !void_context) {

[jln (very slow on Chromium), 2012/05/31 21:01:05]

I think for now it's best to let the user specify the SIGSYS handler and do
nothing in it. For the first iteration, we'll just keep Chris' handler and
change it in the next one.

+    die("Unexpected SIGSYS received");
+  }
+  ucontext_t *ctx = (ucontext_t *)void_context;
+  int old_errno   = errno;
+  void *rc        =
+    (void *)(intptr_t)-(int)(SECCOMP_RET_DENY & SECCOMP_RET_DATA);
+
+  // This is where we can add extra code to handle complex system calls.
+  // ...
+
+  if (rc == (void *)(intptr_t)-(int)(SECCOMP_RET_DENY & SECCOMP_RET_DATA)) {
+    // sprintf() is not technically async-signal safe. But in glibc it
+    // tends to be much safer than calling fprintf() or any other higher-
+    // level I/O function.
+    // We need to eventually have a better solution. But for debugging
+    // purposes during code development, this is good enough for now.
+    char buf[80];
+    sprintf(buf, "Seccomp policy denies system call %ld\n",
+            (long int)ctx->uc_mcontext.gregs[REG_SYSCALL]);
+    if (TEMP_FAILURE_RETRY(write(2, buf, strlen(buf)))) {}
+  }
+
+  ctx->uc_mcontext.gregs[REG_RESULT] = (greg_t)rc;
+  errno                              = old_errno;
+  return;
+}
+
+
+Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN;
+int    Sandbox::proc_fd_                = -1;
+std::vector<std::pair<Sandbox::EvaluateSyscall,
+                      Sandbox::EvaluateArguments> > Sandbox::evaluators_;
+
+} // namespace
Property changes on: sandbox/linux/seccomp_bpf/sandbox_bpf.cc
___________________________________________________________________
Added: svn:eol-style
   + LF