Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(93)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/common/sandbox_seccomp_bpf_linux.cc

Issue 10834219: Seccomp-bpf: create system call sets. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Address Markus' concerns. Created 8 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <asm/unistd.h> 5 #include <asm/unistd.h>
6 #include <dlfcn.h> 6 #include <dlfcn.h>
7 #include <errno.h> 7 #include <errno.h>
8 #include <fcntl.h> 8 #include <fcntl.h>
9 #include <linux/audit.h> 9 #include <linux/audit.h>
10 #include <linux/filter.h> 10 #include <linux/filter.h>
(...skipping 25 matching lines...) Expand all
36 namespace { 36 namespace {
37 37
38 inline bool IsChromeOS() { 38 inline bool IsChromeOS() {
39 #if defined(OS_CHROMEOS) 39 #if defined(OS_CHROMEOS)
40 return true; 40 return true;
41 #else 41 #else
42 return false; 42 return false;
43 #endif 43 #endif
44 } 44 }
45 45
46 void LogSandboxStarted(const std::string& sandbox_name,
47 const std::string& process_type) {
48 const std::string activated_sandbox =
49 "Activated " + sandbox_name + " sandbox for process type: " +
50 process_type + ".";
51 if (IsChromeOS()) {
52 LOG(WARNING) << activated_sandbox;
53 } else {
54 VLOG(1) << activated_sandbox;
55 }
56 }
57
58 intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) { 46 intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) {
59 int syscall = args.nr; 47 int syscall = args.nr;
60 if (syscall >= 1024) 48 if (syscall >= 1024)
61 syscall = 0; 49 syscall = 0;
62 // Encode 8-bits of the 1st two arguments too, so we can discern which socket 50 // Encode 8-bits of the 1st two arguments too, so we can discern which socket
63 // type, which fcntl, ... etc., without being likely to hit a mapped 51 // type, which fcntl, ... etc., without being likely to hit a mapped
64 // address. 52 // address.
65 // Do not encode more bits here without thinking about increasing the 53 // Do not encode more bits here without thinking about increasing the
66 // likelihood of collision with mapped pages. 54 // likelihood of collision with mapped pages.
67 syscall |= ((args.args[0] & 0xffUL) << 12); 55 syscall |= ((args.args[0] & 0xffUL) << 12);
68 syscall |= ((args.args[1] & 0xffUL) << 20); 56 syscall |= ((args.args[1] & 0xffUL) << 20);
69 // Purposefully dereference the syscall as an address so it'll show up very 57 // Purposefully dereference the syscall as an address so it'll show up very
70 // clearly and easily in crash dumps. 58 // clearly and easily in crash dumps.
71 volatile char* addr = reinterpret_cast<volatile char*>(syscall); 59 volatile char* addr = reinterpret_cast<volatile char*>(syscall);
72 *addr = '\0'; 60 *addr = '\0';
73 // In case we hit a mapped address, hit the null page with just the syscall, 61 // In case we hit a mapped address, hit the null page with just the syscall,
74 // for paranoia. 62 // for paranoia.
75 syscall &= 0xfffUL; 63 syscall &= 0xfffUL;
76 addr = reinterpret_cast<volatile char*>(syscall); 64 addr = reinterpret_cast<volatile char*>(syscall);
77 *addr = '\0'; 65 *addr = '\0';
78 for (;;) 66 for (;;)
79 _exit(1); 67 _exit(1);
80 } 68 }
81 69
82 // TODO(jln) we need to restrict the first parameter!
83 bool IsKillSyscall(int sysno) {
84 switch (sysno) {
85 case __NR_kill:
86 case __NR_tkill:
87 case __NR_tgkill:
88 return true;
89 default:
90 return false;
91 }
92 }
93
94 bool IsGettimeSyscall(int sysno) {
95 switch (sysno) {
96 case __NR_clock_gettime:
97 case __NR_gettimeofday:
98 case __NR_time:
99 return true;
100 default:
101 return false;
102 }
103 }
104
105 bool IsFileSystemSyscall(int sysno) {
106 switch (sysno) {
107 case __NR_open:
108 case __NR_openat:
109 case __NR_execve:
110 case __NR_access:
111 case __NR_mkdir:
112 case __NR_mkdirat:
113 case __NR_readlink:
114 case __NR_readlinkat:
115 case __NR_stat:
116 case __NR_lstat:
117 case __NR_chdir:
118 case __NR_mknod:
119 case __NR_mknodat:
120 return true;
121 default:
122 return false;
123 }
124 }
125
126 bool IsAcceleratedVideoDecodeEnabled() { 70 bool IsAcceleratedVideoDecodeEnabled() {
127 // Accelerated video decode is currently enabled on Chrome OS, 71 // Accelerated video decode is currently enabled on Chrome OS,
128 // but not on Linux: crbug.com/137247. 72 // but not on Linux: crbug.com/137247.
129 bool is_enabled = IsChromeOS(); 73 bool is_enabled = IsChromeOS();
130 74
131 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); 75 const CommandLine& command_line = *CommandLine::ForCurrentProcess();
132 is_enabled = is_enabled && 76 is_enabled = is_enabled &&
133 !command_line.HasSwitch(switches::kDisableAcceleratedVideoDecode); 77 !command_line.HasSwitch(switches::kDisableAcceleratedVideoDecode);
134 78
135 return is_enabled; 79 return is_enabled;
(...skipping 61 matching lines...) Expand 10 before | Expand all | Expand 10 after
197 141
198 if (strcmp(pathname, kDriRcPath) == 0) { 142 if (strcmp(pathname, kDriRcPath) == 0) {
199 int ret = OpenWithCache(pathname, flags); 143 int ret = OpenWithCache(pathname, flags);
200 return (ret == -1) ? -errno : ret; 144 return (ret == -1) ? -errno : ret;
201 } else { 145 } else {
202 return -ENOENT; 146 return -ENOENT;
203 } 147 }
204 } 148 }
205 149
206 #if defined(__x86_64__) 150 #if defined(__x86_64__)
207 // x86_64 only because it references system calls that are multiplexed on IA32. 151
208 bool IsGpuAndFlashPolicyAllowed_x86_64(int sysno) { 152 // The functions below cover all existing x86_64 system calls.
209 switch (sysno) { 153 // The implicitly defined sets form a partition of the sets of
210 case __NR_brk: 154 // system calls.
211 case __NR_clone: // TODO(jln) restrict flags. 155
212 case __NR_close: 156 // TODO(jln) we need to restrict the first parameter!
213 case __NR_dup: 157 bool IsKillSyscall(int sysno) {
214 case __NR_epoll_create: 158 switch (sysno) {
215 case __NR_epoll_ctl: 159 case __NR_kill:
216 case __NR_epoll_wait: 160 case __NR_tkill:
217 case __NR_exit: 161 case __NR_tgkill:
218 case __NR_exit_group: 162 return true;
219 case __NR_fcntl: 163 default:
164 return false;
165 }
166 }
167
168 bool IsAllowedGettimeSyscall(int sysno) {
169 switch (sysno) {
170 // case __NR_clock_getres:
171 case __NR_clock_gettime:
172 // case __NR_clock_nanosleep:
173 case __NR_gettimeofday:
174 case __NR_time:
175 return true;
176 case __NR_adjtimex: // Privileged.
177 case __NR_settimeofday: // Privileged.
178 case __NR_clock_adjtime: // Privileged.
179 case __NR_clock_settime: // Privileged.
180 default:
181 return false;
182 }
183 }
184
185 bool IsAmbientFileSystemSyscall(int sysno) {
186 switch (sysno) {
187 // case __NR_getcwd:
188 case __NR_chdir:
189 // case __NR_fchdir:
190 // case __NR_umask:
191 return true;
192 default:
193 return false;
194 }
195 }
196
197 // System calls that directly access the file system. They might aquire
198 // a new file descriptor or otherwise perform an operation directly
199 // via a path.
200 // For many, EPERM is a valid errno, but not for all of them.
201 bool IsFileSystemSyscall(int sysno) {
202 switch (sysno) {
203 case __NR_access:
204 // case __NR_chmod:
205 // case __NR_chown:
206 // case __NR_creat:
207 case __NR_execve:
208 // case __NR_faccessat:
209 // case __NR_fchmodat:
210 // case __NR_fchownat: // Should be called chownat ?
211 // case __NR_futimesat: // Should be called utimesat ?
212 // case __NR_getdents:
213 // case __NR_getdents64:
214 // case __NR_lchown:
215 // case __NR_link:
216 // case __NR_linkat:
217 // case __NR_lookup_dcookie:
218 case __NR_lstat:
219 case __NR_mkdir:
220 case __NR_mkdirat:
221 case __NR_mknod:
222 case __NR_mknodat:
223 // case __NR_newfstatat: // Should be called statat ?
224 case __NR_open:
225 case __NR_openat:
226 case __NR_readlink:
227 case __NR_readlinkat:
228 // case __NR_rename:
229 // case __NR_renameat:
230 // case __NR_rmdir:
231 case __NR_stat:
232 // case __NR_statfs:
233 // case __NR_symlink:
234 // case __NR_symlinkat:
235 // case __NR_truncate:
236 // case __NR_unlink:
237 // case __NR_unlinkat:
238 // case __NR_uselib:
239 // case __NR_ustat: // Deprecated.
240 // case __NR_utime:
241 // case __NR_utimensat: // New.
242 // case __NR_utimes:
243 return true;
244 default:
245 return false;
246 }
247 }
248
249 bool IsAllowedFileSystemCapabilitySyscall(int sysno) {
250 switch (sysno) {
251 // case __NR_fadvise64:
252 // case __NR_flock:
220 case __NR_fstat: 253 case __NR_fstat:
221 case __NR_futex: 254 // case __NR_fstatfs: // Give information about the whole filesystem.
255 // case __NR_fsync:
256 // case __NR_fdatasync:
257 // case __NR_sync_file_range:
258 return true;
259 case __NR_fallocate:
260 case __NR_fchmod:
261 case __NR_fchown:
262 case __NR_ftruncate:
263 default:
264 return false;
265 }
266 }
267
268 bool IsGetProcessIdSyscall(int sysno) {
269 switch (sysno) {
270 // case __NR_capget:
222 case __NR_getegid: 271 case __NR_getegid:
223 case __NR_geteuid: 272 case __NR_geteuid:
224 case __NR_getgid: 273 case __NR_getgid:
274 // case __NR_getgroups:
275 // case __NR_getpid:
276 // case __NR_getppid:
277 // case __NR_getresgid:
278 // case __NR_getresuid:
279 // case __NR_getsid:
225 case __NR_gettid: 280 case __NR_gettid:
226 case __NR_getuid: 281 case __NR_getuid:
282 return true;
283 default:
284 return false;
285 }
286 }
287
288 bool IsProcessPrivilegeChange(int sysno) {
289 switch (sysno) {
290 case __NR_capset:
291 case __NR_iopl: // Intel privilege.
Jorge Lucangeli Obes 2012/08/08 21:56:31 Wrong alphabetical order?
jln (very slow on Chromium) 2012/08/08 22:03:40 Thanks! You're a terminator for spotting this :)
292 case __NR_ioperm: // Intel privilege.
293 case __NR_setfsgid:
294 case __NR_setfsuid:
295 case __NR_setgid:
296 case __NR_setgroups:
297 case __NR_setregid:
298 case __NR_setresgid:
299 case __NR_setresuid:
300 case __NR_setreuid:
301 case __NR_setuid:
302 return true;
303 default:
304 return false;
305 }
306 }
307
308 bool IsProcessGroupOrSession(int sysno) {
309 switch (sysno) {
310 case __NR_setpgid:
311 case __NR_getpgrp:
312 case __NR_setsid:
313 case __NR_getpgid:
314 return true;
315 default:
316 return false;
317 }
318 }
319
320 bool IsAllowedSignalHandling(int sysno) {
321 switch (sysno) {
322 case __NR_rt_sigaction:
323 // case __NR_rt_sigpending:
324 case __NR_rt_sigprocmask:
325 // case __NR_rt_sigqueueinfo:
326 case __NR_rt_sigreturn:
327 // case __NR_rt_sigsuspend:
328 // case __NR_rt_sigtimedwait:
329 // case __NR_rt_tgsigqueueinfo:
330 // case __NR_sigaltstack:
331 // case __NR_signalfd:
332 // case __NR_signalfd4:
333 return true;
334 default:
335 return false;
336 }
337 }
338
339 bool IsOperationOnFd(int sysno) {
340 switch (sysno) {
341 case __NR_close:
342 case __NR_dup:
343 // case __NR_dup2:
344 // case __NR_dup3:
345 case __NR_fcntl:
346 case __NR_shutdown:
347 return true;
348 default:
349 return false;
350 }
351 }
352
353 bool IsKernelInteralApi(int sysno) {
354 switch (sysno) {
355 case __NR_restart_syscall:
356 return true;
357 default:
358 return false;
359 }
360 }
361
362 bool IsAllowedProcessStartOrDeath(int sysno) {
363 switch (sysno) {
364 case __NR_clone: // TODO(jln): restrict flags.
365 case __NR_exit:
366 case __NR_exit_group:
367 // case __NR_fork:
368 // case __NR_get_thread_area:
369 // case __NR_set_thread_area:
370 // case __NR_set_tid_address:
371 // case __NR_unshare:
372 // case __NR_vfork:
373 // case __NR_wait4:
374 // case __NR_waitid:
375 return true;
376 case __NR_setns: // Privileged.
377 default:
378 return false;
379 }
380 }
381
382 bool IsAllowedEpoll(int sysno) {
383 switch (sysno) {
384 case __NR_epoll_create:
385 // case __NR_epoll_create1:
386 case __NR_epoll_ctl:
387 // case __NR_epoll_ctl_old:
388 // case __NR_epoll_pwait:
389 case __NR_epoll_wait:
390 // case __NR_epoll_wait_old:
391 return true;
392 default:
393 return false;
394 }
395 }
396
397 bool IsAllowedGetOrModifySocket(int sysno) {
398 switch (sysno) {
399 case __NR_pipe:
400 // case __NR_pipe2:
401 case __NR_socketpair: // We will want to inspect its argument.
402 return true;
403 default:
404 case __NR_accept:
405 case __NR_accept4:
406 case __NR_bind:
407 case __NR_connect:
408 case __NR_socket:
409 case __NR_listen:
410 return false;
411 }
412 }
413
414 bool IsNetworkSocketInformation(int sysno) {
415 switch (sysno) {
416 case __NR_getpeername:
417 case __NR_getsockname:
418 case __NR_getsockopt:
419 case __NR_setsockopt:
420 return true;
421 default:
422 return false;
423 }
424 }
425
426 bool IsFutex(int sysno) {
427 switch (sysno) {
428 case __NR_futex:
429 // case __NR_get_robust_list:
430 case __NR_set_robust_list:
431 return true;
432 default:
433 return false;
434 }
435 }
436
437 bool IsAllowedAddressSpaceAccess(int sysno) {
438 switch (sysno) {
439 case __NR_brk:
440 case __NR_madvise:
441 // case __NR_mincore:
442 // case __NR_mlock:
443 // case __NR_mlockall:
444 case __NR_mmap:
445 // case __NR_modify_ldt:
446 case __NR_mprotect:
447 // case __NR_mremap:
448 // case __NR_msync:
449 // case __NR_munlock:
450 // case __NR_munlockall:
451 case __NR_munmap:
452 // case __NR_readahead:
453 // case __NR_remap_file_pages:
454 return true;
455 default:
456 return false;
457 }
458 }
459
460 bool IsAllowedGeneralIo(int sysno) {
461 switch (sysno) {
227 case __NR_lseek: 462 case __NR_lseek:
228 case __NR_madvise: 463 // case __NR_poll:
229 case __NR_mmap: 464 // case __NR_ppoll:
230 case __NR_mprotect: 465 // case __NR_pread64:
231 case __NR_munmap: 466 // case __NR_preadv:
232 case __NR_pipe: 467 // case __NR_pselect6:
468 // case __NR_pwrite64:
469 // case __NR_pwritev:
470 case __NR_read:
471 // case __NR_readv:
472 // case __NR_recvfrom: // Could specify source.
473 // case __NR_recvmmsg: // Could specify source.
474 case __NR_recvmsg: // Could specify source.
475 // case __NR_select:
476 // case __NR_sendfile:
477 // case __NR_sendmmsg: // Could specify destination.
478 case __NR_sendmsg: // Could specify destination.
479 // case __NR_sendto: // Could specify destination.
480 // case __NR_splice:
481 // case __NR_tee:
482 // case __NR_vmsplice:
483 case __NR_write:
484 // case __NR_writev:
485 return true;
486 default:
487 case __NR_ioctl: // Can be very powerful.
488 return false;
489 }
490 }
491
492 bool IsAllowedPrctl(int sysno) {
493 switch (sysno) {
233 case __NR_prctl: 494 case __NR_prctl:
234 case __NR_read: 495 // case __NR_arch_prctl:
235 case __NR_recvmsg: 496 return true;
236 case __NR_restart_syscall: 497 default:
237 case __NR_rt_sigaction: // Breakpad signal handler. 498 return false;
238 case __NR_rt_sigprocmask: 499 }
239 case __NR_rt_sigreturn: 500 }
501
502 bool IsAllowedBasicScheduler(int sysno) {
503 switch (sysno) {
240 case __NR_sched_yield: 504 case __NR_sched_yield:
241 case __NR_sendmsg: 505 // case __NR_pause:
242 case __NR_set_robust_list: 506 // case __NR_nanosleep:
243 case __NR_shutdown: 507 // case __NR_getpriority:
244 case __NR_socketpair: 508 return true;
245 case __NR_write: 509 case __NR_setpriority:
246 return true; 510 default:
247 default: 511 return false;
248 if (IsGettimeSyscall(sysno) || 512 }
249 IsKillSyscall(sysno)) { 513 }
250 return true; 514
251 } else { 515 bool IsAdminOperation(int sysno) {
252 return false; 516 switch (sysno) {
253 } 517 case __NR_kexec_load:
518 case __NR_reboot:
519 case __NR_setdomainname:
520 case __NR_sethostname:
521 case __NR_syslog:
522 return true;
523 default:
524 return false;
525 }
526 }
527
528 bool IsKernelModule(int sysno) {
529 switch (sysno) {
530 case __NR_create_module:
531 case __NR_delete_module:
532 case __NR_get_kernel_syms: // Should ENOSYS.
533 case __NR_init_module:
534 case __NR_query_module:
535 return true;
536 default:
537 return false;
538 }
539 }
540
541 bool IsGlobalFSViewChange(int sysno) {
542 switch (sysno) {
543 case __NR_pivot_root:
544 case __NR_chroot:
545 case __NR_sync:
546 return true;
547 default:
548 return false;
549 }
550 }
551
552 bool IsFsControl(int sysno) {
553 switch (sysno) {
554 case __NR_mount:
555 case __NR_nfsservctl:
556 case __NR_quotactl:
557 case __NR_swapoff:
558 case __NR_swapon:
559 case __NR_umount2:
560 return true;
561 default:
562 return false;
563 }
564 }
565
566 bool IsNuma(int sysno) {
567 switch (sysno) {
568 case __NR_get_mempolicy:
569 case __NR_getcpu:
570 case __NR_mbind:
571 case __NR_migrate_pages:
572 case __NR_move_pages:
573 case __NR_set_mempolicy:
574 return true;
575 default:
576 return false;
577 }
578 }
579
580 bool IsMessageQueue(int sysno) {
581 switch (sysno) {
582 case __NR_mq_getsetattr:
583 case __NR_mq_notify:
584 case __NR_mq_open:
585 case __NR_mq_timedreceive:
586 case __NR_mq_timedsend:
587 case __NR_mq_unlink:
588 return true;
589 default:
590 return false;
591 }
592 }
593
594 bool IsGlobalProcessEnvironment(int sysno) {
595 switch (sysno) {
596 case __NR_acct: // Privileged.
597 case __NR_getrlimit:
598 case __NR_getrusage:
599 case __NR_personality: // Can change its personality as well.
600 case __NR_prlimit64: // Like setrlimit / getrlimit.
601 case __NR_setrlimit:
602 case __NR_times:
603 return true;
604 default:
605 return false;
606 }
607 }
608
609 bool IsDebug(int sysno) {
610 switch (sysno) {
611 case __NR_ptrace:
612 case __NR_process_vm_readv:
613 case __NR_process_vm_writev:
614 case __NR_kcmp:
615 return true;
616 default:
617 return false;
618 }
619 }
620
621 bool IsGlobalSystemStatus(int sysno) {
622 switch (sysno) {
623 case __NR__sysctl:
624 case __NR_sysfs:
625 case __NR_sysinfo:
626 case __NR_uname:
627 return true;
628 default:
629 return false;
630 }
631 }
632
633 bool IsEventFd(int sysno) {
634 switch (sysno) {
635 case __NR_eventfd:
636 // case __NR_eventfd2:
637 return true;
638 default:
639 return false;
640 }
641 }
642
643 // Asynchronous I/O API.
644 bool IsAsyncIo(int sysno) {
645 switch (sysno) {
646 case __NR_io_cancel:
647 case __NR_io_destroy:
648 case __NR_io_getevents:
649 case __NR_io_setup:
650 case __NR_io_submit:
651 return true;
652 default:
653 return false;
654 }
655 }
656
657 bool IsKeyManagement(int sysno) {
658 switch (sysno) {
659 case __NR_add_key:
660 case __NR_keyctl:
661 case __NR_request_key:
662 return true;
663 default:
664 return false;
665 }
666 }
667
668 bool IsSystemVSemaphores(int sysno) {
669 switch (sysno) {
670 case __NR_semctl:
671 case __NR_semget:
672 case __NR_semop:
673 case __NR_semtimedop:
674 return true;
675 default:
676 return false;
677 }
678 }
679
680 // These give a lot of ambient authority and bypass the setuid sandbox.
681 bool IsSystemVSharedMemory(int sysno) {
682 switch (sysno) {
683 case __NR_shmat:
684 case __NR_shmctl:
685 case __NR_shmdt:
686 // case __NR_shmget:
687 return true;
688 default:
689 return false;
690 }
691 }
692
693 bool IsSystemVMessageQueue(int sysno) {
694 switch (sysno) {
695 case __NR_msgctl:
696 case __NR_msgget:
697 case __NR_msgrcv:
698 case __NR_msgsnd:
699 return true;
700 default:
701 return false;
702 }
703 }
704
705 bool IsAdvancedScheduler(int sysno) {
706 switch (sysno) {
707 case __NR_ioprio_get: // IO scheduler.
708 case __NR_ioprio_set:
709 case __NR_sched_get_priority_max:
710 case __NR_sched_get_priority_min:
711 case __NR_sched_getaffinity:
712 case __NR_sched_getparam:
713 case __NR_sched_getscheduler:
714 case __NR_sched_rr_get_interval:
715 case __NR_sched_setaffinity:
716 case __NR_sched_setparam:
717 case __NR_sched_setscheduler:
718 return true;
719 default:
720 return false;
721 }
722 }
723
724 bool IsInotify(int sysno) {
725 switch (sysno) {
726 case __NR_inotify_add_watch:
727 case __NR_inotify_init:
728 case __NR_inotify_init1:
729 case __NR_inotify_rm_watch:
730 return true;
731 default:
732 return false;
733 }
734 }
735
736 bool IsFaNotify(int sysno) {
737 switch (sysno) {
738 case __NR_fanotify_init:
739 case __NR_fanotify_mark:
740 return true;
741 default:
742 return false;
743 }
744 }
745
746 bool IsTimer(int sysno) {
747 switch (sysno) {
748 case __NR_getitimer:
749 case __NR_alarm:
750 case __NR_setitimer:
751 return true;
752 default:
753 return false;
754 }
755 }
756
757 bool IsAdvancedTimer(int sysno) {
758 switch (sysno) {
759 case __NR_timer_create:
760 case __NR_timer_delete:
761 case __NR_timer_getoverrun:
762 case __NR_timer_gettime:
763 case __NR_timer_settime:
764 case __NR_timerfd_create:
765 case __NR_timerfd_gettime:
766 case __NR_timerfd_settime:
767 return true;
768 default:
769 return false;
770 }
771 }
772
773 bool IsExtendedAttributes(int sysno) {
774 switch (sysno) {
775 case __NR_fgetxattr:
776 case __NR_flistxattr:
777 case __NR_fremovexattr:
778 case __NR_fsetxattr:
779 case __NR_getxattr:
780 case __NR_lgetxattr:
781 case __NR_listxattr:
782 case __NR_llistxattr:
783 case __NR_lremovexattr:
784 case __NR_lsetxattr:
785 case __NR_removexattr:
786 case __NR_setxattr:
787 return true;
788 default:
789 return false;
790 }
791 }
792
793 // Various system calls that need to be researched.
794 // TODO(jln): classify this better.
795 bool IsMiscSyscall(int sysno) {
796 switch (sysno) {
797 case __NR_name_to_handle_at:
798 case __NR_open_by_handle_at:
799 case __NR_perf_event_open:
800 case __NR_syncfs:
801 case __NR_vhangup:
802 // The system calls below are not implemented.
803 case __NR_afs_syscall:
804 case __NR_getpmsg:
805 case __NR_putpmsg:
806 case __NR_security:
807 case __NR_tuxcall:
808 case __NR_vserver:
809 return true;
810 default:
811 return false;
812 }
813 }
814
815 // End of the system call sets section.
816
817 // x86_64 only because it references system calls that are multiplexed on IA32.
818 bool IsGpuAndFlashPolicyAllowed_x86_64(int sysno) {
819 if (IsAllowedAddressSpaceAccess(sysno) ||
820 IsAllowedBasicScheduler(sysno) ||
821 IsAllowedFileSystemCapabilitySyscall(sysno) ||
822 IsAllowedGeneralIo(sysno) ||
823 IsAllowedGetOrModifySocket(sysno) ||
824 IsAllowedGettimeSyscall(sysno) ||
825 IsAllowedProcessStartOrDeath(sysno) ||
826 IsAllowedEpoll(sysno) ||
827 IsFutex(sysno) ||
828 IsGetProcessIdSyscall(sysno) ||
829 IsKernelInteralApi(sysno) ||
830 IsKillSyscall(sysno) ||
831 IsOperationOnFd(sysno) ||
832 IsAllowedPrctl(sysno) ||
833 IsAllowedSignalHandling(sysno)) {
834 return true;
835 } else {
836 return false;
837 }
838 }
839
840 // System calls that will trigger the crashing sigsys handler.
841 bool IsGpuAndFlashPolicyWatched_x86_64(int sysno) {
842 if (IsAdminOperation(sysno) ||
843 IsAdvancedScheduler(sysno) ||
844 IsAdvancedTimer(sysno) ||
845 IsAsyncIo(sysno) ||
846 IsDebug(sysno) ||
847 IsEventFd(sysno) ||
848 IsExtendedAttributes(sysno) ||
849 IsFaNotify(sysno) ||
850 IsFsControl(sysno) ||
851 IsGlobalFSViewChange(sysno) ||
852 IsGlobalProcessEnvironment(sysno) ||
853 IsGlobalSystemStatus(sysno) ||
854 IsInotify(sysno) ||
855 IsKernelModule(sysno) ||
856 IsKeyManagement(sysno) ||
857 IsMessageQueue(sysno) ||
858 IsMiscSyscall(sysno) ||
859 IsNetworkSocketInformation(sysno) ||
860 IsNuma(sysno) ||
861 IsProcessGroupOrSession(sysno) ||
862 IsProcessPrivilegeChange(sysno) ||
863 IsSystemVMessageQueue(sysno) ||
864 IsSystemVSemaphores(sysno) ||
865 IsSystemVSharedMemory(sysno) ||
866 IsTimer(sysno)) {
867 return true;
868 } else {
869 return false;
254 } 870 }
255 } 871 }
256 872
257 // x86_64 only because it references system calls that are multiplexed on IA32. 873 // x86_64 only because it references system calls that are multiplexed on IA32.
258 playground2::Sandbox::ErrorCode GpuProcessPolicy_x86_64(int sysno) { 874 playground2::Sandbox::ErrorCode GpuProcessPolicy_x86_64(int sysno) {
259 switch(sysno) { 875 switch(sysno) {
260 case __NR_eventfd2:
261 case __NR_getpid: // Nvidia binary driver. 876 case __NR_getpid: // Nvidia binary driver.
262 case __NR_getppid: // ATI binary driver. 877 case __NR_getppid: // ATI binary driver.
263 case __NR_ioctl: 878 case __NR_ioctl:
264 case __NR_mlock: 879 case __NR_mlock:
265 case __NR_munlock: 880 case __NR_munlock:
266 case __NR_poll: 881 case __NR_poll:
267 case __NR_recvfrom: 882 case __NR_recvfrom:
268 case __NR_writev: 883 case __NR_writev:
269 return playground2::Sandbox::SB_ALLOWED; 884 return playground2::Sandbox::SB_ALLOWED;
270 case __NR_socket: 885 case __NR_socket:
271 return EACCES; // Nvidia binary driver. 886 return EACCES; // Nvidia binary driver.
272 case __NR_fchmod: 887 case __NR_fchmod:
273 return EPERM; // ATI binary driver. 888 return EPERM; // ATI binary driver.
274 case __NR_open: 889 case __NR_open:
275 // Accelerated video decode is enabled by default only on Chrome OS. 890 // Accelerated video decode is enabled by default only on Chrome OS.
276 if (IsAcceleratedVideoDecodeEnabled()) { 891 if (IsAcceleratedVideoDecodeEnabled()) {
277 // Accelerated video decode needs to open /dev/dri/card0, and 892 // Accelerated video decode needs to open /dev/dri/card0, and
278 // dup()'ing an already open file descriptor does not work. 893 // dup()'ing an already open file descriptor does not work.
279 // Allow open() even though it severely weakens the sandbox, 894 // Allow open() even though it severely weakens the sandbox,
280 // to test the sandboxing mechanism in general. 895 // to test the sandboxing mechanism in general.
281 // TODO(jorgelo): remove this once we solve the libva issue. 896 // TODO(jorgelo): remove this once we solve the libva issue.
282 return playground2::Sandbox::SB_ALLOWED; 897 return playground2::Sandbox::SB_ALLOWED;
283 } else { 898 } else {
284 // Hook open() in the GPU process to allow opening /etc/drirc, 899 // Hook open() in the GPU process to allow opening /etc/drirc,
285 // needed by Mesa. 900 // needed by Mesa.
286 // The hook needs dup(), lseek(), and close() to be allowed. 901 // The hook needs dup(), lseek(), and close() to be allowed.
287 return playground2::Sandbox::ErrorCode(GpuOpenSIGSYS_Handler, NULL); 902 return playground2::Sandbox::ErrorCode(GpuOpenSIGSYS_Handler, NULL);
288 } 903 }
289 default: 904 default:
290 if (IsGpuAndFlashPolicyAllowed_x86_64(sysno)) { 905 if (IsGpuAndFlashPolicyAllowed_x86_64(sysno) || IsEventFd(sysno)) {
291 return playground2::Sandbox::SB_ALLOWED; 906 return playground2::Sandbox::SB_ALLOWED;
292 } 907 }
293 // Generally, filename-based syscalls will fail with ENOENT to behave 908 // Generally, filename-based syscalls will fail with ENOENT to behave
294 // similarly to a possible future setuid sandbox. 909 // similarly to a possible future setuid sandbox.
295 if (IsFileSystemSyscall(sysno)) { 910 if (IsFileSystemSyscall(sysno) || IsAmbientFileSystemSyscall(sysno)) {
296 return ENOENT; 911 return ENOENT;
297 } 912 }
913
914 if (IsGpuAndFlashPolicyWatched_x86_64(sysno)) {
915 // Previously unseen syscalls. TODO(jln): some of these should
916 // be denied gracefully right away.
917 return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL);
918 }
298 // In any other case crash the program with our SIGSYS handler 919 // In any other case crash the program with our SIGSYS handler
299 return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL); 920 return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL);
300 } 921 }
301 } 922 }
302 923
303 // x86_64 only because it references system calls that are multiplexed on IA32. 924 // x86_64 only because it references system calls that are multiplexed on IA32.
304 playground2::Sandbox::ErrorCode FlashProcessPolicy_x86_64(int sysno) { 925 playground2::Sandbox::ErrorCode FlashProcessPolicy_x86_64(int sysno) {
305 switch (sysno) { 926 switch (sysno) {
306 case __NR_sched_getaffinity: 927 case __NR_sched_getaffinity:
307 case __NR_sched_setscheduler: 928 case __NR_sched_setscheduler:
308 // These are under investigation, and hopefully not here for the long term. 929 // These are under investigation, and hopefully not here for the long term.
309 case __NR_shmat:
310 case __NR_shmctl:
311 case __NR_shmdt:
312 case __NR_times: 930 case __NR_times:
313 case __NR_wait4: 931 case __NR_wait4:
314 return playground2::Sandbox::SB_ALLOWED; 932 return playground2::Sandbox::SB_ALLOWED;
315 case __NR_ioctl: 933 case __NR_ioctl:
316 return ENOTTY; // Flash Access. 934 return ENOTTY; // Flash Access.
317 case __NR_socket: 935 case __NR_socket:
318 return EACCES; 936 return EACCES;
319 default: 937 default:
320 if (IsGpuAndFlashPolicyAllowed_x86_64(sysno)) { 938 if (IsGpuAndFlashPolicyAllowed_x86_64(sysno) ||
939 IsSystemVSharedMemory(sysno)) {
321 return playground2::Sandbox::SB_ALLOWED; 940 return playground2::Sandbox::SB_ALLOWED;
322 } 941 }
323 if (IsFileSystemSyscall(sysno)) { 942 if (IsFileSystemSyscall(sysno) || IsAmbientFileSystemSyscall(sysno)) {
324 return ENOENT; 943 return ENOENT;
325 } 944 }
945 if (IsGpuAndFlashPolicyWatched_x86_64(sysno)) {
946 // Previously unseen syscalls. TODO(jln): some of these should
947 // be denied gracefully right away.
948 return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL);
949 }
326 // In any other case crash the program with our SIGSYS handler. 950 // In any other case crash the program with our SIGSYS handler.
327 return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL); 951 return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL);
328 } 952 }
329 } 953 }
330 #endif 954 #endif
331 955
332 playground2::Sandbox::ErrorCode BlacklistPtracePolicy(int sysno) { 956 playground2::Sandbox::ErrorCode BlacklistPtracePolicy(int sysno) {
333 if (sysno < static_cast<int>(MIN_SYSCALL) || 957 if (sysno < static_cast<int>(MIN_SYSCALL) ||
334 sysno > static_cast<int>(MAX_SYSCALL)) { 958 sysno > static_cast<int>(MAX_SYSCALL)) {
335 // TODO(jln) we should not have to do that in a trivial policy. 959 // TODO(jln) we should not have to do that in a trivial policy.
(...skipping 137 matching lines...) Expand 10 before | Expand all | Expand 10 after
473 // Process-specific policy. 1097 // Process-specific policy.
474 ShouldEnableSeccompBpf(process_type) && 1098 ShouldEnableSeccompBpf(process_type) &&
475 SupportsSandbox()) { 1099 SupportsSandbox()) {
476 return StartBpfSandbox_x86(command_line, process_type); 1100 return StartBpfSandbox_x86(command_line, process_type);
477 } 1101 }
478 #endif 1102 #endif
479 return false; 1103 return false;
480 } 1104 }
481 1105
482 } // namespace content 1106 } // namespace content
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698