Avoid all library calls (including calls to destructors) after enabling the sandbox.

sandbox/linux/seccomp-bpf/sandbox_bpf.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 
 // The kernel gives us a sandbox, we turn it into a playground :-)
 // This is version 2 of the playground; version 1 was built on top of
 // pre-BPF seccomp mode.
 namespace playground2 {
@@ skipping 193 matching lines @@
       sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
     goto filter_failed;
   }
 
   // We can't handle stacked evaluators, yet. We'll get there eventually
   // though. Hang tight.
   if (evaluators_.size() != 1) {
     die("Not implemented");
   }
 
+  // Assemble the BPF filter program.
+  Program *program = new Program();
+  if (!program) {

[Chris Evans, 2012/06/12 20:26:26]

Nit: not sure you need this, the standard c++ runtime should throw upon an
allocation failure?

+    die("Out of memory");
+  }
+
   // If the architecture doesn't match SECCOMP_ARCH, disallow the
   // system call.
-  std::vector<struct sock_filter> program;
-  program.push_back((struct sock_filter)
+  program->push_back((struct sock_filter)
     BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct arch_seccomp_data, arch)));
-  program.push_back((struct sock_filter)
+  program->push_back((struct sock_filter)
     BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_ARCH, 1, 0));
 
   // TODO: Instead of killing outright, we should raise a SIGSYS and
   //       report a useful error message. SIGKILL cannot be trapped by the
   //       debugger and essentially makes the program fail in a way that is
   //       almost impossible to debug.
-  program.push_back((struct sock_filter)
+  program->push_back((struct sock_filter)
     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL));
 
   // Grab the system call number, so that we can implement jump tables.
-  program.push_back((struct sock_filter)
+  program->push_back((struct sock_filter)
     BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct arch_seccomp_data, nr)));
 
   // On Intel architectures, verify that system call numbers are in the
   // expected number range. The older i386 and x86-64 APIs clear bit 30
   // on all system calls. The newer x86-32 API always sets bit 30.
 #if defined(__i386__) || defined(__x86_64__)
 #if defined(__x86_64__) && defined(__ILP32__)
-  program.push_back((struct sock_filter)
+  program->push_back((struct sock_filter)
     BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, 0x40000000, 1, 0));
 #else
-  program.push_back((struct sock_filter)
+  program->push_back((struct sock_filter)
     BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, 0x40000000, 0, 1));
 #endif
   // TODO: raise a suitable SIGSYS signal
-  program.push_back((struct sock_filter)
+  program->push_back((struct sock_filter)
     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL));
 #endif
 
   // Evaluate all possible system calls and depending on their
   // exit codes generate a BPF filter.
   // This is very inefficient right now. We need to be much smarter
   // eventually.
   // We currently incur a O(N) overhead on each system call, with N
   // being the number of system calls. It is easy to get this down to
   // O(log_2(M)) with M being the number of system calls that need special
@@ skipping 15 matching lines @@
       if (err >= static_cast<ErrorCode>(1) &&
           err <= static_cast<ErrorCode>(4096)) {
         // We limit errno values to a reasonable range. In fact, the Linux ABI
         // doesn't support errno values outside of this range.
         ret = SECCOMP_RET_ERRNO + err;
       } else {
         die("Invalid ErrorCode reported by sandbox system call evaluator");
       }
       break;
     }
-    program.push_back((struct sock_filter)
+    program->push_back((struct sock_filter)
       BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, sysnum, 0, 1));
-    program.push_back((struct sock_filter)
+    program->push_back((struct sock_filter)
       BPF_STMT(BPF_RET+BPF_K, ret));
   }
 
   // Everything that isn't allowed is forbidden. Eventually, we would
   // like to have a way to log forbidden calls, when in debug mode.
   // TODO: raise a suitable SIGSYS signal
-  program.push_back((struct sock_filter)
+  program->push_back((struct sock_filter)
     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL));
 
+  // We want to be very careful in not imposing any requirements on the
+  // policies that are set with setSandboxPolicy(). This means, as soon as
+  // the sandbox is active, we shouldn't be relying on libraries that could
+  // be making system calls. This, for example, means we should avoid
+  // using the heap and we should avoid using STL functions.
+  // Temporarily copy the contents of the "program" vector into a
+  // stack-allocated array; and then explicitly destroy that object.
+  // This makes sure we don't ex- or implicitly call new/delete after we
+  // installed the BPF filter program in the kernel. Depending on the
+  // system memory allocator that is in effect, these operators can result
+  // in system calls to things like munmap() or brk().
+  struct sock_filter bpf[program->size()];
+  const struct sock_fprog prog = { program->size(), bpf };
+  memcpy(bpf, &(*program)[0], sizeof(bpf));
+  delete program;
+
   // Install BPF filter program
-  const struct sock_fprog prog = { program.size(), &program[0] };
   if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
       prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
     goto filter_failed;
   }
 
   return;
 }
 
 void Sandbox::sigSys(int nr, siginfo_t *info, void *void_context) {
   if (nr != SIGSYS || info->si_code != SYS_SECCOMP || !void_context) {
@@ skipping 26 matching lines @@
 }
 
 
 bool Sandbox::suppressLogging_          = false;
 Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN;
 int    Sandbox::proc_fd_                = -1;
 std::vector<std::pair<Sandbox::EvaluateSyscall,
                       Sandbox::EvaluateArguments> > Sandbox::evaluators_;
 
 }  // namespace