Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(112)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/common/sandbox_seccomp_bpf_linux.cc

Issue 10829286: Seccomp-bpf: more policy cleanup. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Fix minor typos. Created 8 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <asm/unistd.h> 5 #include <asm/unistd.h>
6 #include <dlfcn.h> 6 #include <dlfcn.h>
7 #include <errno.h> 7 #include <errno.h>
8 #include <fcntl.h> 8 #include <fcntl.h>
9 #include <linux/audit.h> 9 #include <linux/audit.h>
10 #include <linux/filter.h> 10 #include <linux/filter.h>
(...skipping 136 matching lines...) Expand 10 before | Expand all | Expand 10 after
147 } 147 }
148 } 148 }
149 149
150 #if defined(__x86_64__) 150 #if defined(__x86_64__)
151 151
152 // The functions below cover all existing x86_64 system calls. 152 // The functions below cover all existing x86_64 system calls.
153 // The implicitly defined sets form a partition of the sets of 153 // The implicitly defined sets form a partition of the sets of
154 // system calls. 154 // system calls.
155 155
156 // TODO(jln) we need to restrict the first parameter! 156 // TODO(jln) we need to restrict the first parameter!
157 bool IsKillSyscall(int sysno) { 157 bool IsKill(int sysno) {
158 switch (sysno) { 158 switch (sysno) {
159 case __NR_kill: 159 case __NR_kill:
160 case __NR_tkill: 160 case __NR_tkill:
161 case __NR_tgkill: 161 case __NR_tgkill:
162 return true; 162 return true;
163 default: 163 default:
164 return false; 164 return false;
165 } 165 }
166 } 166 }
167 167
168 bool IsAllowedGettimeSyscall(int sysno) { 168 bool IsAllowedGettime(int sysno) {
169 switch (sysno) { 169 switch (sysno) {
170 // case __NR_clock_getres:
171 case __NR_clock_gettime: 170 case __NR_clock_gettime:
172 // case __NR_clock_nanosleep:
173 case __NR_gettimeofday: 171 case __NR_gettimeofday:
174 case __NR_time: 172 case __NR_time:
175 return true; 173 return true;
176 case __NR_adjtimex: // Privileged. 174 case __NR_adjtimex: // Privileged.
177 case __NR_settimeofday: // Privileged. 175 case __NR_clock_adjtime: // Privileged.
178 case __NR_clock_adjtime: // Privileged. 176 case __NR_clock_getres: // Could be allowed.
179 case __NR_clock_settime: // Privileged. 177 case __NR_clock_nanosleep: // Could be allowed.
178 case __NR_clock_settime: // Privileged.
179 case __NR_settimeofday: // Privileged.
180 default: 180 default:
181 return false; 181 return false;
182 } 182 }
183 } 183 }
184 184
185 bool IsAmbientFileSystemSyscall(int sysno) { 185 bool IsCurrentDirectory(int sysno) {
186 switch (sysno) { 186 switch (sysno) {
187 // case __NR_getcwd: 187 case __NR_getcwd:
188 case __NR_chdir: 188 case __NR_chdir:
189 // case __NR_fchdir: 189 case __NR_fchdir:
190 // case __NR_umask:
191 return true; 190 return true;
192 default: 191 default:
193 return false; 192 return false;
194 } 193 }
195 } 194 }
196 195
197 // System calls that directly access the file system. They might aquire 196 bool IsUmask(int sysno) {
197 switch (sysno) {
198 case __NR_umask:
199 return true;
200 default:
201 return false;
202 }
203 }
204
205 // System calls that directly access the file system. They might acquire
198 // a new file descriptor or otherwise perform an operation directly 206 // a new file descriptor or otherwise perform an operation directly
199 // via a path. 207 // via a path.
200 // Both EPERM and ENOENT are valid errno unless otherwise noted in comment. 208 // Both EPERM and ENOENT are valid errno unless otherwise noted in comment.
201 bool IsFileSystemSyscall(int sysno) { 209 bool IsFileSystem(int sysno) {
202 switch (sysno) { 210 switch (sysno) {
203 case __NR_access: // EPERM not a valid errno. 211 case __NR_access: // EPERM not a valid errno.
204 case __NR_chmod: 212 case __NR_chmod:
205 case __NR_chown: 213 case __NR_chown:
206 case __NR_creat: 214 case __NR_creat:
207 case __NR_execve: 215 case __NR_execve:
208 case __NR_faccessat: // EPERM not a valid errno. 216 case __NR_faccessat: // EPERM not a valid errno.
209 case __NR_fchmodat: 217 case __NR_fchmodat:
210 case __NR_fchownat: // Should be called chownat ? 218 case __NR_fchownat: // Should be called chownat ?
211 case __NR_futimesat: // Should be called utimesat ? 219 case __NR_futimesat: // Should be called utimesat ?
(...skipping 26 matching lines...) Expand all
238 case __NR_ustat: // Same as above. Deprecated. 246 case __NR_ustat: // Same as above. Deprecated.
239 case __NR_utime: 247 case __NR_utime:
240 case __NR_utimensat: // New. 248 case __NR_utimensat: // New.
241 case __NR_utimes: 249 case __NR_utimes:
242 return true; 250 return true;
243 default: 251 default:
244 return false; 252 return false;
245 } 253 }
246 } 254 }
247 255
248 // TODO(jln): these should be denied gracefully as well. 256 bool IsAllowedFileSystemAccessViaFd(int sysno) {
249 bool IsAllowedFileSystemCapabilitySyscall(int sysno) {
250 switch (sysno) { 257 switch (sysno) {
251 // case __NR_fadvise64:
252 // case __NR_flock:
253 case __NR_fstat: 258 case __NR_fstat:
254 // case __NR_fstatfs: // Give information about the whole filesystem.
255 // case __NR_fsync:
256 // case __NR_fdatasync:
257 // case __NR_sync_file_range:
258 return true; 259 return true;
260 // TODO(jln): these should be denied gracefully as well (moved below).
261 case __NR_fadvise64: // EPERM not a valid errno.
262 case __NR_fdatasync: // EPERM not a valid errno.
263 case __NR_flock: // EPERM not a valid errno.
264 case __NR_fstatfs: // Give information about the whole filesystem.
265 case __NR_fsync: // EPERM not a valid errno.
266 case __NR_sync_file_range: // EPERM not a valid errno.
259 default: 267 default:
260 return false; 268 return false;
261 } 269 }
262 } 270 }
263 271
264 // EPERM is a good errno for any of these unless noted in comments. 272 // EPERM is a good errno for any of these.
265 bool IsDeniedFileSystemCapabilitySyscall(int sysno) { 273 bool IsDeniedFileSystemAccessViaFd(int sysno) {
266 switch (sysno) { 274 switch (sysno) {
267 case __NR_fallocate: 275 case __NR_fallocate:
268 case __NR_fchmod: 276 case __NR_fchmod:
269 case __NR_fchown: 277 case __NR_fchown:
270 case __NR_ftruncate: 278 case __NR_ftruncate:
271 case __NR_getdents: // EPERM not a valid errno. 279 case __NR_getdents: // EPERM not a valid errno.
272 case __NR_getdents64: // EPERM not a valid errno. 280 case __NR_getdents64: // EPERM not a valid errno.
273 return true; 281 return true;
274 default: 282 default:
275 return false; 283 return false;
276 } 284 }
277 } 285 }
278 286
279 bool IsGetSimpleId(int sysno) { 287 bool IsGetSimpleId(int sysno) {
280 switch (sysno) { 288 switch (sysno) {
281 // case __NR_capget: 289 case __NR_capget:
282 case __NR_getegid: 290 case __NR_getegid:
283 case __NR_geteuid: 291 case __NR_geteuid:
284 case __NR_getgid: 292 case __NR_getgid:
285 case __NR_getgroups: 293 case __NR_getgroups:
286 case __NR_getpid: 294 case __NR_getpid:
287 case __NR_getppid: 295 case __NR_getppid:
288 case __NR_getresgid: 296 case __NR_getresgid:
289 case __NR_getresuid: 297 case __NR_getresuid:
290 case __NR_getsid: 298 case __NR_getsid:
291 case __NR_gettid: 299 case __NR_gettid:
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after
324 case __NR_getpgid: 332 case __NR_getpgid:
325 return true; 333 return true;
326 default: 334 default:
327 return false; 335 return false;
328 } 336 }
329 } 337 }
330 338
331 bool IsAllowedSignalHandling(int sysno) { 339 bool IsAllowedSignalHandling(int sysno) {
332 switch (sysno) { 340 switch (sysno) {
333 case __NR_rt_sigaction: 341 case __NR_rt_sigaction:
334 // case __NR_rt_sigpending:
335 case __NR_rt_sigprocmask: 342 case __NR_rt_sigprocmask:
336 // case __NR_rt_sigqueueinfo:
337 case __NR_rt_sigreturn: 343 case __NR_rt_sigreturn:
338 // case __NR_rt_sigsuspend:
339 // case __NR_rt_sigtimedwait:
340 // case __NR_rt_tgsigqueueinfo:
341 // case __NR_sigaltstack:
342 // case __NR_signalfd:
343 // case __NR_signalfd4:
344 return true; 344 return true;
345 case __NR_rt_sigpending:
346 case __NR_rt_sigqueueinfo:
347 case __NR_rt_sigsuspend:
348 case __NR_rt_sigtimedwait:
349 case __NR_rt_tgsigqueueinfo:
350 case __NR_sigaltstack:
351 case __NR_signalfd:
352 case __NR_signalfd4:
345 default: 353 default:
346 return false; 354 return false;
347 } 355 }
348 } 356 }
349 357
350 bool IsOperationOnFd(int sysno) { 358 bool IsOperationOnFd(int sysno) {
351 switch (sysno) { 359 switch (sysno) {
352 case __NR_close: 360 case __NR_close:
353 case __NR_dup: 361 case __NR_dup:
354 case __NR_dup2: 362 case __NR_dup2:
(...skipping 14 matching lines...) Expand all
369 return false; 377 return false;
370 } 378 }
371 } 379 }
372 380
373 // This should be thought through in conjunction with IsFutex(). 381 // This should be thought through in conjunction with IsFutex().
374 bool IsAllowedProcessStartOrDeath(int sysno) { 382 bool IsAllowedProcessStartOrDeath(int sysno) {
375 switch (sysno) { 383 switch (sysno) {
376 case __NR_clone: // TODO(jln): restrict flags. 384 case __NR_clone: // TODO(jln): restrict flags.
377 case __NR_exit: 385 case __NR_exit:
378 case __NR_exit_group: 386 case __NR_exit_group:
379 // case __NR_fork:
380 // case __NR_get_thread_area:
381 // case __NR_set_thread_area:
382 // case __NR_set_tid_address:
383 // case __NR_unshare:
384 // case __NR_vfork:
385 case __NR_wait4: 387 case __NR_wait4:
386 case __NR_waitid: 388 case __NR_waitid:
387 return true; 389 return true;
388 case __NR_setns: // Privileged. 390 case __NR_setns: // Privileged.
391 case __NR_fork:
392 case __NR_get_thread_area:
393 case __NR_set_thread_area:
394 case __NR_set_tid_address:
395 case __NR_unshare:
396 case __NR_vfork:
389 default: 397 default:
390 return false; 398 return false;
391 } 399 }
392 } 400 }
393 401
402 // It's difficult to restrict those, but there is attack surface here.
394 bool IsFutex(int sysno) { 403 bool IsFutex(int sysno) {
395 switch (sysno) { 404 switch (sysno) {
396 case __NR_futex: 405 case __NR_futex:
397 // case __NR_get_robust_list: 406 case __NR_get_robust_list:
398 case __NR_set_robust_list: 407 case __NR_set_robust_list:
399 return true; 408 return true;
400 default: 409 default:
401 return false; 410 return false;
402 } 411 }
403 } 412 }
404 413
405 bool IsAllowedEpoll(int sysno) { 414 bool IsAllowedEpoll(int sysno) {
406 switch (sysno) { 415 switch (sysno) {
407 case __NR_epoll_create: 416 case __NR_epoll_create:
408 // case __NR_epoll_create1: 417 case __NR_epoll_create1:
409 case __NR_epoll_ctl: 418 case __NR_epoll_ctl:
410 // case __NR_epoll_ctl_old:
411 // case __NR_epoll_pwait:
412 case __NR_epoll_wait: 419 case __NR_epoll_wait:
413 // case __NR_epoll_wait_old:
414 return true; 420 return true;
415 default: 421 default:
422 case __NR_epoll_ctl_old:
423 case __NR_epoll_pwait:
424 case __NR_epoll_wait_old:
416 return false; 425 return false;
417 } 426 }
418 } 427 }
419 428
420 bool IsAllowedGetOrModifySocket(int sysno) { 429 bool IsAllowedGetOrModifySocket(int sysno) {
421 switch (sysno) { 430 switch (sysno) {
422 case __NR_pipe: 431 case __NR_pipe:
423 // case __NR_pipe2: 432 case __NR_pipe2:
424 case __NR_socketpair: // We will want to inspect its argument. 433 case __NR_socketpair: // We will want to inspect its argument.
425 return true; 434 return true;
426 default: 435 default:
427 case __NR_accept: 436 case __NR_accept:
428 case __NR_accept4: 437 case __NR_accept4:
429 case __NR_bind: 438 case __NR_bind:
430 case __NR_connect: 439 case __NR_connect:
431 case __NR_socket: 440 case __NR_socket:
432 case __NR_listen: 441 case __NR_listen:
433 return false; 442 return false;
434 } 443 }
435 } 444 }
436 445
437 bool IsNetworkSocketInformation(int sysno) { 446 bool IsNetworkSocketInformation(int sysno) {
438 switch (sysno) { 447 switch (sysno) {
439 case __NR_getpeername: 448 case __NR_getpeername:
440 case __NR_getsockname: 449 case __NR_getsockname:
441 case __NR_getsockopt: 450 case __NR_getsockopt:
442 case __NR_setsockopt: 451 case __NR_setsockopt:
443 return true; 452 return true;
444 default: 453 default:
445 return false; 454 return false;
446 } 455 }
447 } 456 }
448 457
449 bool IsAllowedAddressSpaceAccess(int sysno) { 458 bool IsAllowedAddressSpaceAccess(int sysno) {
450 switch (sysno) { 459 switch (sysno) {
451 case __NR_brk: 460 case __NR_brk:
452 case __NR_madvise: 461 case __NR_madvise:
453 // case __NR_mincore:
454 case __NR_mlock: 462 case __NR_mlock:
455 // case __NR_mlockall:
456 case __NR_mmap: // TODO(jln): to restrict flags. 463 case __NR_mmap: // TODO(jln): to restrict flags.
457 // case __NR_modify_ldt:
458 case __NR_mprotect: 464 case __NR_mprotect:
459 // case __NR_mremap:
460 // case __NR_msync:
461 case __NR_munlock: 465 case __NR_munlock:
462 // case __NR_munlockall:
463 case __NR_munmap: 466 case __NR_munmap:
464 // case __NR_readahead:
465 // case __NR_remap_file_pages:
466 return true; 467 return true;
468 case __NR_mincore:
469 case __NR_mlockall:
470 case __NR_modify_ldt:
471 case __NR_mremap:
472 case __NR_msync:
473 case __NR_munlockall:
474 case __NR_readahead:
475 case __NR_remap_file_pages:
467 default: 476 default:
468 return false; 477 return false;
469 } 478 }
470 } 479 }
471 480
472 bool IsAllowedGeneralIo(int sysno) { 481 bool IsAllowedGeneralIo(int sysno) {
473 switch (sysno) { 482 switch (sysno) {
474 case __NR_lseek: 483 case __NR_lseek:
475 case __NR_poll: 484 case __NR_poll:
476 case __NR_ppoll: 485 case __NR_ppoll:
477 // case __NR_pread64:
478 // case __NR_preadv:
479 case __NR_pselect6: 486 case __NR_pselect6:
480 // case __NR_pwrite64:
481 // case __NR_pwritev:
482 case __NR_read: 487 case __NR_read:
483 case __NR_readv: 488 case __NR_readv:
484 case __NR_recvfrom: // Could specify source. 489 case __NR_recvfrom: // Could specify source.
485 // case __NR_recvmmsg: // Could specify source.
486 case __NR_recvmsg: // Could specify source. 490 case __NR_recvmsg: // Could specify source.
487 case __NR_select: 491 case __NR_select:
488 // case __NR_sendfile:
489 // case __NR_sendmmsg: // Could specify destination.
490 case __NR_sendmsg: // Could specify destination. 492 case __NR_sendmsg: // Could specify destination.
491 case __NR_sendto: // Could specify destination. 493 case __NR_sendto: // Could specify destination.
492 // case __NR_splice:
493 // case __NR_tee:
494 // case __NR_vmsplice:
495 case __NR_write: 494 case __NR_write:
496 case __NR_writev: 495 case __NR_writev:
497 return true; 496 return true;
497 case __NR_ioctl: // Can be very powerful.
498 case __NR_pread64:
499 case __NR_preadv:
500 case __NR_pwrite64:
501 case __NR_pwritev:
502 case __NR_recvmmsg: // Could specify source.
503 case __NR_sendfile:
504 case __NR_sendmmsg: // Could specify destination.
505 case __NR_splice:
506 case __NR_tee:
507 case __NR_vmsplice:
498 default: 508 default:
499 case __NR_ioctl: // Can be very powerful.
500 return false; 509 return false;
501 } 510 }
502 } 511 }
503 512
504 bool IsAllowedPrctl(int sysno) { 513 bool IsAllowedPrctl(int sysno) {
505 switch (sysno) { 514 switch (sysno) {
506 case __NR_prctl: 515 case __NR_prctl:
507 // case __NR_arch_prctl:
508 return true; 516 return true;
509 default: 517 default:
518 case __NR_arch_prctl:
510 return false; 519 return false;
511 } 520 }
512 } 521 }
513 522
514 bool IsAllowedBasicScheduler(int sysno) { 523 bool IsAllowedBasicScheduler(int sysno) {
515 switch (sysno) { 524 switch (sysno) {
516 case __NR_sched_yield: 525 case __NR_sched_yield:
517 case __NR_pause: 526 case __NR_pause:
518 case __NR_nanosleep: 527 case __NR_nanosleep:
519 // case __NR_getpriority:
520 return true; 528 return true;
529 case __NR_getpriority:
521 case __NR_setpriority: 530 case __NR_setpriority:
522 default: 531 default:
523 return false; 532 return false;
524 } 533 }
525 } 534 }
526 535
527 bool IsAdminOperation(int sysno) { 536 bool IsAdminOperation(int sysno) {
528 switch (sysno) { 537 switch (sysno) {
529 case __NR_kexec_load: 538 case __NR_kexec_load:
530 case __NR_reboot: 539 case __NR_reboot:
(...skipping 152 matching lines...) Expand 10 before | Expand all | Expand 10 after
683 case __NR_semget: 692 case __NR_semget:
684 case __NR_semop: 693 case __NR_semop:
685 case __NR_semtimedop: 694 case __NR_semtimedop:
686 return true; 695 return true;
687 default: 696 default:
688 return false; 697 return false;
689 } 698 }
690 } 699 }
691 700
692 // These give a lot of ambient authority and bypass the setuid sandbox. 701 // These give a lot of ambient authority and bypass the setuid sandbox.
693 bool IsSystemVSharedMemory(int sysno) { 702 bool IsAllowedSystemVSharedMemory(int sysno) {
694 switch (sysno) { 703 switch (sysno) {
695 case __NR_shmat: 704 case __NR_shmat:
696 case __NR_shmctl: 705 case __NR_shmctl:
697 case __NR_shmdt: 706 case __NR_shmdt:
698 // case __NR_shmget:
699 return true; 707 return true;
708 case __NR_shmget:
700 default: 709 default:
701 return false; 710 return false;
702 } 711 }
703 } 712 }
704 713
705 bool IsSystemVMessageQueue(int sysno) { 714 bool IsSystemVMessageQueue(int sysno) {
706 switch (sysno) { 715 switch (sysno) {
707 case __NR_msgctl: 716 case __NR_msgctl:
708 case __NR_msgget: 717 case __NR_msgget:
709 case __NR_msgrcv: 718 case __NR_msgrcv:
(...skipping 87 matching lines...) Expand 10 before | Expand all | Expand 10 after
797 case __NR_removexattr: 806 case __NR_removexattr:
798 case __NR_setxattr: 807 case __NR_setxattr:
799 return true; 808 return true;
800 default: 809 default:
801 return false; 810 return false;
802 } 811 }
803 } 812 }
804 813
805 // Various system calls that need to be researched. 814 // Various system calls that need to be researched.
806 // TODO(jln): classify this better. 815 // TODO(jln): classify this better.
807 bool IsMiscSyscall(int sysno) { 816 bool IsMisc(int sysno) {
808 switch (sysno) { 817 switch (sysno) {
809 case __NR_name_to_handle_at: 818 case __NR_name_to_handle_at:
810 case __NR_open_by_handle_at: 819 case __NR_open_by_handle_at:
811 case __NR_perf_event_open: 820 case __NR_perf_event_open:
812 case __NR_syncfs: 821 case __NR_syncfs:
813 case __NR_vhangup: 822 case __NR_vhangup:
814 // The system calls below are not implemented. 823 // The system calls below are not implemented.
815 case __NR_afs_syscall: 824 case __NR_afs_syscall:
816 case __NR_getpmsg: 825 case __NR_getpmsg:
817 case __NR_putpmsg: 826 case __NR_putpmsg:
818 case __NR_security: 827 case __NR_security:
819 case __NR_tuxcall: 828 case __NR_tuxcall:
820 case __NR_vserver: 829 case __NR_vserver:
821 return true; 830 return true;
822 default: 831 default:
823 return false; 832 return false;
824 } 833 }
825 } 834 }
826 835
827 // End of the system call sets section. 836 // End of the system call sets section.
828 837
829 // x86_64 only because it references system calls that are multiplexed on IA32. 838 // x86_64 only because it references system calls that are multiplexed on IA32.
830 bool IsBaselinePolicyAllowed_x86_64(int sysno) { 839 bool IsBaselinePolicyAllowed_x86_64(int sysno) {
831 if (IsAllowedAddressSpaceAccess(sysno) || 840 if (IsAllowedAddressSpaceAccess(sysno) ||
832 IsAllowedBasicScheduler(sysno) || 841 IsAllowedBasicScheduler(sysno) ||
833 IsAllowedEpoll(sysno) || 842 IsAllowedEpoll(sysno) ||
834 IsAllowedFileSystemCapabilitySyscall(sysno) || 843 IsAllowedFileSystemAccessViaFd(sysno) ||
835 IsAllowedGeneralIo(sysno) || 844 IsAllowedGeneralIo(sysno) ||
836 IsAllowedGetOrModifySocket(sysno) || 845 IsAllowedGetOrModifySocket(sysno) ||
837 IsAllowedGettimeSyscall(sysno) || 846 IsAllowedGettime(sysno) ||
838 IsAllowedPrctl(sysno) || 847 IsAllowedPrctl(sysno) ||
839 IsAllowedProcessStartOrDeath(sysno) || 848 IsAllowedProcessStartOrDeath(sysno) ||
840 IsAllowedSignalHandling(sysno) || 849 IsAllowedSignalHandling(sysno) ||
841 IsFutex(sysno) || 850 IsFutex(sysno) ||
842 IsGetSimpleId(sysno) || 851 IsGetSimpleId(sysno) ||
843 IsKernelInteralApi(sysno) || 852 IsKernelInteralApi(sysno) ||
844 IsKillSyscall(sysno) || 853 IsKill(sysno) ||
845 IsOperationOnFd(sysno)) { 854 IsOperationOnFd(sysno)) {
846 return true; 855 return true;
847 } else { 856 } else {
848 return false; 857 return false;
849 } 858 }
850 } 859 }
851 860
852 // System calls that will trigger the crashing sigsys handler. 861 // System calls that will trigger the crashing sigsys handler.
853 bool IsBaselinePolicyWatched_x86_64(int sysno) { 862 bool IsBaselinePolicyWatched_x86_64(int sysno) {
854 if (IsAdminOperation(sysno) || 863 if (IsAdminOperation(sysno) ||
855 IsAdvancedScheduler(sysno) || 864 IsAdvancedScheduler(sysno) ||
856 IsAdvancedTimer(sysno) || 865 IsAdvancedTimer(sysno) ||
866 IsAllowedSystemVSharedMemory(sysno) ||
857 IsAsyncIo(sysno) || 867 IsAsyncIo(sysno) ||
858 IsDebug(sysno) || 868 IsDebug(sysno) ||
859 IsEventFd(sysno) || 869 IsEventFd(sysno) ||
860 IsExtendedAttributes(sysno) || 870 IsExtendedAttributes(sysno) ||
861 IsFaNotify(sysno) || 871 IsFaNotify(sysno) ||
862 IsFsControl(sysno) || 872 IsFsControl(sysno) ||
863 IsGlobalFSViewChange(sysno) || 873 IsGlobalFSViewChange(sysno) ||
864 IsGlobalProcessEnvironment(sysno) || 874 IsGlobalProcessEnvironment(sysno) ||
865 IsGlobalSystemStatus(sysno) || 875 IsGlobalSystemStatus(sysno) ||
866 IsInotify(sysno) || 876 IsInotify(sysno) ||
867 IsKernelModule(sysno) || 877 IsKernelModule(sysno) ||
868 IsKeyManagement(sysno) || 878 IsKeyManagement(sysno) ||
869 IsMessageQueue(sysno) || 879 IsMessageQueue(sysno) ||
870 IsMiscSyscall(sysno) || 880 IsMisc(sysno) ||
871 IsNetworkSocketInformation(sysno) || 881 IsNetworkSocketInformation(sysno) ||
872 IsNuma(sysno) || 882 IsNuma(sysno) ||
873 IsProcessGroupOrSession(sysno) || 883 IsProcessGroupOrSession(sysno) ||
874 IsProcessPrivilegeChange(sysno) || 884 IsProcessPrivilegeChange(sysno) ||
875 IsSystemVMessageQueue(sysno) || 885 IsSystemVMessageQueue(sysno) ||
876 IsSystemVSemaphores(sysno) || 886 IsSystemVSemaphores(sysno) ||
877 IsSystemVSharedMemory(sysno) ||
878 IsTimer(sysno)) { 887 IsTimer(sysno)) {
879 return true; 888 return true;
880 } else { 889 } else {
881 return false; 890 return false;
882 } 891 }
883 } 892 }
884 893
885 playground2::Sandbox::ErrorCode BaselinePolicy_x86_64(int sysno) { 894 playground2::Sandbox::ErrorCode BaselinePolicy_x86_64(int sysno) {
886 if (IsBaselinePolicyAllowed_x86_64(sysno)) { 895 if (IsBaselinePolicyAllowed_x86_64(sysno)) {
887 return playground2::Sandbox::SB_ALLOWED; 896 return playground2::Sandbox::SB_ALLOWED;
888 } 897 }
889 // TODO(jln): some system calls in those sets are not supposed to 898 // TODO(jln): some system calls in those sets are not supposed to
890 // return ENOENT. Return the appropriate error. 899 // return ENOENT. Return the appropriate error.
891 if (IsFileSystemSyscall(sysno) || IsAmbientFileSystemSyscall(sysno)) { 900 if (IsFileSystem(sysno) || IsCurrentDirectory(sysno)) {
892 return ENOENT; 901 return ENOENT;
893 } 902 }
894 903
895 if (IsDeniedFileSystemCapabilitySyscall(sysno)) { 904 if (IsUmask(sysno) || IsDeniedFileSystemAccessViaFd(sysno)) {
896 return EPERM; 905 return EPERM;
897 } 906 }
898 907
899 if (IsBaselinePolicyWatched_x86_64(sysno)) { 908 if (IsBaselinePolicyWatched_x86_64(sysno)) {
900 // Previously unseen syscalls. TODO(jln): some of these should 909 // Previously unseen syscalls. TODO(jln): some of these should
901 // be denied gracefully right away. 910 // be denied gracefully right away.
902 return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL); 911 return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL);
903 } 912 }
904 // In any other case crash the program with our SIGSYS handler 913 // In any other case crash the program with our SIGSYS handler
905 return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL); 914 return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL);
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after
943 case __NR_sched_setscheduler: 952 case __NR_sched_setscheduler:
944 case __NR_times: 953 case __NR_times:
945 return playground2::Sandbox::SB_ALLOWED; 954 return playground2::Sandbox::SB_ALLOWED;
946 case __NR_ioctl: 955 case __NR_ioctl:
947 return ENOTTY; // Flash Access. 956 return ENOTTY; // Flash Access.
948 case __NR_socket: 957 case __NR_socket:
949 return EACCES; 958 return EACCES;
950 default: 959 default:
951 // These are under investigation, and hopefully not here for the long 960 // These are under investigation, and hopefully not here for the long
952 // term. 961 // term.
953 if (IsSystemVSharedMemory(sysno)) 962 if (IsAllowedSystemVSharedMemory(sysno))
954 return playground2::Sandbox::SB_ALLOWED; 963 return playground2::Sandbox::SB_ALLOWED;
955 964
956 // Default on the baseline policy. 965 // Default on the baseline policy.
957 return BaselinePolicy_x86_64(sysno); 966 return BaselinePolicy_x86_64(sysno);
958 } 967 }
959 } 968 }
960 #endif 969 #endif
961 970
962 playground2::Sandbox::ErrorCode BlacklistPtracePolicy(int sysno) { 971 playground2::Sandbox::ErrorCode BlacklistPtracePolicy(int sysno) {
963 if (sysno < static_cast<int>(MIN_SYSCALL) || 972 if (sysno < static_cast<int>(MIN_SYSCALL) ||
964 sysno > static_cast<int>(MAX_SYSCALL)) { 973 sysno > static_cast<int>(MAX_SYSCALL)) {
965 // TODO(jln) we should not have to do that in a trivial policy. 974 // TODO(jln) we should not have to do that in a trivial policy.
966 return ENOSYS; 975 return ENOSYS;
967 } 976 }
968 switch (sysno) { 977 switch (sysno) {
969 case __NR_ptrace: 978 case __NR_migrate_pages:
979 case __NR_move_pages:
970 case __NR_process_vm_readv: 980 case __NR_process_vm_readv:
971 case __NR_process_vm_writev: 981 case __NR_process_vm_writev:
972 case __NR_migrate_pages: 982 case __NR_ptrace:
973 case __NR_move_pages:
974 return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL); 983 return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL);
975 default: 984 default:
976 return playground2::Sandbox::SB_ALLOWED; 985 return playground2::Sandbox::SB_ALLOWED;
977 } 986 }
978 } 987 }
979 988
980 // Allow all syscalls. 989 // Allow all syscalls.
981 // This will still deny x32 or IA32 calls in 64 bits mode or 990 // This will still deny x32 or IA32 calls in 64 bits mode or
982 // 64 bits system calls in compatibility mode. 991 // 64 bits system calls in compatibility mode.
983 playground2::Sandbox::ErrorCode AllowAllPolicy(int sysno) { 992 playground2::Sandbox::ErrorCode AllowAllPolicy(int sysno) {
(...skipping 119 matching lines...) Expand 10 before | Expand all | Expand 10 after
1103 // Process-specific policy. 1112 // Process-specific policy.
1104 ShouldEnableSeccompBpf(process_type) && 1113 ShouldEnableSeccompBpf(process_type) &&
1105 SupportsSandbox()) { 1114 SupportsSandbox()) {
1106 return StartBpfSandbox_x86(command_line, process_type); 1115 return StartBpfSandbox_x86(command_line, process_type);
1107 } 1116 }
1108 #endif 1117 #endif
1109 return false; 1118 return false;
1110 } 1119 }
1111 1120
1112 } // namespace content 1121 } // namespace content
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698