| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <asm/unistd.h> | 5 #include <asm/unistd.h> |
| 6 #include <dlfcn.h> | 6 #include <dlfcn.h> |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <linux/audit.h> | 9 #include <linux/audit.h> |
| 10 #include <linux/filter.h> | 10 #include <linux/filter.h> |
| 11 #include <signal.h> | 11 #include <signal.h> |
| 12 #include <string.h> | 12 #include <string.h> |
| 13 #include <sys/prctl.h> | 13 #include <sys/prctl.h> |
| 14 #include <sys/stat.h> | 14 #include <sys/stat.h> |
| 15 #include <sys/types.h> | 15 #include <sys/types.h> |
| 16 #include <ucontext.h> | 16 #include <ucontext.h> |
| 17 #include <unistd.h> | 17 #include <unistd.h> |
| 18 | 18 |
| 19 #include <vector> | 19 #include <vector> |
| 20 | 20 |
| 21 #include "base/command_line.h" | 21 #include "base/command_line.h" |
| 22 #include "base/logging.h" | 22 #include "base/logging.h" |
| 23 #include "content/common/sandbox_linux.h" | 23 #include "content/common/sandbox_linux.h" |
| 24 #include "content/common/sandbox_seccomp_bpf_linux.h" | 24 #include "content/common/sandbox_seccomp_bpf_linux.h" |
| 25 #include "content/public/common/content_switches.h" | 25 #include "content/public/common/content_switches.h" |
| 26 | 26 |
| 27 // These are the only architectures supported for now. | 27 // These are the only architectures supported for now. |
| 28 #if defined(__i386__) || defined(__x86_64__) || defined(__arm__) | 28 #if defined(__i386__) || defined(__x86_64__) || \ |
| 29 (defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))) |
| 29 #define SECCOMP_BPF_SANDBOX | 30 #define SECCOMP_BPF_SANDBOX |
| 30 #endif | 31 #endif |
| 31 | 32 |
| 32 #if defined(SECCOMP_BPF_SANDBOX) | 33 #if defined(SECCOMP_BPF_SANDBOX) |
| 33 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 34 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 34 | 35 |
| 35 #if defined(__i386__) || defined(__x86_64__) | 36 #if defined(__i386__) || defined(__x86_64__) |
| 36 #include "sandbox/linux/services/x86_linux_syscalls.h" | 37 #include "sandbox/linux/services/x86_linux_syscalls.h" |
| 37 #elif defined(__arm__) | 38 #elif defined(__arm__) |
| 38 // This file doesn't yet list all syscalls. | 39 // This file doesn't yet list all syscalls. |
| (...skipping 107 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 146 int flags = static_cast<int>(arg1); | 147 int flags = static_cast<int>(arg1); |
| 147 | 148 |
| 148 if (strcmp(pathname, kDriRcPath) == 0) { | 149 if (strcmp(pathname, kDriRcPath) == 0) { |
| 149 int ret = OpenWithCache(pathname, flags); | 150 int ret = OpenWithCache(pathname, flags); |
| 150 return (ret == -1) ? -errno : ret; | 151 return (ret == -1) ? -errno : ret; |
| 151 } else { | 152 } else { |
| 152 return -ENOENT; | 153 return -ENOENT; |
| 153 } | 154 } |
| 154 } | 155 } |
| 155 | 156 |
| 156 #if defined(__i386__) || defined(__x86_64__) | 157 // The functions below cover all existing i386, x86_64, and ARM system calls; |
| 157 | 158 // excluding syscalls made obsolete in ARM EABI. |
| 158 // The functions below cover all existing x86_64 and i386 system calls. | |
| 159 // The implicitly defined sets form a partition of the sets of | 159 // The implicitly defined sets form a partition of the sets of |
| 160 // system calls. | 160 // system calls. |
| 161 | 161 |
| 162 // TODO(jln) we need to restrict the first parameter! | 162 // TODO(jln) we need to restrict the first parameter! |
| 163 bool IsKill(int sysno) { | 163 bool IsKill(int sysno) { |
| 164 switch (sysno) { | 164 switch (sysno) { |
| 165 case __NR_kill: | 165 case __NR_kill: |
| 166 case __NR_tkill: | 166 case __NR_tkill: |
| 167 case __NR_tgkill: | 167 case __NR_tgkill: |
| 168 return true; | 168 return true; |
| 169 default: | 169 default: |
| 170 return false; | 170 return false; |
| 171 } | 171 } |
| 172 } | 172 } |
| 173 | 173 |
| 174 bool IsAllowedGettime(int sysno) { | 174 bool IsAllowedGettime(int sysno) { |
| 175 switch (sysno) { | 175 switch (sysno) { |
| 176 case __NR_clock_gettime: | 176 case __NR_clock_gettime: |
| 177 case __NR_gettimeofday: | 177 case __NR_gettimeofday: |
| 178 #if defined(__i386__) || defined(__x86_64__) |
| 178 case __NR_time: | 179 case __NR_time: |
| 180 #endif |
| 179 return true; | 181 return true; |
| 180 case __NR_adjtimex: // Privileged. | 182 case __NR_adjtimex: // Privileged. |
| 181 case __NR_clock_adjtime: // Privileged. | 183 case __NR_clock_adjtime: // Privileged. |
| 182 case __NR_clock_getres: // Could be allowed. | 184 case __NR_clock_getres: // Could be allowed. |
| 183 case __NR_clock_nanosleep: // Could be allowed. | 185 case __NR_clock_nanosleep: // Could be allowed. |
| 184 case __NR_clock_settime: // Privileged. | 186 case __NR_clock_settime: // Privileged. |
| 185 #if defined(__i386__) | 187 #if defined(__i386__) |
| 186 case __NR_ftime: // Obsolete. | 188 case __NR_ftime: // Obsolete. |
| 187 #endif | 189 #endif |
| 188 case __NR_settimeofday: // Privileged. | 190 case __NR_settimeofday: // Privileged. |
| (...skipping 83 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 272 case __NR_symlink: | 274 case __NR_symlink: |
| 273 case __NR_symlinkat: | 275 case __NR_symlinkat: |
| 274 case __NR_truncate: | 276 case __NR_truncate: |
| 275 #if defined(__i386__) | 277 #if defined(__i386__) |
| 276 case __NR_truncate64: | 278 case __NR_truncate64: |
| 277 #endif | 279 #endif |
| 278 case __NR_unlink: | 280 case __NR_unlink: |
| 279 case __NR_unlinkat: | 281 case __NR_unlinkat: |
| 280 case __NR_uselib: // Neither EPERM, nor ENOENT are valid errno. | 282 case __NR_uselib: // Neither EPERM, nor ENOENT are valid errno. |
| 281 case __NR_ustat: // Same as above. Deprecated. | 283 case __NR_ustat: // Same as above. Deprecated. |
| 284 #if defined(__i386__) || defined(__x86_64__) |
| 282 case __NR_utime: | 285 case __NR_utime: |
| 286 #endif |
| 283 case __NR_utimensat: // New. | 287 case __NR_utimensat: // New. |
| 284 case __NR_utimes: | 288 case __NR_utimes: |
| 285 return true; | 289 return true; |
| 286 default: | 290 default: |
| 287 return false; | 291 return false; |
| 288 } | 292 } |
| 289 } | 293 } |
| 290 | 294 |
| 291 bool IsAllowedFileSystemAccessViaFd(int sysno) { | 295 bool IsAllowedFileSystemAccessViaFd(int sysno) { |
| 292 switch (sysno) { | 296 switch (sysno) { |
| 293 case __NR_fstat: | 297 case __NR_fstat: |
| 294 #if defined(__i386__) | 298 #if defined(__i386__) |
| 295 case __NR_fstat64: | 299 case __NR_fstat64: |
| 296 #endif | 300 #endif |
| 297 return true; | 301 return true; |
| 298 // TODO(jln): these should be denied gracefully as well (moved below). | 302 // TODO(jln): these should be denied gracefully as well (moved below). |
| 303 #if defined(__i386__) || defined(__x86_64__) |
| 299 case __NR_fadvise64: // EPERM not a valid errno. | 304 case __NR_fadvise64: // EPERM not a valid errno. |
| 305 #endif |
| 300 #if defined(__i386__) | 306 #if defined(__i386__) |
| 301 case __NR_fadvise64_64: | 307 case __NR_fadvise64_64: |
| 302 #endif | 308 #endif |
| 309 #if defined(__arm__) |
| 310 case __NR_arm_fadvise64_64: |
| 311 #endif |
| 303 case __NR_fdatasync: // EPERM not a valid errno. | 312 case __NR_fdatasync: // EPERM not a valid errno. |
| 304 case __NR_flock: // EPERM not a valid errno. | 313 case __NR_flock: // EPERM not a valid errno. |
| 305 case __NR_fstatfs: // Give information about the whole filesystem. | 314 case __NR_fstatfs: // Give information about the whole filesystem. |
| 306 #if defined(__i386__) | 315 #if defined(__i386__) |
| 307 case __NR_fstatfs64: | 316 case __NR_fstatfs64: |
| 308 #endif | 317 #endif |
| 309 case __NR_fsync: // EPERM not a valid errno. | 318 case __NR_fsync: // EPERM not a valid errno. |
| 310 #if defined(__i386__) | 319 #if defined(__i386__) |
| 311 case __NR_oldfstat: | 320 case __NR_oldfstat: |
| 312 #endif | 321 #endif |
| 313 case __NR_sync_file_range: // EPERM not a valid errno. | 322 #if defined(__i386__) || defined(__x86_64__) |
| 323 case __NR_sync_file_range: // EPERM not a valid errno. |
| 324 #elif defined(__arm__) |
| 325 case __NR_arm_sync_file_range: // EPERM not a valid errno. |
| 326 #endif |
| 314 default: | 327 default: |
| 315 return false; | 328 return false; |
| 316 } | 329 } |
| 317 } | 330 } |
| 318 | 331 |
| 319 // EPERM is a good errno for any of these. | 332 // EPERM is a good errno for any of these. |
| 320 bool IsDeniedFileSystemAccessViaFd(int sysno) { | 333 bool IsDeniedFileSystemAccessViaFd(int sysno) { |
| 321 switch (sysno) { | 334 switch (sysno) { |
| 322 case __NR_fallocate: | 335 case __NR_fallocate: |
| 323 case __NR_fchmod: | 336 case __NR_fchmod: |
| (...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 377 #endif | 390 #endif |
| 378 return true; | 391 return true; |
| 379 default: | 392 default: |
| 380 return false; | 393 return false; |
| 381 } | 394 } |
| 382 } | 395 } |
| 383 | 396 |
| 384 bool IsProcessPrivilegeChange(int sysno) { | 397 bool IsProcessPrivilegeChange(int sysno) { |
| 385 switch (sysno) { | 398 switch (sysno) { |
| 386 case __NR_capset: | 399 case __NR_capset: |
| 400 #if defined(__i386__) || defined(__x86_64__) |
| 387 case __NR_ioperm: // Intel privilege. | 401 case __NR_ioperm: // Intel privilege. |
| 388 case __NR_iopl: // Intel privilege. | 402 case __NR_iopl: // Intel privilege. |
| 403 #endif |
| 389 case __NR_setfsgid: | 404 case __NR_setfsgid: |
| 390 case __NR_setfsuid: | 405 case __NR_setfsuid: |
| 391 case __NR_setgid: | 406 case __NR_setgid: |
| 392 case __NR_setgroups: | 407 case __NR_setgroups: |
| 393 case __NR_setregid: | 408 case __NR_setregid: |
| 394 case __NR_setresgid: | 409 case __NR_setresgid: |
| 395 case __NR_setresuid: | 410 case __NR_setresuid: |
| 396 case __NR_setreuid: | 411 case __NR_setreuid: |
| 397 case __NR_setuid: | 412 case __NR_setuid: |
| 398 #if defined(__i386__) | 413 #if defined(__i386__) |
| (...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 467 #endif | 482 #endif |
| 468 #if defined(__x86_64__) | 483 #if defined(__x86_64__) |
| 469 case __NR_shutdown: | 484 case __NR_shutdown: |
| 470 #endif | 485 #endif |
| 471 return true; | 486 return true; |
| 472 default: | 487 default: |
| 473 return false; | 488 return false; |
| 474 } | 489 } |
| 475 } | 490 } |
| 476 | 491 |
| 477 bool IsKernelInteralApi(int sysno) { | 492 bool IsKernelInternalApi(int sysno) { |
| 478 switch (sysno) { | 493 switch (sysno) { |
| 479 case __NR_restart_syscall: | 494 case __NR_restart_syscall: |
| 495 #if defined(__arm__) |
| 496 case __ARM_NR_cmpxchg: |
| 497 #endif |
| 480 return true; | 498 return true; |
| 481 default: | 499 default: |
| 482 return false; | 500 return false; |
| 483 } | 501 } |
| 484 } | 502 } |
| 485 | 503 |
| 486 // This should be thought through in conjunction with IsFutex(). | 504 // This should be thought through in conjunction with IsFutex(). |
| 487 bool IsAllowedProcessStartOrDeath(int sysno) { | 505 bool IsAllowedProcessStartOrDeath(int sysno) { |
| 488 switch (sysno) { | 506 switch (sysno) { |
| 489 case __NR_clone: // TODO(jln): restrict flags. | 507 case __NR_clone: // TODO(jln): restrict flags. |
| 490 case __NR_exit: | 508 case __NR_exit: |
| 491 case __NR_exit_group: | 509 case __NR_exit_group: |
| 492 case __NR_wait4: | 510 case __NR_wait4: |
| 493 case __NR_waitid: | 511 case __NR_waitid: |
| 494 #if defined(__i386__) | 512 #if defined(__i386__) |
| 495 case __NR_waitpid: | 513 case __NR_waitpid: |
| 496 #endif | 514 #endif |
| 497 return true; | 515 return true; |
| 498 case __NR_setns: // Privileged. | 516 case __NR_setns: // Privileged. |
| 499 case __NR_fork: | 517 case __NR_fork: |
| 518 #if defined(__i386__) || defined(__x86_64__) |
| 500 case __NR_get_thread_area: | 519 case __NR_get_thread_area: |
| 501 case __NR_set_thread_area: | 520 case __NR_set_thread_area: |
| 521 #endif |
| 502 case __NR_set_tid_address: | 522 case __NR_set_tid_address: |
| 503 case __NR_unshare: | 523 case __NR_unshare: |
| 504 case __NR_vfork: | 524 case __NR_vfork: |
| 505 default: | 525 default: |
| 506 return false; | 526 return false; |
| 507 } | 527 } |
| 508 } | 528 } |
| 509 | 529 |
| 510 // It's difficult to restrict those, but there is attack surface here. | 530 // It's difficult to restrict those, but there is attack surface here. |
| 511 bool IsFutex(int sysno) { | 531 bool IsFutex(int sysno) { |
| (...skipping 71 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 583 return false; | 603 return false; |
| 584 } | 604 } |
| 585 } | 605 } |
| 586 #endif | 606 #endif |
| 587 | 607 |
| 588 bool IsAllowedAddressSpaceAccess(int sysno) { | 608 bool IsAllowedAddressSpaceAccess(int sysno) { |
| 589 switch (sysno) { | 609 switch (sysno) { |
| 590 case __NR_brk: | 610 case __NR_brk: |
| 591 case __NR_madvise: | 611 case __NR_madvise: |
| 592 case __NR_mlock: | 612 case __NR_mlock: |
| 613 #if defined(__i386__) || defined(__x86_64__) |
| 593 case __NR_mmap: // TODO(jln): to restrict flags. | 614 case __NR_mmap: // TODO(jln): to restrict flags. |
| 594 #if defined(__i386__) | 615 #endif |
| 616 #if defined(__i386__) || defined(__arm__) |
| 595 case __NR_mmap2: | 617 case __NR_mmap2: |
| 596 #endif | 618 #endif |
| 597 case __NR_mprotect: | 619 case __NR_mprotect: |
| 598 case __NR_munlock: | 620 case __NR_munlock: |
| 599 case __NR_munmap: | 621 case __NR_munmap: |
| 600 return true; | 622 return true; |
| 601 case __NR_mincore: | 623 case __NR_mincore: |
| 602 case __NR_mlockall: | 624 case __NR_mlockall: |
| 625 #if defined(__i386__) || defined(__x86_64__) |
| 603 case __NR_modify_ldt: | 626 case __NR_modify_ldt: |
| 627 #endif |
| 604 case __NR_mremap: | 628 case __NR_mremap: |
| 605 case __NR_msync: | 629 case __NR_msync: |
| 606 case __NR_munlockall: | 630 case __NR_munlockall: |
| 607 case __NR_readahead: | 631 case __NR_readahead: |
| 608 case __NR_remap_file_pages: | 632 case __NR_remap_file_pages: |
| 609 #if defined(__i386__) | 633 #if defined(__i386__) |
| 610 case __NR_vm86: | 634 case __NR_vm86: |
| 611 case __NR_vm86old: | 635 case __NR_vm86old: |
| 612 #endif | 636 #endif |
| 613 default: | 637 default: |
| 614 return false; | 638 return false; |
| 615 } | 639 } |
| 616 } | 640 } |
| 617 | 641 |
| 618 bool IsAllowedGeneralIo(int sysno) { | 642 bool IsAllowedGeneralIo(int sysno) { |
| 619 switch (sysno) { | 643 switch (sysno) { |
| 620 case __NR_lseek: | 644 case __NR_lseek: |
| 621 #if defined(__i386__) | 645 #if defined(__i386__) |
| 622 case __NR__llseek: | 646 case __NR__llseek: |
| 623 #endif | 647 #endif |
| 624 case __NR_poll: | 648 case __NR_poll: |
| 625 case __NR_ppoll: | 649 case __NR_ppoll: |
| 626 case __NR_pselect6: | 650 case __NR_pselect6: |
| 627 case __NR_read: | 651 case __NR_read: |
| 628 case __NR_readv: | 652 case __NR_readv: |
| 653 #if defined(__arm__) |
| 654 case __NR_recv: |
| 655 #endif |
| 629 #if defined(__x86_64__) | 656 #if defined(__x86_64__) |
| 630 case __NR_recvfrom: // Could specify source. | 657 case __NR_recvfrom: // Could specify source. |
| 631 case __NR_recvmsg: // Could specify source. | 658 case __NR_recvmsg: // Could specify source. |
| 632 #endif | 659 #endif |
| 660 #if defined(__i386__) || defined(__x86_64__) |
| 633 case __NR_select: | 661 case __NR_select: |
| 634 #if defined(__i386__) | 662 #endif |
| 663 #if defined(__i386__) || defined(__arm__) |
| 635 case __NR__newselect: | 664 case __NR__newselect: |
| 636 #endif | 665 #endif |
| 666 #if defined(__arm__) |
| 667 case __NR_send: |
| 668 #endif |
| 637 #if defined(__x86_64__) | 669 #if defined(__x86_64__) |
| 638 case __NR_sendmsg: // Could specify destination. | 670 case __NR_sendmsg: // Could specify destination. |
| 639 case __NR_sendto: // Could specify destination. | 671 case __NR_sendto: // Could specify destination. |
| 640 #endif | 672 #endif |
| 641 case __NR_write: | 673 case __NR_write: |
| 642 case __NR_writev: | 674 case __NR_writev: |
| 643 return true; | 675 return true; |
| 644 case __NR_ioctl: // Can be very powerful. | 676 case __NR_ioctl: // Can be very powerful. |
| 645 case __NR_pread64: | 677 case __NR_pread64: |
| 646 case __NR_preadv: | 678 case __NR_preadv: |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 699 case __NR_sethostname: | 731 case __NR_sethostname: |
| 700 case __NR_syslog: | 732 case __NR_syslog: |
| 701 return true; | 733 return true; |
| 702 default: | 734 default: |
| 703 return false; | 735 return false; |
| 704 } | 736 } |
| 705 } | 737 } |
| 706 | 738 |
| 707 bool IsKernelModule(int sysno) { | 739 bool IsKernelModule(int sysno) { |
| 708 switch (sysno) { | 740 switch (sysno) { |
| 741 #if defined(__i386__) || defined(__x86_64__) |
| 709 case __NR_create_module: | 742 case __NR_create_module: |
| 743 case __NR_get_kernel_syms: // Should ENOSYS. |
| 744 case __NR_query_module: |
| 745 #endif |
| 710 case __NR_delete_module: | 746 case __NR_delete_module: |
| 711 case __NR_get_kernel_syms: // Should ENOSYS. | |
| 712 case __NR_init_module: | 747 case __NR_init_module: |
| 713 case __NR_query_module: | |
| 714 return true; | 748 return true; |
| 715 default: | 749 default: |
| 716 return false; | 750 return false; |
| 717 } | 751 } |
| 718 } | 752 } |
| 719 | 753 |
| 720 bool IsGlobalFSViewChange(int sysno) { | 754 bool IsGlobalFSViewChange(int sysno) { |
| 721 switch (sysno) { | 755 switch (sysno) { |
| 722 case __NR_pivot_root: | 756 case __NR_pivot_root: |
| 723 case __NR_chroot: | 757 case __NR_chroot: |
| (...skipping 19 matching lines...) Expand all Loading... |
| 743 default: | 777 default: |
| 744 return false; | 778 return false; |
| 745 } | 779 } |
| 746 } | 780 } |
| 747 | 781 |
| 748 bool IsNuma(int sysno) { | 782 bool IsNuma(int sysno) { |
| 749 switch (sysno) { | 783 switch (sysno) { |
| 750 case __NR_get_mempolicy: | 784 case __NR_get_mempolicy: |
| 751 case __NR_getcpu: | 785 case __NR_getcpu: |
| 752 case __NR_mbind: | 786 case __NR_mbind: |
| 787 #if defined(__i386__) || defined(__x86_64__) |
| 753 case __NR_migrate_pages: | 788 case __NR_migrate_pages: |
| 789 #endif |
| 754 case __NR_move_pages: | 790 case __NR_move_pages: |
| 755 case __NR_set_mempolicy: | 791 case __NR_set_mempolicy: |
| 756 return true; | 792 return true; |
| 757 default: | 793 default: |
| 758 return false; | 794 return false; |
| 759 } | 795 } |
| 760 } | 796 } |
| 761 | 797 |
| 762 bool IsMessageQueue(int sysno) { | 798 bool IsMessageQueue(int sysno) { |
| 763 switch (sysno) { | 799 switch (sysno) { |
| 764 case __NR_mq_getsetattr: | 800 case __NR_mq_getsetattr: |
| 765 case __NR_mq_notify: | 801 case __NR_mq_notify: |
| 766 case __NR_mq_open: | 802 case __NR_mq_open: |
| 767 case __NR_mq_timedreceive: | 803 case __NR_mq_timedreceive: |
| 768 case __NR_mq_timedsend: | 804 case __NR_mq_timedsend: |
| 769 case __NR_mq_unlink: | 805 case __NR_mq_unlink: |
| 770 return true; | 806 return true; |
| 771 default: | 807 default: |
| 772 return false; | 808 return false; |
| 773 } | 809 } |
| 774 } | 810 } |
| 775 | 811 |
| 776 bool IsGlobalProcessEnvironment(int sysno) { | 812 bool IsGlobalProcessEnvironment(int sysno) { |
| 777 switch (sysno) { | 813 switch (sysno) { |
| 778 case __NR_acct: // Privileged. | 814 case __NR_acct: // Privileged. |
| 815 #if defined(__i386__) || defined(__x86_64__) |
| 779 case __NR_getrlimit: | 816 case __NR_getrlimit: |
| 780 #if defined(__i386__) | 817 #endif |
| 818 #if defined(__i386__) || defined(__arm__) |
| 781 case __NR_ugetrlimit: | 819 case __NR_ugetrlimit: |
| 820 #elif defined(__i386__) |
| 782 case __NR_ulimit: | 821 case __NR_ulimit: |
| 783 #endif | 822 #endif |
| 784 case __NR_getrusage: | 823 case __NR_getrusage: |
| 785 case __NR_personality: // Can change its personality as well. | 824 case __NR_personality: // Can change its personality as well. |
| 786 case __NR_prlimit64: // Like setrlimit / getrlimit. | 825 case __NR_prlimit64: // Like setrlimit / getrlimit. |
| 787 case __NR_setrlimit: | 826 case __NR_setrlimit: |
| 788 case __NR_times: | 827 case __NR_times: |
| 789 return true; | 828 return true; |
| 790 default: | 829 default: |
| 791 return false; | 830 return false; |
| 792 } | 831 } |
| 793 } | 832 } |
| 794 | 833 |
| 795 bool IsDebug(int sysno) { | 834 bool IsDebug(int sysno) { |
| 796 switch (sysno) { | 835 switch (sysno) { |
| 797 case __NR_ptrace: | 836 case __NR_ptrace: |
| 798 case __NR_process_vm_readv: | 837 case __NR_process_vm_readv: |
| 799 case __NR_process_vm_writev: | 838 case __NR_process_vm_writev: |
| 839 #if defined(__i386__) || defined(__x86_64__) |
| 800 case __NR_kcmp: | 840 case __NR_kcmp: |
| 841 #endif |
| 801 return true; | 842 return true; |
| 802 default: | 843 default: |
| 803 return false; | 844 return false; |
| 804 } | 845 } |
| 805 } | 846 } |
| 806 | 847 |
| 807 bool IsGlobalSystemStatus(int sysno) { | 848 bool IsGlobalSystemStatus(int sysno) { |
| 808 switch (sysno) { | 849 switch (sysno) { |
| 809 case __NR__sysctl: | 850 case __NR__sysctl: |
| 810 case __NR_sysfs: | 851 case __NR_sysfs: |
| (...skipping 136 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 947 case __NR_fanotify_mark: | 988 case __NR_fanotify_mark: |
| 948 return true; | 989 return true; |
| 949 default: | 990 default: |
| 950 return false; | 991 return false; |
| 951 } | 992 } |
| 952 } | 993 } |
| 953 | 994 |
| 954 bool IsTimer(int sysno) { | 995 bool IsTimer(int sysno) { |
| 955 switch (sysno) { | 996 switch (sysno) { |
| 956 case __NR_getitimer: | 997 case __NR_getitimer: |
| 998 #if defined(__i386__) || defined(__x86_64__) |
| 957 case __NR_alarm: | 999 case __NR_alarm: |
| 1000 #endif |
| 958 case __NR_setitimer: | 1001 case __NR_setitimer: |
| 959 return true; | 1002 return true; |
| 960 default: | 1003 default: |
| 961 return false; | 1004 return false; |
| 962 } | 1005 } |
| 963 } | 1006 } |
| 964 | 1007 |
| 965 bool IsAdvancedTimer(int sysno) { | 1008 bool IsAdvancedTimer(int sysno) { |
| 966 switch (sysno) { | 1009 switch (sysno) { |
| 967 case __NR_timer_create: | 1010 case __NR_timer_create: |
| (...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1001 // Various system calls that need to be researched. | 1044 // Various system calls that need to be researched. |
| 1002 // TODO(jln): classify this better. | 1045 // TODO(jln): classify this better. |
| 1003 bool IsMisc(int sysno) { | 1046 bool IsMisc(int sysno) { |
| 1004 switch (sysno) { | 1047 switch (sysno) { |
| 1005 case __NR_name_to_handle_at: | 1048 case __NR_name_to_handle_at: |
| 1006 case __NR_open_by_handle_at: | 1049 case __NR_open_by_handle_at: |
| 1007 case __NR_perf_event_open: | 1050 case __NR_perf_event_open: |
| 1008 case __NR_syncfs: | 1051 case __NR_syncfs: |
| 1009 case __NR_vhangup: | 1052 case __NR_vhangup: |
| 1010 // The system calls below are not implemented. | 1053 // The system calls below are not implemented. |
| 1054 #if defined(__i386__) || defined(__x86_64__) |
| 1011 case __NR_afs_syscall: | 1055 case __NR_afs_syscall: |
| 1056 #endif |
| 1012 #if defined(__i386__) | 1057 #if defined(__i386__) |
| 1013 case __NR_break: | 1058 case __NR_break: |
| 1014 #endif | 1059 #endif |
| 1060 #if defined(__i386__) || defined(__x86_64__) |
| 1015 case __NR_getpmsg: | 1061 case __NR_getpmsg: |
| 1062 #endif |
| 1016 #if defined(__i386__) | 1063 #if defined(__i386__) |
| 1017 case __NR_gtty: | 1064 case __NR_gtty: |
| 1018 case __NR_idle: | 1065 case __NR_idle: |
| 1019 case __NR_lock: | 1066 case __NR_lock: |
| 1020 case __NR_mpx: | 1067 case __NR_mpx: |
| 1021 case __NR_prof: | 1068 case __NR_prof: |
| 1022 case __NR_profil: | 1069 case __NR_profil: |
| 1023 #endif | 1070 #endif |
| 1071 #if defined(__i386__) || defined(__x86_64__) |
| 1024 case __NR_putpmsg: | 1072 case __NR_putpmsg: |
| 1073 #endif |
| 1025 #if defined(__x86_64__) | 1074 #if defined(__x86_64__) |
| 1026 case __NR_security: | 1075 case __NR_security: |
| 1027 #endif | 1076 #endif |
| 1028 #if defined(__i386__) | 1077 #if defined(__i386__) |
| 1029 case __NR_stty: | 1078 case __NR_stty: |
| 1030 #endif | 1079 #endif |
| 1031 #if defined(__x86_64__) | 1080 #if defined(__x86_64__) |
| 1032 case __NR_tuxcall: | 1081 case __NR_tuxcall: |
| 1033 #endif | 1082 #endif |
| 1034 case __NR_vserver: | 1083 case __NR_vserver: |
| 1035 return true; | 1084 return true; |
| 1036 default: | 1085 default: |
| 1037 return false; | 1086 return false; |
| 1038 } | 1087 } |
| 1039 } | 1088 } |
| 1040 | 1089 |
| 1090 #if defined(__arm__) |
| 1091 bool IsArmPciConfig(int sysno) { |
| 1092 switch (sysno) { |
| 1093 case __NR_pciconfig_iobase: |
| 1094 case __NR_pciconfig_read: |
| 1095 case __NR_pciconfig_write: |
| 1096 return true; |
| 1097 default: |
| 1098 return false; |
| 1099 } |
| 1100 } |
| 1101 |
| 1102 bool IsArmPrivate(int sysno) { |
| 1103 switch (sysno) { |
| 1104 case __ARM_NR_breakpoint: |
| 1105 case __ARM_NR_cacheflush: |
| 1106 case __ARM_NR_set_tls: |
| 1107 case __ARM_NR_usr26: |
| 1108 case __ARM_NR_usr32: |
| 1109 return true; |
| 1110 default: |
| 1111 return false; |
| 1112 } |
| 1113 } |
| 1114 #endif // defined(__arm__) |
| 1115 |
| 1041 // End of the system call sets section. | 1116 // End of the system call sets section. |
| 1042 | 1117 |
| 1043 bool IsBaselinePolicyAllowed_x86_64(int sysno) { | 1118 bool IsBaselinePolicyAllowed_x86_64(int sysno) { |
| 1044 if (IsAllowedAddressSpaceAccess(sysno) || | 1119 if (IsAllowedAddressSpaceAccess(sysno) || |
| 1045 IsAllowedBasicScheduler(sysno) || | 1120 IsAllowedBasicScheduler(sysno) || |
| 1046 IsAllowedEpoll(sysno) || | 1121 IsAllowedEpoll(sysno) || |
| 1047 IsAllowedFileSystemAccessViaFd(sysno) || | 1122 IsAllowedFileSystemAccessViaFd(sysno) || |
| 1048 IsAllowedGeneralIo(sysno) || | 1123 IsAllowedGeneralIo(sysno) || |
| 1049 IsAllowedGetOrModifySocket(sysno) || | 1124 IsAllowedGetOrModifySocket(sysno) || |
| 1050 IsAllowedGettime(sysno) || | 1125 IsAllowedGettime(sysno) || |
| 1051 IsAllowedPrctl(sysno) || | 1126 IsAllowedPrctl(sysno) || |
| 1052 IsAllowedProcessStartOrDeath(sysno) || | 1127 IsAllowedProcessStartOrDeath(sysno) || |
| 1053 IsAllowedSignalHandling(sysno) || | 1128 IsAllowedSignalHandling(sysno) || |
| 1054 IsFutex(sysno) || | 1129 IsFutex(sysno) || |
| 1055 IsGetSimpleId(sysno) || | 1130 IsGetSimpleId(sysno) || |
| 1056 IsKernelInteralApi(sysno) || | 1131 IsKernelInternalApi(sysno) || |
| 1132 #if defined(__arm__) |
| 1133 IsArmPrivate(sysno) || |
| 1134 #endif |
| 1057 IsKill(sysno) || | 1135 IsKill(sysno) || |
| 1058 IsOperationOnFd(sysno)) { | 1136 IsOperationOnFd(sysno)) { |
| 1059 return true; | 1137 return true; |
| 1060 } else { | 1138 } else { |
| 1061 return false; | 1139 return false; |
| 1062 } | 1140 } |
| 1063 } | 1141 } |
| 1064 | 1142 |
| 1065 // System calls that will trigger the crashing sigsys handler. | 1143 // System calls that will trigger the crashing sigsys handler. |
| 1066 bool IsBaselinePolicyWatched_x86_64(int sysno) { | 1144 bool IsBaselinePolicyWatched_x86_64(int sysno) { |
| (...skipping 26 matching lines...) Expand all Loading... |
| 1093 #if defined(__i386__) | 1171 #if defined(__i386__) |
| 1094 IsSocketCall(sysno) || // We'll need to handle this properly to build | 1172 IsSocketCall(sysno) || // We'll need to handle this properly to build |
| 1095 // a x86_32 policy. | 1173 // a x86_32 policy. |
| 1096 #endif | 1174 #endif |
| 1097 #if defined(__x86_64__) | 1175 #if defined(__x86_64__) |
| 1098 IsSystemVMessageQueue(sysno) || | 1176 IsSystemVMessageQueue(sysno) || |
| 1099 IsSystemVSemaphores(sysno) || | 1177 IsSystemVSemaphores(sysno) || |
| 1100 #elif defined(__i386__) | 1178 #elif defined(__i386__) |
| 1101 IsSystemVIpc(sysno) || | 1179 IsSystemVIpc(sysno) || |
| 1102 #endif | 1180 #endif |
| 1181 #if defined(__arm__) |
| 1182 IsArmPciConfig(sysno) || |
| 1183 #endif |
| 1103 IsTimer(sysno)) { | 1184 IsTimer(sysno)) { |
| 1104 return true; | 1185 return true; |
| 1105 } else { | 1186 } else { |
| 1106 return false; | 1187 return false; |
| 1107 } | 1188 } |
| 1108 } | 1189 } |
| 1109 | 1190 |
| 1110 // x86_64 only for now. Needs to be adapted and tested for i386. | 1191 // x86_64 only for now. Needs to be adapted and tested for i386. |
| 1111 playground2::Sandbox::ErrorCode BaselinePolicy_x86_64(int sysno) { | 1192 playground2::Sandbox::ErrorCode BaselinePolicy_x86_64(int sysno) { |
| 1112 if (IsBaselinePolicyAllowed_x86_64(sysno)) { | 1193 if (IsBaselinePolicyAllowed_x86_64(sysno)) { |
| (...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1182 // These are under investigation, and hopefully not here for the long | 1263 // These are under investigation, and hopefully not here for the long |
| 1183 // term. | 1264 // term. |
| 1184 if (IsAllowedSystemVSharedMemory(sysno)) | 1265 if (IsAllowedSystemVSharedMemory(sysno)) |
| 1185 return playground2::Sandbox::SB_ALLOWED; | 1266 return playground2::Sandbox::SB_ALLOWED; |
| 1186 #endif | 1267 #endif |
| 1187 | 1268 |
| 1188 // Default on the baseline policy. | 1269 // Default on the baseline policy. |
| 1189 return BaselinePolicy_x86_64(sysno); | 1270 return BaselinePolicy_x86_64(sysno); |
| 1190 } | 1271 } |
| 1191 } | 1272 } |
| 1192 #endif // defined(__i386__) || defined(__x86_64__) | |
| 1193 | 1273 |
| 1194 playground2::Sandbox::ErrorCode BlacklistPtracePolicy(int sysno) { | 1274 playground2::Sandbox::ErrorCode BlacklistPtracePolicy(int sysno) { |
| 1195 if (sysno < static_cast<int>(MIN_SYSCALL) || | 1275 if (sysno < static_cast<int>(MIN_SYSCALL) || |
| 1196 sysno > static_cast<int>(MAX_SYSCALL)) { | 1276 sysno > static_cast<int>(MAX_SYSCALL)) { |
| 1197 // TODO(jln) we should not have to do that in a trivial policy. | 1277 // TODO(jln) we should not have to do that in a trivial policy. |
| 1198 return ENOSYS; | 1278 return ENOSYS; |
| 1199 } | 1279 } |
| 1200 switch (sysno) { | 1280 switch (sysno) { |
| 1201 #if defined(__i386__) || defined(__x86_64__) | 1281 #if defined(__i386__) || defined(__x86_64__) |
| 1202 case __NR_migrate_pages: | 1282 case __NR_migrate_pages: |
| (...skipping 135 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1338 // Process-specific policy. | 1418 // Process-specific policy. |
| 1339 ShouldEnableSeccompBpf(process_type) && | 1419 ShouldEnableSeccompBpf(process_type) && |
| 1340 SupportsSandbox()) { | 1420 SupportsSandbox()) { |
| 1341 return StartBpfSandbox(command_line, process_type); | 1421 return StartBpfSandbox(command_line, process_type); |
| 1342 } | 1422 } |
| 1343 #endif | 1423 #endif |
| 1344 return false; | 1424 return false; |
| 1345 } | 1425 } |
| 1346 | 1426 |
| 1347 } // namespace content | 1427 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10830348:
Add ARM syscalls to syscall sets. (Closed)
Base URL: http://git.chromium.org/chromium/src.git@master